« Back to News
Mar 9, 2021

Blog: How to Address Ransomware, Phishing, & Business Email Compromise

Blog post written by Chamber member Garland Sharratt, Consultant in Cybersecurity / Information Security & Resilience

You’ve almost certainly heard of ransomware, phishing, and business email compromise, and you probably have a general idea of what they are – enough to be worried -- but how well do you understand the risks these threats create and how to protect your organization?

Let's start with the simplest threat, phishing to steal credentials. Phishing is mostly delivered through email and this type of phishing generally aims to fool the recipient into giving up their account credentials – userid and password -- using a fake login page. Using the stolen credentials, the attacker can obviously perform an account takeover of the cloud service account in question, but they will also likely be able to use credential stuffing to take over other accounts owned by that userid, because most people reuse passwords between accounts. (Reusing passwords is one of the worst things that users can do from a security point of view.) 

There is a related threat, a server-side attack, that involves an attacker stealing obfuscated credentials from the cloud service itself and then using cracking to recover the passwords. This attack works because most people choose passwords that are not strong. What makes a password "strong"? It's sufficient length, sufficient randomness, and sufficient character types complexity (the mix of uppercase, lowercase, digits, and symbols).

Business email compromise (BEC) requires the most effort for the attacker. In a typical compromise, the attacker will get access somehow to an email account for an organization head or financial head and will monitor the email traffic for a while. When ready they will send a fake email to an employee requesting a wire transfer to some outside destination.

The last, and probably most important, threat we'll discuss is ransomware. This is a type of malware usually delivered through phishing emails. A user will typically be fooled into executing a file attached to an email or to clicking on a link in an email and downloading a file, resulting in a compromise of their device by the attacker's malware. Ransomware encrypts the infected computer's files in place and then demands a ransom payment to provide the decryption key; and the ransomware will typically try to spread to other computers in the organization. Increasingly, though, ransomware does more than encryption: it will send a copy of the victim's data to the attacker's server before encrypting it, and the attacker will threaten to publicly release the data if the ransom is not paid.

If we analyze the four threats in detail and look at how to mitigate the resulting risks, it turns out that we need two different sets of mitigations, aka security controls.

The Type 1 controls address the primary risks of account takeover and credential stuffing, and financial loss for BEC:

· user security awareness training;

· proper use of passwords;

· a password manager;

· proper use of the password manager, including using it to autofill login pages;

· two-factor authentication (2FA); and

· for BEC, setting up a proper verification process for financial transactions.

The Type 2 controls are targeted at the primary risks of device compromise (by malware) and destruction of data (by ransomware):

· user security awareness training;

· an email anti-spam/malware filter;

· security hardening of devices, especially computers, including the use of antimalware and anti-ransomware software; and

· data backup.

User security awareness training is listed first for both type of controls because it's usually the most important control that organizations can put in place. An organization is only as secure as the least security-conscious user.

The above is a highly condensed version of the full post on my blog; refer to the original for important details that wouldn't fit here. And please join the KCC Business Smarts webinar on March 24 where I'll be talking in detail about Type 1 controls.

 

Blog written by: 

Garland Sharratt

Consultant in Cybersecurity / Information Security & Resilience
CISM, CCSK, CIPP/E, MBA
Kelowna, B.C., Canada

VISIT HIS WEBSITE