In tennis, you never want to commit an unforced error. These are the worst kind of point-costing blunders a player can commit – the completely avoidable, self-inflicted ones that have nothing to do with the skill of the opponent or the excellence of their shot.
Losing to an exceptional opponent is not (really) something a tennis player can control, but losing because of an untimely, unforced error, or a series of them, is a different story.
If you've ever worked in information security, you can probably see the parallel.
Every day, you fight talented opponents of your own – sophisticated cyber-criminals who constantly evolve their methods to exploit any and all vulnerabilities you may have. And every day, you and your peers are losing battles to these criminals, who can both exploit your unforced errors – self-inflicted failures of your cybersecurity technology – and create clever schemes that trick your users.
These attackers have a strong track record – more than half of U.S. small businesses now say they have been victims of a cyber attack, according to the National Small Business Association (NSBA). And an overwhelming majority of these attacks – 91 percent – begin with email-based phishing and elaborate, highly targeted spear-phishing schemes.
These attacks are so effective because of the simple fact that an IT department can't completely control all of its users, all the time – they're too unpredictable, and it only takes a mistake by one user for a breach to be successful. However, what an IT department can control is the technology it uses to protect its email systems from spear-phishing attacks. Failure to do so is an unforced error that could cost you.
You certainly wouldn't be alone. Secure Mentem President Ira Winkler, speaking at RSA Conference 2015 in San Francisco, said that even though users get the blame following a successful spear-phishing attack, it's usually a failure of technology that allows the socially engineered email bait to arrive in their inboxes in the first place.
Technology should be your first – and second, third and beyond – line of defense. If a malicious email is neutralized by your spear-phishing defenses long before it even reaches your employees' inboxes, they won't even have a chance to facilitate the attack unknowingly – users can't click on links or download attachments that they never see.
That's where Targeted Threat Protection (TTP) comes into play. With this technology in place, CIOs, CISOs and IT department heads gain the peace of mind that their users are protected against targeted spear-phishing attacks. Even if – or perhaps, when – a user clicks on the wrong link or downloads the wrong attachment, IT departments will know they have a fail-safe in place to end the attack before it spreads.
As Winkler said during his RSA session, "there is no such thing as a perfect countermeasure," and he's right. But TTP will reassure you that you have the technology you need to create a first line of defense.
To learn more, please see our new whitepaper, "The Spear-Phishing Attack Timeline," which walks through the stages before, during and after a spear-phishing attack and provides a minute-by-minute look at how these attacks can be prevented.
A few weeks ago, I made a trip across the pond to one of the biggest U.S. security events of the year, the RSA Conference. The 400+ exhibitors pulled out all the stops, unveiling new products, displaying elaborate booth décor and giving away all sorts of prizes.
Attendees that stopped by Mimecast’s booth had the opportunity to spin a prize wheel for any number of giveaways, ranging from an American Express gift card to a golf tee, along with learning more about our recently launched Secure Messaging service. At RSA, the market need for Secure Messaging was validated by the positive conversations we had with booth-goers and media and analyst influencers, including this one I had with ISMG Editor Tom Field.
There were a few recurring themes I noticed during conversations at the show, including during a keynote given by Microsoft’s Corporate VP of Trustworthy Computing, Scott Charney. For one, companies continue to see the value and benefits of migrating data to a third-party cloud provider. At the same time, though, they demand a certain level of control over their data and security measures. Scott likened this feeling to some people’s tendency to drive their own car to their desired destination, as opposed to flying there. In order to help companies strike a balance, the industry calls for complete transparency and “technically enforced trust boundaries.”
This sentiment is not unlike how we’ve designed Secure Messaging. With it, companies can set certain policies, such as a date on which a message will expire or a rule against the recipient being able to print a message. Visibility is also key, so we’ve made it easy for senders to track who’s read their messages and even recall them, if required. In addition, the message never leaves the Secure Messaging portal, so the sender retains control of the data the entire time.
Further to what Scott spoke about, and as re-affirmed in our Secure Messaging service, control is not just critical for helping IT administrators sleep soundly at night. It is control that allows companies to keep tabs on who has access to their data and lessen the chances that they are a victim of a breach. The trick here, though, is to not sacrifice the user experience in the process – for example, an employee should be able to send a secure email from his or her inbox without any clunky, productivity-hindering extra steps.
As was mentioned more than once at RSA, hackers are only becoming more advanced. It’s the industry’s job to adapt and innovate in order to mitigate the risk of malicious attacks, both for the protection of our data and our customers’ data.
It was reported earlier this month that Russian hackers accessed President Barack Obama’s email system inside the White House. When asked to comment on the attack, Deputy National Security Advisor, Ben Rhodes, said: “We do not believe that our classified systems were compromised.”
Regardless of whether or not an email system is classified, the fall-out of a cyber-attack can be dire. After the recent barrage of data breaches in the U.S. – spanning the retail, entertainment and healthcare industries, and now the government – it’s time for organizations to take action when it comes to email security, specifically, making employees aware of existing threats. Here’s why:
The White House hack was triggered when a compromised email account in the State Department was used to send a spear-phishing email to an individual in the White House and the executive office of the President. The State Department was aware of the breach and forced its network offline to try and rid themselves of the hackers.
Some are drawing the conclusion that human error was at fault – exploiting individuals in the White House allowed the hackers to pivot their network access into a more sensitive and secure network than the one they initially compromised. In complex long-con attacks like this, where threat actors are resident on a network for long periods of time, it becomes almost inevitable that someone will eventually (and unknowingly) help them reach their ultimate goal. Trust is built quickly by email, and it is likely the attackers exploited the trust of having a @state.gov email address to gain access to the White House and POTUS. This use of a trusted third party is getting more common, and is something I’ve written about previously.
What worries me about Rhodes’ statement is that he’s hinting about the security of the classified systems at the White House. No doubt checks have been made to ensure there are no obvious compromises. But just as humans were used to move from the State Department to the White House, the same could surely be true of a further attack inside the White House to gain access to the classified systems. It wouldn’t take too much effort on the part of hackers to move from the unclassified to classified systems. Exploiting the weaknesses in humans once is easy, with only a little trust to abuse, but given a lot more trust, elevating privilege internally becomes very simple.
Humor me for a moment. If I were an attacker, and had been successful, I would have made sure that Mr. Rhodes and his colleagues from the FBI and Secret Service would never detect my presence. So while Rhodes does not believe his classified systems have been compromised, I’m sure he is still hunting for intruders.
Given the complexity of this attack, against what could be one of the most protected governments in the world, it would be fair to say that there’s no amount of technology that can keep out skilful and determined hackers. Do we give up on the technology? Or perhaps revert to pen and paper or typewriters? Of course not.
Making humans aware enough to not react to the social engineering in a spear-phishing email in the first place should be a top priority of any CISO, CIO and IT manager. Deploying a new spear-phishing gateway is important but may not be enough. You need to make sure users – humans – understand the risk, the threat and how to detect the presence of an attack.
Once you achieve this understanding you’ll have deployed a key part of your security infrastructure – your own human firewall. And it’s humans who are your key protection against these new and emerging threats.
Cybercrime in South Africa has increased drastically, costing 0.14 percent of GDP or around R5.8 billion between 2013 and 2014, according to McAfee’s Global Cost of Cybercrime Report. Tackling this threat to our country needs a collaborative approach between the public and private sector armed with the right technology and public education.
In The South African Cyber Threat Barometer, Craig Rosewarne, MD of Wolfpack Information Risk explains: “Government cannot combat crime alone, and key partnerships across multi-industries in South Africa are vital to our country’s success going forward.”
According to Rosewarne, both Government and private institutions have a role to play in addressing cybercrime, the results of which can be used to initiate policies and guidelines to prevent similar attacks in the future. Such insights could help us upgrade our security systems for improved monitoring and analysis – an area currently needing some specialized ‘TLC’.
An interesting bellwether in this government-private landscape is the U.S. Earlier this year, Barack Obama announced his new, intensified stance regarding the management of cybersecurity, which outlines standards that companies operating infrastructure should follow in order to protect against cyberattacks. This executive order has sparked debate around the world – including in South Africa. The U.S. is now focusing on developing an order that will make it easier for private companies to share information about cyberattacks with the government, which will ensure a safe and accessible way to highlight a threat before it hits elsewhere.
In South Africa, the threat is beginning to be taken seriously by the government as well. However, even though the South African Police Service has introduced an electronic crime unit, it acknowledges that there is a lack of awareness and education about the risks associated with cybercrime in general, as well as the importance of reporting suspicious cybercrime activities.
The South African Cyber Threat Barometer points out a number of collaborative initiatives that need to be considered in the South African context. To start, government, with the support of a team of private sector collaborators, needs to implement relevant cybercrime and identity theft legislation to formalize the rules on what is actually punishable. The next step is to pool all the available resources, both public and private sector, and form a united front of cybercrime warriors with clear roles and methods for collaboratively fighting the problem.
Of course, every superhero unit needs financial backing, and though some efforts have been made in the past, government still needs to place cybercrime nearer the top of its priority list. Perhaps with some encouragement from the private sector, the government will pull out ‘the big guns’ and increase their focus on improving the policies and units we already have in place as well as develop new bodies to address the issue.
While this happens, Mimecast will continue to play its part in protecting customers from the threats they face and educating the wider market about the risks and steps we can all take to mitigate them, and by doing so, better protect ourselves, and our wider economy and society.