It was reported earlier this month that Russian hackers accessed President Barack Obama’s email system inside the White House. When asked to comment on the attack, Deputy National Security Advisor, Ben Rhodes, said: “We do not believe that our classified systems were compromised.”
Regardless of whether or not an email system is classified, the fallout of a cyber-attack can be dire. After the recent barrage of data breaches in the U.S. – spanning the retail, entertainment and healthcare industries, and now the government – it’s time for organizations to take action on email security, specifically by making employees aware of existing threats. Here’s why:
The White House hack was triggered when a compromised email account in the State Department was used to send a spear-phishing email to an individual in the White House and the executive office of the President. The State Department was aware of the breach and forced its network offline to try to rid itself of the hackers.
Some are drawing the conclusion that human error was at fault – exploiting individuals in the White House allowed the hackers to pivot their network access into a more sensitive and secure network than the one they initially compromised. In complex long-con attacks like this, where threat actors are resident on a network for long periods of time, it becomes almost inevitable that someone will eventually (and unknowingly) help them reach their ultimate goal. Trust is built quickly by email, and it is likely the attackers exploited the trust of having a @state.gov email address to gain access to the White House and POTUS. This use of a trusted third party is getting more common, and is something I’ve written about previously.
What worries me about Rhodes’ statement is that he’s hinting about the security of the classified systems at the White House. No doubt checks have been made to ensure there are no obvious compromises. But just as humans were used to move from the State Department to the White House, the same could surely be true of a further attack inside the White House to gain access to the classified systems. It wouldn’t take too much effort on the part of hackers to move from the unclassified to classified systems. Exploiting the weaknesses in humans once is easy, with only a little trust to abuse, but given a lot more trust, elevating privilege internally becomes very simple.
Humor me for a moment. If I were an attacker, and had been successful, I would have made sure that Mr. Rhodes and his colleagues from the FBI and Secret Service would never detect my presence. So while Rhodes does not believe his classified systems have been compromised, I’m sure he is still hunting for intruders.
Given the complexity of this attack, against what could be one of the most protected governments in the world, it would be fair to say that there’s no amount of technology that can keep out skilful and determined hackers. Do we give up on the technology? Or perhaps revert to pen and paper or typewriters? Of course not.
Making humans aware enough to not react to the social engineering in a spear-phishing email in the first place should be a top priority of any CISO, CIO and IT manager. Deploying a new spear-phishing gateway is important but may not be enough. You need to make sure users – humans – understand the risk, the threat and how to detect the presence of an attack.
Once you achieve this understanding you’ll have deployed a key part of your security infrastructure - your own human firewall. And it’s humans who are your key protection against these new and emerging threats.
Cybercrime in South Africa has increased drastically, costing 0.14 percent of GDP or around R5.8 billion between 2013 and 2014, according to McAfee’s Global Cost of Cybercrime Report. Tackling this threat to our country needs a collaborative approach between the public and private sector armed with the right technology and public education.
In The South African Cyber Threat Barometer, Craig Rosewarne, MD of Wolfpack Information Risk explains: “Government cannot combat crime alone, and key partnerships across multi-industries in South Africa are vital to our country’s success going forward.”
According to Rosewarne, both Government and private institutions have a role to play in addressing cybercrime, the results of which can be used to initiate policies and guidelines to prevent similar attacks in the future. Such insights could help us upgrade our security systems for improved monitoring and analysis – an area currently needing some specialized ‘TLC’.
An interesting bellwether in this government-private landscape is the U.S. Earlier this year, Barack Obama announced his new, intensified stance regarding the management of cybersecurity, which outlines standards that companies operating infrastructure should follow in order to protect against cyberattacks. This executive order has sparked debate around the world – including in South Africa. The U.S. is now focusing on developing an order that will make it easier for private companies to share information about cyberattacks with the government, which will ensure a safe and accessible way to highlight a threat before it hits elsewhere.
In South Africa, the threat is beginning to be taken seriously by the government as well. However, even though the South African Police Service has introduced an electronic crime unit, it acknowledges that there is a lack of awareness and education about the risks associated with cybercrime in general, as well as the importance of reporting suspicious cybercrime activities.
The South African Cyber Threat Barometer points out a number of collaborative initiatives that need to be considered in the South African context. To start, government, with the support of a team of private sector collaborators, needs to implement relevant cybercrime and identity theft legislation to formalize the rules on what is actually punishable. The next step is to pool all the available resources, both public and private sector, and form a united front of cybercrime warriors with clear roles and methods for collaboratively fighting the problem.
Of course, every superhero unit needs financial backing, and though some efforts have been made in the past, government still needs to place cybercrime nearer the top of its priority list. Perhaps with some encouragement from the private sector, the government will pull out ‘the big guns’ and increase its focus on improving the policies and units we already have in place, as well as developing new bodies to address the issue.
While this happens, Mimecast will continue to play its part in protecting customers from the threats they face and educating the wider market about the risks and the steps we can all take to mitigate them, and by doing so, better protect ourselves, our wider economy and society.
Email wasn’t designed for sending sensitive or confidential information yet it remains the most common form of communication in business. Meanwhile, traditional approaches to encryption have been costly and complex.
Credit card details, personal identifiable information and financial data are regularly put at risk when shared over traditional email services.
The result has been that employees regularly disclose sensitive, personal or confidential information to the outside world – often by accident but sometimes even maliciously. The price is the loss of business reputation, valuable intellectual property and customer confidence. Not to mention the risk of potentially expensive legal action.
This is why today we’re announcing the launch of Mimecast Secure Messaging. This new service is designed to help employees confidently send and receive sensitive or confidential information via email.
Recipients access messages via a secure Web portal, fully customized and branded with the sender’s company name, colors and logo – helping ensure brand recognition and recipient confidence.
Here are just three scenarios where Secure Messaging would make a difference:
Secure Messaging is part of Mimecast’s wider cloud email security suite, working alongside gateway, DLP and content controls to help organizations meet compliance regulations, including PCI-DSS, HIPAA and GLBA.
Email security is an essential part of your overall security strategy. It protects users from new and emerging email threats and enforces security controls on information flows. Technologies including anti-virus and anti-spam cover the external threats, but you must also enforce controls on the email flow from within your organization.
In the wake of continued high-profile data breaches, email users now expect to see a higher level of protection to be confident that appropriate measures have been taken to safeguard their sensitive data.
Consider the emails that your organization sends to customers, suppliers and prospects. Will your recipients be satisfied by your security approach?
The U.S. healthcare industry is the latest victim in a series of massive cyber-attacks. Most recently, Premera Blue Cross, a not-for-profit insurance provider, underwent a cyber-hack that reportedly exposed the medical and financial information of 11 million members. Last month, Anthem, the nation’s second-largest health insurer, was the target of one of the biggest data breaches ever reported, with cyber-attackers gaining access to the medical records, social security numbers, income data and home addresses of as many as 80 million members.
This string of targeted data breaches proves that no industry is safe from the attention of cyber criminals. And now, more than ever, email security should be top-of-mind for all organizations.
The healthcare industry, in particular, has a unique set of challenges to consider when it comes to IT infrastructure – specifically, email security. Budget is a known hurdle, as most healthcare organizations have allocated the majority of their IT dollars to improving systems to manage electronic patient records and systems to meet Health Insurance Portability and Accountability Act (HIPAA) compliance.
The focus and spend on systems to support HIPAA compliance, coupled with little-to-no IT resources, means data security often isn’t prioritized. The economics of this decision are changing. The Target breach settlement of $10 million, in response to a class action suit, will likely open the doors for similar class action suits against other major organizations with large-scale breaches.
It is important to remember that healthcare information is one of the most personal and sensitive types of data – people care deeply about who can access this. There is a high expectation that healthcare data is protected, and this expectation is often held to a higher standard when compared to other industries.
Today’s sophisticated attacks combine social engineering and spear-phishing to penetrate organizations’ networks and steal critical data. Most of the major data breaches that have occurred over the past year have been initiated by this type of threat. The only defense against this level of attack is a layered approach to security. Email security solutions that might have been adequate several years ago often lack features to protect against these spear-phishing attacks.
By following these easy steps, email security no longer has to be costly or complex for the healthcare industry. Make sure you have:
- Broad Spectrum Email Security: Malware protection needs to go beyond email attachments and include the destination of any link embedded in an email. Effective spear-phishing protection needs to happen at the time of the user click to ensure that malicious sites are identified based on the browser platform being used.
- Transport-level Encryption: Emails should be encrypted during transmission between email servers to provide protection from interception.
- Secure Webmail: The most secure approach is some form of secure webmail delivery, in which the message is stopped at the gateway. The recipient of the email gets a delivery notification with a link that is used to access the original email. Secure webmail delivery solutions typically require a password to access the email, which adds another layer of security to message access, giving worried doctors peace of mind. Ideally, the solution will also track recipient access.
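
Whether the transport-level encryption item above actually held for a given message can be checked from its Received headers, where each server records the protocol it accepted the message with. The script below is an added example, not part of the original article or of any Mimecast product; the sample message, hostnames, queue IDs and addresses are constructed.

```python
import re
from email import message_from_string

# "with" keywords registered for TLS-protected transfer (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Constructed sample message; hosts, IDs and addresses are made up.
SAMPLE = """\
Received: from gw.hospital.example (gw.hospital.example [203.0.113.9])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by store.hospital.example (Postfix) with ESMTPS id 3C0FFEE
    for <dr.b@hospital.example>; Tue, 7 Apr 2015 10:00:03 +0000
Received: from out.clinic.example (out.clinic.example [198.51.100.7])
    by gw.hospital.example (Postfix) with ESMTP id 2BEEF
    for <dr.b@hospital.example>; Tue, 7 Apr 2015 10:00:02 +0000
Received: from [192.0.2.44] (pc44.clinic.example [192.0.2.44])
    by out.clinic.example (Postfix) with ESMTPSA id 1CAFE
    for <dr.b@hospital.example>; Tue, 7 Apr 2015 10:00:01 +0000
From: nurse.a@clinic.example
To: dr.b@hospital.example
Subject: Lab results

See attached.
"""

def strip_comments(value):
    """Remove (possibly nested) parenthesised comments and collapse whitespace."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return " ".join(value.split())

def audit_hops(raw_message):
    """Return hops in sending order as (from_host, by_host, protocol, encrypted)."""
    hops = []
    msg = message_from_string(raw_message)
    # Each server prepends its Received header, so reverse for sending order.
    for value in reversed(msg.get_all("Received", [])):
        flat = strip_comments(value)  # drops "(using TLS with cipher ...)" notes
        src = re.search(r"\bfrom\s+(\S+)", flat, re.I)
        dst = re.search(r"\bby\s+(\S+)", flat, re.I)
        proto = re.search(r"\bwith\s+(\S+)", flat, re.I)
        name = proto.group(1).upper() if proto else None
        hops.append((src.group(1) if src else None,
                     dst.group(1) if dst else None,
                     name, name in TLS_PROTOCOLS))
    return hops

def plaintext_hops(raw_message):
    """Hops whose "with" clause does not record a TLS-protected transfer."""
    return [(s, d) for s, d, _, enc in audit_hops(raw_message) if not enc]
```

Received headers written by servers outside your control can be forged or omitted, so only the hops recorded by your own gateways count as evidence; a hop with no "with" clause is reported as unencrypted because its protection cannot be confirmed.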