by Orlando Scott-Cowley 24th of March 2015

The Human Firewall: Why the Humans Might Be the Answer

Half the problem with protecting your enterprise from every hacker, phisher, visher and botnet herder is the helpful part of human nature, that wants to be…helpful. We’ve known for a very long time that the vast majority of successful cyber-attacks rely on this helpfulness to achieve their goal. We know that social engineering plays a significant role in these attacks, from the most complex right down to the most ‘mundane’ phishing email; and our attackers know this too.


I sense that enterprise cyber security has reached a turning point that will solve this problem.

For years, we’ve been talking about the de-perimeterization of the network, as end users and cloud services make the corporate firewall less relevant. CIOs and IT Managers I’ve spoken to have long been trying to shoe-horn their existing cyber-security into this new model, but have been losing the battle. The ubiquitous nature of connectivity and mobile computing was not so much the straw for this poor camel, but the entire haystack.

So, this is where I sense a pivot occurring in the way we think about enterprise cyber-security; one that leaves those legacy ideas on the LAN and introduces a more task-oriented set of security rules. Rules that consider how the humans use our enterprise services and how those same humans are exploited. And importantly, rules that change the game in our favor, as opposed to the business-as-usual cyber security arms race we suffer under.

Of course, security professionals have been asking for more training for their human users since the dawn of the ILOVEYOU virus, but sadly this has always been low on the priority list for the budget controllers in businesses.

Security and IT professionals also know there is no single technology solution that will protect humans either. Sadly, until very recently, that’s about as far as the conversation went. Enough budget would be allocated for ‘reasonably regular’ (i.e. every six months, if you’re lucky) security training – and we’d all cross our fingers that no one would do anything stupid.

But they did, and they still do. Humans click links, especially in emails, and there’s no way of stopping them from doing that. So we’ve begun to learn that a new approach is needed here. An approach that is the foundation to the wider pivot I mentioned above. If technology can’t completely help us, and in isolation security training isn’t effective anymore—maybe the answer is in the last place we would have looked a few years ago? In the humans.

It’s after all our users who have become the front line for attackers looking to gain access to your network and we know this is because the humans are easier to hack than the code they write. So instead of constantly hardening our code and infrastructure why don’t we start to harden our humans?

Invoke a Human Firewall to help protect our businesses and de-fang the threats that target them. We know that our routine security training doesn’t work and we know our technology is less effective on its own—so why not use the technology to help train users in a more real-time manner, at the point of click in an email? Subtly warn them that the link they are about to follow may lead somewhere malicious, and block the click if the destination does turn out to be a watering-hole or drive-by download site. But help them understand the risks, and educate them constantly and in new and engaging ways, not once or twice a year in a traditional training session.

It’s only when you start to get humans thinking for a fraction of a second longer than normal before performing a task, running an attachment or clicking a link, that you have started to drive a behavior change in them. It’s this behavior change that we need to encourage, one that makes them a tiny bit suspicious of those emails that look ever so slightly odd, one that means they’re more aware than we could ever have hoped for.

This behavior change is what invokes your human firewall; it’s the only way you’ll protect your humans from themselves, and it’s the only way we might be able to solve our cyber-security woes.

by Orlando Scott-Cowley 19th of March 2015

Blurred Lines: When Personal and Business Email Converge

The political world has been making global headlines around trouble over email usage. Former U.S. Secretary of State, Hillary Clinton, has been scrutinized for deleting 31,830 emails. Why?

The emails were stored on a private, home-based server during her time at the U.S. State Department, and a single account was being used for both personal and government-official email communication. When asked about the controversy, Clinton said she thought it would be easier to use one email address. Former Florida Governor, Jeb Bush, was caught using his private email address to discuss confidential security and military issues. And according to a New York Times article, it took Bush more than “seven years to comply with a Florida public records statute” on email disclosure.

Senior executives and government officials often use one email address as a catch-all for personal and business email, side-stepping security risks.

This attitude toward using one email address as a catch-all for personal and work communication is common, especially when it comes to senior-level government officials and corporate executives. There are, no doubt, many individuals in senior positions around the world who believe their seniority gives them the ability – and sometimes the right – to side-step established corporate policy and procedure. This is exacerbated by the fact that, in many cases, junior staff members are tasked with setting up this one-off functionality, and they are not likely to call out the security risks to senior-level executives and officials (or simply say “no”).

There’s one thing the Clinton and Bush email controversies should teach us: Seniority shouldn’t be a reason for allowing or perpetuating the breach of any corporate policies. One for all, and all for one. Everyone within an organization should adhere to the same rules, policies and standards when it comes to email usage. Otherwise, a false sense of security takes hold, and mistakes can be made. For instance, data can be easily deleted, lost or leaked without a trace when outside the control of the corporate IT team. When an email server is installed at a residence rather than in a secure data center, there is no clear distinction between personal and work email, nor are there the same guarantees of security and privacy. This drastically increases the likelihood of confidential documents and messages reaching the inboxes of the sender’s personal network – and there are no security and retention policies in place to track, protect and retrieve the wrongfully-transmitted data. In a post-Snowden, post-NSA-revelations world, we should doubt the security of anything that falls outside the best standards of established technology.

There’s also a compliance issue to consider. Official IT administrators likely can’t access data that resides on an at-home server in the same way they would with a server in their own data center, which will compromise e-discovery requests. This also complicates subpoenas and other legal requests for information – if the data doesn’t reside in a government or corporate data center, who rightfully has access to it? Who has the right to delete email archives? Without clearly-defined policies, the answers to these questions remain unclear.

by Orlando Scott-Cowley 13th of March 2015

The Vault Is Dead: Why On-Premises Email Is History

Customers are increasingly trading in their old, bloated, expensive on-premises email archives for cloud services. Over time, these last-century technologies will take their place in the history of computing – the world, technology and the needs of customers have simply moved on.
Old, bloated and expensive on-premises email archives are being swapped for cloud services.

Early adopters of email archiving have been staring angrily at their on-premises vault and watching it grow since the end of the last century. As wholly on-premises installations, these solutions were designed to alleviate the long-term email storage problems associated with Microsoft Exchange 5.5 and its rampant PST generation habits. IT departments quickly found that moving email off the primary mail server and stubbing it back into end users’ in-boxes meant their Exchange environment was more stable and efficient.

About 20 years ago, when the concept of an email archive first emerged, IT professionals couldn’t predict what an email archive of the future would look like. They certainly had no idea how large an email infrastructure could get. As users continue to send and receive massive amounts of email, and as attachment sizes continue to grow, old vaults have reached their storage capacity and as a result, demand more new hardware to manage the overflow of data.

The scalability of on-premises archives has been doomed from the beginning, as their growth is at the mercy of allotted IT budgets. IT teams have run out of patience trying to support this now vintage solution.

Then there’s the actual effectiveness, utility and usefulness of on-premises vaults. Historically, email archiving has been the domain of the IT administrator, and in some instances, legal counsel or compliance teams. Generally, the vault would have been deployed to solve either a storage management problem on Exchange, or a compliance and e-discovery problem affecting the business. Neither of these scenarios has any direct benefit for employees whose email is being stored after all – and it is these people who are demanding more of these solutions in today’s corporate environments.

The cloud has become the standard for new archives. The rare ‘greenfield’ email archiving sites where businesses are just setting out on their email retention journey are predominantly in the cloud. Why would you install a cumbersome, expensive and time-limited on-premises archive today, when there are many simple, scalable, innovative cloud alternatives?

Using the cloud for email archiving gives you significant competitive advantages, like:

- More frequent innovation, technology enhancements and features

- Faster upgrade cycles

- Perpetual storage

- No longer tied to the LAN

Then, of course, you have the needs of employees to consider. Never before have they demanded access to so much information, on so many devices, from so many different locations. The rise of consumer cloud and BYOD coupled with the collapse of the network perimeter means employees can’t be chained to their corporate networks anymore. On-premises archives simply don’t support this modern, on-the-go style of working. But in the cloud, access is ubiquitous, data is within reach, and mobile devices are supported. Keeping employees productive and in touch with their corporate memory on a mobile device is hard to do without a cloud archive that can deliver personal archive content through an app.

So there it is. You’re likely tired of your historic enterprise email vault because it’s old, cumbersome and no longer serves a relevant purpose. You’re likely sick of continuing to sign checks to the vendor for yet more storage. It is an expensive habit you surely want to break. The good news is, there is an alternative in the cloud that brings you up to date – and leading industry analysts agree. I recently discussed the benefits of the cloud over on-premises email archiving with Gartner Research Director, Alan Dayley.


by Orlando Scott-Cowley 23rd of January 2015

Phishing - the Speculative Long Con

There’s been a spate of phishing attacks this month seeking to uncover the user credentials for users of various hosted email services. Gmail, Outlook, Yahoo and AOL have all been targeted.

Some reports of the Outlook.com phish seem to have incorrectly claimed it was sent to all 400 million users of the service. In truth, the phishing email was sent to a handful of email addresses in the hope that some would be users of the popular Microsoft service, and would be duped into providing their user credentials.

The most damaging hacks can start with just a simple phishing attack.

We don’t yet know the ultimate goal of the attackers, but we do know they have identified both consumer and business email accounts that use these services. And, that they’re hoping to gain access to that service by duping someone into giving up their user credentials with a convincing looking, but malicious, login page.

Look carefully at the Outlook.com example, and you’ll start to uncover the art of a well-crafted and targeted spear-phishing attack. What we’re seeing, thanks to Chris Boyd and Malwarebytes, could be the start of a well thought out campaign that’s hunting for something quite specific, in effect, the beginnings of a long speculative con. So far, we’ve seen a number of Outlook.com email addresses being targeted, in a seemingly random way, as well as some collateral fallout to other email domains.

The worst case scenario is the attackers know who they are looking for; the best case is that this is random. What’s likely to happen next is that the newly compromised account will be used to target someone, or something else, in order to add an air of legitimacy. The attackers are likely to use a further spear-phishing technique that tricks their target into clicking a link that downloads a malware dropper to their computer.

Once we’re at that stage, we can assume it’ll be game over for the target: their computer will have been compromised, the remote access trojan (RAT) installed by the dropper will likely have given the attackers access, and they’ll be making off with data or moving on to their next target.

All of this could take hours, days, weeks or even months, but be sure the attackers have the patience to wait it out.

For enterprise users, this type of breach could be catastrophic (see Sony Pictures). What starts with a simple phish can end in a whole lot more trouble. Enterprise users are generally well protected by their IT teams, but URLs in emails are still not as protected as they should be. Consider how often you click a link in an email without thinking about it, assuming that the IT team have deployed enough protection to keep you safe. In reality, the Outlook.com phish, as well as most other types of spear-phishing, are likely to have made it past your enterprise email security gateway. This is exactly what attackers are relying on – they know an obviously malicious attachment will almost certainly be stripped before it reaches you, so they try to trick you into clicking a link instead, and a link that is harmless at delivery time can be made malicious later.

Therefore, protecting the link is the only real way to defeat this threat, and for the enterprise that means adding another layer to the security stack. A layer that re-writes each link as the message is delivered to the end user, so that every click passes through a service that checks the destination for malicious content at the moment of the click, not just once at delivery. For business users of Office 365 this means a similar layer of security over and above the already useful Exchange Online Protection.
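To make the two stages of that layer concrete (rewrite at delivery, decide at click), and the “warn, then block if it turns out to be malicious” behaviour the Human Firewall post asks for, here is an added example. It is illustrative code written for this page, not code from the original posts or from any Mimecast or Microsoft product. The signing key, the protection hostname, the sample message and the fictitious domains in the block and allow lists are all assumptions constructed for the example; in the real service the blocklist lookup would be a live scan of the destination.

```python
"""Delivery-time link rewriting plus click-time evaluation (added example)."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, quote, urlparse

# Assumed, not from the post: a per-tenant signing key (keep it in a secret store)
# and the hostname of the click-time protection service.
SIGNING_KEY = b"per-tenant-signing-key-rotate-me"
PROTECT_BASE = "https://protect.example.invalid/click"

# Matches http(s) links in a plain-text body; trailing punctuation is trimmed below.
_URL_RE = re.compile(r"https?://[^\s<>\"']+")
_TRAILING_PUNCT = ".,;:!?)"


def _token(url: str) -> str:
    """HMAC-SHA256 over the original URL. Without it, anyone could point the
    protection service at an arbitrary destination and use it as an open redirect."""
    return hmac.new(SIGNING_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def rewrite_url(url: str) -> str:
    """Stage 1 (delivery): replace the link with one that goes via the service."""
    return f"{PROTECT_BASE}?u={quote(url, safe='')}&t={_token(url)}"


def rewrite_links(body: str) -> str:
    """Rewrite every link in a plain-text message body, keeping punctuation
    that follows a link (e.g. a sentence-ending full stop) outside the link."""
    def _sub(m):
        raw = m.group(0)
        url = raw.rstrip(_TRAILING_PUNCT)
        return rewrite_url(url) + raw[len(url):]
    return _URL_RE.sub(_sub, body)


def _host_in(host: str, domains) -> bool:
    """Exact or subdomain match: 'mail.live.com' matches 'live.com'."""
    return any(host == d or host.endswith("." + d) for d in domains)


def resolve_click(clicked: str, blocklist, allowlist):
    """Stage 2 (click): verify the link is ours and untampered, then decide.

    Returns (verdict, destination) where verdict is 'allow', 'warn' or 'block'.
    The lists are consulted now, at click time, so a destination that was unknown
    at delivery and has since been flagged is blocked even though the email is
    already sitting in the inbox.
    """
    p = urlparse(clicked)
    if f"{p.scheme}://{p.netloc}{p.path}" != PROTECT_BASE:
        return "block", None                      # not a link we issued
    qs = parse_qs(p.query)
    if "u" not in qs or "t" not in qs:
        return "block", None                      # malformed
    dest, token = qs["u"][0], qs["t"][0]          # parse_qs percent-decodes u
    if not hmac.compare_digest(token.encode(), _token(dest).encode()):
        return "block", None                      # forged or tampered: refuse to redirect
    host = (urlparse(dest).hostname or "").lower()
    if _host_in(host, blocklist):
        return "block", dest
    if _host_in(host, allowlist):
        return "allow", dest
    return "warn", dest                           # unknown: show an interstitial, user confirms


# Constructed sample message modelled on the Outlook.com quota lure; domains are fictitious.
SAMPLE_BODY = (
    "Your Outlook.com mailbox is over quota.\n"
    "Sign in at http://outlook-com-verify.example/login to keep your account.\n"
    "Help: https://mail.live.com/help.\n"
)
PHISH = "http://outlook-com-verify.example/login"
ALLOWLIST = frozenset({"live.com", "outlook.com"})


def demo():
    """Walk both stages; returns the rewritten body and three verdicts."""
    rewritten = rewrite_links(SAMPLE_BODY)
    link = rewrite_url(PHISH)                     # what now sits in the inbox
    at_delivery = resolve_click(link, frozenset(), ALLOWLIST)  # host not yet classified
    after_update = resolve_click(link, frozenset({"outlook-com-verify.example"}), ALLOWLIST)
    forged = resolve_click(f"{PROTECT_BASE}?u={quote(PHISH, safe='')}&t={'0' * 64}",
                           frozenset(), ALLOWLIST)
    return rewritten, at_delivery, after_update, forged


if __name__ == "__main__":
    body, *verdicts = demo()
    print(body)
    for v in verdicts:
        print(v)
```

The point of the HMAC is easy to miss: a rewriting service that redirects to whatever `u` it is handed is itself a phishing asset, because attackers can put your trusted protection hostname in front of their landing page. Signing the destination at delivery means only links the gateway actually issued will redirect, and the same signature catches a recipient (or an attacker replaying a forwarded mail) who edits the destination.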