E-Mail security breaches: A cautionary tale.

This past week, I heard from a business colleague who heads up a firm that operates in the IT sector. It isn’t a large company, but its business is international in scope and its entire employee workforce would certainly be considered tech-savvy.

Nevertheless, the company suffered a serious security breach affecting its e-mail system … and it took nearly one week of investigation, diagnosis and repair to deal with the fallout. Ultimately, the system was secured with everything restored and running again, but it took much longer than  expected.

What had happened was that an unknown attacker obtained the user ID and password for one of the company’s e-mail accounts, and used those credentials to log on to the mail system as the legitimate user. The attacker then changed the contact name on the account to a fake U.S. telephone number – we’ll call it “+1(4XX) 6XX-9XXX” – and launched a program from his/her/its host computer (hosted by Microsoft and located in in a different country than the affected user) which sent out thousands of e-mails having the subject “Missed call from +1(4XX) 6XX-9XXX” and an attachment that looked like a harmless audio file containing a voicemail message.

This type of phishing attack is well-known, and it would be dangerous to open the attachment (no one at the company attempted to do so). The company’s e-mail server eventually blocked the account because it exceeded the maximum outgoing e-mail limit, but strangely enough the administrator was never notified of this fact. The company only discovered the breach after the user called in to complain about receiving thousands of “failed delivery” messages. It took the better part of a full business day just to piece together what was going on, and why.

The attacker also installed a rule on the compromised account which moved all incoming email to an obscure folder. The rule was cleverly disguised, making it easy to overlook and hence more time-consuming to find and remove.

This friend advised that there are a number of “lessons learned” from his company’s experience, which should be considered for implementation by businesses of all sizes everywhere:

1. Implement security policies requiring strong passwords (big, long, hard-to-guess ones) and frequent password changes (once every 90 days or more frequently). In the case of this particular company, its password strength policy was up to snuff but it wasn’t enforcing rotation. That changed immediately after the breach.

2.  Require multi-factor authentication (MFA). This is where a user doesn’t merely enter a password to log on, but also has to enter a one-time code sent via SMS or a smartphone app. It’s inconvenient, but regrettably it’s the world we live in today. In the case of this particular company, it hadn’t been using MFA. They are now.

3.  Be vigilant in reminding users NEVER to click on links or file attachments embedded in received e-mails unless they absolutely trust the sender. Some larger companies have “drills” which broadcast fake phishing emails to their employees. Those who click are identified and sent to “dum-dum school” for remedial training.

Failing that, companies should adopt policies wherein any employee who receives anything via e-mail that looks like particularly clever or tempting phishing, to notify the company about it immediately for investigation.

4.  Discourage users from logging on to their mail accounts from public locations using unencrypted WiFi. It’s easy to sniff WiFi signals and it’s even easier to read the data in unencrypted signals, which appear as plain text. Typically, if the WiFi connection requires a passphrase to be entered in order to connect, then it’s encrypted WiFi. If not … watch out.

5.  Monitor the e-mail server at least once each day to discover any security breaches or threats, since those servers may not always notify administrators automatically. The sooner a problem is discovered, the quicker and easier it will be to contain and kill it.

6.  Require users to archive messages in their Inbox and Sent Items folders regularly.  The moment an attacker is able to access an account, he/she/it can easily retrieve and quickly download all the messages on the server, and those messages could contain confidential or sensitive data. Therefore, taking this action will move those messages to each user’s device and purge them from the central server.

I’m thankful that my friend was willing to share his experience and suggestions for how to avoid a similar breach happening at my own company. Based on the “lessons learned,” we performed an audit of our own procedures and made several adjustments to our protocols as a result – small changes with potentially large consequences.  I suggest you do the same.

Computer security measures: A whole lot of heat … and very little light?

Cyber-security ... how effective is it in relation to the all the effort?If you’re like me, you have upwards of two dozen sets of user names and passwords associated with the various business, banking, shopping and social media sites with which you interact on a regular or occasional basis.

Trying to keep all of this information safe and secure – yet close at hand – is easier said than done. More often than not, passwords and other information end up on bits of paper floating around the office, in a wallet … or in (and out of) your head.

And to make things even more difficult, if you paid attention to conventional advice, you’d be changing those passwords every 30 or 60 days, making sure you’re following the guidelines regarding creating indecipherable permutations of numbers, letters and symbols so as to throw the “bad guys” off your password’s scent.

Now, here comes a paper written by Dr. Cormac Herley, principal research analyst at Microsoft Corporation, that calls into question how much all of this focus on password protection and cyber-security is really benefiting anyone.

Dr. Herley’s paper is titled So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. In it, the author contends that the collective time and effort involved in complying with all of the directives and admonitions regarding computer security add up to far more cost than the cost of what is actually caused by cyber-security breaches.

[For the record, he estimates if the time spent by American adults on these tasks averages a minute a day, it adds up to ~$16 billion worth of time every year.]

Here’s a quote from Herley’s paper:

“We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice, we find that the advice is complex and growing, but the benefit is largely speculative or moot.”

It would be one thing if this screed was written by some outré blogger operating on the fringes of the discipline. But it’s coming from a senior researcher at Microsoft.

To illustrate his point, Herley summarizes the whole area of password rules, which he contends places the entire burden of password management on the user. To wit:

 Length of password
 Password composition (e.g., letters, numbers, special characters)
 Non-dictionary words (in any language, not just English)
 Don’t write the password down
 Don’t share the password with anyone
 Change it often
 Don’t re-use the same passwords across sites

How much value each of these guidelines possesses is a matter of debate. For instance, the first three factors listed above are not consequential, as most applications and web sites lock out access after three or four incorrect tries.

Changing passwords often – whether that’s quarterly, monthly or weekly – is never often enough, as any attack using a purloined password will likely happen within a few seconds, minutes or hours of its acquisition, rather than waiting days. On the other hand, for users to change their passwords regularly requires time and attention … and often leads to frustration and lost productivity as people hunt around for the “last, best” misplaced password they assigned to their account.

And as for those irritating certificate error warnings that pop up on the computer screen with regularity, Herley contends that most users do not understand their significance. And even if they did, what options do people have when confronted with one of these warnings, other than exiting the program?

As it turns out, there’s not much to fear, as virtually all certificate errors are “false positives.” With certificates as well as so many other issues of cyber-security, Herley maintains that the dangers are often not evidenced-based. As for the computer users, “The effort we ask of them is real, while the harm we warn them of is theoretical,” he writes.

Herley’s main beef is that all of the energy surrounding cyber-security and what is asked of consumers is a cost borne by the entire population … but that the cost of security directives should actually be in proportion to the victimization rate, which he characterizes as miniscule.

An interesting prognosis … and a rather surprising one considering the source.