by Andrea Lee Taylor
3:00 min read
Insider threats are a hidden and yet obvious peril. They are human security risks to an organization's cybersecurity, posed by people who have authorized access to the company's data and computer systems. They are the biggest cause of security breaches in companies. They are also difficult to deal with and costly to remediate.
A 2016 Cyber Security Intelligence Index by IBM reported that 60% of all attacks on organizations were carried out by insiders. In the US, it is estimated that 2,500 internal security breaches occur in firms daily, yet only 1 in 5 IT professionals consider them a priority when addressing security issues.
Who are the insiders in your organization?
Any trusted or privileged user in your system is a potential, even when unintentional, threat. They include:
Employees: Your workforce is your greatest asset, and yet they present a huge threat to the security of your organization. They may leak sensitive data due to negligence, ignorance, or misuse it intentionally for personal gain. Hackers target them on a daily basis in an attempt to compromise or steal their credentials.
Former employees: If their user access credentials were not disabled when they were laid off, terminated employees can still access systems and data. Some may take sensitive data with them when leaving, while others, being familiar with your security practices and therefore your known weaknesses, may attack your business with malware.
Third parties: This group comprises partners, remote employees, third-party vendors, and sub-contractors. They access your data but you may not know how secure their systems are. It is also hard to establish if they have any ill motive.
Types of Insider threats
Insider threats are grouped into two broad categories, inadvertent and malicious.
Inadvertent insider threats: These breaches are caused by insiders who have no malicious intent. They may result in data loss, damage to your infrastructure, or unauthorized disclosure of confidential and sensitive information. Everyday causes include negligence, shortcuts taken for convenience, human errors such as accidental deletion of files, unintentionally aiding someone with malicious intent, falling for phishing, or someone accessing your systems using stolen employee credentials.
Malicious insider threats: Malicious breaches are intentional, and they are meant to harm your organization. The motivation for malicious threats may be personal vendetta, competition, or financial gain. They include theft of intellectual property, fraud, corporate espionage, and sabotage.
Why are insider threats so rampant?
It is easier to overlook risks posed by insiders. Training employees takes time, and time away from other projects. Most budgets for IT emphasize making infrastructure and databases impervious to hackers and malware.
Breaches or data leaks can go on for months before they are discovered. And when employees routinely work with sensitive data, intellectual property or customer information, it can be difficult to know which interactions are harmful and which are not. Employees who infiltrate systems with malicious intent also cover their trails by editing or deleting incriminating logs. And without egregious harm it can be difficult to prove intent. Mistakes do happen.
And there are innocent, ignorant users in organizations. These insiders pose the most significant security risk to their firms. According to a report from Forrester, 36% of security breaches in companies stem from careless or ignorant user actions. Another report revealed that more than 50% of employees don't think it is risky to share their work login information. Some employees even leave their workstations without logging out of their user accounts, giving malicious insiders the opportunity to use their credentials to sabotage systems or obtain sensitive data.
True crime stories aside, there are ways to help. Wombat's User Risk Report outlines the issues and offers guidance on training employees in ways that make an actual difference.
by Peter Dietrich
3:00 min read
The principle of least effort is sensible in many cases, but it's a poor guide to computer security, and it creates a straightforward human security risk. If a device or software service comes with a default password, failing to change it leaves a security hole. In a complicated networking environment, it takes some effort to make sure no default passwords have gone unnoticed and opened backdoors. Installed systems need review to make sure none have been missed.
Infrastructure? All passwords need changing
There are websites with comprehensive lists of default passwords for every device on the market. On one level, this is helpful; if users need to do a hard reset, they need to know how to access the device, and they may not have the original manual anymore. But these lists are also very handy for criminals.
Default passwords are often weak in themselves, so intruders can guess them in a few hundred tries even if they aren't publicly available. The password "admin" is a popular one.
Even devices that seem unimportant in themselves need a password change. That smart thermostat or security camera very likely has a full operating system running on it, and someone with access can install software that has nothing to do with its intended function. It becomes a back door to the local network, able to infiltrate other systems and steal data.
Software services may come with default accounts, where the installation procedure either automatically disables the accounts after they've served their purpose or keeps them locked until their passwords are changed. For example, Oracle sets up default accounts with these precautions built in. The best practice is to delete such accounts or immediately change their passwords, so that no one will inadvertently enable them in a vulnerable state.
New virtual machines, set up as PaaS, may likewise have accounts with default passwords or no passwords. The setup procedure should prompt the administrator to select a password, but hitting Enter too hastily may leave one unchanged. It's wise to review all accounts after setting up a VM to make sure they have good passwords.
The biggest risk is not realizing that there's a password that needs changing. A service such as a database may set up a default account which ought to be removed or changed. Administrators may be careful in securing every new account yet fail to notice that a vulnerable one was automatically installed.
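As an added example that is not part of the original post, the Python script below shows one way to do the post-setup account review the post recommends: it parses passwd- and shadow-format entries and flags accounts that were installed with no password, that have root privileges under a different name, or that have no shadow entry at all. The sample entries, including the vendor account named dbadmin, are constructed for illustration.

```python
"""Post-install account audit: flag accounts an administrator may have missed.

Constructed /etc/passwd and /etc/shadow snippets are embedded below so the
script runs offline; on a real host, read the actual files and pass their
contents to audit_accounts() instead.
"""

# Constructed sample: a fresh VM with a forgotten vendor account "dbadmin" that
# has an empty password field, a second UID-0 account, and ordinary accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
dbadmin:x:1001:1001:Vendor DB admin:/var/lib/db:/bin/bash
support:x:0:0:Remote support:/home/support:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Password field conventions: "" = no password needed, "!" or "*" = locked,
# anything else = a password hash (these hashes are made-up placeholders).
SAMPLE_SHADOW = """\
root:$6$saltsalt$constructedhashvalue:17800:0:99999:7:::
daemon:*:17800:0:99999:7:::
dbadmin::17800:0:99999:7:::
support:!:17800:0:99999:7:::
alice:$6$othersalt$anotherconstructedhash:17800:0:99999:7:::
"""


def parse_colon_file(text):
    """Parse a passwd/shadow-style file into {name: fields}, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; ignore rather than crash the audit
        entries[fields[0]] = fields
    return entries


def audit_accounts(passwd_text, shadow_text):
    """Return (account, finding) tuples, in passwd order, for accounts to review.

    Findings:
      empty-password   -> shadow password field is empty: login needs no password
      extra-uid0       -> an account other than root has UID 0 (full root rights)
      no-shadow-entry  -> passwd lists the account but shadow does not
    Locked accounts ("!" or "*") and accounts with a hash are not reported.
    """
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, pw in passwd.items():
        uid = int(pw[2]) if len(pw) > 2 and pw[2].isdigit() else -1
        sh = shadow.get(name)
        if sh is None:
            findings.append((name, "no-shadow-entry"))
        elif sh[1] == "":
            findings.append((name, "empty-password"))
        if uid == 0 and name != "root":
            findings.append((name, "extra-uid0"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
```

On a real host the same function can be fed the contents of /etc/passwd and /etc/shadow (the latter requires root to read).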
Documentation isn't always good about mentioning the issue, especially on commodity IoT devices. If a password is needed only for maintenance functions, the person installing the device might not notice that it's there.
Changing it may not be easy. It may be necessary to set up a Telnet or SSH connection to the device and run the "passwd" command or some equivalent, without any mention in the documentation of how to do it.
Sometimes accounts exist on a device that aren't revealed to the user at all, and sometimes there's no way to change the password. These are often leftovers from test code that the manufacturer forgot to remove. Security updates may remove the test account or give instructions for changing the password.
Don't assume it's unreachable
Even if the device is reachable only on the local network, leaving its password unchanged is a poor practice. A network configuration error could expose it, or malware could reach it through another computer on the network. The principle of defense in depth says that networks should have strong internal security as well as protection from outside threats.
At one time, routers were commonly shipped with a published, default administrative password, and remote administration over the Internet was enabled by default. Botnets devoted to scanning them quickly sprang up. They used the brute-force method of probing every possible IPv4 address. The routers would typically get compromised within seconds of being plugged in.
Sometimes there's no getting around this vulnerability. Administrators need to familiarize themselves with the security setup for devices before installing them and, if possible, keep them off the public Internet while setting them up, since these devices are inherently insecure.
Following CERT's recommendations will help to avoid exposing devices to default-password risks. Suggested measures include:
by Andrea Lee Taylor
4:30 min read
Phishing remains the top human security risk. But what works to help mitigate the risk? There are proven, measurable, methods. So we thought we'd share a post you might appreciate from one of our partners.
Wombat 2017 Beyond the Phish
by Gretel Egan, Marketing Brand Manager @WombatSecurity
Want industry- and category-specific data points that illustrate business implications and highlight deficiencies in end-user cybersecurity knowledge? Our partner Wombat Security Technologies' 2017 Beyond the Phish Report™ is now available for download.
This analysis represents more than 70 million questions asked and answered — a survey of over a thousand US and UK working adults. The report examines strengths and weaknesses related to phishing threats, but also analyzes end-user knowledge beyond the phish. Within the Beyond the Phish Report, we explore employee understanding of business-critical cybersecurity best practices such as data protection measures, mobile device security, safe social sharing, password hygiene, and more. It’s important that organizations take the opportunity to evaluate knowledge across a range of topics, as poor cyber hygiene in these areas can compound the phishing threat and weaken security postures in general.
Wombat President & CEO Joe Ferrara noted, “We continue to see in our year-over-year results that reinforcement and practice are critical to learning retention. As with any learned skill, organizations need to work on cybersecurity awareness and knowledge to see continual improvements. Organizations that focus on building a culture of security and empowering their employees to be a part of the solution develop the most sustainable and successful security awareness training programs.”
Areas of Improvement
Key areas from the 2017 Beyond the Phish analysis that revealed room for improvement include the following:
Areas of Improvement
While we can likely all agree that there is always room for improvement with regard to managing end-user risk, the 2017 Beyond the Phish Report did reveal categories and industries in which employees are improving year-over-year:
Ultimately, the 2017 Beyond the Phish Report shows the need to continuously assess and train employees about cybersecurity threats. Infosec teams cannot assume that knowledge is a constant; like any skill, cybersecurity expertise needs to develop over time, and users need the opportunity to practice and grow their abilities. An hour of training, once a year, is not the way to move the dial on behavior change, nor can any one tool serve as a silver bullet for knowledge enhancement. It is a combination of phishing tests; question-based knowledge assessments; interactive training; reinforcement techniques and tools; and gathering of metrics and business intelligence that will give your security awareness and training program the best shot at success.
As always, Wombat and Anchor Technologies remain poised to be the partners that can help you move the dial and deliver measurable behavior change within your organization.
by Peter Dietrich
3:30 min read
Human behavior is a huge issue in network security, and it's one of the hardest to manage. Technical protection is important, but the human security risk is the mistakes people make that can undo it. People tend to be trusting. This makes for good social relationships but is a problem for network security.
Phishing attacks prey on people's trust. When we think of phishing, we usually think about email. Criminals don't stop there, though. SMS phishing, called SMiShing, makes up a rapidly growing proportion of the threat. Trojan Horse attacks delivered by SMS were one of the fastest-growing forms of malware distribution in 2017. Many phones have no SMS spam protection, so these messages get through more easily.
People haven't had as many years of experience with deceptive SMS messages, so they aren't always as alert to them. Text messages are normally terse, so the lack of personally identifying information isn't as obvious a clue as with email. People usually deal with them more hastily than they do with email, and it's easier to catch them off guard with a text message.
The pattern isn't much different from email phishing. Typically, it's a fake notification of a payment or invoice, or some other supposedly urgent message. The victim taps on the link and opens a Web page that's designed to cause trouble.
Varieties of SMiShing
The link may lead to what looks like a legitimate business site, claiming some issue needs to be resolved. The victim is asked to enter personal information, such as a Social Security or credit card number. After getting the information, the site will probably express polite gratitude. It now has a lot more to be grateful for than the user realizes.
Sometimes the linked site tries to download malware. It might claim that an application or plug-in is needed to see some important content. It might try to exploit a browser bug and install the malware directly.
Phones are often the weakest link in a business network. BYOD policies let employees use personal phones that may not have any security software. Getting malware onto a phone with access to a VPN is the first step to getting at the company's confidential data.
If the criminal is targeting a particular individual, the message can use techniques to appear more plausible. It can forge the sender ID to impersonate someone the recipient knows. It can add personal details.
If someone's phone is infected by malware, it can send out text messages without the owner's knowledge. They don't just appear to come from someone the target knows, but really do come from there.
The first line of defense is user awareness. Employees need to be as aware of the dangers of SMS spam as they (hopefully) are of email spam. Their awareness needs to be a habit, not just a fact they can recite. A training program in security practices is the best way to accomplish this. Follow-up testing with simulated SMiShing messages can show how well employees have incorporated the information, as well as reminding them that they need to stay alert.
Even smart people will sometimes be fooled, though. Security measures that protect the whole network are necessary. Spam filtering is as important for text messages as it is for email. A BYOD policy should require phones to meet certain standards before they get VPN access or custom applications. IT departments need to keep software patches up to date. Network monitoring is necessary to detect suspicious traffic.
Check Point SandBlast Mobile provides comprehensive mobile security. It filters SMS messages, using dynamic security intelligence, and blocks malicious ones. It checks downloaded applications for malicious behavior, keeping them in a sandbox environment until it has verified them. Users continue to use their phones the way they always have, but with fewer annoying text messages and less risk. SandBlast is designed for EMM deployment, so it can easily be installed on all devices on a network.
People make mistakes, and nothing can eliminate them all. However, a multi-layered approach to security can sharply reduce their consequences. It needs to include training, network maintenance, and high-quality security software.
by Peter Dietrich
3:00 min read
Human security risks happen because people are trusting, not because they are foolish. Phishing (email) and SMiShing (texting/mobile) attacks abuse trust, and employees need to be careful with every message they get. But what happens when a site, which they have every reason to trust, is subverted? That's what happens in a waterholing attack.
The term "waterholing" comes from the expression "poisoning the waterhole," perhaps from predatory animals lurking near a waterhole. Businesses with serious data protection requirements put a lot of effort into protecting their websites, but their people often visit websites that are less careful. Local stores, restaurants, and entertainment sites may be small operations that use weak administrative passwords and don't patch their software regularly.
An attacker will find many of these sites easy to break into, and can then inject malware into the site. The aim is to take advantage of browser bugs and get access to the visitor's computer. From there the attacker can get into the business network and steal data, or run ransomware and destroy files.
The attack is usually a targeted one. The attacker decides what business it's attacking and looks for sites that its people are likely to visit. Probing enough sites has a fair chance of finding one that's vulnerable.
Protection against waterholing
The insidious part of waterholing is that the victim doesn't have to make any mistakes. Just visiting a familiar website is enough. Some waterholing sites require the user to accept a download, but many do their dirty work without any user interaction. Still, there are several practices that will reduce the risk.
Keeping browsers up to date will foil a lot of attacks. Waterholing exploits often rely on browser bugs that have been fixed in the latest version, counting on access from those who have yet to patch. However, many attackers use zero-day exploits that no one has patched yet, so any browser can be vulnerable.
Keeping plug-ins up to date is equally important. Adobe Flash is the number one target, and old versions of it are extremely vulnerable. Businesses should either make sure it's kept strictly up to date or else prohibit it completely. Adobe is phasing it out, since modern browsers have better ways of performing its functions. Limiting Flash to a set of whitelisted sites can strike a reasonable balance if banning it isn't acceptable.
Users should pay attention to browser warnings. The leading browsers check visited sites against a constantly updated list of known rogue or compromised sites. Security training needs to stress that ignoring the warnings is a bad idea, since people are very inclined to trust familiar pages.
Employees should be trained to ignore unexpected download requests. If the corner pizza shop asks you to download software, that’s a reason for suspicion.
Network security measures
Attacks that use trusted sites are insidious and have a high chance of getting past people's defenses. Strong network protection is necessary in order to limit their damage. Software such as SentinelOne covers the entire network, using dynamically updated threat intelligence to detect any breaches and handle them quickly.
Unusual network traffic may be the first clue that a breach has happened. Ongoing network monitoring will spot such events. The first thing to do when they're detected is to quarantine the affected machine from the network. This allows time to analyze the problem and remove the malware.
The more quickly a waterhole is identified, the sooner access to it can be blocked. The owner should be notified, and access shouldn't be allowed until the problem is truly fixed. If the site owner doesn't fix the underlying vulnerability, the malware may come back five minutes after it's removed.
Attempts to break into computer networks are a constant fact of life, and there's no absolute safety short of unplugging completely from the Internet. A strong multilayered defense will stop most attacks, though. It needs to include training, system maintenance, and software protection.
by Peter Dietrich
1:00 min read
All the cyber sphere is abuzz over the latest in world-ending vulnerabilities, Meltdown and Spectre. Truly the hype is impressive these past few weeks. But all kidding aside, this one is pretty serious, or at least it may be if certain things come together. I guess that's typical of most of the big-name vulnerabilities like EternalBlue (WannaCry), Heartbleed and KRACK. Your Internet browser will likely be the method of delivery for these attacks, according to the SANS Storm Center. Many of my clients have come to me and asked what they can do. Well, certainly you could replace all of your hardware with new hardware when the new chips come out or.... you could do the basics.
1. Patch, then really patch and patch again. This really is our only hope with this one for now. Everything with a processor will likely need a patch. Accept the patches that are coming out from your vendors, but be careful and test first; some of them have been breaking things.
2. Scan for vulnerabilities more often: weekly, or at least monthly. Do this on your internal network as well as your external one, and run these as authenticated scans. But above all, actually dedicate resources to fix the vulnerabilities identified.
3. Develop a mature cybersecurity program based on the Center for Internet Security's (CIS) 20 Critical Security Controls (CSC), including all appropriate 149 sub-controls.
by Peter Dietrich
3:00 min read
Phishing can be a company's worst nightmare. According to Google, phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. Many security measures can be in place to guard against human security risk, but without proper knowledge provided to individual employees, one email with an attachment can compromise everyone. According to EdTech Magazine, one-third of employees in America are falling for phishing scams.
Phishing scams are becoming more sophisticated, fooling anyone from the new hire all the way to the CEO. If employees aren't educated and brought up to date on the latest phishing scams, companies leave themselves more susceptible to a breach. Phishing scams also increase at times when there are major data breaches at large companies. Some examples of companies that have been hacked in the last year are Uber, Deloitte and Equifax. According to the FTC, the Equifax breach affected 143 million people, exposing their Social Security numbers, birthdates, addresses, and driver's license numbers. After the breach, Equifax even inadvertently directed people to a fake version of its own hacking help page. The seriousness of phishing should not be overlooked. Wombat reports 3 reasons end users fall for phishing attacks:
Expecting employees will never click on a bogus attachment is unrealistic; however, keeping employees in the dark about phishing is a sure and certain way to compromise a company.
10 tips for employees to decrease their chances of getting hooked:
by Peter Dietrich
3:00 min read
Of all the typical applications in most organizations, email is perhaps the most basic and essential. Any systems administrator knows that if email goes down they will hear about it. Email is a tool; increasingly it's a weapon as well.
In terms of basic human security risks, email is also the most frequent route for systems intrusions. The most common example is "phishing" or "spear phishing" messages that lead to malware infections. The differences between the two? Phishing is aimed at a broad audience (think of fishing with a tuna net) and Spear Phishing is aimed at a single target or a small group of targets (think of fishing with, well, a spear). The malware can be anything from "ransomware" that tries to encrypt your files and hold them for ransom to a Remote Access Trojan (RAT) that silently gives a hacker access to your system.
Email delivery of malicious software usually happens in one of two ways. In the first case, an attached file contains code that exploits a vulnerability in the software used to open the file (e.g., Adobe Reader, Microsoft Word). In the second case, the email contains a link to a website or other online resource, and that online resource delivers the malware, typically by exploiting a vulnerability in some element of the web browser.
6 key features and considerations to keep in mind with email security software or services:
by Peter Dietrich
3:00 min read
Phishing is the attempt to obtain sensitive information, primarily for malicious reasons, by posing as a trustworthy entity in an electronic communication. If you think you aren't susceptible, think again. Humans will always be the #1 security risk. According to the Microsoft Computing Safety Index, the annual worldwide impact of phishing could be pushing $5 billion.
6 of the fastest and easiest ways scammers can breach a company:
Don't let phishing attacks lure you; make yourself foolproof.