Tuesday, 4 January 2022

CxO Fraud More Dangerous Than Ransomware

CEO Fraud

Whilst ransomware has been making headlines lately, cyber criminals have been using the cover of the pandemic and the increase in remote working to commit what is known as “CEO fraud”. CEO fraud is not about dodgy accounting practices or money laundering. The term refers to cybercrime that involves cyber criminals masquerading as high-ranking organisation executives to trick staff into conducting fraudulent transactions. It is also known as business email compromise (BEC) or email account compromise (EAC) as the fraud is usually conducted through email. Recent trends indicate that cyber criminals are also impersonating other board-level executives such as chief financial officers (CFO) and chief operating officers (COO), hence the term CxO.

As mentioned, CxO fraud is normally conducted through email. This is done using a combination of phishing and spear phishing techniques. Phishing is a type of social engineering attack where cyber criminals attempt to trick a person into revealing confidential information. This could be credentials, personal information, or account numbers. Phishing messages are normally “cast” out to a broader audience in the hopes of “getting a bite”. Spear phishing usually targets a specific individual or group. More effort goes into making the message believable using information found through previous phishing campaigns, social media sites and company websites.

Social engineering plays a large part in the success of CxO fraud. To an unsuspecting employee, emails are coming from a senior-level boss claiming urgent action. The CxO is often on holiday or in a meeting and not in a position to go through normal channels. This can put the employee into action without questioning the validity of the request, as time is of the essence, and they do not want to disappoint their boss.

Why should we be concerned about CxO fraud and email compromise in general?

  • According to the UK Government’s Cyber Security Breaches Survey 2021, around 79% of 654 businesses and charities reported some type of phishing email over the last 12 months. Reports of ransomware accounted for roughly 6%.
  • According to the Verizon 2021 Data Breach Investigations Report, phishing was present in 36% of breaches in 2020. Ransomware was present in around 16% of breaches.
  • According to the U.S. Federal Bureau of Investigation’s (FBI) Internet Crime Report 2020, BEC/EAC accounted for over $1.8 billion in losses in the U.S. in 2020. Ransomware only accounted for $29.2 million.

It takes more than a silver bullet to mitigate the risks of these attacks and reduce exposure. A multi-pronged approach is required and involves the following three pillars:

  • Employee Education – increase employee awareness so that they know about CxO fraud and how to identify an attack.
  • Documented Processes – document and implement processes that require an out-of-band response. An out-of-band response is another means to validate the request. For example, if a CxO sends an email to authorise a payment, have a process in place where the CxO is called on a known number to verify the authorisation.
  • Technology – use email authentication protocols such as Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to protect your domains and prevent email spoofing. If possible, augment these protocols with email scanning solutions that can automatically detect CxO fraud attempts.
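As an added illustration of the technology pillar (example code, not part of the original post or any product), the Python triage script below applies the checks a mail gateway or SOC rule might run on an inbound message: it reads the SPF/DKIM/DMARC verdicts from the gateway's Authentication-Results header, compares the display name against a directory of executives, flags lookalike sender domains and a Reply-To pointing elsewhere, and looks for urgency and payment language. The organisation domain, executive directory and sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organisation data (constructed): our mail domain and executives'
# real mailboxes keyed by the display name staff expect to see.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = ("urgent", "wire", "transfer", "confidential", "right away")

def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains (exannple.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def auth_results(msg):
    """Reduce the gateway's Authentication-Results header to {method: verdict}."""
    tokens = " ".join(msg.get_all("Authentication-Results", [])).replace(";", " ").split()
    pairs = (t.partition("=") for t in tokens)
    return {k: v.lower() for k, _, v in pairs if k in ("spf", "dkim", "dmarc")}

def bec_indicators(raw):
    """Return the CxO-fraud indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    auth = auth_results(msg)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part else ""
    findings = []
    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox and addr.lower() != real_mailbox:
        findings.append("display name is an executive's but the address is not")
    if domain == OUR_DOMAIN and auth.get("dmarc") != "pass":
        findings.append("claims our own domain but DMARC did not pass (spoofing)")
    elif domain != OUR_DOMAIN and edit_distance(domain, OUR_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain: {domain}")
    if reply_to and reply_to.rsplit("@", 1)[-1] != domain:
        findings.append("Reply-To sends replies to a different domain than From")
    hits = [w for w in URGENCY_WORDS if w in body]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings

# Constructed sample (not real traffic): lookalike domain and a foreign Reply-To.
SUSPECT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=exannple.com; dkim=none; dmarc=fail header.from=exannple.com
From: Jane Doe <jane.doe@exannple.com>
Reply-To: Jane Doe <ceo.janedoe@mail-relay.net>

I am in a meeting and need an urgent transfer to a new supplier. Confidential.
"""
```

A message from the real executive that passes DMARC and carries no urgency language yields an empty list, while a spoof of the organisation's own domain is caught by the DMARC verdict rather than the lookalike check.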

It is often the threats reported in the media that we pay close attention to. However, we should use all sources available to us to get a better picture of the threats that may impact our companies. Although ransomware is grabbing the headlines now, it is not necessarily the biggest threat we should be worried about.

Tuesday, 17 March 2020

Cyber Hygiene During COVID-19 Planning

May I take this opportunity to inform you that, during these troubled times, we are here to help you maintain the highest cyber-security resilience against attacks from opportunist and professional criminal hackers, whilst ensuring your policies, processes and procedures are fit for purpose.

During this unprecedented pandemic, organisations are facing many challenges: the risk of COVID-19 disrupting business-as-usual activities, increasing pressure to support more remote working, and the extra time needed to implement business continuity planning, all while still wondering how this situation will affect the overall business now and moving forward.

It is important that business continuity plans are executed at their most effective. In the last three weeks we have seen a massive increase in COVID-19 themed cyber-attacks. How well are you prepared to defend against these? Attackers will always leverage a crisis to deliver phishing attacks, ransomware and denial of service, and to attempt to gain unauthorised access. As the Chinese word for crisis is made up of danger and opportunity, wherever there is danger there are those who will seek to benefit.

There are things you can do now to ensure that security considerations are made while you execute your business continuity planning:

  • Educate users on the risks of the numerous COVID-19 phishing attacks. Don’t click on links or open attachments in messages that purport to be from the WHO (World Health Organisation), HMRC or your Government without first verifying that they really are from them. Better still, only trust information from verified sources such as news outlets or government information pages.
  • Check that VPNs have no known vulnerabilities and that they have been security tested, so that an attacker cannot bypass the controls and gain unauthorised access.
  • Ensure that MFA (multi-factor authentication) has been enabled for all remote users, to reduce the likelihood of credential phishing and credential stuffing succeeding.
  • RDP (Remote Desktop Protocol) should not be exposed to the Internet; if in these circumstances it must be, ensure those services are fully patched, that MFA is enabled, and that enhanced monitoring and controls are in place.
  • Messaging should be provided to all users about reporting incidents and the urgency of doing so, including who to report to, how, and what information to share.
  • Incident response plans should be tested against a remote situation, especially if attacks like ransomware and denial of service are executed against an organisation.
  • Penetration testing should be conducted, as well as any other critical information security exercises, to ensure any open doors or vulnerabilities are addressed. Ideally, internal network testing should be conducted via the VPN to test what an attacker could do if they were able to gain access through it.

ZeroDayLab is here to help. We understand that at this time everyone is focusing on Availability; we are also here to help you protect the Confidentiality and Integrity of your critical information assets.

The dedicated and loyal team at ZeroDayLab are at the front line of defence and want to assure you that we are agile and experienced in incident management. We want to provide all our loyal clients with the very best technical and commercial support you need to protect your employees, suppliers, clients and overall business, with focused initiatives where you need them most.

Wednesday, 18 December 2019

Top-3 Predictions for 2020: Cyber Threats and How to Protect

Written by Stuart Peck

2019 has been an eventful year, with a never-ending barrage of high-profile breaches, large scale malware campaigns, change in the tactics of ransomware, all leading to a ramp up in criminal and fraudulent activities.

The third-party attack vector has been leveraged more this year than, say, in 2018, with a massive increase in the abuse of third-party libraries, namely Magecart. However, as stated last year the attack vectors remain vastly the same as they have always been - human error, configuration issues, weaknesses in the supply chain and, unsurprisingly, patching problems!

Although there have been improvements in detection and response capabilities in many organisations, mistakes are punished by attackers who leverage automation and bots to quickly and efficiently exploit known weaknesses at scale, gaining a foothold on their target’s assets.

So, as I attempt to do my best Nostradamus impression, and predict what 2020 has in store for us, it is important to note that while attackers are constantly changing tactics and procedures to keep us all on our toes, at the core they stick to what works, because if it’s not broken, why fix it?

Here are my top 3:

Cloud Security Misconfiguration (Here Again for 2020)

Although great strides have been made to improve the security of critical assets in the cloud, organisations still haven’t fully embraced the protection available, or worse, have misconfigured environments allowing attackers to capitalise on this.

There have been many incidents in 2019 that highlighted this: with Capital One in the US being one of the biggest victims. We are still seeing open repos with vast amounts of customer data unencrypted and available to anyone, weak admin credentials with no MFA, private keys posted in GitHub repositories… the list goes on.

Human error is a factor that the cloud sadly won’t fix, only expedite, with significant consequences for organisations that don’t embrace the Sec in ‘DevSecOps’! With increased governance around protecting the privacy and security of PII (Personally Identifiable Information), those fully adopting the benefits of the cloud also need to fully enforce the security controls.

Ransomware Punishing Victims More

2019 saw a lower volume of ransomware variants than in previous years, but a change in tactics by attackers, who focused mainly on manual hacking techniques to gain unauthorised access and then on destroying the backups to improve the chance of payment.

This has been a technique that has been adopted widely due to the success of SamSam and seems to be the playbook of choice. With greater detection of C2 servers, attackers are favouring offline encryption of data, databases, and virtual servers which allows attackers to go undetected longer. This technique is clearly paying off for attackers given the frequency of governments and companies falling foul to this.

But for 2020 there is a worrying threat emerging; the theft of sensitive data as part of the ransom demand, designed to coerce the victim into payment. Although there have only been a few campaigns found to adopt this technique, such as ShadowKiller in South Africa in October, it won’t be long before others follow suit.

Targeting of Third-Party Collaboration Apps

With so many people using collaboration apps such as Slack and Jira it makes for an interesting attack surface. Many of these services are used in Operational IT and/or Development sprints, and usually contain a lot of information that is useful to an attacker. Collaboration tools are usually seen as trusted third parties, and therefore sensitive information is usually exchanged. In some cases, I have even seen private API keys exchanged in a Slack channel.

It’s important to ensure that collaboration tools are locked down, accounts are protected, and policies enforced to reduce the likelihood of attackers gaining unauthorised access to this information.

It’s not all bad news though: there are some really simple things you can do now, and throughout 2020, to reduce your exposure:

  • Conduct regular education and training of your employees to reduce exposure to phishing, social engineering, and help give them the skills to perform basic cyber hygiene. Also, where possible, ensure 2FA is enabled - it really does reduce the risk of common attacks.
  • Conduct regular Ethical Hacking Assessments on your risky assets, especially those that are public facing. Check cloud and internal networks for misconfiguration - the quickest win to prevent abuse from attackers. Also test those integrations; understand how and where you are exposed.
  • Train Developers and Operational teams (DevOps) on secure coding and deployment principles. Ensure these are documented through a defined set of procedures and policies. Also ensure developers are using secure coding frameworks, and not using risky third-party libraries, or untested open-source objects.
  • Conduct incident response scenario testing as this can be vital to understanding how you might perform in that perfect storm and will highlight where improvements can be made. Increasing your ability to detect, react and most importantly respond is something we all should be doing on a regular basis.

In 2020 there will most likely be new threats, vulnerabilities, exploits and attackers emerging on to the scene - there is every year! What’s important is to be mindful of identifying your blind spots and developing the appropriate strategy that is balanced for the size of your organisation and information (and assets) you are looking to protect from unauthorised access. Technology and automation will help, but without the right balance of people (skills and training), and processes there is always the risk of misconfiguration or human error.

Wishing you a good festive break and prosperous new year!

Wednesday, 27 November 2019

Deal or No Deal Brexit | The Impact on EU GDPR

Photo credit: https://www.bighospitality.co.uk/Article/2019/08/21/Beyond-Brexit-are-restaurant-supply-chains-ready-for-no-deal

Written by Steve Giachardi

On 25th May 2018, data protection moved from the shadows into the spotlight. Suddenly, businesses of all sizes were at risk of huge fines for failure to comply with the new law, marketeers were in fear of contacting people without their consent, small businesses were rapidly adding cookie warnings and privacy notices to their websites - explaining what they did with your personal data, and larger companies were creating whole departments to respond to an anticipated deluge of data access requests. The media focus throughout the whole “GDPR is coming” furore was of course the massive fines - €20 million or 4% of your annual turnover, whichever is greater… And, lurking in the corner, was Brexit.

What will be the impact of Brexit on GDPR? Will Brexit mean that GDPR will no longer apply?

The simple answer is nothing will change – at least for the foreseeable future. GDPR will still apply to companies in the UK as it does to all companies that are in possession of data belonging to EU citizens.

If the UK leaves without a deal, the UK Government has prepared the EU (Withdrawal) Act 2018 (EUWA) which retains the GDPR in UK law. The purpose of the EUWA is to ensure that the fundamental principles, obligations, and rights that organisations and data subjects have become familiar with will stay the same. The EU Withdrawal Act gives the government the power to make appropriate amendments to ensure that GDPR works effectively in a UK context.

But what does this actually mean for your business? It’s all very well understanding that the government has a bill that sounds like a Star Wars character, but what impact will a no-deal Brexit have on your business?

Transferring Data – Inside and Outside the European Economic Area (EEA)

The UK Government has published guidance, stating the following about transferring data between EEA (European Economic Area) states: “The UK will recognise all EEA states, EU and EEA institutions, and Gibraltar as providing adequate levels of protection for personal data”. This means that personal data can be freely transferred between those states following the UK’s exit from the EU.

For the transfer of personal data outside of the EU, this will continue with countries or territories that have an existing adequacy decision already in place such as Japan, Canada, Israel, and the United States.

Brexit will have no immediate impact on existing data transfer between your business and your trading partners.

If you are an organisation that has Standard Contractual Clauses (SCC) in place between you and your trading partners, these will continue to be valid. There will be no need for an interruption in the flow of data between organisations. Moving forward, the UK Information Commissioner’s Office, rather than the EU, will be empowered to issue new SCCs after the UK leaves the EU. But again, essentially, nothing really changes.

The biggest questions, I guess, are those around Data Controllers / Data Processors. Will there be an impact on leaving the EU? Will this change the status of my organisation? Again, the answer is no. The UK Government states the “responsibilities of data controllers across the UK will not change”. But the decision on whether your business is a Data Controller, or a Data Processor, is still decided by establishing who determines what data should be collected and what that data is going to be used for.

EU GDPR – Friend or Foe?

Interestingly, the EU GDPR has had an influence on data protection regulations beyond Europe, especially those relating to personal information, and in a refreshingly good way. The UK Data Protection Act 2018 amendments released last year aligned the privacy and data regulation with the GDPR. ISO/IEC, the Swiss-based International Standards Organisation, released an extension to the ISO/IEC 27001 certification, ISO/IEC 27701, which focuses on security techniques specifically around Personally Identifiable Information (PII). The extension looks at the controls relating to both Controllers and Processors and the impact of those controls on PII. The incoming California Consumer Privacy Act is another piece of legislation that seems to take its lead from the GDPR.

The magic, or beauty, of the GDPR is that it transfers the power from the organisation to the person (the data subject). In truth, the exponential growth of the internet into every corner of our (working) lives has happened with a zeal for the possible. The idea that data, especially identity, would become more valuable than gold was unthinkable when the internet was launched. We all created data back then - whether it was our first website, or those posts in the text chat forums - we were leaving behind evidence of our identity. Now, trying to regulate what happens with our data is very much closing the stable door while the horse is galloping into the next valley!

The Power (and Responsibility) of Personally Identifiable Information

The attempt by the GDPR to rein in the use of PII, to restrict what companies can and can’t do with the data that we, in whatever capacity, share with them is to be welcomed. That it creates an unwelcome extra level of diligence on organisations highlights that the correct governance and procedures weren’t in place from the beginning.

The adoption of the internet has been fuelled by the advances in the infrastructure that supports it. The whole new working paradigms of Infrastructure, Software and Programs “as-a-service” has only been possible with the spread of fibre broadband to reliably deliver these services. Office365, Amazon Web Services, Google Cloud, Salesforce, Slack - none of these everyday business programs would be possible without reliable internet.

All these services need your identity for you to be able to access them. PII is the new firewall. Your identity is the edge. That’s why it’s so important that companies take care of the usernames, email addresses, bank details, national insurance numbers, driving licence numbers, and passport numbers that we provide.

That’s why there’s a need for GDPR and that is why, after Brexit, there will still need to be good PII protection by default in organisations that deal with data belonging to EU Citizens.

Brexit changes nothing – for now, at least.