Like Malware on an unsuspecting server, I sat in the background of the video call and listened to Brad Moore, IT Security Manager at BTG discuss the current threat landscape, the motivations of cyber criminals and what we can do to protect ourselves from cyber attacks.
What immediately caught my eye was the whirlwind of numbers reaffirming the severity of a growing, evolving cyber crime industry that I knew little about.
We were hit with such stats as 144 million new malware samples identified in 2019, an average $1.27 million requested by a cyber-crime group leveraging compromised business email accounts and more than 22,000 new security vulnerabilities disclosed during the year.
This left me with the impression that cyber crime is no longer a rogue link you accidentally stumble across while surfing the net, but highly targeted and sophisticated attacks crafted by organised groups intent on exploiting weaknesses for their own gain.
Brad then went on to highlight the most popular attack vector of cyber crime today: Email. A common theme during the session, email was reinforced as a favourite vessel for cyber criminals to use to target individuals and organisations alike.
The session then moved onto real life examples of criminals using targeted emails to actively steal credentials, install malware, and send fraudulent requests using imposter emails, and compromised email accounts.
Gone are the days of obvious cues such as poor grammar or spelling mistakes. One example he shared came from a real, known sender’s address in an existing email thread that contained a malicious attachment.
The only giveaway was the supplier hadn’t received an email from the contact in a while and smelt something ‘phishy’.
It was becoming abundantly clear that email attacks are more sophisticated than ever. Cyber criminals are creating convincing imitations and using social engineering tactics such as conveying urgency in tone, posing as authority figures and performing research to make the emails seem more believable.
Another common tactic is using Word and Excel documents to infect systems with malware. Watch out for unsolicited Office documents asking you to enable macros.
When in doubt (if you know them) always verify with the supposed sender. Or just don’t open it.
Brad also suggested using trusted services such as HaveIBeenPwned to check if your email address is included in any known data breaches, understand what data may have been exposed and take steps to rectify e.g. changing passwords, and looking out for phishing emails.
Digressing from email, Brad then shifted to focus on other threats to watch out for. He highlighted the risks of using the same passwords across multiple accounts and using critical internet and remote access services without enabling multi-factor authentication (MFA).
Brad recommended using unique passphrases for every login, made all the easier by a secure password vault.
Then came mention of unsecured data in open cloud services, compromised accounts used to gain access to corporate cloud services, lost or stolen laptops, and mobile storage devices..
Besides using MFA, secure configurations and encryption, Brad also suggested having secure, offline backups that can’t be targeted and destroyed in a ransomware attack.
Brad stressed the importance of regularly patching operating systems and software to mitigate known security vulnerabilities; highlighting that groups have been targeting unpatched VPNs to gain access to networks.
Weaving from systems to those who operate them, Brad raised a common malpractice where general user accounts are given excessive admin privileges (often out of convenience). However, this also increases the risk of breaches, making it much easier for attacks to succeed.
To counter this, he suggested only providing elevated user admin privileges to those who actually need them.
With the clock running out, Brad quickly outlined some other risks including mobile devices, wireless networks and ‘company insiders’.
From the threats to the solutions, here’s Brad’s top 5 cyber security recommendations from the session:
1) Implement better email security ( see below)
2) Create strong, unique passwords and use password vaults and multi-factor authentication (MFA) wherever possible.
3) Regularly patch applications and systems
4) Use strong encryption on portable devices
5) Regularly create and test offline backups
Here’s his top 5 recommendations to help protect against email risks:
1) Regular cyber security training and awareness
2) Be suspicious and directly validate financial request details
3) Ensure you have the correct email sender verification protocols in place
4) Use an email security gateway to detect phishing attacks
5) Don’t send highly sensitive information via email
By Jarron White
So much to cover in an hour session, I’ve compressed it down to just include the highlights. If you would like to learn more about reducing your cyber security risks, get in touch here.
BTG is a New Zealand-based technology service provider creating better connections for growing businesses here and across the ditch. With 80+ staff and 400+ customers across New Zealand and Australia, BTG specialise in expert engineering services, quality IT products and dedicated account management.