Canary In A Coal Mine

Why Canaries?: Beginning in 1911 and all the way through 1986, coal miners would bring a small bird, usually a canary, into the mine with them.  During the blasting, the miners could be exposed to carbon monoxide or other poisonous gases.   The canaries were brought down into the mine as an early detection device.   Because the canary is much more vulnerable to airborne gases, the canary would die upon the first detection of poison.  If the miners found a dead canary, danger was in the air and it was time to get out.

Canary Tokens: In the cyber world, “canary tokens” or canary files are used in a similar manner – to see if danger is in the air.  A canary token is a digital file that contains a tracker and a trigger.  The idea is to put these files throughout your file system with enticing names like “passwords” or “HR Salary List” or something similar. If an attacker accesses the system and opens the file, the trigger goes off and the tracker reports the general location of the hacker to you via email.  The general idea is that you now know if someone is snooping around on your device and you can protect yourself from the intrusion.
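To make the tracker-and-trigger mechanism concrete, here is an added example (not code from the column or from any canary-token service) of a tiny registry that mints a token, embeds it in a decoy document as a one-pixel remote image, and turns a later fetch of that image into an alert message. The beacon host `canary.example.invalid`, the mail-style alert text and the sample hit are all assumptions for the illustration; a real service would also geolocate the requesting address before mailing you.

```python
"""Added example: a minimal canary-token registry (tracker + trigger).
BEACON_HOST, the alert format and the sample hit are constructed stand-ins."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlparse

BEACON_HOST = "canary.example.invalid"   # assumption: a host the defender controls


@dataclass
class Token:
    token_id: str
    reminder: str            # where the decoy was planted, e.g. "office laptop"
    notify_email: str
    hits: list = field(default_factory=list)


class CanaryRegistry:
    """Mints tokens, builds decoy documents, and turns beacon fetches into alerts."""

    def __init__(self):
        self._tokens = {}

    def mint(self, reminder, notify_email):
        # The random id is the only secret: it is infeasible to guess, and it
        # links a later hit back to the decoy that was opened.
        token_id = secrets.token_hex(16)
        self._tokens[token_id] = Token(token_id, reminder, notify_email)
        return token_id

    def beacon_url(self, token_id):
        return f"https://{BEACON_HOST}/{token_id}.png"

    def decoy_html(self, token_id, title="HR Salary List"):
        # The trigger: an enticing document that references a remote image.
        # Any viewer that renders it fetches the beacon URL.
        return (
            f"<html><head><title>{title}</title></head><body>"
            f"<h1>{title}</h1><p>Confidential - do not distribute</p>"
            f'<img src="{self.beacon_url(token_id)}" width="1" height="1">'
            "</body></html>"
        )

    def handle_request(self, url, remote_addr, user_agent, when=None):
        """The tracker: map an incoming beacon fetch to its token and alert."""
        path = urlparse(url).path.strip("/")
        if not path.endswith(".png"):
            return None
        token = self._tokens.get(path[:-4])
        if token is None:
            return None                      # unknown id: ignore, not an alert
        when = when or datetime.now(timezone.utc)
        hit = {"time": when.isoformat(), "remote_addr": remote_addr,
               "user_agent": user_agent}
        token.hits.append(hit)
        return self.alert(token, hit)

    @staticmethod
    def alert(token, hit):
        # A real service would geolocate remote_addr here; this alert only
        # carries the raw address plus the reminder you gave when minting.
        return (f"To: {token.notify_email}\n"
                f"Subject: Canary token triggered: {token.reminder}\n\n"
                f"Decoy '{token.reminder}' was opened at {hit['time']} "
                f"from {hit['remote_addr']} ({hit['user_agent']}).")


if __name__ == "__main__":
    reg = CanaryRegistry()
    tid = reg.mint("passwords.html on the office laptop", "me@example.invalid")
    print(reg.decoy_html(tid)[:120], "...")
    # Constructed hit, as a web server's access log would report it
    print(reg.handle_request(reg.beacon_url(tid), "203.0.113.7", "Mozilla/5.0"))
```

The important design point is that the decoy itself carries no logic; it merely references a URL that nothing legitimate ever fetches, so any request for it is, by construction, a detection.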

Try It: You can try this on your home or work computers for free. provides different types of canary tokens for your use.  You select the type of file, provide your email for notification, and a reminder where you will be putting the token.  I recently tested this and the site was able to pinpoint my location as accurately as to my neighborhood, not just the city. 

Deception: This is one aspect of an active (or proactive) cyber defense called deception.  Deception, as the name implies, aims to fool the attacker into making noise so that the intrusion is detected, allowing the user to protect the assets. 

Honeypots: In some organizations, IT departments may put out a fake server on the network called a “honeypot.”  The server would not have any of the usual security protections thus purposefully making it an easy target for the hackers.  The server would be full of fake files and a labyrinth of directories to traverse.  No one in the organization has a reason to be on the server, so the only reasons to be on the server are mischievous or nefarious.   This gives the cybersecurity department an insight into the tactics and procedures that they need to defend against.  It also wastes the hacker’s time.  If the hacker is busy in the honeypot, he is not attacking your real assets.

HoneyNets: A “honeynet” is similar to a honeypot, except that it is an entire network of honeypots.  Larger organizations with critical assets may employ a honeynet to distract the hackers and cause them to make noise on the network.  Setting the traps throughout the network allows for the early detection the organization desired. 

Early Detection Is A Must: Just like the coal miners of the twentieth century, the cyber world needs the early detection of danger that the canary provides to stay safe.  

Put On Your Cyber Armor Before Your First Cup

Knights Prepare: In the early Middle Ages, knights spent hours getting ready for battle putting on their armor with the help of a squire.  There were hooded coats, trousers, gloves and shoes made of chain mail. Add the helmet, shield, and sword, and they were ready for war.

Cyber Protection: In order to be safe in the cyber world, computer users need to be prepared for the cyber battle that we did not request. We need protection.   Here are two examples of attacks and how to defend your home or business.

Ransomware Attacks: To avoid having to pay the ransom for your data held hostage, your organization should be backing up data nightly or more often if operations require.  In that case, you will only lose one day’s worth of data plus the time and resources it takes to restore your infected system.    

Suncrypt: This happened to Haywood County School District in North Carolina.  Their computers were attacked by Suncrypt ransomware.  They did not pay the ransom because they had backups; however, they had to delay school for a week to restore everything.  Suncrypt uses a Windows admin utility called “PowerShell” to send a file to execute on other computers in order to rename and encrypt every folder on the infected computer. The hackers now have your data hostage.

Could It Have Been Avoided?: What could the school district have done to avoid the infection altogether? 

Admin Privileges: First, the person who clicked on the phishing email had “administrative” privileges.  Cybersecurity has a concept called “least privilege” where a user has the least amount of privilege needed to do her work.  All internet browsing and email reading should be done as a non-admin user.  It is critical to only use admin privileges when performing admin functions (configuration and installation).

Outbound PowerShell: Second, the computer security policy allowed the use of outbound PowerShell.  The system policy should have disabled outbound PowerShell capability. PowerShell is the new favorite of hackers.  According to   eighty-seven percent (87%) of common malware uses PowerShell. This one change to your system can block much of the current malware.

Controlled Folder Access: Finally, for this particular attack, and those like it, the entire attack would have been thwarted if the systems had a simple setting enabled called “Controlled Folder Access.”  This feature allows only authorized applications and users to modify folders.  This would have completely blocked Suncrypt.

Phishing Attacks: Phishing is getting very complex.  There are new targeted phishing campaigns where emails are sent to company users claiming to be from the IT Department.  The emails explain that certain sent emails were quarantined and provide a link for the user to log in and review the files.  The link takes you to a screen that looks exactly like the company login.  The hackers grab the user’s credentials when they attempt to log in and fix the problem.

Don’t Click It: The lesson here is to always hover over any link.  Do NOT click the link without checking it.  When you hover over the link, the details of the link show in the bottom left-hand corner of your browser or pop out in your email application.  Verify the entire link carefully. Hackers can be creative with their domain names, making them look similar to the real domain names. So look closely.   When it comes to links, hover, hover, and hover again. 
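The hover-and-verify habit can be written down as rules, which is useful for training and for a mail gateway. The following is an added example (not code from the column) that checks each link in an email body the way a careful reader would: does the visible text name one site while the link goes to another, is the company’s name buried inside a stranger’s domain, is the scheme plain http, does the host contain non-ASCII or punycode look-alike characters. The company domain `example-corp.com` and the sample “quarantined mail” message are constructed for the illustration.

```python
"""Added example: an automated version of "hover over the link and read it".
TRUSTED_DOMAINS and SAMPLE_EMAIL are constructed stand-ins, not real sites."""
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}   # assumption: the company's real domain(s)

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})")


def registrable_domain(host):
    """Last two labels, e.g. login.example-corp.com -> example-corp.com."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_link(href, display_text):
    """Return the warnings a careful hover-and-read would raise for one link."""
    warnings = []
    parsed = urlparse(href.strip())
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        warnings.append(f"unexpected scheme '{parsed.scheme}'")
    elif parsed.scheme == "http":
        warnings.append("plain http, not https")
    if "@" in parsed.netloc:
        warnings.append(f"text before '@' is ignored; real host is {host}")
    # Link text that names one site while the href goes somewhere else
    m = DOMAIN_IN_TEXT_RE.search(display_text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        warnings.append(f"text shows {m.group(1)} but link goes to {host}")
    # Lookalikes: the trusted name used as a subdomain or padded with extra words
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in host:
                warnings.append(f"{host} resembles {trusted} but is not it")
    # Homoglyphs: non-ASCII characters or punycode labels in the host
    if not host.isascii():
        warnings.append("non-ASCII characters in host (possible homoglyph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in host")
    return warnings


def audit_email(html):
    """Check every anchor in an HTML email body; returns {href: warnings}."""
    return {href: check_link(href, re.sub(r"<[^>]+>", "", text))
            for href, text in ANCHOR_RE.findall(html)}


# Constructed sample: the "quarantined mail" lure described above
SAMPLE_EMAIL = """
<p>IT Department: 3 messages were quarantined. Review them here:</p>
<a href="https://example-corp.com.mail-review.net/login">https://example-corp.com/quarantine</a>
<p>Or open the <a href="http://example-corp-support.com/login">support portal</a>.</p>
<p>Legitimate link for comparison: <a href="https://mail.example-corp.com/">webmail</a></p>
"""

if __name__ == "__main__":
    for href, warns in audit_email(SAMPLE_EMAIL).items():
        print(href, "->", warns or "looks consistent")
```

Note that the decision is made on the registrable domain (the last two labels), not on whether the familiar name appears somewhere in the host: `example-corp.com.mail-review.net` belongs to `mail-review.net`, however reassuring its left-hand part looks.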

Put Your Cyber Armor On: So, along with that first cup of coffee or tea in the morning, remember to put on your cyber armor before you check your emails.

Defending the Castle of Gondor

The Defense: The brutal battle of the Pelennor Fields in The Lord of the Rings epic, is instructive for cyber defense. Gandalf, the White Wizard, was charged with defending Minas Tirith, and the majestic Castle of Gondor. The castle was constructed with a series of concentric castle walls for protection.  During the attack of Dark Lord Sauron’s minions, Gandalf tried to hold ground.  Eventually, the first wall was breached, so Gandalf ordered his army back behind the next wall.  The situation was bleak, but moving behind the next interior wall bought them time as they waited for Aragorn to come with reinforcements.

Cyber Defense: Cybersecurity for your organization is a lot like defending the Castle of Gondor. You need to slow down the attackers before they get to your critical assets. Protection in layers in the cyber world, much like that concentric castle, is called “defense in depth.”  An article from Forcepoint defines it well. “Defense in Depth (DiD) is an approach to cybersecurity in which a series of defensive mechanisms are layered in order to protect valuable data and information.”  With cyber DiD, like with the Castle of Gondor, if one set of defenses fails, there is another mechanism in place to impede the attack.  Sometimes cyber DiD is called the castle defense due to the parallels between cyber warfare and physical warfare.

Make It Tough: The goal of DiD is to slow down the attacker and get them to make “noise,” so they can be detected, and the user can get reinforcements.  Unlike Gondor, where the siege was quite obvious, cyber-attacks can go undetected for weeks and even months.  This is where your cyber-layered defenses can help to slow the attacks down and make some noise.

Controls: We discussed controls last week.  A control is an action, a device, a procedure, or a technique that removes or reduces a vulnerability. Controls, when used in depth, can make severe vulnerabilities hard for attackers to take advantage of, or exploit.

One Is Not Enough: In the cyber world, there is no single control that can successfully protect against every single type of attack.  For your network, the expensive firewall is not going to stop everything, nor will the next-generation anti-virus.  You need to have a layered cyber strategy that includes preventive, detective, and deceptive controls to protect your network. 

Layered Defenses: A layered defense would start with the basics of firewalls and anti-virus/anti-malware, but it might also include an intrusion prevention system, end-point detection, centralized monitoring, encryption, web application firewalls, and access control lists, to name a few.  Besides these technical controls, you can also add procedural and policy controls – a set of rules to follow, and the proper way of doing things.  In addition, you can work on human security by adding cybersecurity training to your layered defense.  Human security is critical, as all the leading-edge technology is helpless if the end user provides the hacker the keys to the kingdom. 

Held Out Long Enough: Aragorn brought the Army of the Dead to save Minas Tirith from Sauron’s army. When it came to their defense-in-depth strategy, the sum of the protective layers was much greater than what was offered by each individual component. Just like the Castle of Gondor, your cyber defense needs overlapping and redundant defenses.  If the attackers make enough noise, you may have time to get reinforcements in place.

Your Computer is Sick

Sick Computer: Your computer is sick. Not sick in a good way. Many people believe that when they buy a brand new computer, it was designed and configured with security in mind, but it wasn’t. It was designed and configured with usability in mind. Years ago I worked for a small Wireless Internet Service Provider (WISP) in Ogden, Utah. Once the owner told me that whenever a customer called his technical support line for help, the company lost the profit they would have made from that customer for the entire month. The margins were that small.

Shiny, But Not Secure: When you buy a shiny new computer, the manufacturer wants you to be able to easily set it up yourself. They have gotten much better about secure setup than they used to be. Indeed, your Microsoft Windows 10 Operating System is much more secure than the previous Windows versions, but there is still a balance that the manufacturer is trying to strike. They don’t want you to call tech support.

Usability vs Security: Security is a spectrum with usability on one end and security on the other. The closer you get to security, the further you move from usability.  That is where the problem resides. YOUR goal may be to have the most secure computing experience, but the company that made your computer and the Operating System want it to be usable so you don’t call tech support.

Most end-users simply don’t have the experience to securely configure their computer. It takes time to become enough of an expert in the field to securely configure your PC or Mac. Hiring someone to secure your computer is very costly as well.

Preventive Measures: Secure configuration of your computer is preventative. You are trying to prevent threats from causing harm to your computing assets. The ways a threat can cause harm are called vulnerabilities. Bugs in software are one example. Things that reduce vulnerabilities are called “controls”. A software patch (or update) is a control to reduce the vulnerability of a software bug.

Asset, Control, Threat: You can think of it this way. It’s not unlike putting in a chain link fence (the control) to keep the javelina (the threat) out of your garden (the asset). You are not naïve enough to think the fence will keep tiny birds off the peach tree. That’s not what the fence was designed for. So you add a different control designed for birds. Many people will place a large fake owl close by. It’s a deceptive control to fool the birds into thinking a predator is lurking.

Real Life Example: Your house has controls to reduce the vulnerabilities a burglar might use to break in. Locks on the doors and windows. But a determined burglar can still get in if they have the opportunity. You may have installed motion sensors to alert the police in the event of a break-in. That’s a detective control to further reduce the vulnerability your preventative controls may fail to mitigate.

Prevention Always Fails: In the face of an advanced threat, prevention always fails. Eventually. You should consider installing some detective controls to alert you when they have.

Options: Lastly, prevention and detection are not your only recourse. You can get out in front of this dilemma by introducing a deception control. As an example, every time you visit a website, your browser announces to the web server a tremendous amount of valuable information, namely, what browser, and what Operating System you are using. This is usually enough information for a threat to deploy an attack. But you can change your browser settings to lie about it. Then when you visit a compromised website, the threat will deploy the wrong attack. This deception technique isn’t 100% foolproof, and it may cause some of your favorite websites to not display properly, but it’s something you should look into.

It’s a Risk Call: Like the WISP I worked for back in Ogden, profits are on the line. The vendor of your computer is more concerned with you having a usable experience. It’s up to you to make it secure by adding deception and detection controls to your quiver.

Dwelling on Dwell Time

OPM Hack: Sierra Vista is a military town. Therefore, many of us have personal or family ties to the military. I’m sure that many of you were in the same boat I was during the summer of 2015 when we found out about the Office of Personnel Management (OPM) breach. Hackers had exfiltrated (the technical term used when hackers pilfer data) the personal information for almost 20 million people related to the security clearance background investigation applications. The attack occurred in two phases.  The first phase, called X1 by Congressional investigators, started in November, 2013.  OPM discovered it in May, 2014. The hackers had stolen very little documentation.  Before OPM could clean up the mess, the hacker obtained credentials and installed key-loggers and other malware to create a “backdoor” on May 7, 2014.  This second attack, known as X2, went unnoticed for over 11 months.  That boat I mentioned earlier? The one we were in together? It was leaking. And in the water? There were sharks.

How & How Long: While the sharks explored the OPM network they escalated their privileges so they had access to more and more information.  In December 2014, they plundered 4.2 million personnel records.  In March of 2015 they stole fingerprint data.  It wasn’t until mid-April 2015 that security personnel identified the unusual activity.  For over a year, the attackers had set up shop on the OPM network. Imagine how much damage an attacker can do to your organization with almost a year of dwell time!

What is Dwell Time: Dwell time, AKA “the breach detection gap”, is the period between when malware begins executing within a network and when it is detected and the hemorrhaging is stopped.  During this time, adversaries have access to your organizational assets. Certain types of malware and cyber-attacks require a great deal of dwell time to escalate privileges and achieve their objectives.  Detecting the presence of malware early is critical to minimizing damage and protecting your assets.  In the cyber ocean of malware, avoiding the sharks is ideal, but early detection is a must! According to Ponemon Institute’s 2017 Cost of Data Breach Study, there is a 25% increase in the average cost of a breach found after 30 days. 

A Chain-Link Fence: Hoping anti-virus and anti-malware programs will protect you against all of this is like hoping your chain-link fence will stop mosquitoes. Anti-malware detects “signatures” of known malicious files.  However, today’s malware can easily modify its signature thereby appearing normal to antivirus engines. And attackers are creating new, advanced malware daily. Avast, McAfee, and the gang still catch most simple malware, but you need more advanced security to protect yourself from the uglies.  Similarly, firewalls and intrusion detection systems are another layer of protection. OPM had those too. The big one still made it through. It wasn’t enough.

Protect Yourself: To protect your organization, consider installing endpoint detection “agents” on your laptops and servers.  Endpoint detection agents monitor your system for unusual activity and notify the security operations center.  Some tools even offer endpoint deception, where the attacker opens a “canary” file. We call this a cyber tripwire. The canary file traps the hacker in a virtual network separate from the real network. There the hacker may wander around investigating fake data and fake networks, unbeknownst to him (think of the holodeck on the U.S.S. Enterprise). Shortening the malware dwell time for your organization means reduced risk of a breach, of a malware outbreak, or of being trapped in a botnet scheme or ransomware.  Early detection sure is better than remediation!  Ask OPM, where they will spend over $350 million in credit monitoring services alone.

Rise of the Cyber Lamb Chops

Sock Puppet Fame: In the 1950s, a ventriloquist, named Shari Lewis, put a sock on her hand and became famous. Lewis created the persona of a 6-year-old sheep, named “Lamb Chop,” that spoke the punch-line to her jokes. A sockpuppet helped her rise to fame with a very popular 1990’s children’s program. Fame and fortune from a sock!

Cyber Sockpuppets: Social media today has thousands of sockpuppets. No, Lamb Chop hasn’t taken over. A sockpuppet is a phony online identity using “real” accounts for the purpose of deception. Originally, this term referred to people who responded to their own blog posts, or authors who applauded their own books, while criticizing their competition. Nowadays, sockpuppets are used for a wide range of objectives. They are used to shower praise on a person or organization or to antagonize them; they are used to manipulate public opinion, to circumvent restrictions and suspensions, or get others banned from web sites. For instance, Utah Senator Mitt Romney acknowledged operating a secret Twitter account, “Pierre Delecto,” in order to defend himself against criticism — his sockpuppet.

Impact: The impact of sockpuppets would be marginal, except for the fact that nation-states create armies of sockpuppet bots to divide people and dispense misinformation. A single operative may monitor hundreds of sockpuppets, and an organization may use hundreds or thousands of operatives. The bot may simply “re-tweet,” “like,” or “re-post” a divisive headline or comment. 

The Difference: While a human Twitter user may post a few times a day, a bot may tweet hundreds of times per day, all day, on a specific topic. One study by USC analyzed election-related tweets sent in September and October 2016 and found that 1 in 5 were sent by an automated sockpuppet. Some social media platforms have developed software to identify and block bots, so puppeteers have developed something called Cyborgs. These Cyborg accounts mix human subtleties with the 24/7 work ethic of a bot. These are much harder to identify.
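The rule of thumb in this paragraph (a few posts a day versus hundreds, and the round-the-clock pattern that gives away a cyborg) can be turned into a simple screen over an account’s posting history. The following is an added example, not the column’s own or any platform’s bot-detection software; the three accounts and every post in the feed are constructed for the illustration, and the thresholds are assumptions to be tuned against real data.

```python
"""Added example: posting-rate and round-the-clock heuristics for flagging
automated and "cyborg" accounts. All accounts and posts are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_posts():
    """Constructed feed of (account, ISO timestamp, text) tuples."""
    posts = []
    day0 = datetime(2024, 10, 1)
    # A person: four posts a day at ordinary hours, for three days
    for d in range(3):
        for hour in (8, 12, 18, 21):
            posts.append(("jane_doe", (day0 + timedelta(days=d, hours=hour)).isoformat(),
                          "thinking about the school board meeting"))
    # A bot: one repost every six minutes, all day, single topic
    for minute in range(0, 24 * 60, 6):
        posts.append(("patriot_88412", (day0 + timedelta(minutes=minute)).isoformat(),
                      "RT @someone: you will not believe what they did #divisive"))
    # A cyborg: forty posts a day across every hour, mixing reposts and own text
    for d in range(2):
        for hour in range(24):
            posts.append(("concerned_neighbor",
                          (day0 + timedelta(days=d, hours=hour)).isoformat(),
                          "RT @news: the real story about #divisive"))
        for hour in range(16):
            posts.append(("concerned_neighbor",
                          (day0 + timedelta(days=d, hours=hour, minutes=30)).isoformat(),
                          "honestly can't believe this is still being debated"))
    return posts


def account_stats(posts):
    """Per-account rate, hours-of-day coverage and share of plain reposts."""
    per_account = defaultdict(list)
    for account, ts, text in posts:
        per_account[account].append((datetime.fromisoformat(ts), text))
    stats = {}
    for account, items in per_account.items():
        days = {t.date() for t, _ in items}
        hours = {t.hour for t, _ in items}
        reposts = sum(1 for _, text in items if text.startswith("RT "))
        stats[account] = {
            "posts_per_day": len(items) / len(days),
            "active_hours": len(hours),          # distinct hours of the day used
            "repost_ratio": reposts / len(items),
        }
    return stats


def classify(s, bot_rate=100, cyborg_rate=30):
    """Assumed thresholds: hundreds a day is a bot; a high but plausible rate
    kept up around the clock suggests a human-plus-automation cyborg."""
    if s["posts_per_day"] >= bot_rate:
        return "likely bot"
    if s["posts_per_day"] >= cyborg_rate and s["active_hours"] >= 20:
        return "possible cyborg"
    return "human-like"


def classify_feed(posts):
    return {account: classify(s) for account, s in account_stats(posts).items()}


if __name__ == "__main__":
    for account, verdict in classify_feed(build_sample_posts()).items():
        print(f"{account:20s} {verdict}")
```

Volume alone catches the bot; it is the combination of a sustained rate with activity in nearly every hour of the day that separates the cyborg from a merely talkative person, which is why the check looks at both.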

U of A: Awareness of threats is a step in the right direction. Michelle Menninger, a student in the University of Arizona’s Cyber Operations program recently made this comment to me,

“Technology opens up an entire world to my kids that could easily destroy their innocence. Being in the Cyber program gives me the opportunity to speak openly with them about the dangers of technology and allows me to be in control of it, instead of letting technology control us.”

Nation States Involved: Nation-state actors use technology to attack the U.S. and spread misinformation in order to destabilize our republic. An article on Wired calls the Russian campaign of disinformation “Active Measures.” Their objective is to get Americans to argue about an issue – any issue, as long as it’s divisive. These sockpuppets may appear as someone trusted in your community to draw you into the fray and make you think there is an actual human behind an idea or a movement. They spread lies or half-lies, innuendos, and fake news. They are looking to degrade civil discussion of a given topic and inflame opposing views. For these actors, a divided America is much less of a threat than a united one. 

Be Alert: We are all susceptible to these propaganda campaigns on social media. With all the re-posting and re-tweeting, sometimes it is hard to find the origin of a comment. However, awareness that a sockpuppet army, whose intent is to manipulate public opinion, is out there may provide some protection from taking the bait.

So, the next time you are on social media responding to a post that got your blood boiling, keep in mind that you may be arguing with “Lamb Chop.”

Beware of the Dark Web

Lord of the Flies: Imagine a world where children are left entirely to their own guidance and education. One where the only instruction they ever receive is from peers. What kind of a world would that be?

Internet Born: When the Internet was born, it was called the DARPANET. Initially its creators tried to maintain control over its growth and development, but as it grew, that control became untenable. Eventually, a dark side emerged there.

Surface, Deep, Dark: The Internet can be subdivided into the Surface Web (that which you can Google) and the Deep Web.  You may be surprised to hear that most of you regularly visit the Deep Web.  Accounts such as Facebook, Twitter, or your company network that require sign-in credentials are not indexed by search engines and are a major part of the Deep Web.  Estimates put the Deep Web at over 95% of the internet.  The Dark Web is a subset of the Deep Web that is intentionally hidden, requiring a specific browser to access. No one really knows the size of the Dark Web, but most estimates put it at around 5% of the total internet.

Dark Web: The Dark Web is best known as a place for illegal and nefarious activities.  You can buy drugs, guns, credit card numbers, credentials, and hacked Netflix accounts.   You can buy malware or pay hackers to breach your competition for intellectual property.  There are even E-Commerce sites. Dark Web commerce sites have the same features as any e-retail operation, including ratings/reviews, shopping carts and forums.  However, sellers have been known to suddenly disappear with their customers’ crypto-coins without providing the service.  The old saying, “There is no honor among thieves,” applies.

Legal Activities: Not all activities on the Dark Web are illegal.  Around half of the Dark Web is used for legitimate activities.  It allows political dissidents to communicate anonymously with journalists without fear of persecution. People go to the Dark Web for mundane activities like joining a chess club or to exchange recipes.   Facebook even has a presence called BlackBook.  The New York Times has a presence.  The Dark Web attracts those that are interested in being anonymous.

The Onion Router: The most common way to get on the Dark Web is through an anonymizing browser called Tor (The Onion Router). The Tor browser routes your web page requests through a series of proxy servers operated by thousands of volunteers around the globe, rendering your IP address unidentifiable and untraceable.  It is difficult to find your way around as there are no indexed search engines.  The experience is unpredictable, unreliable, and often incredibly slow.

Why Should I Care: This is all very interesting, but I am not interested in a seedy journey to the Dark Web.  Why should I care?  The Dark Web is full of Personally Identifiable Information (PII) and password credentials recovered from breaches and sold, or just dumped to a site.  Large identity theft companies, like Experian, offer services that search for your information on the Dark Web and notify you of their findings.  Companies can look to their trusted security advisor to obtain a Dark Web monitoring service that tracks your company domain.   For your own email address, you can check for yourself at   Enter your email address to see if your credentials have been caught in a breach.  If so, it is time to change passwords and verify your account information.

Self Governance: In the novel Lord of the Flies, a group of boys is stranded on a deserted island. Their attempt at self-governance is a disaster. A dark side emerged. Civilization eroded and chaos reigned. Kind of like the Internet.

Business Owners: Red or Blue Pill?

The Choice: The choice is yours. Continue to read this article, and you choose the red pill. The true nature of existence will be revealed. Leave now, and you’ve chosen the blue one. You will remain blissfully ignorant. This article isn’t intended to terrify you. However, at the end of it, you might wish you’d chosen blue instead. Sometimes truth is a bitter pill. 

The Ransom: In July, 2019, on a sticky summer’s day in Rockville Centre, NY, the IT administrator for the school district had a message pop up on his monitor: “Your data has been encrypted.” He frantically pulled the plug on the infected computer.  He limited the damage, but key files were being held for ransom.  Fortunately, the school district had cyber insurance. The insurance company paid almost $100K to get the decryption key from the attacker.  

A Different Result: Contrast this with the recent ransomware payment by University of California at San Francisco (UCSF) of $1.14M, where they did not have any cyber insurance to pay the ransom.  The cost of the ransomware and recovery came from the university’s pockets. 

Cyber Insurance: Cyber insurance is protection against the CONSEQUENCES of cyber attacks. This includes data breaches, and ransomware.  The insurance covers the costs of:  the investigation and forensics, notification and identity recovery for clients, restoring compromised data, and system downtime.  Some policies cover losses from social engineering and, like the policy held by the school district mentioned above, cover the cost of a ransomware attack.  Like other insurance policies, some items are not covered, such as the loss of future profits and theft of intellectual property.  

Just a Piece of the Puzzle: You may consider cyber insurance a part of, but not a replacement for, your cybersecurity business strategy.  Insurance companies have been known not to pay out if they find negligence on the part of the insured. Covered companies are supposed to implement industry best practices, policy, and training.  Some underwriters will require company-wide training programs prior to issuance of the policy. 

What About Me: You might be wondering, “Does my business need cyber insurance?” If you lived in a flood plain, would you get flood insurance?  Your business “lives” on a cyber flood plain. One out of every five cyber attacks is against small- and medium-sized businesses.  Of those that suffer an attack, over 60% cannot recover from the residual financial loss.  So, it’s not only big companies that need it.  Small businesses have been flooded right out of business by cyber attacks when not properly covered.  

Transfers Risk: Cyber insurance transfers the financial component of cyber risk from your company to the insurance carrier.  If your organization deals with a reasonable volume of Personally Identifiable Information (PII) or Protected Health Information (PHI), you should look into insuring it.   The cost of an attack could shut your doors.  So, if you are a health provider, a utility, or a government organization, it would be sensible to get a quote.  If you run an Airbnb or a small repair shop, you may be OK without it.  Several local organizations have been impacted by cyber attacks, so don’t think it only happens in the big cities.   Calculate the risk. If your company was attacked, what would be the impact?  There could be stiff penalties from the Department of Health and Human Services — or worse, government scrutiny! So, is your organization prepared for the risk of the cyber world?  Would you be like Rockville Centre or like UCSF?  Consider the options, then … choose wisely.

Replacing the Irreplaceable

Dinosaurs Are Back: In 1993 Dinosaurs came to life.  We were assured they were in a controlled environment. Dennis Nedry was the underappreciated system administrator/programmer/network engineer/aspiring dinosaur cloner.  Paid less than he thought he was worth, Dennis struggled to make a living. Eventually, he turned on Jurassic Park owner John Hammond and stole prized dinosaur embryos, intending to sell them to a rival theme park owner who had failed to clone his own. To facilitate his crime, Dennis leveraged his unique position to shut off the security controls that protected the park. He was the only one with the knowledge to control the system. Even setting aside Dennis’s criminal mind, to preserve the security of the park he should have been required to do two things:

  1. Document his processes.
  2. Educate his coworkers.

Identify Risks: As a business owner, you may like risk. Risk means opportunity. But sometimes risk also means, well, risk. If, on the other hand, you DON’T like risk, you may also dislike change. But “change averse” does not equate to “risk averse”. Change is good when your current business practices carry unseen and unprofitable risk. One unseen risk that should be glaringly obvious is an employee who knows all the intricate workings of a spreadsheet, a system, or a network, and is unwilling or unable to share the knowledge (Nedry, dressed like a loyal minion).

Best Practice: One critical best-practice in cyber security is job rotation. Job rotation is just that. Rotating employees through different jobs on a somewhat regular basis. While it’s different for each company, it may be as frequent as every two weeks, or as far out as every few months. A challenge with this procedure for small businesses is your staff may be so small that everyone wears many hats, thus you are rotating by default; or the complexities of each role may make it prohibitively burdensome to train everyone sufficiently to have each person proficient in each role. It may seem like tiring work, but the security and productivity benefits will pay off. Such a goal will make everyone more valuable to you, yet none will become irreplaceable. In truth, some employees are really valuable, while others do little more than execute their own self-preservation strategic plan. They are nothing but a bottleneck between you and successful growth.

Self Preservation: Self-preservation is an inherent human trait. It is inherent in every living thing, really. You need to be aware of the risk this can pose to your business. You may have an employee who is acting out of self-preservation instead of looking out for the success and growth of your business.

What to Look For: According to a Forbes article, there are ways to spot the self-preserving employee:

  • They are embroiled in drama.
  • They complain–about everything.
  • They seek attention.
  • They gossip.
  • They don’t simply perform their jobs without a need to draw attention to their professional or personal challenges. 
  • They see a need to remind others of how challenging the task might be.
  • They call attention to the fact that someone else didn’t complete their task.

Single Point of Failure: I’m not suggesting you have a self-serving Dennis Nedry lurking among your IT staff. But experience has proven over time that having a single point of failure in the form of an irreplaceable employee is no less concerning than a cloned T-Rex run amok. For Jurassic Park, the warning signs were there. Ignoring them resulted in a business disaster. Implementing a job rotation procedure could have mitigated the threat.

Gone Phishin’

Happy to Help: An entry level accountant, “Sebastian”, receives an email from his CEO. Sebastian is excited the CEO recognizes him and needs his help on a major acquisition. The CEO requests a wire of 50 million Euros immediately sent to a bank account for the acquisition. Sebastian quickly executes the transfer. He feels like a hero. He can almost smell that promotion.

Oops: Unfortunately for Sebastian, and his large Austrian aerospace company, FACC, the email was not from his CEO. This was one of the most profitable phishing expeditions ever. The company could only recover 20% of the funds.  The CEO was fired, and most likely Sebastian was too.

Phishing: Phishing is a type of cyber-attack that uses email to trick the recipient into doing some particular action or providing private information.  The term was coined in 1995 as a variant of fishing and refers to the “bait” used to get the victim to “bite.”   There are several variations of phishing.  Whaling refers to targeting high-level personnel in an organization.   Spear phishing refers to a phishing attack targeting a specific group of people like the military, a specific company, or certain professionals.

More Complex Today: With the techniques used today, it is not always simple to identify a phishing attack.  Although the Nigerian Prince scam, with its poor grammar and misspelled words, is still around, there are new scams that look extremely legitimate and appear to be from legitimate organizations. 

What to Watch For: Here are some methods to skillfully spot the phishing email. If an email is asking for personal information or asking you to verify details like bank or credit card information, don’t take the bait.  Established companies never ask for sensitive information this way. Be cautious of emails presenting dire warnings and potential consequences which require urgent action. Some examples might be a warning that an account of yours has expired or has been hacked.  Similarly, be wary if there is an urgent deadline to go along with the dire consequences.  Another common phishing tactic is to offer large financial rewards. This could be winning a lottery that you did not enter or being the prize-money winner for a bogus contest. If it sounds too good to be true, it probably is.

What Next?: Now that you are starting to smell something phishy, how do you determine what to do? First, don’t click on the provided link, if there is one.  Hover over the link and look at the bottom left corner of your browser or email client.  It should show the full web address.  Some bogus web addresses will have extra words or letters added which do not belong to the legitimate address. Carefully scrutinize the address. (For example, g00gle is not the same as google.)  Also, beware of shortened URLs.  Hackers can hide their true destination behind a link-shortener address.  When you get an email that seems like it really came from your bank, for example, mentioning dire consequences and an urgent deadline, call the bank using a number YOU KNOW is good, or check the official website. (Search for the website yourself; don’t use the link in the email to decide whether the email is legitimate.)  Many spear phishing attacks can be thwarted with policies requiring a second method of approval before acting on email requests for funding (which Sebastian should have looked for).
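A small script, added here as an example and not part of the original article, that applies the checks just described to the links in an HTML email: whether the visible link text and the real destination disagree, whether a link shortener hides the destination, and whether the host is a digit-for-letter lookalike (g00gle) of a domain you trust. The trusted-brand and shortener lists are assumptions, not from the article.

```python
# Added example, not from the original article: flag the link tricks the "What Next?"
# paragraph describes (mismatched link text, shortened URLs, lookalikes like g00gle).
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumed inputs (constructed): brands the reader trusts and common shortener hosts.
TRUSTED = {"google.com", "mybank.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # g00gle -> google
DOMAINISH = re.compile(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?", re.I)  # text that looks like a URL

def host_of(url):
    """Lowercase host of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()
def base_domain(host):
    """Crude registered-domain guess: last two labels (mail.google.com -> google.com)."""
    return ".".join(host.split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text):
    """Reasons a link looks phishy; an empty list means nothing was found."""
    host, reasons = host_of(href), []
    base = base_domain(host)
    if base in SHORTENERS:
        reasons.append("shortened URL hides the real destination")
    # The anchor text shows one address while the link actually goes elsewhere.
    shown = host_of("http://" + text.split("://")[-1]) if DOMAINISH.fullmatch(text) else ""
    if shown and base_domain(shown) != base:
        reasons.append(f"text shows {shown} but the link goes to {host}")
    # After undoing digit-for-letter swaps the host matches a trusted brand it is not.
    if base not in TRUSTED and base_domain(host.translate(HOMOGLYPHS)) in TRUSTED:
        reasons.append(f"{host} imitates a trusted domain")
    return reasons

def scan_email(html):
    """Map each flagged href in the body to its list of reasons."""
    parser = LinkCollector()
    parser.feed(html)
    return {h: r for h, t in parser.links if (r := check_link(h, t))}
```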

Protection: To protect your business, you should look at increasing your cyber defenses. This may be something like using email services that stop most phishing attempts. Businesses can use email certificates to digitally sign emails so recipients can verify they came from you.  

The Keys: Training and awareness are the key.  There are services you can leverage that provide phishing training. It’s even better if the training also includes simulated phishing attempts targeting your employees to determine how well the training is sinking in.

Perhaps if “Sebastian” from FACC had the proper training, he might still be enjoying his employment there – along with his CEO.