The newly released McAfee Threat Report shows phishing still is one of the most prevalent tactics for cybercriminals
It’s been a few tumultuous years so far in the world of cybersecurity. Looking back at the past 12-24 months, we have the “SolarWind” hack, which involved compromising at least three different software providers and subsequently lead to hackers penetrating at least 12 U.S. federal agencies. This was followed by the Colonial Pipeline ransomware attack, which led to a short-lived energy crisis after halting this massive oil and gas company’s operations. This was resolved after a hefty payment of almost 5M USD in cryptocurrency to the ransomware group DarkSide.
In the last couple of weeks, we’ve also seen a critical Windows vulnerability that allows hackers to take full control of a target computer and servers, as well as a large-scale ongoing attack on the US tech firm Kaseya. The network management and remote-control software was compromised, affecting around 60 of their clients. However, with many of these clients being Managed Service Providers with a client base of their own, the downstream number of affected businesses is well over a 1000 globally, many of whom have been forced to shut down whilst the problem is being resolved, including Sweden’s very own COOP.
Many of these attacks highlight the increase and danger of what’s called a supply chain attack. This means hackers slip a piece of malicious code into a trusted software or hardware to simultaneously gain access to 100s or 1000s of businesses, whilst the Microsoft vulnerability requires gaining access to your servers for it to be exploited.
Some good has come from all this activity, especially The Colonial Pipeline attack, which spurred the US Government to create a ransomware task force whilst a large portion of the cryptocurrency ransom has now been recovered possibly hinting that crypto anonymity is a fallacy.
It might be difficult to comprehend what could’ve been done to prevent the above attacks, or how to stop cybercrime, and realistically we won’t. It’s a cat and mouse game and just like with other types of criminality if there’s money to be made (or information to be gained) it will continue.
With that being said, I thought I should mention a few basics of how your business can protect itself against hackers gaining access to information or control of business-critical systems.
There is a critical stage in the roadmap for hackers called “Initial Access”, during which they’re attempting to gain access to your system. According to a newly released McAfee threat report, phishing is still one of the most prevalent tactics used at this stage.
Phishing is a type of online scam where criminals impersonate legitimate organizations via email, text, or other means to steal sensitive information.
A great scenario for a cybercriminal using phishing as their strategy is to be able to use an exact match of your domain, just under another TLD (domain name extension).
Exact match domains under different TLDs are the easiest to get confused in an email and employees (or customers) might interact with its contents, download a file, or click a link and before you know it, their machine is infected and now the hacker is looking for vulnerabilities in your systems.
Furthermore, if you’re actively marketing or have customers in a country where you don’t own the domain, you need to be aware that you’re not only giving up this space to a cybercriminal, but you are also generating interest and traffic for them.
For example, they might put up a website designed to collect sensitive information from employees or your customers. If an employee is tricked into giving up their credentials, you’re in trouble. The good news is, there are some basic strategies and policies which you can implement to avoid this.
First off – Have a clear domain strategy
Register domains in the countries where you are already or intend to be active in the future, even if it’s not generating traffic, it has a protective value that could save you 1000 times the investment of the domain.
Continuing on this journey, another very common phishing technique is spoofing. Email spoofing is the creation of email messages with a forged sender address (your domain), which is made possible by you not having implemented a mechanism for authentication.
This means that without the right technical configuration anyone can send an email using your domain. There are existing solutions to counteract spoofing.
Implementing DMARC is highly recommended and allows your sending domain to indicate that your emails are being protected by SPF and/or DKIM and tells a receiver (like Gmail) how to act if neither of those authentication methods passes. For example, reject the message completely. Thus, you can protect both your business, employees, and customers from ever receiving the Spoofing email which uses your domain in the first place.
A clear strategy for user access
To prevent damage if credentials are lost, a more proactive action to take is to manage the rights/actions of every employee carefully. Ask yourself, “what access do my employees need for them to do their job effectively?”. The more restricted the access, the more limited the damage can be if a cyber-criminal were to gain access to an employee’s credentials or machine.
Implement a password policy
If they can’t fool your employees into interacting with a malicious email – can they gain access in any other way? Yes, for example, brute-forcing their way through a weak password, or even a password that’s been leaked. Passwords should be changed intermediately in case of a database being breached and should have some minimum requirements in terms of length and character use. It’s preferable to use a randomly generated password with at least 10 characters, which would take years to brute-force whilst your policy might force employees to change every 6 months.
Above all, the most important, yet arguably most simple thing to do is educate your employees. Explain what they need to watch out for and why – what is the damage that can be caused?
Perhaps a chat about policy and security should be part of the onboarding conversation? Explain why they need to follow certain policies because even the smallest diversion from the overall policy can cause massive damage for both your business and your clients.