Best Practices for Protecting Against Phishing, Ransomware and Email Fraud
Security teams and the organizations they support live in difficult times: they increasingly are the targets of sophisticated threats developed by a shadowy and very well financed cybercrime industry that has demonstrated it can often outsmart even the most robust security defenses.
Cybercriminals are aided by the fact that security teams often lack the human and financial resources necessary to keep pace, and so often cannot defend against the latest threats that are directed against them. Add to this the fact that security teams often support users who unwittingly aid cybercriminals (or occasionally become them) through mistakes or intentional acts that can result in the loss of sensitive data or corporate funds.
Growing Success of Cyberthreats – Organisations are not performing adequate due diligence –
One of the several reasons that cybercriminals are achieving success is because many organizations are not exercising adequate due diligence in addressing the problems of phishing, spear phishing, CEO fraud/business email compromise (BEC) and ransomware. For example:
- Most organizations do not sufficiently test their users’ security awareness to determine which are most susceptible to interacting with malicious content.
- Many have inadequate backup processes that would enable them to rapidly recover from a ransomware attack.
- Many lack strong the internal control processes that would enable them to prevent CEO Fraud/BEC attacks.
- Many have not implemented technologies that are sophisticated enough to reduce the number of incoming phishing, spear phishing and other threats that are sent to them.
- Some organizations don’t perform the basic types of due diligence that would enable them to identify problems before they start.
- Finally, many IT and security departments have not properly addressed the “Bring Your Own” devices/cloud/apps phenomenon, allowing corporate data and system resources to be accessed through insecure means.
Best Practices to Consider
UNDERSTAND THE RISKS
Decision makers must understand the risks that their organizations face from phishing, spear phishing, CEO Fraud/BEC, ransomware, traditional malware, cryptomining malware, other threats and just dumb mistakes, and address them as a high priority. That seems obvious, but many decision makers give intellectual assent to the risks they face without taking them to heart.
CONDUCT A THOROUGH AUDIT OF THE CURRENT SECURITY INFRASTRUCTURE, TRAINING PRACTICES AND CORPORATE AND COMPLIANCE POLICIES
Decision makers should conduct a complete audit of their current security infrastructure, including their security awareness training programs, the security solutions they have in place, and the processes they have implemented to remediate security incidents. This is a key element in identifying the deficiencies that may (and probably do) exist, and it can be used to prioritize spending to fix the problems it finds.
CONSIDER A MULTI-LAYER APPROACH FOR EMAIL SECURITY
It is important to note that security solutions need advanced threat protection features because security is no longer simply about just spam and phishing campaigns. Advanced threats like ransomware, cryptojacking, zero-days, CEO Fraud/BEC, etc. are sophisticated, advanced threats that need advanced capabilities. These capabilities include attachment sandboxing and time-of-click URL analysis to complement the incumbent anti-spam and anti-malware for email hygiene.
VIEW SECURITY HOLISTICALLY
Security should be viewed as a holistic exercise, from the cloud services that are employed to detect and remediate threats all the way down to every endpoint solution. This doesn’t mean single sourcing of a security infrastructure, but it does require appropriate reporting and monitoring mechanisms be in place so that security teams can have a full understanding of their organizations’ security posture in as close to real time as possible.
ESTABLISH DETAILED AND THOROUGH POLICIES
It is essential to develop policies for all of the email, Web, collaboration, social media, mobile and other solutions that IT departments have deployed or that they permit to be used by employees. An important step should be the establishment of detailed and thorough policies focused on the tools that are or will be used in the future. These policies should focus on the regulatory, legal, industry and other obligations to encrypt emails if they contain sensitive or confidential data; monitor all communication for malware that is sent to social media, blogs, and other venues; and control the use of personally owned devices that access corporate systems that house any kind of business content.
IMPLEMENT AND REVISE COMPANY PROCEDURES
All organizations should implement and regularly update their company procedures about how sensitive and confidential data assets, as well as business-critical systems, are accessed and protected.
IMPLEMENT BEST PRACTICES FOR USER BEHAVIOR
There are a number of best practices to address the cybersecurity gaps that might exist in the organization. For example:
- All employees, especially senior executives who are more likely to be the target of a CEO Fraud/BEC attack, should be reminded regularly about the risks associated with oversharing information on social media.
- Any employee who deals with finances or sensitive data assets should have preestablished “backchannels”, or out-of-band communication methods, provided to them for verifying sensitive requests.
- Employees should be required to use passwords that match the sensitivity and risk associated with the corporate assets they are accessing, and these passwords should be changed on a regular schedule enforced by IT.
- Software and operating systems should be kept up-to-date to reduce the potential for a known exploit to infect a system with malware. IT can help through management and enforcement on behalf of employees.
- Ensure that every employee maintains good endpoint defenses on their personal devices if there is any chance that these devices will access corporate resources like corporate email or databases with sensitive information. That includes employees’ personally owned computers and devices if they access corporate resources while traveling or at home
TRAIN ALL USERS, INCLUDING SENIOR EXECUTIVES
Every organization should have a robust security awareness training program that will enable users to make better judgments about the emails they receive, how they surf the web, how they use social media, and so forth. The goal of any security awareness training program is to help users be better aware and more skeptic about what they receive in email, what they view on social media, and what they consider to be safe to access.
DEPLOY ALTERNATIVES TO “SHADOW IT”
Most organizations permit employees to use their own smartphones, tablets, filesharing accounts and cloud storage services. While this alleviates the burden on IT from having to provide all of these tools to users (or incur their wrath if they don’t), it can create enormous security holes. As a result, it’s important for IT to offer robust alternatives to the solutions that employees have deployed or might want to deploy. This includes solutions for file-sync-and-share, voice-over-IP, cloud storage, real-time communications and other capabilities that employees use.
OTHER ISSUES TO CONSIDER
Keep systems up-to-date
All corporate systems are buggy and the vulnerabilities in applications, operating systems, plug-ins, devices and systems can allow cybercriminals to successfully infiltrate most corporate defenses. As a result, every application and system should be inspected for vulnerabilities and brought up-to-date using the latest patches from vendors.
Keep recent backups and verify them
The most effective way to recover from a ransomware attack, as well as from other types of malware infections, is to restore the infected endpoint(s) to a known good state, preferably as close to the most recent pre-infection state as possible. With a recent backup, an endpoint can be reimaged and its data restored with minimal data loss. While this strategy will probably result in some level of data loss because there will usually be a gap between the most recent backup and the time of reimaging, recent backups will minimize data loss if no other recovery solution can be found.
Deploy good endpoint solutions
A number of good endpoint solutions can be deployed that can detect ransomware, other malware, phishing attempts, spear phishing attempts, data exfiltration and a variety of other threats. Every organization should deploy solutions that are appropriate to its cybersecurity infrastructure requirements, with an emphasis on the ability to detect, isolate and remediate phishing, spear phishing, CEO Fraud/BEC and ransomware threats.
Consider the risks inherent in the Internet of Things
The growing number of Internet of Things (IoT) devices pose a growing threat to any organization that has deployed these devices, or that has business partners who have deployed them. Decision makers need to have a well-considered security strategy to mitigate malware infiltration and other consequences of unsecured IoT devices in their ecosystem
Use adequate threat intelligence
Using historical and real-time threat intelligence to reduce the potential for infection can be a good way to reduce the likelihood of an attack or infection. Real-time threat intelligence can offer a good defense to protect against access to domains that are known to have a poor reputation and so are more likely to be used by cybercriminals for phishing, ransomware, spear phishing and other types of attack.
Protect all high value data
A sophisticated cyberattack always has the potential to penetrate even the best cyberdefenses. Consequently, organizations should protect their most valuable data so that if attackers get through, the information captured will be unusable. New encryption technologies like Format-Preserving Encryption (FPE) are easy to use, simple to maintain and can protect high value data at rest, in-use or in motion, ensuring protection in all use cases.
Encrypt sensitive and confidential email communications
The revelation of sensitive or confidential email communications has been key to some of the most high-profile data breaches. Organizations should broadly leverage email encryption for protection of all internal and external emails. Email encryption should be a standard tool for fighting phishing and other threats by making sensitive data useless to the attackers.
Consider using behavior analytics
Behavior analytics solutions examine the normal behavior patterns of employees across an organization and when a divergence is noted an exception is raised for further investigation or access is immediately blocked. Unusual behavior could signal an employee about to leave the organization, a malware attack, the presence of compromised credentials or some other problem, thereby enabling early detection and risk mitigation.
(The author Debasish Mukherjee : Vice President, Regional Sales APAJ at SonicWall Inc. and the views expressed in this article are his own)