Reports are telling us that more than half of British firms have already been the victim of a cyber-attack this year, and that average losses are up 61% compared to 2018.
The two most popular methods of cyber-attack these days are email fraud and ransomware. Email fraud comes in three varieties. The first is a stolen or cracked password, where someone impersonates the genuine user to extract money. The second is ‘whalephishing’, where the criminal uses social engineering to impersonate a company principal and directs someone in the finance department to ‘make a payment quick or we lose this deal’.
Given that one can determine the MD, FD or others in the finance department from LinkedIn, it is not that difficult to get an email to the right person. Add Facebook to the mix and the criminal can see when the MD or FD is on holiday and target a junior person in the accounts department with the ‘make a fast payment’ email.
The third type of email fraud is a simple confidence trick: an invoice payment request sent to a large list, in effect spam with an invoice attached. This has been effective and costs the criminals very little; it is simply a numbers game for them.
What can we do technically to prevent this?
At the very least, a SPAM filter will ensure that your mail system does not accept emails from known blacklisted addresses or senders. However, a SPAM filter alone will not stop phishing emails, as there is no actual malicious payload (e.g. a virus or malware) in the message, nor any SPAM dictionary wording to distinguish it from a genuine invoice.
There are email technologies not yet widely in use, such as SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), which together build towards DMARC (Domain-based Message Authentication, Reporting & Conformance). These help with your email delivery, and help the receiving side decide whether a message claiming to come from your domain is genuine.
At a minimum, train staff to inspect the reply-to address for validity. There are also several services offering a phishing test for your users, where a reputable provider will attempt to phish your users for you.
In short, a fraudulent email requesting money or information will most likely pass through a SPAM filter and be delivered to an inbox somewhere, because there is not enough difference between it and a genuine payment request for any SPAM filter to decide to block it. So please do check the reply-to address. Technologies such as SPF, DKIM and DMARC will help, but checking the reply-to address and making a follow-up phone call to confirm is the low-tech way to stay safe.
Also worth looking at are message classifier products. These mark whether an email arrived from an internal or external source with colour coding, making the phishing much harder to pull off.
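The two checks above (is the sender external, and does the reply-to address match the apparent sender) are simple enough to automate at the mail gateway or in a mail client add-in. The script below is an added example, not code from the original article or from any product it mentions; the internal domain, the list of principals' names and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values for this example: your own mail domain(s) and the
# people most often impersonated in "make a payment quick" emails.
INTERNAL_DOMAINS = {"example.co.uk"}
PRINCIPALS = {"jane smith"}  # hypothetical MD/FD display names

def domain_of(header_value):
    """Return the lower-cased domain of the first address in a header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def classify(raw_message):
    """Return a list of findings for one RFC 5322 message (empty = nothing odd)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_header = msg["From"] or ""
    display_name, _ = parseaddr(from_header)
    from_dom = domain_of(from_header)
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    findings = []
    # Tag external senders the way a message-classifier product colour-codes them.
    if from_dom not in INTERNAL_DOMAINS:
        findings.append("EXTERNAL sender: " + from_dom)
    # The low-tech check: will a reply go somewhere other than the apparent sender?
    if reply_dom != from_dom:
        findings.append(f"REPLY-TO mismatch: replies go to {reply_dom}, not {from_dom}")
    # A principal's name on an external address is the whalephishing pattern.
    bare_name = display_name.split("(")[0].strip().lower()
    if bare_name in PRINCIPALS and from_dom not in INTERNAL_DOMAINS:
        findings.append(f"display name '{display_name}' on external domain")
    return findings

# Constructed sample: looks like the MD, but replies go to a third domain.
SUSPECT = """From: "Jane Smith (MD)" <jane.smith@example-co.com>
Reply-To: payments@mail-relay.example.net
To: junior@example.co.uk
Subject: Quick payment needed today

Please pay the attached invoice before 4pm or we lose this deal.
"""

# Constructed sample: ordinary internal mail with no Reply-To header at all.
GENUINE = """From: Bob Jones <bob.jones@example.co.uk>
To: junior@example.co.uk
Subject: Lunch

Sandwiches at 1?
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("genuine", GENUINE)):
        print(label, classify(raw) or ["no findings"])
```

The findings are only prompts for the reader; the follow-up phone call to the person who supposedly sent the message is still the final check.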
Ransomware is still around and encrypting company data with abandon. This has proven to be a business killer in some cases.
What can we do to actually prevent this?
Ransomware is ultimately a malicious program that runs on a machine in your network and encrypts all the data it can access. The best way to prevent this is to allow only a list of programs you have authorised to run in your network. Windows has a feature called Group Policy (in domain setups) that can enforce an allowed list of applications, which in theory would prevent the problem. In practice this is more cumbersome than it sounds, as adding to or removing from the list has variable levels of success: we find that changing the Windows Group Policy works only in part, and someone usually has to have their profile re-created to use the desired application. It is also a simple list of application names, so ransomware developers can rename their program to Winword.exe or Outlook.exe and Group Policy will allow it to run.
Something more advanced, like the Threatlocker application, checks the digital certificate, the program size, the location it attempts to run from, and the hash value (used to check file authenticity) before allowing the program to run. You also get a web portal for viewing, reporting on and controlling what is running in your network.
Also included in the Threatlocker Suite is a Storage Control Suite that gives transparency on who is accessing what data in your network: you can see whether Bill in the warehouse is spending his day in the Accounts folder, or whether Steve in Sales is copying the customer database to a USB drive before taking a job with your biggest competitor. You can control who can access what, and prevent them from copying your data to a USB drive.
At a bare minimum, ensure that you have an offsite backup (offline, so the ransomware cannot reach it) taken each night, to give you a way back from ransomware.