E-Mail security breaches: A cautionary tale.

This past week, I heard from a business colleague who heads up a firm that operates in the IT sector. It isn’t a large company, but its business is international in scope and its entire employee workforce would certainly be considered tech-savvy.

Nevertheless, the company suffered a serious security breach affecting its e-mail system … and it took nearly one week of investigation, diagnosis and repair to deal with the fallout. Ultimately, the system was secured with everything restored and running again, but it took much longer than  expected.

What had happened was that an unknown attacker obtained the user ID and password for one of the company’s e-mail accounts, and used those credentials to log on to the mail system as the legitimate user. The attacker then changed the contact name on the account to a fake U.S. telephone number – we’ll call it “+1(4XX) 6XX-9XXX” – and launched a program from his/her/its host computer (hosted by Microsoft and located in in a different country than the affected user) which sent out thousands of e-mails having the subject “Missed call from +1(4XX) 6XX-9XXX” and an attachment that looked like a harmless audio file containing a voicemail message.

This type of phishing attack is well-known, and it would be dangerous to open the attachment (no one at the company attempted to do so). The company’s e-mail server eventually blocked the account because it exceeded the maximum outgoing e-mail limit, but strangely enough the administrator was never notified of this fact. The company only discovered the breach after the user called in to complain about receiving thousands of “failed delivery” messages. It took the better part of a full business day just to piece together what was going on, and why.

The attacker also installed a rule on the compromised account which moved all incoming email to an obscure folder. The rule was cleverly disguised, making it easy to overlook and hence more time-consuming to find and remove.

This friend advised that there are a number of “lessons learned” from his company’s experience, which should be considered for implementation by businesses of all sizes everywhere:

1. Implement security policies requiring strong passwords (big, long, hard-to-guess ones) and frequent password changes (once every 90 days or more frequently). In the case of this particular company, its password strength policy was up to snuff but it wasn’t enforcing rotation. That changed immediately after the breach.

2.  Require multi-factor authentication (MFA). This is where a user doesn’t merely enter a password to log on, but also has to enter a one-time code sent via SMS or a smartphone app. It’s inconvenient, but regrettably it’s the world we live in today. In the case of this particular company, it hadn’t been using MFA. They are now.

3.  Be vigilant in reminding users NEVER to click on links or file attachments embedded in received e-mails unless they absolutely trust the sender. Some larger companies have “drills” which broadcast fake phishing emails to their employees. Those who click are identified and sent to “dum-dum school” for remedial training.

Failing that, companies should adopt policies wherein any employee who receives anything via e-mail that looks like particularly clever or tempting phishing, to notify the company about it immediately for investigation.

4.  Discourage users from logging on to their mail accounts from public locations using unencrypted WiFi. It’s easy to sniff WiFi signals and it’s even easier to read the data in unencrypted signals, which appear as plain text. Typically, if the WiFi connection requires a passphrase to be entered in order to connect, then it’s encrypted WiFi. If not … watch out.

5.  Monitor the e-mail server at least once each day to discover any security breaches or threats, since those servers may not always notify administrators automatically. The sooner a problem is discovered, the quicker and easier it will be to contain and kill it.

6.  Require users to archive messages in their Inbox and Sent Items folders regularly.  The moment an attacker is able to access an account, he/she/it can easily retrieve and quickly download all the messages on the server, and those messages could contain confidential or sensitive data. Therefore, taking this action will move those messages to each user’s device and purge them from the central server.

I’m thankful that my friend was willing to share his experience and suggestions for how to avoid a similar breach happening at my own company. Based on the “lessons learned,” we performed an audit of our own procedures and made several adjustments to our protocols as a result – small changes with potentially large consequences.  I suggest you do the same.

Fake e-mails: A small percentage … but a big number.

Recently released statistics by e-mail security and authentication service provider Valimail tell us that ~2% of e-mail communications worldwide are deemed “potentially malicious” because they’ve failed DMARC testing (domain-based message authentication, reporting and conformance) and also don’t originate from known, legitimate senders.

That’s a small percentage — seemingly trivial.  But considering the volume of e-mail messages sent every day, it translates into nearly 6.4 billion e-mails sent every day that are “fake, faux and phony.”

Interestingly, the source of those fake e-mails is most often right here in the United States.  Not Russia or Ukraine.  Or Nigeria or Tajikistan.

In fact, no other country even comes close to the USA in the number of fraudulent e-mails.

The good news is that DMARC has made some pretty decent strides in recent times, with DMARC support now covering around 5 billion inboxes worldwide, up from less than 3 billion in 2015.

The federal government is the biggest user of DMARC, but nearly all U.S. tech companies and most Fortune 500 companies also participate.

Participation is one thing, but doing something about enforcement is another. At the moment, Valimail is finding that the enforcement failure rate is well above 70% — hardly an impressive track record.

The Valimail study findings came as the result of analyzing billions of e-mail message authentication requests, along with 3 million+ publicly accessible DMARC records. So, the findings are meaningful and provide good directional indications.

But what are the research implications? The findings underscore the degree to which name brands can be “hijacked” for nefarious purposes.

Additionally, there’s consumer fallout in that many people are increasingly skittish about opening any marketing-oriented e-mails at all, figuring that the risk of importing a virus outweighs any potential benefit from the marketing pitch.

That isn’t an over-abundance of caution, either, because 9 in 10 cyber attacks begin with a phishing e-mail.

It’s certainly enough to keep many people from opening the next e-mail that hits their inbox from a Penneys(?), DirecTV(?) or BestBuy(?).

How about you?  Are you now sending those e-mails straight to the trash as a matter of course?

Data breaches: Target is just the tip of the iceberg.

Target data breachI’m sure we aren’t the only family who’s had to suffer through the aftershocks of Target’s infamous Great Thanksgiving Weekend Data Breach that occurred in late 2013.

According to news reports, as many as 40 million Target credit cards were exposed to fraud by the data breach.  And as it turns out, the initial reports of nefarious doings were just the beginning.

Even after being given a new credit card number, my family has had to endure seemingly endless rounds of “collateral damage” for more than a year since, as Target’s very skittish credit card unit staff members have placed card-holds at the drop of a hat … initiated phone calls to us at all hours of the day … and asked for confirmations (and reconfirmations) of merchandise charges.

Often, these unwelcome communications have occurred on out-of-town trips or whenever someone in the family has attempted to make an innocuous online purchase from a vendor based overseas.

It’s been altogether rather icky — in addition to being a royal pain in the you-know-where.

But our experience has hardly been unique.  Consider these scary figures when it comes to data breaches that are happening with businesses:

  • On average, it takes nearly 100 days to detect a data breach at financial firms. 
  • It takes nearly 200 days to do so at retail establishments.

Those unwelcome stats come to us courtesy of a multi-country survey of ~1,500 IT professionals in the retail and financial sectors.  The study was conducted by the Ponemon Institute on behalf of network security and software firm Arbor Networks.

The next piece of unsettling news is that, even with the long “dwell” times of these data breaches, the IT professionals surveyed aren’t optimistic at all that the situation will improve over the coming year.  (Nearly 60% of those working in the financial sector aren’t optimistic, as do a whopping ~70% in retail.)

It’s doubly concerning because companies in these sectors are such obvious targets for hack attacks.  The reason is simple:  The amount and degree of customer data stored by companies in these sectors is highly valuable on the black market — thereby commanding high prices.

It makes it all the more lucrative for unscrupulous people to make relentless attempts to hack into the systems and extract whatever data they can.  IT respondents at ~83% of the financial companies reported that they suffer more than 50 such attacks in a given month, as do respondents at ~44% of the retail firms.

The impact on companies isn’t trivial, either.  Another study released jointly just last week by Ponemon and IBM, based on an evaluation of ~350 companies worldwide, finds that the average data breach costs nearly $160 for each lost or stolen record.  And that’s up over 6% from a year ago.  (The Target breach cost substantially more on a per-record basis, incidentally.  And for healthcare organizations, the average cost is well over $350 per record.)

dbWhat can be done to stem the endless flood of data breach attacks?  The respondents to this survey put the most faith in technology that monitors networks and traffic to stop or at least minimize these so-called advanced persistent threats (APTs).  More companies have been implementing formalized incident response procedures, too.

As Dr. Larry Ponemon, chairman of the Ponemon Institute has stated, “The time to detect an advanced threat is far too long; attackers are getting in and staying long enough that the damage caused is often irreparable.”

Clearly, more investment in security tools and operations would be advisable.

Anyone else care to weigh in with opinions?

Are small businesses under increasing risk of cyber-attacks?

cyberWhen it comes to cyber-security, high-visibility data breaches get all the press, which is understandable.

But small businesses are also victims of cyber-attacks.  And sometimes those events can be financially devastating.

Now a newly published survey quantifies the extent to which small businesses are at risk.  The National Small Business Association polled nearly 850 U.S. small business owners (most with annual revenues between $500,000 and $25 million) in August 2013).  The NSBA survey found that nearly 45% of the respondents’ businesses had been the victim of cyber attacks such as malware, spyware or banking Trojans.

The average cost of these cyber attacks was reportedly nearly $9,000 – with some dollar amounts going much higher.

Separately, another study shows that a record number of cyber attacks targeted small businesses in 2012.  Verizon’s Data Breach Investigations Report examined 855 data breaches and found that over 70% of them involved victim companies with fewer than 100 employees.

Verizon’s 2013 report is showing a continuing increase in cyber attacks on small business, meaning that 2012 was no fluke.

What’s going on here?

According to the Verizon study’s conclusions as well as comments from security experts like Vikas Bhatia, small and medium-sized businesses could be doing a better job of “offensive defense.”

Among the mistakes commonly observed in small businesses are these:

  • Lack of conducting regular backups of business data
  • Neglecting to store backed up data offsite
  • Failing to test data restore functions on a periodic basis
  • Neglecting to keep antivirus software up to date, including software patches and updates
  • Practicing sloppy password protection behaviors (using plain-language passwords … using identical passwords across multiple accounts, etc.)
  • Not understanding cloud-based data storage and what outsourced providers’ liabilities are (and are not) for protecting data

There’s no question that cyber-security continues to be a big challenge – and probably a growing one – for many companies.

But it’s also pretty evident that many businesses could be doing more to protect themselves from the heartburn (and financial fallout) along the way.