Introduction: I mentioned in a previous discussion and blog that Knowing Your Cyber System is imperative to protecting your business. This discussion is intended to introduce the concepts of immediate threats experienced by most, if not all, business structures in their cyber environment. There will certainly be additional cyber threat considerations as the business grows and prospers, but these concepts should get you thinking about how to make the business a hard target against attacks.
Main Talking Points:
1. Business Email Compromise (BEC), Email Account Compromise (EAC) scams, and Ransomware attacks continue to cause tens of millions of dollars in losses.
2. Primary attack vectors are BEC, EAC, Ransomware, theft of PII, and Theft of Data from inside and outside actors.
3. The weakest links in cyber defense are e-mails, attachments, and apps.
4. Small Businesses are frequently attacked.
5. Attacks can be motivated towards financial gain, obtaining competitive advantage, or from hostile governments intent on stealing secrets.
6. Potential for corrupt insiders cannot be overlooked.
7. Cyber fraud and cyber crime attacks are often treated as technological problems, but they are also personnel problems.
8. Best mitigation steps recommended by the FBI and U.S. Department of Homeland Security are discussed.
I queried several different sources to gain an understanding of the main cyber-related threats to business enterprises, including the FBI, U.S. Department of Homeland Security, National Institute of Standards and Technology (NIST), Kaspersky Labs, CSO Online, and the American Institute of Certified Public Accountants (AICPA). Most tend to agree that the top threats are:
BEC and EAC Schemes
Data Theft (Inside and Outside Threats)
Business E-mail Compromise and E-Mail Account Compromise Schemes:
There are many definitions of Business E-mail Compromise (BEC) schemes, so let’s start with the definition used by the FBI: Business E-mail Compromise is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.
E-mail Account Compromise (EAC), according to the FBI, is a sophisticated scheme that targets the general public and professionals associated with, but not limited to, financial and lending institutions, real estate companies, and law firms. The EAC scam is very similar to the BEC scam, except that it targets individuals rather than businesses.
Criminals can obtain the information necessary to execute BEC and EAC attacks through social engineering and computer intrusion techniques. Social engineering is the psychological manipulation of people to perform actions or divulge confidential information. The goal of the criminal actors is to gain access to the internal communication systems of the victim business in order to surveil its payment practices. The scams are usually committed by the perpetrator using a hacked or “spoofed” e-mail address. A spoofed e-mail is created by the hacker to mimic a legitimate vendor e-mail and convince the victim to send money to an account held by the criminal. The financial institutions conducting the wire transfers are moving actual funds and therefore are not exposed to losses; the losses are sustained by the victim company.
Ransomware is a form of Malware that targets both human and technical weaknesses in organizations to deny the availability of critical data and/or systems. When the victim organization determines it is no longer able to access its data, the criminals demand payment of a ransom in exchange for regaining access to the systems. Ransomware attacks are decreasing in number but increasing in variants. Ransomware is also known to infect smartphones.
The top targets of Ransomware are academic organizations, government agencies, healthcare organizations and hospitals, and any organization with sensitive client data such as law firms.
Victims are targeted through e-mails, attachments, or links containing malicious code. Opening corrupted attachments or links results in the encryption of files, restricting access to those files or to entire systems until an extortion payment is received. In addition to siphoning data from the victim, criminals hold the data hostage until payment, often demanded in Bitcoin or other cryptocurrencies.
Executive management will have to decide to pay or not pay the ransom based on the facts of the situation, but, in general, payment of the ransom is not recommended. Paying a ransom does not guarantee the victim will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. Paying a ransom emboldens the adversary to target other organizations for profit, and provides for a lucrative environment for other criminals to become involved.
Referring to the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) illustrates that money is not the only target of cyber thieves. Criminal actors sell stolen PII on underground markets, i.e., the Dark Web. PII is any information about an individual, including any information that is used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name or biometric records, and medical, educational, financial and employment information. Theft of PII often leads to other crimes such as tax-refund fraud, credit card fraud, loan fraud, synthetic identity theft, and others.
According to the American Institute of Certified Public Accountants (AICPA), sensitive data is an attractive target for cyber thieves. The crimes occur when a cyber criminal gains access to the internal cyber system of the victim to steal the sensitive data. Sometimes, these crimes target governments or other large organizations with more resources using a combination of malicious methods to first gain access to an organization’s networks, referred to as an Advanced Persistent Threat (APT). Then, the actor proceeds to monitor activity and siphon data in an undetected manner over an extended period of time.
Smaller businesses are also targeted for the theft of sensitive data. The theft schemes targeted at businesses can be conducted by actors outside the company, but also by insiders. Corrupt employees, including contractors and vendors, have access to the most valuable secrets of an organization. Those bent on stealing intellectual property will exploit weaknesses in the internal controls to copy, download, and remove the valuable information. They can sell the information to competitors, steal it to start their own companies, or steal it to take jobs with competitors. Some are complicit with hostile foreign intelligence services intent on stealing the secrets for use by their respective governments. Businesses should also consider the potential for corrupt insiders to plant malware or viruses to destroy the cyber environment. Some insiders will implant hidden “back doors” in the systems for later access by themselves or complicit actors.
The FBI advises that insiders are interested in the following areas: information and communication technology; business information pertaining to scarce natural resources, which gives global actors an edge in negotiations with the U.S. Government; military technologies; and civilian and dual-use technologies in clean energy, health care/pharmaceuticals, and agricultural technology. Motives could include greed or financial need, unhappiness at work, allegiance to another country, vulnerability to blackmail, the promise of a better job, and/or drug use or dependence.
The FBI also advises that certain behaviors of these actors are often missed even though they could have been picked up ahead of time. Those behaviors and warning signs include:
(1) They work odd hours without authorization.
(2) Without need or authorization, they take proprietary or other information home in hard copy form and/or on thumb drives, computer disks, or e-mail.
(3) They unnecessarily copy material especially if it’s proprietary or classified.
(4) They disregard company policies about installing personal software or hardware, accessing restricted websites, conducting unauthorized searches, or downloading confidential material.
(5) They take short trips to foreign countries for unexplained reasons.
(6) They engage in suspicious personal contacts with competitors, business partners, or other unauthorized individuals.
(7) They buy things they cannot afford.
(8) They are overwhelmed by life crises or career disappointments.
(9) They are concerned about being investigated, leaving traps to detect searches of their home or office or looking for listening devices or cameras.
FBI Recommended Cyber Crime Preventative Measures:
(1) Employee Training – because end users are often targeted, employees should be made aware of the threats, how attacks are delivered, and trained on best practices for good cyber hygiene.
(2) Patch operating systems, software, and firmware on all devices. All endpoints should be patched as vulnerabilities are discovered, which is made easier through a centralized patching system.
(3) Ensure anti-virus and anti-malware solutions are set to automatically update.
(4) Manage the use of privileged accounts. Implement the principle of least privilege: no users should be assigned administrative access unless absolutely needed; those with a need for administrator accounts should only use them when necessary and should operate with standard user accounts at all other times.
(5) Similar to administrative accounts, file, directory, and network share permissions should also implement least privilege. If a user only needs to read specific files, they should not have write access to those files, directories or shares. Configure access controls with least privilege in mind.
(6) Disable macro scripts from office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full office suite applications.
(7) Implement Software Restriction Policies or other controls to prevent programs from executing from common locations, such as temporary folders used by popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folders.
(8) Back up data regularly, and regularly verify the integrity of those backups.
(9) Secure your backups. Ensure backups are not connected to the computers and networks they are backing up. Examples might be securing backups in the cloud or physically storing them offline.
The United States Department of Homeland Security provides the following seven strategies to defend control systems as suggestions to protect the cyber environment:
(1) Implement Application Whitelisting – Application Whitelisting (restricting systems from running software unless it has been cleared for safe execution) can detect and prevent attempted execution of Malware uploaded by adversaries.
(2) Ensure Proper Configuration/Patch Management – Adversaries attack unpatched systems. A configuration/patch management program centered on the safe importation and implementation of trusted patches will help keep control systems more secure. Use best practices when downloading software and patches destined for your control network. Take measures to avoid “watering hole” attacks (the attacker guesses which websites the group often uses and infects one or more of them with Malware). Use a web Domain Name System (DNS) reputation system. Get updates from authenticated vendor sites. Validate the authenticity of downloads. Insist that vendors digitally sign updates and/or publish hashes via an out-of-band communications path, and use these to authenticate. Don’t load updates from unverified sources.
(3) Reduce Your Attack Surface Area. Isolate ICS networks from any untrusted networks, especially the Internet. Lock down all unused ports. Turn off all unused services. Only allow real-time connectivity to external networks if there is a defined business requirement or control function. If one-way communication can accomplish a task, use optical separation (“data diode”). If bidirectional communication is necessary, then use a single open port over a restricted network path.
(4) Build a Defendable Environment. Limit damage from network perimeter breaches. Segment networks into logical enclaves and restrict host-to-host communication paths. This can stop adversaries from expanding their access while letting normal system communications continue to operate. The containment provided by enclaving also makes incident cleanup significantly less costly.
(5) Manage Authentication – Adversaries are increasingly focusing on gaining control of legitimate credentials, especially those associated with highly privileged accounts. Implement multi-factor authentication where possible and emphasize strong passwords. Require separate credentials for corporate and control network zones and store these in separate trust stores.
(6) Implement Secure Remote Access. Some adversaries are effective at gaining remote access into control systems, finding obscure access vectors, even “hidden back doors” intentionally created by system operators. Remove such access paths whenever possible, especially modems, as these are fundamentally insecure.
(7) Monitor and Respond. Consider monitoring programs in the following five key areas:
a. Watch IP traffic on ICS boundaries for abnormal or suspicious communications.
b. Monitor IP traffic within the control network for malicious connections or content.
c. Use host-based products to detect malicious software and attack attempts.
d. Use login analysis (time and place for example) to detect stolen credential usage or improper access, verifying all anomalies with quick phone calls.
e. Watch account/user administration actions to detect access control manipulation.
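As an added illustration of points (d) and (e) above (this is example code, not part of the original post or of any DHS guidance), the routine below runs a simple login analysis over constructed sample log lines: it learns each user's usual source locations from a baseline period, then flags later logins from a new location or outside business hours, and flags account-administration actions taken by a user whose login was already anomalous. The log format, user names, locations, and the 07:00–19:59 business-hours policy are all assumptions invented for this example.

```python
# Added example: login analysis over constructed sample log lines.
# Log format, users, locations and business hours are assumptions.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, event kind, then key=value fields.
SAMPLE_LOG = """\
2023-03-06T09:12:44 LOGIN user=alice src=US result=success
2023-03-06T10:03:10 LOGIN user=bob src=US result=success
2023-03-06T18:47:02 LOGIN user=alice src=US result=success
2023-03-07T02:15:30 LOGIN user=alice src=RO result=success
2023-03-07T02:16:05 ADMIN user=alice action=grant_admin target=svc_backup
2023-03-07T08:30:00 LOGIN user=bob src=US result=success
"""

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time (assumed policy)


def parse_line(line):
    """Split one log line into a dict: ts, kind, and the key=value fields."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    rec.update(f.split("=", 1) for f in fields)
    return rec


def analyze(log_text, baseline_days=1):
    """Return a list of (timestamp, user, reason) alerts.

    Locations seen per user during the first `baseline_days` calendar days
    form the baseline. After that, a login from an unseen location or outside
    business hours is an alert, and any ADMIN action by a user who already
    triggered an alert is reported as well (point e: access control changes).
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    start = records[0]["ts"].date()
    known = defaultdict(set)   # user -> set of baseline source locations
    flagged = set()            # users with at least one anomalous login
    alerts = []
    for r in records:
        if r["kind"] == "LOGIN":
            if (r["ts"].date() - start).days < baseline_days:
                known[r["user"]].add(r["src"])  # still learning normal behaviour
                continue
            if r["src"] not in known[r["user"]]:
                alerts.append((r["ts"], r["user"], f"new location {r['src']}"))
                flagged.add(r["user"])
            if r["ts"].hour not in BUSINESS_HOURS:
                alerts.append((r["ts"], r["user"], "login outside business hours"))
                flagged.add(r["user"])
        elif r["kind"] == "ADMIN" and r["user"] in flagged:
            alerts.append((r["ts"], r["user"], f"admin action {r['action']} after anomalous login"))
    return alerts
```

On the sample log, alice's 02:15 login from a new country produces two alerts and her subsequent privilege grant a third, while bob's in-hours login from his usual location produces none; each alert is the kind of anomaly the guidance says should be verified with a quick phone call.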
Have a response plan for when adversarial activity is detected. Such a plan may include disconnecting all Internet connections, running a properly scoped search for Malware, disabling affected user accounts, isolating suspect systems, and an immediate 100% password reset. The plan may also include incident response, investigation, and public affairs activities.
Have a restoration plan, including having “gold disks” ready to restore systems to known good states.
Conclusion: The common link in these vulnerabilities is often the lax behavior of people using e-mails and corrupted apps. The careless use of e-mail provides criminals the easiest avenue for penetrating the cyber environment. One of the most effective methods of surveilling the cyber systems is to compromise the internal mailboxes of executives and key employees. From this position, the actors can learn about job positions, levels of authority, speech habits, bank accounts, decision-making authorities, travel, vendors, customers, and e-mail attachments. Such knowledge allows the actor to successfully mimic the language of users to misdirect wire transfers, steal sensitive information, or plant Malware to inflict damage on the system.
No one can prevent all attempts at cyber fraud, which makes it important to recognize that all business structures, regardless of size, are targets of adversarial actors. Often, cyber-fraud and cyber-crime attacks are treated as technological problems, but they are also personnel problems. Reviews of past cases have shown victims that failed to have quality preventative measures in place, as well as cases where controls were in place but disregarded by careless employees. Effective defenses will necessarily have to be multi-layered, continuously upgraded, and rigorously tested to offer the best chance of preventing damage or discovering problems at an early stage.