A criminal will create a fake URL (website) which looks like a legitimate and secure website, but is actually set up to steal sensitive information for malicious purposes.
Criminals attempt to lure users into visiting the fake URL via phishing emails, SMS or social media. Attackers have typically targeted financial services for direct profit; however, they also employ this tactic in many other scenarios.
For example, universities in the UK have recently been targeted by overseas criminal groups. Attackers use fake phishing websites which then redirect users to the real login screens; by doing this, they can record any login details entered, giving them access to online libraries which may include valuable intellectual property.
Make certain that you know how to defend against phishing. For detailed guidance, check out the entry on phishing from the NCSC's Small Business Guide [ https://www.ncsc.gov.uk/guidance/avoiding-phishing-attacks ].
Always check that the URL of the website you are being asked to log into is the one you are expecting: look for misspellings or variations in phrasing, and for misleading domain endings (e.g. 'orguk.com'). Other signs include a website not behaving in a typical way (odd pop-ups, incorrect links, inconsistent content).
Protect your devices by ensuring that all software is patched and updated promptly. These attacks exploit vulnerabilities, so use the latest versions of any software you have and apply security patches as soon as they are released.
Ensure that firewalls have been correctly configured to reduce the ability to visit malicious websites. If you are not responsible for this, ask your IT manager/provider to confirm this has been done.
Install and run antivirus software, and make sure that it is updated regularly.
WATERING HOLE ATTACK
A criminal will identify a website that is frequented by users inside a target organisation, compromise that website, and use it to distribute malicious software to the users.
Watering hole attacks are an example of a supply chain attack, whereby criminals target websites thought to be regularly used by organisations of interest to them. These attacks are becoming increasingly successful with the growing use of third-party web-based services.
A victim may be unaware that malware has been downloaded during their session; this is known as a 'drive-by' attack. Alternatively, as they are usually on a trusted site, they may consciously download a file without knowing what it really contains.
Typically, the malware used will be a Remote Access Trojan (RAT), which enables the attacker to gain remote access to a target system and then perform a number of functions, e.g. reconnaissance, exfiltrating data or distributing other malware.
Watering hole attacks are a type of supply chain attack, so it is important that both your new and existing suppliers are evaluated for their cyber risk. Consider contractual clauses focused on security, and challenge your suppliers to develop and rehearse processes for reacting to compromise or data breaches. Note: Cyber Essentials accreditation is a good indicator of a supplier's reputation.
Protect your devices and network by ensuring that everything is patched and updated promptly. Watering hole attacks exploit bugs and vulnerabilities, so it is crucial that you use the latest versions of any software you have and apply security patches without delay.
Network security - ensure that your firewalls and any other security products have been correctly configured to monitor and filter web traffic effectively. Monitoring your network for abnormalities is key to detecting malicious behaviour. If you are not responsible for this, ask your IT manager/provider to confirm this is being done.
Threats that result from the actions of an employee, former employee, or stakeholder. Insider threats can be intentional or unintentional.
Significant damage can be caused to a company by anyone who has, or at one time had, access to confidential or proprietary information. Insiders have knowledge and understanding of internal processes and structures, making it easier for them to cause incidents. As they already have system and physical access, it can also be much harder for those incidents to be detected; this is a good example of why a company cannot rely solely on security software to detect threats.
If an insider is actively seeking to harm a business, then they may use their login credentials to steal customer data or Intellectual Property, sabotage data or applications, or even expose sensitive email conversations which could cause reputational damage. These types of actors could be acting on personal motives (financial, emotional, or political), for a competitor, or under direction from other malicious parties e.g. extortion attempts.
The unintentional insider threat can be just as damaging. Although there may be no intent to do harm, employees often make mistakes, they can have their accounts compromised, and they can also be socially engineered by attackers to enable malicious actions. Unfortunately, the majority of security incidents can be traced back to human error in some capacity.
Implement good hiring policies - make sure staff are vetted to a suitable degree. This should extend to third-party vendors, sub-contractors and other partners.
Review firing policies - this includes revoking user access to systems before employees are informed that they are being let go, escorting them off premises, and changing any login credentials that they might know of.
Use the principle of 'Least Privilege', which maintains that employees should only have access to data which they need for their role. Reducing the number of privileged staff means fewer staff who can conduct malicious activity, fewer accounts to be hacked, and fewer people to make high profile mistakes. With this in mind, it's important to update employee privileges when they change jobs, so they don't retain access to unnecessary and sensitive data.
Segregation of duties - although you should reduce the number of privileged staff as outlined above, it's also good practice to make sure that business sensitive processes require more than one person to complete them. This can reduce fraud, error, and overreliance on single employees.
Monitor user activity. There are software solutions which monitor work sessions and network performance to detect abnormal user behaviour; this can be an option for organisations which have the budget and the need to put it in place. Alternatively, if this isn't a suitable option, use the information available to you to observe how staff operate. It may be good practice to analyse business performance at certain times, e.g. when certain employees are away on leave, or during busy financial periods.
Implement regular cyber security training - this should cover all manner of threats, including social engineering and associated attacks such as Phishing/Spear Phishing/Business Email Compromise/CEO Fraud. Build a healthy working environment which encourages open communication. Not only can this reduce the likelihood of employees becoming malcontent, but staff will be more ready to discuss any security concerns they might have around their own work and that of others.
BUSINESS EMAIL COMPROMISE (BEC)
A type of phishing attack where criminals impersonate senior executives, or departmental authority figures, in order to socially engineer victims into sending financial or other sensitive information to the attacker.
There are various methods involved in BEC. One method attackers may employ is to use malicious software kits to gain access to a company's webmail exchange service. Once they have this access, they can then intercept invoices and alter payment details, or pose as senior employees to authorise transfers to fraudulent accounts.
Other methods include designing an email to look as authentic as possible. For example, a fraudster may register a domain which looks very similar to a pre-existing legitimate one, and attempt to solicit fraud using associated email accounts. This was raised in a recent Action Fraud report regarding university suppliers. The report highlighted how attackers are registering domains that are similar to genuine university domains, such as xxxxacu-uk.org, xxxxuk-ac.org and xxxacu.co.uk.
These domains are used to contact suppliers and order high-value goods such as IT equipment and pharmaceutical chemicals in the university's name. The purchase order typically instructs delivery to an address which may or may not be affiliated with the university. The items are then received by the criminals before being moved on; however, no payment is received by the supplier.
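As an added illustration of the advice above on checking a URL before logging in, and of the lookalike domains in the Action Fraud report, the following Python script compares a link's hostname against an allow-list of an organisation's genuine domains and explains why a near miss looks suspicious. It was written for this page and is not code from the newsletter, the NCSC or Action Fraud; the allow-list, the sample links and the two heuristics are constructed for illustration, and 'example-uni.ac.uk' and 'example-bank.co.uk' are placeholders rather than real institutions.

```python
"""Check a link's hostname against an allow-list of genuine domains and flag lookalikes."""
from urllib.parse import urlsplit

# Constructed allow-list of the organisation's own domains (placeholders, not real sites).
TRUSTED_DOMAINS = ("example-uni.ac.uk", "example-bank.co.uk")


def hostname(url):
    """Lower-cased host of a URL; also accepts a bare 'host/path' with no scheme."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").rstrip(".").lower()


def squash(name):
    """Drop dots and hyphens so 'ac-uk.org' and 'ac.uk' are compared on letters alone."""
    return name.replace(".", "").replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute); used to catch one-letter typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    host = hostname(url)
    if not host:
        return "unknown", "no hostname in URL"
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return "trusted", "host is %s or a subdomain of it" % domain
    first_label = squash(host.split(".")[0])
    for domain in trusted:
        brand = squash(domain.split(".")[0])
        # Heuristic 1: our name is present but the ending or separators differ,
        # e.g. 'exampleuniac-uk.org' or 'example-bank.couk.com'.
        if brand in squash(host):
            return "lookalike", "contains '%s' but is not under %s" % (brand, domain)
        # Heuristic 2: the first label is one edit away from our name,
        # e.g. the digit '1' in place of the letter 'l'.
        if len(brand) >= 5 and edit_distance(first_label, brand) <= 1:
            return "lookalike", "'%s' is one edit from '%s'" % (first_label, brand)
    return "unknown", "not on the allow-list and not similar to it"


if __name__ == "__main__":
    # Constructed sample links, mixing genuine, lookalike and unrelated hosts.
    for link in ("https://portal.example-uni.ac.uk/login",
                 "https://examp1e-uni.ac.uk/login",
                 "https://exampleuniac-uk.org/",
                 "https://example-bank.couk.com/",
                 "https://www.ncsc.gov.uk/"):
        print(link, "->", classify(link))
```

The first heuristic is deliberately aggressive: any unrelated site whose name happens to contain yours will be flagged too, which is the right trade-off for an internal link checker where a person reviews the flags before anyone enters a password.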
- Educate and train staff to be aware of and recognise BEC. Consider running simulated BEC/phishing exercises.
- Agree secure processes between employees internally and externally for your organisation to confirm certain purchases. Consider segregating duties, and make certain that employees know their responsibilities with regard to these processes.
- Ensure that you verify and corroborate all order requests from new customers. Use telephone numbers or email addresses found on the retailer's website; do not use the details given in the suspicious email for verification purposes.
- If the order request is from a new contact at an organisation that’s an existing customer, verify the request through an established contact to make sure it is legitimate.
- Check any correspondence and documents for inconsistencies in spelling, grammar and content – this can be a sign that fraudsters are at work.
- Install and frequently update antivirus and anti-malware software to protect against malicious software.
- Consider employing DMARC - a free email authentication standard; the Global Cyber Alliance provides an online setup tool at https://dmarc.globalcyberalliance.org
- Every Report Matters – if you have been a victim of fraud or cyber crime, report it to Action Fraud (either online at www.actionfraud.police.uk or call 0300 123 2040).
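To show what "employing DMARC" means in practice, here is an added Python example (not from the newsletter or the Global Cyber Alliance) that parses a DMARC record and reports whether it would actually stop mail spoofing your domain. The two records are constructed, the report mailbox and domain are placeholders, and the tag names follow RFC 7489; DMARC only takes effect once SPF and/or DKIM are already set up for the domain.

```python
"""Parse a DMARC TXT record and judge whether it would stop mail spoofing your domain."""

# Constructed records (placeholder domain and report mailbox). The first is the
# typical monitor-only starting point; the second is the hardened version.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-uni.ac.uk"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example-uni.ac.uk")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (enforcing, findings).

    enforcing is True only when every message failing SPF/DKIM alignment is
    quarantined or rejected for the domain and its subdomains; findings lists
    the reasons it is not, plus advisory points (reporting, alignment mode).
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return False, ["record does not begin with v=DMARC1, so receivers ignore it"]
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        return False, ["p tag missing or invalid: %r" % policy]
    findings = []
    if policy == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    pct = tags.get("pct", "100")            # RFC 7489 default is 100
    full_coverage = pct.isdigit() and int(pct) >= 100
    if not full_coverage:
        findings.append("pct=%s applies the policy to only a fraction of mail" % pct)
    sub_policy = tags.get("sp", policy)     # subdomain policy defaults to p
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves mail from subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua address; you will receive no aggregate reports")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append("%s=r (relaxed) accepts any subdomain as aligned; "
                            "use s for an exact match" % tag)
    enforcing = policy != "none" and full_coverage and sub_policy != "none"
    return enforcing, findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        enforcing, findings = assess_dmarc(record)
        print(label, "enforcing" if enforcing else "NOT enforcing")
        for finding in findings:
            print("  -", finding)
```

The record is published as a DNS TXT record at _dmarc.yourdomain. A p=none record is a sensible first step because it sends you reports without affecting delivery, but leaving it there indefinitely means a spoofed invoice still reaches the supplier's inbox; the point of the exercise is to move to quarantine or reject once the reports show your own mail passes.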
IS YOUR WEBSITE SECURE?
With the release of Chrome 68 this week, Google is taking a further step to make the web safer and is marking all websites that are not HTTPS as 'Not Secure'.
With an HTTP site there is no SSL/TLS certificate to encrypt your connection to the web server, so anything sent over an HTTP connection is in plain text. Passwords, names, addresses, personal and bank details etc. are not encrypted, giving an attacker the opportunity to intercept this information.
So, if your website is still running as HTTP, any of your visitors that are using Google Chrome will be warned with a ‘Not Secure’ message when visiting your website.
By upgrading to HTTPS you also get the added benefit of Google algorithms favouring your website so that your Google ranking will be higher!
If you need more information please give us a call on 01460 271055
INTERNET OF THINGS (IOT) SECURITY
IoT devices are any physical devices that are able to connect to and communicate over the internet. This connectivity allows new opportunities for cyber criminals.
IoT devices such as cameras, home sensors, and even baby monitors have become hugely popular. Unfortunately, security has been an afterthought for many manufacturers and consumers. Here are some threats related to IoT devices that you should be aware of.
Weak passwords, and a lack of two factor authentication on many devices can make it easy for an attacker to gain access to your devices.
Lack of Encryption
Unencrypted data, possibly even passwords being sent over the air with no protection (a recent story involved IoT lightbulbs doing just this between each other).
Are cameras showing weak points? Employee screens? Stock levels? An attacker could leverage this for malicious purposes.
Insecure software / hardware / firmware
Some devices are unable to receive updates with security patches, or manufacturers simply do not release updates. This is a huge vulnerability. Similarly, if device credentials are hard-coded (i.e. cannot be changed), then if these are ever exposed it becomes much easier for an attacker to compromise that device, as well as potentially other devices on that network.
Do you have ports open that shouldn't be? Could the device be compromised to conduct DDoS attacks?
STIMULATE THE MIDDLE AGED
As many organisations want to support mobile, team-oriented and non-routine ways of working, an increasing number of them are looking for assistance in adopting digital workplace technology. A recent Gartner, Inc. survey concluded that only 7 percent to 18 percent of organisations possess the digital dexterity to adopt new ways of work (NWOW) solutions, such as virtual collaboration and mobile working.
Not surprisingly, they found that the youngest age group (18-24) are the most likely adopters of NWOW, closely followed by the oldest (55-74). The group at the low point of the adoption dip (35-44), potentially feeling fatigued with the routines of life as middle age approaches, were most likely to report that their jobs are routine, had the dimmest view of how technology can help their work, and were the least interested in mobile work.
COOL - I.T.
It seems that the days of snow are finally behind us and that big golden thing in the sky has made an appearance.
It’s time to enjoy the warmer temperatures but have you thought about the effect that the temperature has on your IT Equipment?
You may have seen this error on your Phone or Tablet from time to time and you should always take measures to cool it as soon as possible.
If you are out in the sun, get it into the shade and allow it to cool, as extended periods of heat can cause faster deterioration of the internal components and shorten the life of the battery. Mobile devices should be kept between 0°C and 35°C.
In your server room you run similar risks as extended periods of heat give you a much higher risk of system failure and downtime.
A server should be kept running at between 20°C and 24°C and dangerous temperatures are classed as anything higher than 30°C
If your server room is beyond this limit, installation of an air conditioning unit should be considered.
With a Blueloop Packaged Services Agreement we can monitor the temperature for you and take appropriate and safe shut-down action in extreme cases.
A data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, data.
The reported number and scale of data breaches has continued to increase, with Dixons Carphone and PageUp as recent examples of larger organisations being exposed. The associated threats are many, including the potential for various frauds using the data gained from the breach, or exploiting the media awareness around the breach (e.g. phishing/vishing/smishing attempts from attackers masquerading as employees of the affected company, or as regulatory authorities).
If an organisation suffers a data breach, then the consequences can be dire. Financial damages can now include hefty fines from the ICO for non-compliance, and the reputational damage can be incredibly difficult to recover from.
The techniques used in many cases are often not particularly advanced. Examples include exploiting unpatched vulnerabilities or spear-phishing, and a large number of incidents have been caused by third-party suppliers failing to secure data properly. This highlights the importance of getting basic technical and procedural security measures right.
A major hardware distributor was the victim of a network intrusion whereby suspects gained access to the backend of their .eu and .ie domains through a vulnerability in the company's webserver. It is believed that the suspect identified the type of webserver on which the domains were hosted using security scanning tools such as Nmap or Metasploit. Once the type of webserver had been identified, the criminals would have ascertained that the company used the Magento ecommerce payment platform to manage their online financial transactions. Unfortunately, the Magento software they used was vulnerable to cross-site scripting (XSS), an attack type which we discuss below. This particular vulnerability had been present for over 6 months and had not been patched.
XSS is a code injection attack whereby an attacker injects malicious scripts (payloads) into a legitimate website or web application, which are then executed in an end user's browser. The XSS would have given the suspect(s) access to the backend of the .ie and .eu domains, and from there the suspects brute-forced an old admin account which had lain dormant for 2 years. This would have been relatively easy to do, as the account had a weak password.
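The vulnerable pattern behind reflected XSS, and the escaping that removes it, as an added Python example written for this page: it is not the case study's code, Magento's code or anything from the investigation, and the sample input is a harmless constructed marker in the shape of a script tag rather than a payload from the incident.

```python
"""Reflected XSS: raw interpolation of user input beside the escaped version."""
import html
from urllib.parse import quote

# Constructed input: a harmless marker in the shape of a script tag, used only
# to show whether each renderer emits it as markup or as visible text.
SAMPLE_INPUT = '<script>marker()</script>'


def render_vulnerable(query):
    """Puts the user's text straight into the page, so a browser runs any tag in it."""
    return "<p>Results for: %s</p>" % query


def render_escaped(query):
    """Encodes <, >, &, ' and " so the browser shows the text instead of parsing it."""
    return "<p>Results for: %s</p>" % html.escape(query, quote=True)


def render_link(query):
    """Each output context needs its own encoding: attribute value vs URL parameter."""
    attr_value = html.escape(query, quote=True)   # inside a quoted attribute
    url_value = quote(query, safe="")             # inside a URL query string
    return '<a href="/search?q=%s" title="%s">search again</a>' % (url_value, attr_value)


def security_headers():
    """Defence in depth for when escaping is missed somewhere: a restrictive CSP
    blocks inline scripts, and nosniff stops content-type guessing."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def emits_script_tag(fragment):
    """Crude check used only for the comparison below: is a real <script tag present?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SAMPLE_INPUT))
    print("escaped:   ", render_escaped(SAMPLE_INPUT))
    print("link:      ", render_link(SAMPLE_INPUT))
    print("headers:   ", security_headers())
```

Escaping is not one function applied everywhere: the same input needs HTML entity encoding when it lands in element text or an attribute, and percent-encoding when it lands in a URL, which is why templating engines that escape by default are safer than hand-built strings. Keeping the platform patched matters just as much; the case study's vulnerability was known and unpatched for six months.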
In total, 138 customers were affected with compromised banking details, which were used in secondary fraud. The investigation identified the route of compromise and also a number of IP addresses, with the suspects using multiple VPN companies to remotely access the victim’s network.
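A detection that would have surfaced the brute force against the dormant admin account in this case study, and that follows the "monitor user activity" advice in the insider threat section above, as an added Python example written for this page (not code from SWROCU or the investigation). The log line format, the thresholds, the account names and the IP addresses are all constructed for illustration.

```python
"""Spot a burst of failed logins against a dormant account in authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)   # no successful login for this long -> dormant
FAILURE_THRESHOLD = 5                # failures within WINDOW that raise an alert
WINDOW = timedelta(minutes=10)

# Constructed log in a hypothetical format:
#   <ISO 8601 time> user=<name> result=<success|failure> ip=<address>
# 'alice' behaves normally; 'oldadmin' last logged in years ago, then receives
# a burst of failures followed by a success from a previously unseen address.
SAMPLE_LOG = """\
2016-03-04T08:15:00Z user=oldadmin result=success ip=10.0.0.9
2018-06-12T09:01:10Z user=alice result=success ip=10.0.0.5
2018-06-12T09:02:00Z user=alice result=failure ip=10.0.0.5
2018-06-12T09:02:07Z user=alice result=success ip=10.0.0.5
2018-06-12T23:40:01Z user=oldadmin result=failure ip=203.0.113.7
2018-06-12T23:40:02Z user=oldadmin result=failure ip=203.0.113.7
2018-06-12T23:40:03Z user=oldadmin result=failure ip=203.0.113.7
2018-06-12T23:40:04Z user=oldadmin result=failure ip=203.0.113.7
2018-06-12T23:40:05Z user=oldadmin result=failure ip=203.0.113.7
2018-06-12T23:40:06Z user=oldadmin result=failure ip=203.0.113.7
2018-06-12T23:40:09Z user=oldadmin result=success ip=203.0.113.7
"""


def parse_line(line):
    """Turn one log line into a dict with a parsed 'time' plus the key=value fields."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["time"] = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return record


def detect(log_text):
    """Return one alert per (user, ip) whose failures in WINDOW reach the threshold.

    Each alert records whether the account was dormant beforehand and whether a
    success from the same address followed within the window (the worst case).
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["time"])
    last_success = {}                      # user -> most recent successful login
    recent_failures = defaultdict(list)    # (user, ip) -> failure times in window
    alerts, alerted = [], set()
    for event in events:
        key = (event["user"], event["ip"])
        if event["result"] == "failure":
            window_failures = [t for t in recent_failures[key] + [event["time"]]
                               if event["time"] - t <= WINDOW]
            recent_failures[key] = window_failures
            if len(window_failures) >= FAILURE_THRESHOLD and key not in alerted:
                previous = last_success.get(event["user"])
                alerts.append({
                    "user": event["user"], "ip": event["ip"], "time": event["time"],
                    "failures": len(window_failures),
                    "dormant_account": previous is None
                                       or event["time"] - previous > DORMANT_AFTER,
                    "followed_by_success": False,
                })
                alerted.add(key)
        else:
            for alert in alerts:
                if (alert["user"], alert["ip"]) == key \
                        and event["time"] - alert["time"] <= WINDOW:
                    alert["followed_by_success"] = True
            last_success[event["user"]] = event["time"]
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The dormant-account flag is what turns a routine lockout alert into a priority one: a burst of failures against an account nobody has used for years, followed by a success, is exactly the sequence in the case study, and disabling unused accounts as part of leaver and review processes removes the target altogether.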
The investigation team was able to trace the malicious file back to a server in Eastern Europe; the suspect(s) had contacted the company using encrypted instant messaging and made payment through the cryptocurrency Bitcoin (BTC).
Through extensive open source enquiries and engagement with international law enforcement partners, we were able to identify details of the organised crime group behind the attacks and provided this intelligence to overseas law enforcement for them to develop further and take proactive action against the suspect(s) identified. This investigation highlights the effective intelligence sharing between international agencies to tackle cyber crime on a global scale.
Implementation and Preparation
ITIL (formerly an acronym for Information Technology Infrastructure Library) is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. This process is adopted here at Blueloop for our customers.
Recent publicity regarding poorly implemented system upgrades in the banking industry clearly demonstrates that upgrades and system improvements need to be well planned and tested in a live 'pilot' before implementation. Using ITIL's industry standard for both IT project delivery and IT support provides suitable controls and measures for organisations in a professional and efficient manner.
Why risk business disruption when there are industry tools for IT service to protect your business?
SUPPLY CHAIN ATTACK
A type of attack where security flaws or vulnerabilities are introduced into equipment, hardware, software, or services before they are supplied to, or used by, a target.
Supply chain attacks can be used for a number of purposes, including breaching confidential data, stealing login credentials for further attacks, or even supplying defective equipment to prevent a service from being usable (a denial of service).
One example saw attackers compromise legitimate websites through website builders used by creative and digital agencies. The criminals utilised a redirect script to send people to a malicious domain they owned, where malware was downloaded and installed by users who were browsing legitimate websites.
Ongoing servicing, support, or updates may provide criminals with an opportunity to interfere with a supply chain.
Your Data Matters
GDPR How was it for you? Did the sky fall in?
After the email bombardment and mixed messages that we have all experienced about GDPR, it's time to take a step back and reflect on a very sensible campaign that the Information Commissioner's Office (ICO) has launched, called "Your Data Matters".
Their brief is a very straightforward one: "increase public trust and confidence in the way personal data is handled".
This comes at a time when our confidence in how this data is handled is at a low ebb, with a recent Direct Marketing Association (DMA) study showing that 86% of consumers would like more control of how their data is held and processed.
The ICO campaign has cross-industry support from companies such as PwC, Sainsbury’s, and the BBC.
Find out about your personal data rights and how to find advice concerning its use by third-parties by visiting https://ico.org.uk/your-data-matters/
Five minutes well spent.
Organisations consider data management and security to be a simple nightly backup but Veeam believe there are 5 steps to data security nirvana and traditional backup is just the first.
- Backup: back up all workloads and ensure recoverability after data loss or attack
- Aggregation: manage data backup and recoverability across multiple environments with an aggregated view of SLA compliance
- Visibility: deliver monitoring, resource optimisation, capacity planning, and built-in intelligence to improve multiple-environment data management
- Orchestration: move data to the best location across multiple environments to ensure business continuity, compliance, security, and optimal use of resources with an orchestration engine that enables disaster recovery (DR) plans to be automatically and non-disruptively executed, tested, and documented
- Automation: Veeam's idea of nirvana, in which data becomes self-managing via data analysis, pattern recognition, and machine learning, and so is automatically backed up, migrated to ideal locations, secured during anomalous activity, and recovered instantaneously
We are not at the Automation stage yet but it's good to set our sights high.
Blueloop work with Veeam to provide resilient data and system management solutions.
Cyber Intelligence Report
SOUTH WEST POLICE
Regional Crime Unit
A form of phishing where a specific person is deliberately targeted with an email typically containing personal information, purporting to be from a reputable source.
Spear phishing emails have the same end goal in mind as regular phishing attacks - they are designed to make a potential victim interact with the email in some way, usually by clicking on a link or opening an attachment. However, they are generally much more difficult to recognise, as the authors include highly relevant information which adds legitimacy to the correspondence.
As an example, criminals often masquerade as vendors and email financial workers with attached invoices relating to recent orders that a company may have placed. Once the attachment is opened, malicious code is executed which can trigger various actions - such as stealing passwords, running cryptojacking software, or taking command of a computer to use in a future botnet for a DDoS attack.
For more information, visit https://www.swrocu.org.uk/cyber.aspx
A Question of GDPR
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the regulatory policies; the key points of the GDPR as well as information on the impacts it will have on business can be found below.