Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: Could simulated phishing tests really make staff more likely to be fooled by a phishing email in the future? What have the Russians done to one of the world’s most successful ransomware gangs? What have ransomware and cryptocurrency got to do with North Korea? And what the hell is the metaverse anyway?
This week’s action: Review your approach to phishing test simulations.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.buzzsprout.com/1914497/9925821
All episodes of Cyber 3-2-1 are accessible from this page. You can also listen and subscribe on Apple Podcasts, Google Podcasts or wherever you get your podcasts.
1: Could simulated phishing tests make staff more susceptible to phishing emails?
The Department of Computer Science in The Swiss Federal Institute of Technology in Zurich recently published findings from “a large-scale and long-term phishing experiment [..] conducted in collaboration with a partner company”. The experiment ran for 15 months and involved over 14,000 employees of the company receiving different simulated phishing emails. It is thought to be the first large-scale and long-term study of the impact that simulated phishing tests have on the security defences of a large organisation.
The study confirmed what many previous studies had concluded. For example:
- Adding a warning to suspicious emails reduces the likelihood of staff clicking on links within these emails or performing other dangerous actions (e.g. enabling macros on a file attached to the email)
- Providing a ‘Report Suspicious Email’ button to staff is an effective way for the organisation to be quickly alerted about suspicious emails that have entered the organisation. 79% of the emails reported by staff were correct, and 40% of these reports were submitted within 30 minutes of the email arriving into the organisation.
However, some findings contradict previous studies.
For example, staff behaviour is not significantly impacted if detailed warning messages are displayed rather than short warnings. So, it looks like we don’t need to invest too much time making these warning banners more descriptive or detailed.
More interesting is the impact of bringing staff who click on a simulated phishing email to a training page, and asking them to voluntarily complete some training. The study found that these staff were more likely to be fooled by subsequent simulated phishing emails, compared to staff who were not shown any training page.
So, on the face of it, immediately informing staff when they have been fooled by a simulated phishing email may actually make them more likely to be fooled by a phishing email in the future.
The authors wonder “whether this is due to a misinterpretation of the training page (i.e., whether the participants thought they were protected from a real attack), or if this is because of overconfidence in the organization’s IT measures in general.”
In other words, perhaps the staff did not realise that the phishing email was a test being run within the organisation, but thought it was a real one from a malicious actor which the organisation’s IT systems were able to identify and block after the staff member clicked on it.
The study recommends further research into the impact on staff behaviour if the training was mandatory. In the meantime, for those of us who deliver cybersecurity awareness training and testing, we need to think about how we configure these tests. The last thing we want to do is lull staff into a false sense of security or make them believe that their behaviours do not matter.
Read more: You can download the academic paper at https://arxiv.org/pdf/2112.07498.pdf. It is discussed at https://www.bleepingcomputer.com/news/security/large-scale-phishing-study-shows-who-bites-the-bait-more-often/
2: Russian authorities shut down the operations of a major ransomware gang, following a request from the US authorities
It was recently announced that “The Russian Federal Security Service (FSB) raided and shut down the operations of the REvil ransomware gang. [..] Authorities said they seized more than 426 million rubles, $600,000, and €500,000 in cash, along with cryptocurrency wallets, computers, and 20 expensive cars. [..] The FSB, which serves as Russia’s internal intelligence agency, said it conducted its operation at the request of US authorities, which were notified of their results. The raid comes after President Biden and US authorities have pressured Russian President Vladimir Putin repeatedly over the summer to crack down on the Russian underground cybercrime ecosystem, which harbors many of today’s top ransomware crews. The REvil gang was one of the most active ransomware crews last year, being responsible for the attack against JBS Foods, which impacted the meat supply across the US and Australia in May, and the attack on IT provider Kaseya during the 4th of July weekend.”
This may be an interesting development. In the past, the US have accused Russia of turning a blind eye to these gangs operating in their jurisdiction. So, it may be one of the first times that the US and Russia have worked together to shut down one of these ransomware gangs.
There is no word on similar operations to shut down the operations of the Wizard Spider gang, which is said to operate from the St Petersburg area of Russia. This is the gang behind the attack that crippled Ireland’s Health Service last year. Perhaps the Irish government could leverage the special relationship that it claims to have with the US Administration to get this gang shut down. After all, President Biden says he is as Irish as a pint of Guinness. Even though Biden does not drink, and Guinness is owned by an English company.
3: If you wish you knew the meaning of metaverse, blockchain, NFTs, and smart contracts, this is worth a read.
This next article might be worth a read if you’d like a quick explanation of terms like metaverse, Blockchain, NFTs and smart contracts.
It doesn’t hang about, describing blockchain as “a technology that permanently records transactions, typically in a decentralized and public database called a ledger”. Less than one hundred words later, it defines smart contracts as “essentially blockchain-based software routines that run automatically when some condition is met”. As an example, it says “you could use a smart contract that says you are willing to sell your piece of digital art for $1 million in ether, the currency of the Ethereum blockchain. When I click “agree,” the artwork and the ether automatically transfer ownership between us on the blockchain. There is no need for a bank or third-party escrow, and if either of us were to dispute this transaction — for example, if you claimed that I only paid $999,000 — the other could easily point to the public record in the distributed ledger.“
There are mountains of articles and white papers out there that can explain in detail each building block of the metaverse and web 3.0. But this one is a good place to start.
Read more: https://www.upi.com/Voices/2022/01/14/metaverse-cryptocurrency-blockchain/7591642169034/ via Ron Immink’s Mind Candy Newsletter (https://www.linkedin.com/pulse/mind-candy-15-january-2022-ron-immink )
During the 15-month study that I discussed earlier, approximately 32% of staff members clicked on at least one of the six simulated phishing emails sent to them during this period.
While the study does not mention how much cybersecurity awareness training the staff had received prior to, or during, the study, this statistic reminds us that staff are human, and humans are flawed.
It appears inevitable that our staff defences will fail. The best that we can do is to reduce the frequency of this failure (through effective training and testing) and to ensure we have other defences in place to protect the organisation when these failures do occur (e.g. two-factor authentication, restriction of administrator privileges, reliable backups; for more, check out my guide to the basics).
Read more: Refer to section (III)(G) on page 8 of the academic paper at https://arxiv.org/pdf/2112.07498.pdf.
2: $400 million
According to this article on CoinTelegraph, North Korean hackers stole $400m worth of cryptocurrency in 2021, double the amount stolen in 2019. Cyber attackers based in North Korea, such as Lazarus Group, primarily focused on investment firms and exchanges, and used the usual range of techniques (phishing emails, malware, and social engineering) to succeed.
I always wondered how North Korea can fund the development of hypersonic and inter-continental rockets, and maintain one of the largest armies in the world (with one million army personnel) despite being subjected to significant economic sanctions. Ransomware and cryptocurrency must play a part. After all, they are both truly global and do not understand borders.
The Lazarus Group that I just mentioned has also been blamed for the WannaCry ransomware attack in 2017, which affected nearly 200,000 computers in 150 countries, including the NHS in the UK. If you are interested in learning more about this Group, which has been closely linked to the North Korean State, the BBC released a podcast series last year called ‘The Lazarus Heist’. It’s a great series that describes the group’s attack on Sony in 2014 and their attempts to steal USD $1 billion from Bangladesh Bank in 2016.
Read more: https://cointelegraph.com/news/north-korean-hackers-stole-400m-in-2021-mostly-eth-chainalysis via Crypto Curry Club’s Crypto Courier (https://www.cryptocurryclub.com/subscribe)
1: Review your approach to phishing test simulations
As I mentioned earlier, the latest research suggests that immediately telling people when they have clicked on a simulated phishing email may have unintended consequences.
If your organisation runs phishing test campaigns, it may be worth reviewing how these are set up, to ensure they do not lull people into a false sense of security.
And if your organisation does not run phishing test campaigns, it’s time you started. If you are not testing your staff, you’re waiting for the bad guys to do it for you.