There is always speculation and “leaks” from staff or contractors (incident response firms, maybe) telling how the bad guys got in. Many sources say social engineering via phone, email, Teams or via the supply chain. No, this is not the zero-days seen in Stuxnet or unseen malware at all. Just some online research and good acting or writing skills used against staff, or against staff at suppliers.
Many folk say users are the weakest link and are stupid, which is unfair. Even a well-trained general employee or seasoned cyber security bod (informal for body) will fall for something in time. Take a solicitor, for instance: he/she has a specialist topic in law and is great at that. He/she is not good at IT and less so at cyber security awareness. A cyber security bod is not good at law, so it is unfair to put employees down.
This article covers four defences which are still lacking in low-level detail. No, I will not be covering “normal” items like SIEM/SOAR/patching/EDR/XDR etc. That is not to say these are not needed.
Training
We have all joined a company and, on opening our email for the first time, seen a long list of CBT (computer-based training) modules assigned to us. Diversity, cyber security, data protection, corruption and money laundering, to name a few. Most of these will have little relevance to us, and the trick is to fly through the content and attempt the quiz to pass it. I am sure many people reading this article will admit to doing this.
Running through these quickly or slowly adds little value to the individual; it just keeps your manager and HR manager at bay. Training should be part of the culture, not just a one-hour, once-a-year activity. To do it properly the messaging should be everywhere. Posters in the canteen, posters in toilets, mascots, free toys to take home, jokey stickers, free pizza lunches to attend training sessions, messages on laptop wallpapers or screensavers and more.
Still, training is not the be-all and end-all, and as I said before, people still fall for traps. Training tries to change the mindset and does not enforce controls. Take a speed camera: if it goes off, it flashes, scares you and sends a ticket. Imagine if it overrode your car's controls or shot your tyres so you stopped or slowed down? Training does not offer the latter, so we will move on.
Firewalling
Perhaps firewalling at the network layer is done reasonably well at most companies, but from experience layer-seven firewalling is not. Great, RDP and SSH are closed, but what about the web application's front-end or, worse, the back-end for administrators?
A quick Google search (site:service-now.com) for ServiceNow instances shows tons of ServiceNow SaaS instances, most of them universities. Two more alarming non-educational establishments are:
https://nttdata.service-now.com/jp - NTT Data of Japan
https://cern.service-now.com/service-portal - CERN of Geneva
The NTT website is all in Japanese, so let’s look at CERN. Phone numbers, FAQs, service status, email addresses including information security, and tons more. Way too much info in my view. The question is why I can get access to this in England as a non-employee of CERN.
These websites can be used to glean information and be targeted in phishing operations.
To sum it up, such websites should only be accessible from your offices or over a VPN. Use layer-seven or layer-three firewalling to achieve this. Even if someone captured an active credential, it makes it harder for the bad guys to log in.
Phishing resistant two factor authentication
Yes, 2FA has increased in popularity, though in many cases it is a tick box and the cheapest option is used. The cheapest option being Google Authenticator or Microsoft Authenticator. Both options do add decent 2FA but can still be “requested” by phishermen, in the form of the six-digit ever-changing code or by asking a user to approve a push notification.
SMS or email are no better and can be intercepted or requested. What is the better option then?
Spend money on physical tokens. Remember the less talked-about security triangle? Not the CIA triad but the cost/security/usability triad. Higher spend equals higher security but is generally less user-friendly.
YubiKey-like keys can produce a stronger/longer OTP which is hardware-based but can still be requested. The better option is Security Key/FIDO2 authentication.
How do they work? When such hardware tokens are initialised, a public/private key pair is made. The public key is shared with the cloud provider, and the private key remains at your end, on the key. When you log in with your username/password, the browser asks to access the physical token, often with a PIN or fingerprint check, and a challenge/response happens. The latter means the user never sees the code transmitted, thus they cannot pass the secret on to a phisherman.
The downside? Cost, and you need to always carry tokens with you. Great security has downsides, of course. Microsoft/Google Authenticator may be easy and cheap to use on an Android or iPhone, but it has its flaws.
Online intelligence
To quote the WW2 War Advertising Council, “Loose lips sink ships”. Nothing much has changed since WW2, apart from the different forms of media, of course. The carrier pigeon has changed to email, and more. X (I still call it Twitter!), Facebook, Instagram, CVs, job boards and especially LinkedIn are digital treasure troves. What kind of snippets can you find on such platforms?
- List of clients
- List of suppliers
- List of products used, e.g. what EDR they use
- List of product versions, e.g. Joomla 5.3.1, which is outdated
- Who their manager is
- Locations
- Work trips
- Future conferences
- Security clearances
- And a ton more
Your firm should have policies which say what can be shared on socials, and ideally a team which scans the net for what employees reveal.