Orlando Scott-Cowley
by

Phishing – the Speculative Long Con

There’s been a spate of phishing attacks this month seeking to uncover the user credentials for users of various hosted email services. Gmail, Outlook, Yahoo and AOL have all been targeted.

Some reports of the Outlook.com phish incorrectly claimed it was sent to all 400 million users of the service. In truth, the phishing email was sent to a handful of email addresses in the hope that some of them would belong to users of the popular Microsoft service, who could then be duped into providing their user credentials.

The most damaging hacks can start with just a simple phishing attack

We don’t yet know the ultimate goal of the attackers, but we do know they have identified both consumer and business email accounts that use these services, and that they’re hoping to gain access to those accounts by duping someone into giving up their user credentials on a convincing-looking, but malicious, login page.

Look carefully at the Outlook.com example, and you’ll start to uncover the art of a well-crafted and targeted spear-phishing attack. What we’re seeing, thanks to Chris Boyd and Malwarebytes, could be the start of a well thought out campaign that’s hunting for something quite specific, in effect, the beginnings of a long speculative con. So far, we’ve seen a number of Outlook.com email addresses being targeted, in a seemingly random way, as well as some collateral fallout to other email domains.

The worst case scenario is the attackers know who they are looking for; the best case is that this is random. What’s likely to happen next is that the newly compromised account will be used to target someone, or something else, in order to add an air of legitimacy. The attackers are likely to use a further spear-phishing technique that tricks their target into clicking a link that downloads a malware dropper to their computer.

Once we’re at that stage, we can assume it’ll be game over for the target: their computer will have been compromised, the remote access trojan (RAT) installed by the dropper will likely have given the attackers access, and they’ll be making off with data or moving on to their next target.

All of this could take hours, days, weeks or even months, but be sure the attackers have the patience to wait it out.

For enterprise users, this type of breach could be catastrophic (see Sony Pictures). What starts with a simple phish can end in a whole lot more trouble. Enterprise users are generally well protected by their IT teams, but URIs (URLs in emails) are still not as protected as they should be. Consider how often you click a link in an email without thinking about it, assuming that the IT team have deployed enough protection to keep you safe. In reality, the Outlook.com phish, as well as most other types of spear-phishing, are likely to have made it past your enterprise email security gateway. This is exactly what attackers are relying on – they know a malicious file will never get to you, so they try to trick you into clicking their link.

Therefore, protecting the link is the only real way to defeat this threat, and for the enterprise that means adding another layer to the security stack: one that can re-write the link and scan it for malicious endpoints as it’s delivered to the end user. For business users of Office 365 this means a similar layer of security over and above the already useful Exchange Online Protection.

Obama’s 30-Day Breach Warning Is Just the Beginning

2014 was a tough year for global computer security. New advanced threats, like spear-phishing, have been grabbing the headlines. Barely a week went by without news of a breach, and few companies are starting the year without a nagging sense of vulnerability.

It’s no surprise, therefore, that this week President Obama unveiled plans for three new laws aimed at better protecting citizens’ data. The ‘Personal Data Notification & Protection Act’ proposal establishes a 30-day notification requirement from the discovery of a breach.

Hackers used spear-phishing to breach a German steelworks and cause massive physical damage

But much like similar proposals that have been hotly debated in Europe over recent years, this law is not enough to combat the growing threat on its own. The legislation may help ‘bring peace of mind’ to consumers but it’s just closing the door after the horse has galloped away with your data. Yes, consumers should be warned to change their passwords and check bank statements quickly in light of a breach, but of most importance should be the opportunity for affected companies and law enforcement to work together to identify and shut down the hackers for good. In short, this legislation will do little to tackle this and help prevent the breaches in the first place.

The danger from advanced threats and data breaches just got less digital and more real. In December, the German government revealed details of a sophisticated social engineering and phishing attack that reports say caused “massive damage” to a steelworks’ blast furnace. According to Wired magazine, we’ve not seen confirmed physical damage from a cyber-weapon since Stuxnet, the virus revealed in 2010 that ravaged centrifuges in Iran’s nuclear facilities.

So, if Target, Home Depot and ICANN taught us anything, it’s that security needs to be a top priority – and IT teams should be even more cautious. With their elevated administrative privileges, IT often becomes the primary target for attacks, as they allow an easy pivot point to gain access inside the network.

These phishing attacks could have been prevented with greater pre-emption of human nature. The bottom line is: without the right protection in place, it’s inevitable that one of your employees (even someone in your supply chain) will, sooner or later, receive a seemingly innocent email and click on a dangerous link. For companies without appropriate security and employee education in place, this year will likely be a repeat of the last.


Expert Webcast and Live Q&A – Forrester Research analyst Rick Holland and Mimecast’s Steve Malone share essential advice to protect your business against spear-phishing and targeted attacks.

Join us on Wednesday, January 21 at 11am Eastern (1600 UK, 1800 RSA).


Empower Your Mobile Users with an Active Archive

An enterprise information archive should be much more than cheap storage and data resiliency, or a place to hunt for (or lose) long-forgotten evidence in the event of an eDiscovery case. In fact, the enterprise archive, be it for email, files or IM conversations, now has a vital role to play in increasing employee productivity, rather than just being a dark and dusty vault where data goes to die.

Boost employee productivity with an active archive

As analyst firm Ovum predicts that enterprise end-user mobility will be top of the CIO agenda in 2015, ask yourself how quickly your users can find that two-year-old email or vital attachment while on the move. It’s worth considering how a lack of mobility will affect client response times or employee satisfaction in your organization.

The good news is that the move to better and brighter times has already begun. In its Magic Quadrant for Enterprise Information Archiving 2014, Gartner predicted that by 2019, “75 percent of organizations will treat archived data as an active and “nearline” data source, and not simply as a separate repository to be viewed or searched periodically.” For enterprise CIOs, this means we’ve got roughly five years to think about uncovering value in the vast quantities of data we store for undefined purposes at an undefined point of time in the future.

But balancing the information needs of an increasingly mobile workforce with secure and highly-available services often presents a major challenge, particularly for traditional on-premises IT environments. As data volumes grow exponentially and more valuable data is banked, many businesses are looking to the cloud to meet these demands.

Elastically scalable storage, predictable subscription costs, performance, ubiquity of access and high availability are important factors but the real advantage here is increased flexibility around scale and style of deployment as well as use of these services. Cloud archives can more easily accommodate connections to live Outlook services, SharePoint and third-party APIs. Moving the email archive to the cloud makes it easier to allow employees to search all of their data through their phones and tablets, a simple victory that is largely unsupported by on-premises archive vendors. All of these reasons mean an ‘active archive’ can only exist in the cloud; the limitations to performance, scalability, access, security and usage are too great when the archive remains on-premises.

Cloud archiving vendors are also the only type of technology vendor who are going to have a product roadmap that aims to create new and innovative ways to bring your data to life. Most cloud firms roll out changes, improvements and new features on a continuous delivery schedule, so there is always something new to delight your end users. By contrast, older, less agile on-premises technology vendors are usually stuck to a rigid multi-year release cycle that imposes significant burdens on your technical team; re-indexing your archive because of new ‘engines’ or search providers is a great example from two of the market leaders of on-premises archive technology. We don’t want to do that again in a hurry, that’s for sure.

An active archive for your enterprise information offers the business a single, secure repository in the cloud in which all your corporate memory can be stored, which is a simple, yet highly effective and strategic way to retain your data for the long term. For your end users, simply supporting their use of mobile devices will be a significant coup in what is seen as a stodgy and un-cooperative application service. But continuing to delight them with ways of experiencing and interacting with that data, today and into the future, will at last give them a way to find more productive ways of working.

If you’re stuck in the past and trying to break free from the aging and outmoded on-premises archive, this video may help you. I recently sat down with Gartner research director, Alan Dayley, to break down the benefits of the cloud over on-premises email archiving.


Target Breach One Year On: Email Is at the Heart of Supply Chain Security

One year after the Target data breach, there’s never been a better time to consider how vital email security is to maintain the sanctity of the supply chain. Email, by its very nature, directly connects companies large and small together creating opportunities for hackers to turn suppliers, partners or customers into unwitting victims of malware.

An obvious example of these dangers to the supply chain can be found in the Target breach, which ran from November 27th through December 15th last year and exposed credit card and personal data on more than 110 million consumers. The breach at Target appears to have begun with a malware-laced email phishing attack sent to employees at a heating, air conditioning and refrigeration firm that did business with the nationwide retailer.

Traditionally, businesses have used security scanning or gateway services to make traditional spam or phishing attacks harder, but these usually only protect users on the network and on corporate-managed devices. Determined attackers, meanwhile, are increasingly using a combination of sophisticated social engineering and targeted or spear-phishing emails in their attacks.

Securing your relationships with suppliers and third parties is quickly becoming a top priority for those who have learned a lesson from the Target breach. Since the evolution of BS7799 part 2 into its current form, ISO 27001, considering how to secure suppliers’ systems and imposing your security controls on those third parties has been a key part of security best practice. It is therefore not a new idea that we ought to ask our suppliers how they store, process and secure our data, transactions and connections.

At Mimecast we have elected to adopt ISO 27001 as the cornerstone of Mimecast’s Information Security Management System as it is globally recognized as the best framework to demonstrate audited and continual improvement and on-going security management. Recent additions to this framework (ISO 27001:2013) added greater emphasis on keeping supply chains secure. But this isn’t a guarantee of security, it’s only part of a much wider scope of protection, both theoretical and technological.

I also believe protection must be available to employees no matter the device used to access corporate email systems and without adversely affecting user experience.

For example, our own Targeted Threat Protection service immunizes all embedded links by re-writing them to point to Mimecast’s global threat intelligence cloud. This real-time security check protects against delayed exploits or phishing techniques that direct people to good websites at first, only to arm their dangerous payloads afterward.
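The link re-writing described here and in the earlier post on protecting the link, worked through as an added example (this is illustrative code, not Mimecast’s Targeted Threat Protection or any real gateway): every http(s) link in a message is replaced at delivery with a link to a hypothetical click-time gateway, and the destination’s reputation is re-checked at the moment of the click. The simulation shows why that matters for the delayed-arming case the post describes: the host is clean when the message is scanned at delivery and only appears on the blocklist afterwards.

```python
import base64
import re
from urllib.parse import urlparse

# Hypothetical click-time gateway used for the rewrite (assumed, not a real service).
GATEWAY = "https://click-gateway.example.invalid/u/"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def rewrite_links(body: str) -> str:
    """Replace every http(s) link with a gateway link that carries the original
    destination, so a click is routed through the gateway instead of going direct."""
    def wrap(m: re.Match) -> str:
        token = base64.urlsafe_b64encode(m.group(0).encode()).decode().rstrip("=")
        return GATEWAY + token
    return URL_RE.sub(wrap, body)


def unwrap_link(link: str) -> str:
    """Recover the original destination from a gateway link."""
    token = link[len(GATEWAY):]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()


def decide_at_click(link: str, blocked_hosts: set[str]) -> tuple[str, str]:
    """Check the destination against the *current* reputation data at the moment
    of the click, rather than trusting the verdict reached at delivery time."""
    dest = unwrap_link(link)
    host = (urlparse(dest).hostname or "").lower()
    return ("block" if host in blocked_hosts else "allow", dest)


# Constructed sample message and reputation feed (not real data).
MESSAGE = "Please review your account: http://login-portal.example.test/verify?id=42"


def simulate() -> dict:
    """Delivery-time scan sees a clean host; the site is armed later; the
    click-time check catches it even though delivery-time scanning did not."""
    reputation: set[str] = set()                 # nothing known bad at delivery
    delivered = rewrite_links(MESSAGE)
    link = URL_RE.search(delivered).group(0)
    at_delivery = decide_at_click(link, reputation)[0]
    reputation.add("login-portal.example.test")  # feed updated once the site is armed
    at_click = decide_at_click(link, reputation)[0]
    return {"rewritten": delivered, "at_delivery": at_delivery, "at_click": at_click}


if __name__ == "__main__":
    print(simulate())
```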

Enterprises must protect the user when they actually click, so in the (un)likely event you experience the same fate as Target, you’ve supplied the best protection technologically available. This last line of defense has become the only defense against those who seek to abuse the trust we have in our business relationships.