All posts tagged Security

Last month Israeli security forces imposed their right to examine your email at their border crossings; the initial panic was calmed by a clarification from the Israeli Attorney-General stating the specific circumstances for the search. Previously, in 2009, the United States imposed a right to search your electronic devices, and keep them for further examination, at border crossings too—without any suspicions of wrongdoing. Are these signs that our local data is no longer private when we travel?

State sponsored search of your devices, and data, now becomes the latest privacy worry for any international travellers; we’ve always been worried about malicious attempts to gain access to our data, or having our laptops stolen from airport security screening points, but now the case for travelling completely clean is made.

Many technology travellers I talk to have always maintained a set of clean equipment, which is only used on trips outside their native country. Before and after every trip their laptop, smartphone, and tablet get factory wiped and restored from a known good image. This is especially important when returning from a trip to ensure the platforms remain clean – those devices are also replaced more frequently than home devices, and are occasionally stripped to check for “extra hardware”.

Paranoid?

Maybe; but more sensible than paranoid, as we’re in the days of state sponsored hacking such as Flame, Stuxnet and Duqu.

If you’re wondering how you manage to work in such a sterile environment – have a think about how the cloud supports your remote working now. Keeping your data on your local hard drive isn’t the necessity it once was; it seems quite antiquated to me.

Cloud services that allow you to store your data online mean you’re only ever a click away from that data, and given the ubiquity of Internet access these days, that’s never a problem. Of course data stored in the Cloud isn’t beyond the reach of a search warrant or subpoena, but at least it’s not local on your device being carried through a border crossing.

Email inboxes should remain empty until you’re safely through a border crossing, and on a known and trusted network. Once you’ve downloaded your recent email remember to remove the account and wipe the device before you leave the country too; there’s no sense taking the precaution for inbound border crossing and forgetting about the outbound.

The same applies to file data, leave your files in the cloud and only access them when it’s safe. Don’t store anything locally unless you can securely wipe the hard drive after use.

From an enterprise IT perspective; CISOs and CIOs should educate their users on how to handle such incidents, and of course draw up a policy for international travellers. It does occur to me that your IT department can help, by disabling your access to ‘their’ services on your devices until you give them the go ahead once safely at your destination. Deleting your stored passwords on devices would also prevent the access of data not stored locally.

For travellers the Cloud should now be as essential as your flight socks and money belt. As someone before me once said – “Don’t leave home without it”.


CISSP, CCSK
Mimecast


Doctor Who: Series 7 Part 2, The Bells of Saint John.

There’s something in the WiFi. You know you’ve made it as an actor and as a security issue when you appear on Doctor Who. If, like me, you tuned-in to (showing my age there, who “tunes-in” anymore?) the new series of Doctor Who last weekend, you may have chuckled at the use of WiFi networks as a medium for evil. Rogue Access Points that upload the soul of their users, leaving them trapped inside a Spoonhead, sorry server, somewhere in London’s Shard building. Kudos to the script writers for the plot, and for renaming servers, spoonheads – I’ll be in the spoonhead room.

“I don’t know where I am… I don’t know where I am…” is a cry most IT managers, administrators and help desk staff have heard in their time; usually from hapless users trying to find their way onto the network or perhaps around their desktop, rather than being trapped inside an evil WiFi network. That wasn’t lost on me, nor was the uploading of souls; something we might think Facebook has in their roadmap–or at least the curating of your own soul. The evil walking WiFi base stations, hoovering up data and people, did remind me of Google Street View cars that were caught hoovering up WiFi networks, but I’m sure that’s coincidental.

Now, while not all WiFi networks are this evil there are certainly many we should avoid. I’m still amazed to see the SSID “Free Public WiFi” whenever I’m on a train or at an airport; while not necessarily unsafe, it does indicate an old and unpatched version of Windows XP is running somewhere – which in itself is terrifying. Others are certainly more dangerous; there’s often a looky-likey network at conferences or near popular coffee shops, designed to trick you into joining and routing your traffic through them. This is just plain unsafe, and even on open public networks you should always use a VPN or at least HTTPS connections. Firesheep was an excellent demonstration of how vulnerable unencrypted web traffic is on open wireless networks.

As IT professionals we’re constantly reminding our users of the security risks associated with the unknown; like free or open WiFi networks as well as clicking links in email. Hopefully now Rogue Access Points have made it to prime-time this job will be a little easier.

I’m waiting to see if there is another episode of Doctor Who dedicated to Phishing emails, or perhaps password sniffing, but in the mean time I’m trying to work out how to change my SSID to that funky font used in Doctor Who.

Remember, if you’re looking for WiFi and sometimes you see something a bit like this, don’t click it.

Stay safe!


This weekend Evernote became the latest cloud vendor to have its systems breached; user data including passwords has been compromised. In case this is news to you, a quick recap – Evernote assured us that passwords were correctly hashed and salted unlike LinkedIn, who neglected to salt their passwords. Evernote didn’t tell us whether or not the salts were compromised too. The attack “follows a similar pattern” to others so we can assume some sort of long term APT style compromise.

There are a couple of interesting observations one can make as a result of this last hack.

The usual amount of your-data-in-the-cloud-is-not-secure media hysteria has been dished out; no doubt some Evernote users will be busy deleting their notes as a result, even though their contents are probably as interesting as the ingredients list on a bottle of water. Being an Evernote user (yes, I have reset my password) I can’t help but think this isn’t about data in the cloud, or about the cloud at all; this is more about a target. Evernote was the target in this instance, before them it has been LinkedIn, Facebook, Yahoo, RSA Security, New York Times, Iranian nuclear centrifuges, the list goes on. Once the target has been identified this sort of “coordinated attempt to access secure areas” is likely to succeed regardless of the data’s location. The data could be anywhere; in the cloud, a server on your LAN, one of your users’ laptops (Facebook), a mobile device, a filing cabinet (remember those) or even data left on someone’s desk – the attackers will use whatever means they need to compromise that data.

Secondly, if there is weak security protecting that data, again the location is unimportant. Putting the data in the cloud on a dedicated platform means, as in Evernote’s case, the breach can be monitored and contained by people whose job it is to do that. There is very little one can do to contain the old school espionage attack that reads secure material from your desk or even from your rubbish bin.

Evernote did the right thing and alerted its users to the hack, emailing them to advise password resets. They did slip up slightly though, by providing a link in the same email that also suggests users should “Never click on ‘reset password’ requests in emails — instead go directly to the service”. But to be fair, this is the first time Evernote has had to deal with this threat.

What this sequence of events really means is that 2013 could be the year that cloud service providers will rebalance their priorities, so that preparedness for attacks will be as important as getting the latest app version out the door, and also that we as consumers realise the importance of our data regardless of where we leave it.


Cloud computing is becoming the paradigm shift it always promised to be, even for larger organizations who scoffed at the cloud’s lack of enterprise support or security and thought it was for SMBs only. The promised all-around savings in almost all aspects of IT’s hard and soft costs are driving more and more businesses to adopt the cloud, as it allows them to shift large chunks of budgetary Excel spreadsheet from Capex to Opex.

Over the last few years, the cloud has brewed up a storm in the IT Infrastructure world. The basic idea behind the cloud is to deliver centralized IT services, usually from a third party, to help free up almost all operational and administrative burdens in the local IT department of your business. The cloud is routinely defined as having a handful of essential characteristics; on-demand self-service, broad network access, resource pooling, rapid elasticity and scalability.

The underlying technology behind the cloud is not that different from the systems traditionally within your network; cloud services generally offer platforms that replace onsite services like email, file handling, information management, and so on. The cloud simply uses the same standards and protocols as any other platform in its normal communication and everyday operation, so there is really nothing new here. We shouldn’t worry about how the cloud utilizes these standards, as being RFC compliant is an essential part of Internet participation.

Providers of cloud services and platforms also subscribe to an evaluative standards model as a way to differentiate themselves and ensure they are providing best practice and recognizable standardized behaviour to their customers. Evaluative standards are used to certify providers’ infrastructure, services and importantly their processes; the most common and well known form of evaluative standards are the ISO family, and the most applicable for this discussion is ISO 27001:2005, or to give it its full name ISO/IEC 27001:2005 – Information technology — Security techniques — Information security management systems – Requirements. These standards are the most obvious areas we can improve on for the purposes of securing the cloud, and to some extent work has already begun.



CISSP, CCSK
Mimecast


Late last year I wrote about how important an email address is, and suggested that your email address is really part of your identity. That post seems more relevant today than when I wrote it, as this week we learn that both LinkedIn and eHarmony have had user credentials stolen.

LinkedIn confirmed that some of the passwords stolen do correspond to their users’ accounts, but that those passwords have since been disabled. Yesterday eHarmony confirmed a similar problem, on their blog. We can assume that for every stolen password the attacker has the corresponding email address, so is able to cross reference user details against cracked passwords. LinkedIn estimated that around 60% of the stolen passwords had already been cracked; this isn’t a surprise given what we know about the commonality and simplicity of users’ passwords, and the tools available to attackers such as Rainbow Tables.
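The Evernote post above draws the line between hashed-and-salted and merely hashed passwords, and this paragraph explains why unsalted hashes fall so quickly to precomputed (rainbow) tables. The following is an added illustration, not code from Mimecast or from either of the breached services, and the user table and wordlist in it are constructed: two users pick the same weak password, one store keeps a bare SHA-1 of it (the scheme criticised above), the other keeps a per-user random salt with an iterated PBKDF2 hash. The same tiny precomputed table recovers both unsalted entries at once and finds nothing in the salted store.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed wordlist standing in for a precomputed/rainbow table.
# No real breach data is used anywhere in this example.
WORDLIST = ["password", "123456", "linkedin", "letmein", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """Bare SHA-1 with no salt: every user with this password gets the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_salted_record(password: str, salt: Optional[bytes] = None,
                       iterations: int = 100_000) -> dict:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256).

    The iteration count is kept modest so the demo runs quickly; a production
    deployment would tune it upward or use a dedicated password KDF.
    """
    if salt is None:
        salt = os.urandom(16)          # fresh 128-bit salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def precomputed_table(words: Iterable[str]) -> dict:
    """hash -> plaintext, computed once and reusable against any unsalted dump."""
    return {unsalted_sha1(w): w for w in words}


def matches_in_table(hashes: Iterable[str], table: dict) -> dict:
    """Which stored hashes appear verbatim in the precomputed table."""
    return {h: table[h] for h in hashes if h in table}


def demo() -> dict:
    """Constructed scenario: two users chose the same weak password."""
    users = {"alice@example.com": "password", "bob@example.com": "password"}
    table = precomputed_table(WORDLIST)

    unsalted_store = {email: unsalted_sha1(pw) for email, pw in users.items()}
    salted_store = {email: make_salted_record(pw) for email, pw in users.items()}

    return {
        # identical digests: cracking one user cracks every user with that password
        "unsalted_identical": unsalted_store["alice@example.com"] == unsalted_store["bob@example.com"],
        "unsalted_recovered": matches_in_table(unsalted_store.values(), table),
        # different salts: identical passwords no longer share a digest
        "salted_identical": salted_store["alice@example.com"]["hash"] == salted_store["bob@example.com"]["hash"],
        "salted_recovered": matches_in_table((r["hash"] for r in salted_store.values()), table),
        # the legitimate login path still works because the salt is stored with the record
        "alice_verifies": verify_salted("password", salted_store["alice@example.com"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not need to be secret (Evernote’s silence on whether the salts leaked matters less than whether the hash was iterated and salted at all); its job is to force an attacker to recompute the table per user rather than once per site, which is exactly what the table lookup in `demo()` shows failing.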

LinkedIn’s disabling of users’ passwords is a good first step, but the password is only half the problem. Given that the majority of these services require users to login with, or at least register, an email address it is likely that the users’ credentials could well be valid across a variety of social media sites. I have today seen first-hand proof of this quite close to home, as no sooner had news broken of the LinkedIn hack than one of my colleagues received an alert from Facebook telling them someone had logged in from a new location and device; same email address and of course same password on both sites.

The problem highlighted here, and one that many of us are guilty of, is sharing passwords with many accounts, whilst the common factor is always the email address. Using a different email address for all your digital and social identities is impractical, using the same email address and password is simply convenient but lacks security; we trust our online service providers to keep our identity secure. But we’re learning the hard way that sharing passwords is and has always been a bad idea. Unfortunately RSA Security, Epsilon and HB Gary also found this out a little too late.

Mimecast’s own research released this week tells us that IT departments are worried about the risk presented by social media; fully 59% of IT teams we spoke to believed that social media usage at work increased the risk of corporate information leaks. It would seem that the users’ convenience is also a significant contributory factor to that risk. I would bet that some LinkedIn users probably login with their work email address and favourite password; I shudder to think what other online corporate services that email address might gain access to.

The lesson we should take away from the LinkedIn and eHarmony breach is twofold; we must learn that our email address is now a vital part of our identity and we should consider how it ties us to so many of our online services. Secondly there is a delicate balance between convenience and security. Sharing credentials between online identities means if you lose one you could lose them all. There are a number of tools that will let you generate and store complex passwords locally, then auto submit those passwords as login credentials to websites; whilst that might seem onerous the risk of compromise of all your online identities is small. IT Managers should also take this opportunity to educate their users on the benefits of good password discipline, password complexity and rotation.

Protecting your online identity is a 21st Century problem that one needs to take care of, convenience and laziness are your own worst enemy.


There has been much debate recently about the value of email when compared to Instant Messengers and Social Media. I’m not going to reinvigorate that debate here, but the whole passionate brouhaha has got me thinking about what it means to actually have an email address and how important that short string of text has become.

Two words spring immediately to mind when I think about what is actually in an email address; those words describe a process that has quite a profound effect on you as a user of Internet services. Those words are:

           “Password reset”

Your email address, whether given to you by your employer, your ISP (remember CompuServe?), or chosen by your own fair hand seeks to identify you. In many cases an email address is your name, or part thereof, and is generally recognizable unless you’ve taken steps to make it less so.

I have an incomplete thought about this identity; we take this identity for granted, we assume that this identity is true, and we generally don’t question the legitimacy of an email address or the identity of the supposed sender. This of course is exploited fantastically well by malicious senders who are attempting to dupe us out of our financial information or login credentials. As a former penetration tester I can tell you that I’ve always had 100% success with email-based attacks sent from addresses that ‘claim’ to be from someone they’re not, especially if the sender demonstrates a little knowledge of the recipient or subject at task.

But, and here’s the paradox; we understand social engineering and phishing very well, yet we still treat an email address as an identity don’t we?

Often this identity is all you need to carry out that password reset; gain control of an email address or account and you have instant access to a mind-boggling array of personal accounts and information. Often the ‘forgotten password’ link simply asks you for your address, sometimes you may be prompted for more information – ‘mother’s maiden name,’ ‘place of birth,’ ‘month of birth’ etc – social media anyone? Some sites even ask you for ludicrous validators like “your preferred internet password.”

I expect that just supplying an email address to a website to request a password reset is a shortcut on that website’s part, they could do more but probably don’t want to over complicate things for you. This is a fantastically naive expectation of identity on a simple, string of text. I suppose the expectation is that the recipient hasn’t had their email account compromised, but no website I’ve ever used has asked that question.

Culturally an email address now makes up a significant part of your identity, in some cases it is 100% you. I suspect without the casual and formal asynchronous subject centric communications currently known as email (to coin a phrase of our CTO) you will find you lose a little of your identity, even if you can no longer reset your <insert website of choice here> password.


Doug Cavit, the Chief Security Strategist at Microsoft recently did a great video on Cloud Trust at 10,000 feet.

It boiled down to- Can you trust it and how does Microsoft do Cloud Security? Which raises the obvious question: How does Mimecast compare?

Doug is a really interesting guy- he was the CIO of McAfee for 8 years- protecting them from threats – an important job if you consider what happened to RSA. When he joined Microsoft he worked on the OneCare product team as Microsoft started to become more of a service provider in the security space, so he’s definitely one of those people that’s been on both sides of the table.

In the video he’s answering one of the questions we get asked most: How can I trust my data is going to be safe in the Cloud? And it’s a question we take more seriously than anything else.

The fundamental difference in Cloud vs On-Premise is control.

When your data is on your own equipment, you have ultimate visibility and control over the policies and processes that operate on that data, which means you can be the ultimate arbiter as to how it’s treated. With the Cloud, you aren’t. So how do you deal with that?

With Cloud, you need to trade control for transparency.

That’s the only sustainable way to cede control over something so important- your business data, and in our case, your primary communication method, email.

So we take transparency extremely seriously here at Mimecast, to the point where we have a whole team of people dedicated to transparency- helping our customers receive the insight and information they need from us.

What makes a provider transparent and therefore trustworthy?

Policies are the jumping off point- ensuring these meet your requirements as a customer. Policies are fine, but how do you make sure they are followed into procedures? This has consistently been one of the hardest things for Cloud companies to prove because in an emerging sector like Cloud, standards always lag behind the technology. So we’ve had to forge best practices and procedures through collaboration with organisations like the Cloud Security Alliance, which is helping ISO update the Cloud security controls for ISO 27001. But we’re getting there, and hopefully soon we’ll have the most comprehensive ISO 27001 implementation of any Cloud provider to date.

What about reliability?

This is where the rubber meets the road. To take a phrase from the financial services industry- “Past performance is no guarantee of future results” couldn’t be further from the truth- what has the service provider delivered to date? Are they open about it? What’s their SLA to back it up? And we like to put our money where our mouth is too, with an industry leading 100% uptime SLA.

Thinking more broadly about putting your data in the Cloud- one of the most important things to think about is the actual data- how much risk does it represent? It sounds like a ridiculous question, but classifying the data is such an important part of GRC: you don’t need to protect your marketing brochures the same way you protect your trade secrets. Doug has a great quote from the video “I can’t protect something if I don’t know what it is”.

Thinking about the lifecycle of the data and your relationship with the Cloud provider is critically important- I talk about Birth, Marriage and Divorce in my presentations. It’s easy to think about the birth and marriage when going to Cloud, but vital to think about divorce, in case you need to get it out at the end. It’s a tough question for structured data, like accounting or ERP but significantly easier for unstructured data like emails. Our customers can download their data at any time.

One thing he doesn’t mention is data sovereignty… where your data is physically located, which is becoming more and more important because of legislative requirements and judicial concerns, like the Patriot Act. Having your data located in the right jurisdiction is critical.

So like Microsoft we take a two step approach to security.

  1. We reduce vulnerabilities as much as we possibly can in software
  2. And recognising that issues will happen- when they do, the key is how you deal with them. Triage, Identify, Learn and Integrate that learning into processes. We’ve been doing that for 9 years- that’s a lot of experience built into our processes.

To top that off you can always reach a human being at Mimecast. Someone to help you resolve your issues and escalate them appropriately. I love that. When I got locked out of my Google Apps account the other day- it took a few days for them to respond to my email…

Having a deeper understanding of Cloud security will enable you to use the Cloud provider to do what they do well – abstracting your IT department away from the complexity of running the service.

So can you trust the Cloud? I think so. Like Doug says, just know what you’re trying to accomplish and make sure the vendor offers you the right amount of transparency.


Cloud Strategist
Mimecast


Despite seeming like an age ago, InfoSecurity Europe has only just come and gone for another year… Boy this year is going fast!

I took the opportunity at InfoSec to update my take on Generation Gmail- Why are corporate email users flocking to webmail to get their job done?

Before you can answer that question, it’s important to ask why that’s even a relevant question?

  • It is believed around 80% of corporate Intellectual Property (IP) is contained within email- when it goes to personal webmail you lose control of this
  • If 80% of your corporate IP is in email- that means a lot of your trade secrets are in there too.
  • There are Data Protection and Data Sovereignty requirements to comply with, enforced by regulators like the ICO, FSA etc.
  • Does Personal email comply with anti-malware requirements?
  • Password Policy?
  • Retention and audit policies to enable e-discovery?
  • Legal requirements- like disclaimers and notices (Company Number, VAT etc)
  • What about Data Leak Prevention?
  • Interception by third parties?

The answer, clearly, is a resounding NO. And why should personal webmail providers comply? It’s personal webmail – not intended for corporate use.

This is creating a complete nightmare for corporate IT- and despite IT making individuals aware that this isn’t allowed and the risks involved: they’re still doing it….

What’s driving this?

Overwhelmingly, the evidence is pointing to the consumerisation of technology. The increasing use of technology in people’s personal lives is making them aware of, and used to, what is possible, and they’re bringing (demanding?) the same technology in their work life. iPhones and iPads are a case in point though our research shows email is becoming the new battleground.

This represents a massive shift- is this the first time personal or consumer technology is driving the business technology agenda? Our Generation Gmail research suggests so- 65% of people say that home and work technology overlaps.

Yet despite this consumerisation- people keep saying “email is dead”. New data I got yesterday from Nielsen (via Hubspot) shows that time spent using email on mobile phones leads almost any other mobile internet use by nearly 4x, at 38.5%. Social Networking is second at a paltry 10.7%.

Clearly email is not dead- it’s the lifeblood of communication. And with mobile shipments surpassing PC shipments for the first time ever this year it’s going to continue its ascendancy.

What should companies do about it?

It’s a complex answer, dependent on your particular technology situation, location and the regulation you’re subject to. There isn’t a one-size-fits-all answer. Typically we’ve seen that email hasn’t been a priority investment area through the last few years- with a lot of businesses remaining on Exchange 2003 and 2007 as a way to mitigate against the costs of migration. Users now feel like the corporate email doesn’t compare favourably with consumer webmail- which is right, since the technology is nearly a decade old in some cases. That’s why they’re finding innovative ways to work around perceived obstacles and becoming “workaround workers”.

Policies alone aren’t enough to stop them- they have to feel like corporate email is a better alternative to personal email. They have to want to use corporate email.

So what can companies do?

Typically the majority of migration costs aren’t the Exchange piece- it’s the environment that sits around it. Over the years IT has had to bolt on solutions such as Archiving, Security, Disclaimers, Secure delivery, etc. The list goes on. Managing this complexity through a migration adds to risk and complexity which creates cost. I think IT needs to put themselves in a position where they can migrate, when they’re ready, because Exchange 2010 for example, is a big step up from 2003. Night and day different actually, especially if users are on Outlook 2000 or 2003 and make the move to Outlook 2010.

Don’t let users put you on the back foot with personal email- start putting the steps in place today to get migration ready and get them wanting to use corporate email.

Here’s the deck:


Cloud Strategist
Mimecast


Some Definitions

Server (sûr’vər) – noun – A computer that manages centralized data storage or network communications resources. A server provides and organizes access to these resources for other computers linked to it.

Hugger (huh’ger) – noun – A tight clasp with the arms; embrace.

I would therefore suggest that if you’re tightly clasping or embracing, with your arms, a computer that provides and organizes data, network resources or other computers – you’re a server hugger, even just metaphorically.

Why

I had never heard of a Server Hugger before; tree hugger maybe. After checking the authoritative tome on the subject, the Little Book of Hugs (of course), I am none the wiser.

This all came about after a meeting where the topic of discussion was mostly Cloud and Email Management in the Cloud; a quick debrief revealed that one of the ‘opposing team’ was a card carrying Server Hugger, and staunchly opposed to all things Cloud. So that got me thinking.

There’s no known cure for being a server hugger, but luckily it is yet to be a terminal problem; unless you include Terminal Services. It’s no bad thing if you are a Server Hugger, even if undiagnosed, just think of all the new concepts and technologies you can offer your employees by adding just a teeny little bit of Cloud to your network.

10 Signs you Might be a Server Hugger

These 10 signs might indicate you’re a server hugger.

1. You enjoy large air-conditioned rooms, lit only by strip lights, devoid of all soft furnishing. The rows of metal boxes or racks will appeal to your organized side. The constant hum and fizz of white noise relaxes you.
2. Using a fingerprint or hand biometrics to gain access to rooms still excites you.
3. You can’t walk past messy or disorganized cabling (of any kind) without tutting and shaking your head.
4. When you apply patches to your servers or application you can’t help but think services take longer to start when you watch them.
5. You believe any ‘progress bar,’ especially the blue ones, have built in anxiety detectors. The more anxious you get the slower they go.
6. Blinking green or yellow lights have a calming effect as you look at them, almost hypnotic. Red ones give you that ‘ohno second’ feeling. You would go out of your way to buy things with blue LEDs.
7. You like the feel of cold rackable metal boxes. You touch them often.
8. You’re thinking Cloud is the same as virtualization, something we should take a look at sooner or later, but for now you have users to deal with.
9. You believe there is no security applied to Cloud data, regardless of what the vendor tells you.
10. You have half thought about Aralditing up your users’ USB ports to stop them plugging things in.
11. (One for luck): You worry about all those servers and boxes and applications and green lights and red lights, but secretly you just need a big Cloud hug.

If you or someone you know is affected by this problem or you recognize more than six of the symptoms you should consult us straight away for the only known cure.


CISSP, CCSK
Mimecast


I’m itching to find out exactly how the attackers who broke into Epsilon did it. Speculation so far is pointing at a well crafted social engineering or phishing attack, specifically a spear-phish. Epsilon are remaining tight lipped about the whole saga, but the press release on their website gives us a small clue.

“…an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system”

Unauthorized entry into the email system eh? So you mean someone either gave their username and password away or the system was cracked. The former being the most likely.

The reason I’m so keen to find out exactly how this happened is because Epsilon use a popular hosted security service for their spam and virus filtering, so if the attack was indeed delivered by email there will be some interesting questions being asked. Probably similar to the navel gazing that is currently going on at EMC and Condé Nast, along the lines of… “given all our protections how did this happen?” If a spear-phishing attack does turn out to be the cause it will have circumvented classic protections – and that is alarming.

Phishing is not new

Criminals have been after our bank, credit card and financial information for years. Initially their use of the English language is what gave them away, but recently the attackers have been using native English speakers to craft their wares in the hope their motives will be less obvious.

Combine this with the 419 crime and advanced fee fraud that has been floating around since the Internet was invented, even before, and you’ve got a wonderful cocktail of mischievousness waiting to catch you out. I’ve lost count of the number of distant Nigerian relatives lost in plane crashes and even closer relatives who are regularly getting whacked by London buses. For the record my grandmother would never email me from hospital after being hit by a bus. She’s only just getting the hang of her “New” VHS Video player.

The problem

A few weeks ago we wrote about another unfortunate organization that suffered an …ahem… unauthorized entry to their email system. The HBGary incident was overshadowed by a very well executed attack on EMC, specifically a spear-phishing attack. The interesting detail about the drama at EMC is that the first ‘malicious’ email ended up in the users’ Outlook Junk Folders, but was still actioned. The attackers sat back and waited until they had worked their way far enough up the tree, laundering their own actions through the actions of the unsuspecting users. HBGary was slightly different, in that the user’s password was compromised on a 3rd party CMS application, given the user had the same password on their email account. In other words, the attacker got lucky.

I have spent many years carrying out discreet penetration tests for customers, where weaknesses that gave up root access to a box were quite common. If not, you simply walked in the front door and took whichever box you wanted. Today phishing plays a major part in these types of tests, and for good reason – socially engineering end users is unbearably easy. A friend of mine who still carries out penetration tests tells me that a well crafted phishing attack is usually all they need these days; in fact she routinely sees success rates of up to 90%. In one case the email was actually forwarded on so the success rate came in at 110%.

What does this mean for you?

There will be more attacks, more disclosures and more embarrassment – why? Because it’s breathtakingly simple to phish your way into an organization. But don’t let this scare you. Use this knowledge and the recent events to motivate the training of your users.

Importantly, remind them that no matter who they are or what their job function is, everyone is at risk – especially those of you that publish huge amounts of personal data on social networks. If I see you like a particular bar/shop/pizza joint/football team, you can bank on me using that as an angle to get you to do things for me.

After-all who turns down free beer/shoes/pizza/football tickets, especially by email?
