A solid defensive strategy in sports is a decision coaches do not take lightly, and it can change the outcome of a game. For example, in basketball a coach has to decide whether the team should play a man-to-man defense, where each player guards one opponent, or a classic zone defense, where the team divides the court and each player defends a specific area. Each has its strengths and weaknesses. The more aggressive coaches believe the best defense is a good offense. The same philosophy can be applied to IT strategies and decisions to protect a company’s information. In this case the CIO is the coach and the players are applications and data.
Last month the Milwaukee Bucks basketball team notified the FBI and IRS that they had a breakdown in their defense, allowing the bad guys to score one for their team (or two, if we’re keeping to the basketball analogy). Except this time it was not on the court but in the data center, which has become the arena of choice for the bad guys.
According to the statement issued by the Bucks,
… our company was the victim of an email spoofing attack that occurred when a request was recently made by an unknown impersonator of our president for 2015 employee W-2s. Unfortunately, that information was provided by an employee before it was determined that the request was made from a spoofed email address.
A spoofing attack is the act of impersonating someone or something else to compromise the security of the target. It can be very simple, such as entering someone else’s name in the ‘from’ line of an email. Some mail software allows this, and the real sender information then appears only in the message headers, i.e. the raw source of the email. Other attacks involve multiple steps designed to make the most of the opportunity:
- Research – The hacker learns as much as possible about the organization so that he can select the best method of attack. This can include traditional research about the company as well as online investigations, social engineering, and other methods.
- Phishing – Once the hacker has identified a target and created an attack, he attempts to gain more information or network credentials through a phishing attack. Using the Bucks as an example, a hacker may have attempted to use a phishing attack to get the President’s email credentials. When this failed, the hacker could have moved on to a spoof attack, where he used an email address that was similar to the President’s.
- Advanced Persistent Threat (APT) – Deploying an APT on the target network requires multiple steps and usually depends on successful research or phishing. The attacker deposits an APT on the target network and keeps it in stealth mode for as long as possible. During this time, the APT will attempt to map the organization’s data and defenses, and send this information back to the attacker. In the case of the Bucks, the APT may have confirmed who had access to the information desired by the attacker.
At this time, there is nothing to indicate that the security incident with the Bucks was anything more than a simple spoofing attack.
However, since the Bucks are chalking this up to “human error,” a pair of diligent eyes can always serve as the best defense. But in this case the Bucks were using a man-to-man defense that broke down and allowed the bad guys to score. What the Bucks needed was a strategy that provides both defense and offense at the same time, or what’s referred to as advanced threat detection: a proactive set of eyes watching and learning how the other team works and blocking shots before they’re taken. While on the court this would lead to a penalty and foul shots, you can never have too many players in the data center. Traditional defenses in the data center are no longer effective.
Organizations of all sizes need to look to newer, more advanced offenses to build a solid defensive strategy. Most social attacks today enter through the email system, usually as a familiar-looking email from someone you know. One defensive technology being deployed to stop the bad guys is Advanced Threat Detection, or ATD. ATD in the data center means using behavioral, heuristic, and sandboxing technologies to protect against zero-hour targeted attacks and ransomware such as Locky and CryptoLocker. ATD automatically scans email attachments in real time; suspicious attachments are detonated in a sandbox environment to observe their behavior. In addition to blocking the attachment, the results should then be fed into a centralized database to provide protection for all other customers.
Below are a few tips to ensure you are doing your part to help protect sensitive data at your company:
- Your IT department will never ask you for your password or any sensitive data, and your HR department already has your Social Security Number. If you get a suspicious email from someone asking for your credentials, don’t be afraid to call your IT or HR department regarding anything that doesn’t seem right.
- Would your boss really send an email requesting you to transfer money to a bank account somewhere, or introducing a “lawyer” who is going to be handling some high-dollar-value transaction? Of course not. Use common sense, and verify anything that sounds suspicious by calling a known contact. Review the actual address your reply is going to. Is it a domain owned by your company? Is it Hotmail, Yahoo!, or Gmail? There are many other “free email account” domains, and among them are CEO.com and President.com. Look closely, because the attacker picked that name carefully to look as much like your company’s real domain as possible.
- How likely is it that the friend who sent you an urgent plea about being stranded in a foreign country would actually be traveling there without your knowing about it? Research the “stranded traveler scam” – you’d be surprised how many victims fall for these attacks, despite the obvious tells.
- Your nephew’s lawyer will not be using email to contact you for bail money. Period. Someone asking you to send money via MoneyGram or Western Union is another red flag.
- Microsoft Office has never been configured to run macros automatically, and in current versions of Office macros are disabled by default. This is a good thing. Dangerous threats such as “Crypto-locker” often use macros in Office documents to infect PCs. The malware is sent disguised as resumes, bills, invoices, etc. If you open an Office document that asks you to enable macros, be wary.
- If you receive a suspicious email at your place of business, you should report it to your email administrator. The administrator will use the information to improve company defenses against these attacks. Additionally, you can report the email as spam to your email service provider, or file a complaint with the Internet Crime Complaint Center (IC3).
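The checks in the tips above (where does a reply actually go, is that a free webmail or lookalike domain, does the displayed name hide the real sender) can be automated before anyone hits reply. The following is an added example, not Barracuda's code or the Bucks' mail setup; the company domain `example-bucks.com` and the sample message are constructed for the illustration, and the free-mail list is the one named in the tips.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-bucks.com"  # hypothetical company domain, assumed for this example
# Free webmail domains the tips above warn about, including the two lookalike-friendly ones
FREE_MAIL = {"hotmail.com", "yahoo.com", "gmail.com", "ceo.com", "president.com"}

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance; one or two edits away from our domain is the classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, real=COMPANY_DOMAIN):
    """Not our domain, but within two edits of it or embedding our name (e.g. example-bucks-hr.com)."""
    if not domain or domain == real:
        return False
    return edit_distance(domain, real) <= 2 or real.split(".")[0] in domain

def check_reply_target(raw):
    """Return the warnings a recipient should weigh before replying to this message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1] or from_addr  # Reply-To wins if present
    findings = []
    if "@" in name and name.lower() != from_addr.lower():  # an address typed into the 'from' line
        findings.append("display name shows a different address than the real sender")
    if reply_addr.lower() != from_addr.lower():
        findings.append(f"replies go to {reply_addr}, not to the From address")
    for dom in sorted({domain_of(from_addr), domain_of(reply_addr)}):
        if dom in FREE_MAIL:
            findings.append(f"domain {dom} is a free webmail domain")
        elif is_lookalike(dom):
            findings.append(f"domain {dom} resembles {COMPANY_DOMAIN}")
    return findings

# Constructed message in the shape of the W-2 request described above (not the real one)
SAMPLE = """From: "Team President" <president@examp1e-bucks.com>
Reply-To: president@ceo.com
Subject: 2015 W-2s needed today
"""
```

Running `check_reply_target(SAMPLE)` flags the redirected reply, the free `ceo.com` reply domain and the one-character lookalike of the company domain; a message from `hr@example-bucks.com` with no Reply-To produces no findings.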
Barracuda provides powerful email security technology solutions designed to protect your users from spam, viruses, spoofing, phishing, spyware attacks and advanced threats. Barracuda leverages its global threat intelligence across all network threat vectors, including network, user, web applications, remote access, mobile and email. With more than 150,000 customers worldwide, Barracuda has a comprehensive view of the global threat landscape. The company aggregates its security intelligence into actionable information to provide comprehensive anti-phishing Link Protection and Advanced Threat Detection capabilities for its email security customers, including protection against malicious, phishing and malformed URLs and targeted attacks spread through email attachments. Visit our corporate website to learn more.