From Michelangelo to ransomware
Last month’s Mr Chow ransomware attacks serve as a timely reminder that security should be at the top of any business IT strategy. Ransomware is on the increase, at least according to the FBI, and while it is not all email-borne, it is an example of how sophisticated hackers and criminals are getting with technology.
Certainly the recent spear phishing attack at sports anti-doping agency WADA was a clear indication of the lengths attackers will go to in creating detailed and personal emails to hoodwink targets.
Clearly, email is still one of the biggest threats to business security and will continue to be so for a very long time.
In some ways it’s no surprise.
Email use is as healthy as ever.
According to research company Radicati Group’s Email Statistics Report 2015-2019, over 205 billion emails were sent and received every day last year.
A six percent increase is expected this year and although numbers vary dramatically from report to report, it seems to average out that around one billion of those emails are spam or malicious emails.
Back to the ’70s
In security terms email is of course just the delivery vehicle but it has history.
Computer viruses date back to the days of the mainframe and early IBM PCs in the 70s and 80s but it wasn’t until the increased proliferation of email in the late 90s and 2000s that email started to really kick off as a security threat.
The Michelangelo virus, Melissa worm and Anna Kournikova virus all became synonymous with computer security threats during the internet boom and dotcom years.
Spam email was rocketing too.
In fact, according to Professor Alan Woodward from the Department of Computer Science at the University of Surrey, all that we see on email is exactly what has happened on regular snail mail.
The big difference is that it can be done on a massive scale, and you can deliver electronic payloads that once opened are harmful, unlike the normal spam mail you get through the letterbox.
“I have to say I think things have become a great deal better.
In many ways junk mail filters on corporate mail servers like Exchange are something of an unsung success story,” he says. “Sadly it takes only a few to get through to cause problems but these servers are routinely blocking vast amounts of junk, spam, phishing and malware.”
It’s a good point. We often forget about the good work and how quickly security firms react to new threats. Of course, email is not about to disappear from business either.
It’s too useful and is a good way of storing a messaging dialogue but as Woodward points out, it’s not the only messaging form that can be open to abuse.
“I’ve seen scams only this week using WhatsApp, and phishing using SMS,” he says. “If anything I suspect people who have learned about the dangers of email will end up learning all over again (probably the hard way) that other messaging vehicles can be used to deliver a variety of attacks as well.”
For businesses this is a perennial problem.
Threats from email are as old as, well, email, and keeping pace with any technology change is a constant challenge.
Security is however a unique challenge with increased remote working, a variety of devices with an ability to roam networks and an increasingly sophisticated cybercriminal.
Prevention, as security firms have been saying for years, is better than cure.
Ask US presidential candidate Hillary Clinton.
She is something of an email security expert now, especially when it comes to understanding the consequences of not taking email security seriously.
After being caught using a personal email server for official communications while acting as the US Secretary of State, Clinton has also been hacked, supposedly by the Russians.
She is not alone of course. Large businesses and government departments, as well as well-known names, are consistent targets for hackers.
Consequently, says Joe Diamond, Director of Cybersecurity Strategy at Proofpoint, “Customers demand more from their security solutions today more than ever before.
That’s why we see security in board level conversations.
Visibility about who is attacking you, what they are using, who in the organization they are targeting… and even understanding whether your organization is being singled out or caught in the crossfires of a broad attack campaign, are all insights to help organizations respond.”
So are people doing enough to protect themselves?
“I think companies can do only more of what they are already doing,” says Woodward. “Use of up to date mail servers, anti-virus and so on is an obvious point.
Education is equally important, especially with BYOD muddying the waters. One has to be careful to educate users that not all mail clients are the same.”
Education or lack of it has of course led to human error enabling threats to sneak through cyber defences.
Interestingly the number of security breaches reported to the Information Commissioner’s Office (ICO) has doubled this year, up to 2,048 from 1,089 in 2015.
Around 70 per cent of these reports were due to human error.
“It does suggest that the protection is best done at the server but that is not always possible,” adds Woodward. “Plus if one person is hacked their system can send emails that will appear perfectly valid to any automated system, so the human in the loop has to be on guard.
I don’t think any technology is leading the charge but what you are seeing is a more sophisticated scoring system for spam emerging and some of that is being supplemented by heuristics.
The systems are learning from what you delete, what is junk.”
The human factor
Nevertheless tech can only do so much.
As Woodward says, it only takes one or two to get through and cause havoc.
Throw in the fact that cloud-based email services are growing and you can see potential for greater damage if businesses don’t act. Research firm Gartner reported earlier this year that even worldwide enterprises are seeing increased use of cloud email services, noting that 13 per cent surveyed claimed to have cloud-based email.
This will only increase although maybe not at the rate Microsoft is predicting.
So what impact if any will this have on security?
“The risk with cloud-based email is the same as one of its major benefits – it’s easily accessible from anywhere in the world,” says security expert blogger and analyst Graham Cluley. “If users have chosen a weak password, or made the mistake of reusing a password across different sites, then it won’t be an enormous surprise if their webmail is targeted by an online criminal.
To reduce the chances of such an attack being successful, webmail users should enable additional security measures (such as 2FA).
And obviously, stop re-using passwords or choosing weak, easy-to-crack passwords.”
Will we ever get to a point where email is no longer a major vehicle for security threats, or is it just a case that, as long as email is popular, it will always be a target because users will always make mistakes?
“It’s inevitable that people will click – curiosity and the desire to help are human nature,” says Proofpoint’s Diamond.
“I think email will continue to be one of the major vectors of online attack for years to come,” says Cluley. “If email were invented today it would be laughed out of the room, because of its inherent lack of security features such as encryption.
But it’s already here, and just about everyone has an email address and is using it every day. We can roll out security fixes as much as we like to make our technology more secure, but we can’t patch the bug in people’s brain which makes them click on a fake invoice attachment, or open a craftily socially-engineered link.”
Nothing new under the Sun
Yes, the human error thing.
So are we perhaps overestimating the cyber criminals, giving them more credit than they deserve in terms of sophistication? If it’s just a matter of human error then perhaps the cyber criminals are beatable?
“The truth is that the majority of attacks people encounter are not revolutionary,” adds Cluley. “They’re just variations on the same malicious email attachment/dodgy link that we have seen time and time again over the last 20 years.
The typical criminal doesn’t need to reinvent the wheel because the old attacks continue to work so well.”
As if to drive home the point, last month Gugi, a bank account raiding trojan, was reported to have sidestepped the latest Android 6 security features.
Although not a bog standard hack, the premise is the same. Plant a bit of malware via email and let it work its way across connected devices.
Simple; so simple, in fact, that the rate of malware is increasing, and at an increasing rate.
“It is possibly the fastest form of attack,” says Woodward. “It is easy to do and the return is terrific, so criminals love it.” So what should businesses do to protect themselves? An obvious point of course is making sure the relevant security software is in place and importantly, is kept up to date.
The same goes for all software drivers and versions of operating systems.
“Educate users not to open files that they are not expecting,” says Woodward. “Practice your ABCs – Assume nothing.
Believe no one, and Check everything should be drummed into users – personally I preach ABCD – if in any doubt Delete.”
Part of the education is also preparation for when things go wrong.
At some point the law of averages says a business will be hit, so preparing staff is essential to ensure damage limitation.
Backup policies should be in place, as well as quick reporting procedures.
Woodward adds that businesses should think of this in the same way they would think of contingency planning for other eventualities.
“Incident management and response are specialisations so if you need to, get some external help, but do that at the planning stage and don’t leave it until you are attacked,” he says.
And if the ransom demand comes?
“I would stress that you should never pay the ransom – despite what some high profile organisations have done it is the slippery slope,” he says. “The moment you pay you will end up on a ‘suckers’ list and even if the same criminals don’t target you again some of their delightful colleagues will.”
It’s a heavy price to pay.
Speaking at the CBI Conference in September, Matt Hancock, Minister for Digital and Culture, bigged-up the Government’s Cyber Essentials scheme and outlined the scale of the threat facing businesses in the UK.
“Businesses are being attacked for their finances, their intellectual property, their customer data,” he said. “Our latest research shows one in four of all businesses experienced a cyber breach or attack in the past 12 months.
A quarter of large firms are hit at least once every month.
That impacts not only on their cash flow – the cost of individual attacks can be enormous – but on their brand and reputation.”
We get the point.
Cyber-attacks are a complete pain and should be taken seriously but businesses are surely not stupid enough to forego security measures? In this age of increased threats and attacks, email is still the main means of delivery.
That must say something about how businesses treat cyber security and in particular how staff, regardless of whatever good intentions they have, will always be a potential door to the network.