A new twist on commonly reported hacks. One where spear phishing emails (impeccably worded and including advice or documents from apparent industry experts) were used to gain access to senior staff mailboxes. Mailbox contents was then reviewed to piece together insider information.
This is a cybercrime without the telltale noise that would trigger alerts from security tools. Mails with suspect links may be filtered out, but that depends on your firewall, mail gateway and computer controls, both at work and (if personal devices are ever used for business purposes) at home.
This is a carefully worded article because I don’t want to demonize execs (not just because they usually pay my wages). These are men and women who are working at the hard edge of business, often round the clock and under dramatic pressure. But expensive accidents, like the one above, are happening.
It won’t happen to you?
Maybe, but this is expert social engineering designed to play on one or more of the strongest con merchants’ hooks…
…and a subset of all social groups, irregardless of seniority and intelligence, will slip up.
Executives just 10.4%?! Why bother reading on? Because this graph doesn’t highlight the quantity and sensitivity of data each group can access. Overlay that context, for a business that puts reasonable limits on what end users can see and it’s suddenly a scarier picture.
A Google survey last year showed that phishing emails pointing to realistic target sites were successful 45% of the time and the 2015 Verizon Data Breach and Incident Report (DBIR), proves that this threat isn’t going away.
As part of research for the report 150,000 e-mails were sent by two of Verizon’s security awareness partners. Here are some highlights of results.
- A typical phisher gets his first response 1 minute and 22 seconds after sending a batch of mail
- Mails often aren’t sent in isolation. A campaign of just 10 e-mails yields a greater than 90% chance that at least one will be clicked. It doesn’t take long. There is a 50% chance of at least one recipient clicking on a phishing link within an hour.
- 70-90% of all malware was unique to a single organisation, significantly reducing the likelihood that gateway and endpoint malware protection will recognise nasties and stop them.
- More generally, Verizon estimated that intentional or unintentional human actions enable up to 90% of ALL data breaches
- Departments such as Communications, Legal, and Customer Service were far more likely to actually open an e-mail than all other departments.
To quote the report on the aim of Phishing in Cyber Espionage (over two thirds of attacks in this category relied on it):
“The user interaction is not about eliciting information, but for attackers to establish persistence on user devices, set up camp, and continue their stealthy march inside the network”
This is not primarily (or even substantially) an IT problem.
Board members’ mailboxes are battle grounds of useful, useless, urgent and ignorable content. It would be easy to let something fall through the net and all it takes is one click. Not only that, the inconvenience of some security controls conflicts with the flexible and prompt access most senior staff need.
Do any of these practices or behaviours sound familiar?
Links below take you to pertinent advice and news;
- Sharing access and passwords with assistants to keep things simple. Necessary, but often not limited to just what’s needed, reviewed or updated if circumstances change.
- Asking for concessions on password complexity/expiry to help ease problems with remote working
- sReusing passwords for accounts that protect sensitive data.
- Falling back on solutions like Dropbox or USB devices to transfer large quantities of documents or data because email size limits are too small, or corporate approved methods are time consuming and complicated.
- Taking briefcases full of confidential documents home to review and sometimes leaving them (and your laptop?) in the car when refuelling, or overnight.
- Occasionally using personal webmail accounts to get data out of the company (perhaps VPN is playing up, or the company laptop/remote access token isn’t convenient to use)
- Assistants managing exec mailboxes who may be at more risk of being taken in by phishing mails (especially ones that expertly play the time or fear card to increase perceived urgency to deal with them).
- Frequently working on planes or trains without being especially careful about eavesdroppers or shoulder surfers
- Leaving devices in checked-in baggage, on out of sight luggage racks or in hotel rooms
- Being permitted to bring personal devices into work as an exception to general policy, or without allowing the same network access limitations and other controls normal BYOD users are subject to
- When urgently needing to contact the office, jumping onto the nearest available public WiFi, without using VPN, to access corporate webmail, or quickly messaging a colleague from a personal email account
- Leaving Bluetooth or WiFi switched on after using a smartphone, iPad, laptop or new wearable device
When security is seen as hobbling productivity, ways around are found (the root cause of many unintentional insider driven breaches). Almost every staff member at every single firm will say “How high?” when a board member says “Jump!”. It is the responsibility of the board to use that power selectively.
Use your security team. The vast majority of companies have at least one business realist in their security function (or if you don’t, you can always contact us). Invite that person in and describe your work challenges and frustrations. There are any number of creative ways to enable you to work effectively, without you becoming one of the vulnerabilities security staff work so hard to fix.
Schedule a security confessional
Use us the same way you use your accountants and lawyers; to find you efficient ways to work safely and compliantly. Solutions shouldn’t be gold-plated, but they do need to reflect the fact that you handle the strategic information equivalent of the crown jewels.
So, perhaps it’s a meeting to book soon? A confidential chat between you, your executive assistant and that experienced security pro. Bring out your workaround dirty laundry and find out if there is a better way.