How to (better) Protect Email

Last week we alerted our insurance colleagues to multiple instances of spear-phishing as they relate to a new trend toward using OneDrive as a means of spreading phishing attacks. Today I’d like to take a few minutes to provide you with some easy ways to help protect you and your company against phishing attacks.

The goal of these types of phishing attacks is two-fold: either they want your email username and password, or they want to give you malware. In the past six months, Cyber Defense Institute has seen both, with devastating consequences.

For those in the insurance industry, we’ve been told by the DFS superintendent that: “the majority of successful breaches… have involved phishing attacks, social engineering threats, and issues relating to password composition and security and email security.” The superintendent goes on to say:

More specifically, a significant number of the events reported to DFS involved breaches that stemmed from employees providing credentials in response to attractive emails that trick a user to provide confidential information. In these cases, the intruder sends a legitimate-seeming e-mail to a company's employee or employees. These attacks are carefully planned to appear from a source that the employee will trust, perhaps even appear to be an email from a customer or client of that employee and a subject that will pique their interest. The employee is prompted to enter his or her e-mail credentials, and the intruder gains access to the company's e-mails on the system, which can contain consumers' personal identifying information.

If you’re interested in seeing what the whole attack looked like, look at this article I previously posted.

So, we know the threat is real, but what can we do about it? Here is a list of specific, actionable things you can do to protect yourself:

Security Awareness Training

One of the best things we can do is train our employees on what to look for in a phishing email. In our opinion, this training should be ongoing and multi-faceted. We sell KnowBe4 security awareness training because we can provide our users with frequent phishing tests, weekly security newsletters, training content, and much more.

What to do

Ensure you provide frequent Security Awareness Training. We recommend bi-weekly phishing tests, quarterly or even monthly training videos, and weekly newsletters. We also recommend conversations in meetings, and a teamwork approach to questionable email.

If you don’t have a robust program, contact us and we can get you a quote for KnowBe4, or click here for more information on KnowBe4, including a free trial.

Two-Factor Authentication

After security awareness training, two-factor authentication is incredibly reliable at protecting your email. If you have Office 365, two-factor authentication is FREE and it is not as burdensome as you may think. You are not required to enter a code from your phone every time you open your email. That’s a misconception.

In reality, you enter the code ONCE for Outlook, and you enter the code ONCE if you use the Outlook app for your phone. If you log into Outlook Web Access or any of the other Microsoft 365 products, you can configure Microsoft to remember your login for any number of days.

What to do

For Office 365, here is the documentation: https://support.office.com/en-gb/article/set-up-2-step-verification-for-office-365-ace1d096-61e5-449b-a875-58eb3d74de14

For G-Suite: https://support.google.com/a/answer/9176657?hl=en

For hosted Exchange you will need to add an OAuth provider such as Duo, and that’s way outside the scope of this post.

Don’t Store Sensitive Data

You can’t fully control what comes into your inbox, but you can control what you do with that data. Having sensitive data in your email can pose a serious threat. If your email is compromised and it contains sensitive information, the data usually has to be considered breached, and therefore reportable. If you don’t have sensitive emails, you don’t have a breach (however, in the DFS world you still have to report a compromised email account).

What to do

  1. Don’t SEND sensitive information through email such as credit card numbers, health information, SSNs, etc.

  2. If you RECEIVE sensitive email:

    1. Delete the email

    2. Contact the sender and ask them to not send sensitive data. Ask them to encrypt it, fax it, or use a “proper channel”.

  3. Implement Data Loss Prevention (DLP) technologies. I admit this isn’t always easy for small companies, but some anti-virus and email protection products include this feature. Ideally, your spam filter should be able to look for, and block, sensitive data such as credit card numbers, SSNs, health information, or even account numbers.
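The kind of check a DLP-capable mail filter performs on item 3 above, as an added example (not code from the post or from any product it names): card numbers are only flagged when they pass the Luhn checksum, so order numbers and phone numbers are left alone, and US SSNs in dashed form are caught. The sample message is constructed for illustration.

```python
import re

# 13-19 digits with optional space/dash separators, and a dashed US SSN with the
# invalid area/group/serial ranges (000, 666, 9xx / 00 / 0000) excluded
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right; sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_sensitive_data(text: str) -> list:
    """Return (kind, masked_value) pairs for each card number or SSN found in the text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("credit_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    return findings

def should_block(text: str) -> bool:
    """Policy decision the filter applies to an outbound message: block if anything sensitive is present."""
    return bool(find_sensitive_data(text))

# Constructed sample: a Luhn-valid test card number, an SSN, and an order
# reference that is not Luhn-valid and must not be flagged.
SAMPLE_MESSAGE = (
    "Hi, here is the card for the policy renewal: 4111 1111 1111 1111, "
    "and the applicant's SSN is 219-09-9999. Order ref 1234567890123456."
)
```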

Advanced Threat Protection

Default spam filters that come with Office 365 and Gmail provide some coverage, but not enough. Exchange offers no protection. With Advanced Threat Protection (ATP), your spam filter does additional checks on your incoming email, such as “clicking” on the links and opening any attachments to see if they’re safe. I admit, ATP isn’t able to catch the OneDrive attack that opened this post, but it’s still important.

What to do

For Office 365, add “Advanced Threat Protection” to your account. It’s $1 per user, per year (https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-atp).

For G-Suite, enable the “enhanced” protections (https://support.google.com/a/answer/7577854?hl=en).

Alternatively, purchase a spam filtering system such as Barracuda, Sophos, or Proofpoint.

Anti-Malware

Make sure you have good anti-virus protection. And by good, I mean one that you purchased. Ideally, it should be centrally managed (cloud is better), and have Advanced Threat Protection and web protection. In the case of the attacks from last week, my anti-virus and firewall’s web protection blocked one of the two attacks. 50% is pretty poor, but it’s a start.

What to do

  • Purchase Anti-Malware that includes web protection

  • Purchase so called “Next Generation Anti-Malware.” Other terms include “Deep learning”, “Endpoint Detection and Response”, etc.

  • Add Advanced Threat Protection to your firewall that looks for bad URLs

Examples of Next Generation products include Sophos Central with Intercept X, Carbon Black, Cylance, or TrendMicro XGen.

Anti-Spoofing

Some of these attacks take advantage of misconfigured (or unconfigured) DNS records that are meant to prevent spoofing. By properly configuring anti-spoofing on your email domain, spammers can’t send emails that look like they came from your domain. This has two benefits: you can’t receive emails that spoof your domain, and the rest of the world can’t either.

What to do

Configure SPF, DKIM, and DMARC DNS records for your email. Explaining these is far outside the scope of this post, but pass it along to your system administrator. If you’re really interested, here is a post that explains it all: https://www.bettercloud.com/monitor/spf-dkim-dmarc-email-security/
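A way for your administrator to check whether the SPF and DMARC records are actually doing their job, as an added example (not from the post or the linked article): it parses the TXT record strings and flags the settings that still leave the domain spoofable, such as a softfail `~all`, a monitoring-only `p=none`, or a partial `pct=`. It goes slightly beyond the post by also counting SPF DNS lookups against the RFC 7208 limit. The two sample records are constructed for a fictional domain; a live check would read them from DNS.

```python
import re
# DNS-querying mechanisms and the redirect modifier count toward RFC 7208's 10-lookup limit
LOOKUP_RE = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?::|/|$)|^redirect=", re.I)
WEAK_ALL = {"+": "'+all' lets any host on the internet send as this domain",
            "?": "'?all' is neutral: spoofed mail is not failed",
            "~": "'~all' is a softfail: spoofed mail is marked but usually still delivered"}

def evaluate_spf(record: str) -> list:
    """Return findings for an SPF TXT record; an empty list means it is strict."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: receivers cannot tell which hosts may send for this domain"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are neither passed nor failed")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier in WEAK_ALL:
            findings.append(WEAK_ALL[qualifier])
    lookups = sum(1 for t in terms[1:] if LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10: SPF evaluates to permerror")
    return findings

def evaluate_dmarc(record: str) -> list:
    """Return findings for a DMARC TXT record; an empty list means enforcing with reporting."""
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["no DMARC record: SPF/DKIM results are not enforced and no reports are sent"]
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    findings = []
    policy = tags.get("p", "").strip().lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag: receivers apply no policy")
    pct = tags.get("pct", "100").strip()
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see who is spoofing the domain")
    return findings

# Constructed sample records for a fictional domain; a live check would read them from DNS
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
```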

Office 365 Secure Score and Login Branding

If you have Office 365, Microsoft offers “Secure Score,” which is a set of scored configuration options that better protect your email and Office 365 environment. By making the suggested changes, you increase your score and therefore increase your security.

Also, Microsoft allows you to “brand” your Office 365 login page with your company logo and custom background. This is extremely helpful because phishing emails target you by making the login screen look like Microsoft’s login page to get you to enter your password. However, if you’ve branded your login screen, users will know to look for your background picture and logo. Here’s an example of how Cyber Defense Institute brands our logon page, as well as what it looks like unbranded:

[Image: branded Office 365 login page]

[Image: unbranded Office 365 login page]

What to do

For Microsoft Secure Score, go to https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide

For branding instructions, go to https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding

Audit

If an account is compromised, auditing of the account is going to be extremely important to determine if a breach occurred, and what data was accessed. Without auditing, it must be assumed that all sensitive data in a compromised email account has been breached, and therefore reportable. With auditing, it’s possible to contain a compromised account to just that, and not a breach (although it’s reportable if you’re DFS regulated).

What to do

For Office 365, https://docs.microsoft.com/en-us/office365/securitycompliance/enable-mailbox-auditing

For G-Suite, it’s already on.

For Exchange, https://docs.microsoft.com/en-us/exchange/policy-and-compliance/mailbox-audit-logging/mailbox-audit-logging?view=exchserver-2019

OneDrive Insurance Phishing Scam

This Friday (4/26/19) we investigated a phishing campaign for one of our insurance clients and we learned quickly that it spanned at least two other CNY-area insurance companies. For that reason Jim and I thought it was appropriate to blast out an ad-hoc "alert" to all of our insurance contacts.

Details

Here's what we know so far:

  • It appears that the email accounts of some of our local insurance colleagues have been compromised

  • The bad actors are then spamming everyone in the user's address book (mostly insurance colleagues)

  • The email is a file share request from Microsoft's OneDrive

  • The incredible thing is that in at least one case the file being shared is named "3rd Party Service Provider"

  • The text of the email is short and sweet, something like "please open the document"

  • The sender has "BCC'd" you; in other words, the "From" and "To" are both the same

In this case, "Think, Don't Click"

Here is a sample:

[Image: sample OneDrive phishing email]

What if I clicked?

  • If you clicked on the OneDrive link, you're probably OK. Clicking on the OneDrive link takes you to a PDF in OneDrive that is the phish.

  • However, if you clicked on the link inside that PDF, you might be in trouble!

If you clicked on the link in OneDrive:

  1. Change your email password immediately

  2. If it's been more than, say, 30 minutes, you might've been compromised and will need to have your account checked for signs of intrusion.

  3. Either call us immediately, call your IT support staff, or check the following:

    1. Check your Sent Items for emails you didn't send

    2. Check your Deleted Items for emails you didn't send

    3. In Outlook, click "Recover" at the top of your Deleted Items and check to see if there are emails you didn't send

      1. If there are no emails in your "Recover Deleted Items" folder, you've probably got a problem

    4. In Outlook, click "File" then "Manage Rules & Alerts" and check for rules you didn't create

    5. In Outlook, click "File", then click the link next to Account Settings that says "Access this account on the web"

      1. Once there, make sure the "The new Outlook" slider in the upper-right corner is on

      2. Then click the settings "gear"

      3. Click "View all Outlook Settings" at the bottom

      4. Click "Forwarding"

      5. Ensure your email isn't being forwarded
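The rule and forwarding checks in steps 4 and 5 above are what an administrator would also look for in the mailbox audit log that the Audit section recommends turning on. As an added example (not from the post), the script below triages exported audit records for exactly those two signs: an inbox rule that forwards, redirects or deletes mail, and mailbox-level forwarding. It assumes the record shape Exchange Online audit data takes (an Operation name plus a Parameters list of Name/Value pairs); the three records are constructed, not real.

```python
# Assumed record shape: Operation, UserId, ClientIP, CreationTime and a Parameters
# list of {"Name": ..., "Value": ...} entries, as in exported Exchange Online audit data.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
FORWARD_OPS = {"Set-Mailbox"}
# Rule parameters an intruder uses to siphon mail or hide their own activity
RISKY_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}
FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress"}

def params(record: dict) -> dict:
    """Flatten the Parameters list into a {Name: Value} dict."""
    return {p.get("Name"): p.get("Value") for p in record.get("Parameters", [])}

def triage(records: list) -> list:
    """Return one finding per record that creates a risky inbox rule or enables forwarding."""
    findings = []
    for rec in records:
        op = rec.get("Operation", "")
        p = params(rec)
        reason = None
        if op in RULE_OPS and p.keys() & RISKY_RULE_PARAMS:
            reason = "inbox rule that forwards, redirects or deletes mail"
        elif op in FORWARD_OPS and any(p.get(k) for k in FORWARD_PARAMS):
            reason = "mailbox-level forwarding enabled"
        if reason:
            findings.append({
                "time": rec.get("CreationTime"), "user": rec.get("UserId"),
                "ip": rec.get("ClientIP"), "operation": op, "reason": reason,
                "details": {k: v for k, v in p.items()
                            if k in RISKY_RULE_PARAMS | FORWARD_PARAMS | {"Name"}},
            })
    return findings

# Constructed sample: two records from a hijacked account (a rule that silently deletes
# mail about the phish, then forwarding to an outside address) and one benign rule.
SAMPLE_AUDIT = [
    {"CreationTime": "2019-04-26T14:02:11", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "onedrive;password;hacked"},
         {"Name": "DeleteMessage", "Value": "True"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2019-04-26T14:03:40", "Operation": "Set-Mailbox",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "Parameters": [
         {"Name": "Identity", "Value": "alice"},
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@attacker.example"},
         {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2019-04-25T09:15:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7", "Parameters": [
         {"Name": "Name", "Value": "Newsletters"}, {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
```

A rule that only moves mail to a folder is left out of the risky set on purpose, since that is how most legitimate rules look; tune the sets to your own environment.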

Stay safe and have a good weekend. If you have questions please contact us; we're here to help!

Check your Antivirus

We’ve been involved with multiple organizations in the past three weeks that have responded to a serious security incident that was exacerbated by a lack of up-to-date antivirus. Each case took a very different turn:

  • one required significant effort by the company, their IT vendor and a forensic analysis by CDI;

  • the second is looking at probably $100,000 in lost business and professional remediation services;

  • a third instance caused a hospital about 80 hours of IT work, and countless hours of lost productivity;

  • and the fourth business is trying to figure out how to pay $30,000 in Bitcoin, and how to stay in business.

The Common Threads


In each of these three cases, the company had premium, traditional antivirus, all from reputable vendors. However, in each case, at least one system, and in some cases many, were not properly protected. During the investigation of these companies, some systems had no antivirus, and some had out of date antivirus. In one case, the licensing had expired and the company was not receiving updates.

In all four cases, antivirus did not protect the systems and did not detect the issue. In two of the cases, Security Incident and Event Monitoring (SIEM) solutions detected and alerted on the problem AS IT HAPPENED. In the other two cases, hours or even days went by before someone noticed the issue.

In almost every case, an email phishing attack was the culprit. This reinforces the cliché that you’re only as strong as your weakest link.

What you should do

Here’s a checklist you should perform right now, before it’s too late:

  • Verify that your antivirus is licensed and up to date

  • Check every computer, including especially your servers, to make sure that antivirus is enabled for real-time protection and is up to date

  • If you have more than 10 PCs or servers, you should have a centrally managed antivirus solution that lets you see whether everything is up to date and protected (Symantec, TrendMicro and Sophos Central are good options).

  • Always PAY for antivirus. Free antivirus isn’t good enough. Trust us, your business depends on it.

  • Run Windows Updates

  • Again, if you have more than 10 machines, you should be using Windows Server Update Services (WSUS) or a similar product to centrally manage Windows updates (it’s free with Windows, folks!)

  • Remind every employee of the importance of using caution with emails and potentially dangerous websites. Limit casual web browsing.

  • Check your backups! Test that you can restore data.

Over the next few weeks you should:

  • Look into “Next Generation Anti-Malware” products. These provide additional coverage beyond what the “traditional” antivirus companies provide

    • Malwarebytes, Sophos Intercept X, Carbon Black, etc. all fall into this category

  • Perform phishing exercises and security awareness training

    • Call Cyber Defense if you are interested in such a product/service

  • Review, update, and tabletop your incident response plan

  • Get a copy of your backups off site. Preferably 30 miles away or more.

  • Call Cyber Defense with any questions. We’re here to help prepare you for a big incident, but can get you started if something bad does happen.