[Reading time: 5 minutes]
Cybersecurity: Clarity. Not Insanity: Through 3 articles, 2 numbers and 1 thought.
This week: Cyber criminals favour ZIP files, RAR files, and PayPal. Even the big firms are moving to the cloud. And CISA shows us how one security layer may not be enough to protect us.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
THREE ARTICLES
1. If you’re not convinced that a move to the cloud could improve your security, it’s time to convince yourself. The Record recently reported on a decision by Rackspace, one of the world’s largest IT hosting companies, to migrate all of its Microsoft Exchange customers to Microsoft 365, the cloud-based email platform managed directly by Microsoft. It follows a ransomware attack on Rackspace, which knocked their Microsoft Exchange customers offline. Apparently, Rackspace earned $30 million last year from their Microsoft Exchange hosting service, so a migration to Microsoft 365 is not a small undertaking.
2. Now that we’ve all been trained to avoid enabling macros in Excel files and Word documents, it looks like the cyber criminals have moved on to other file types to launch their attacks. Apparently, the most popular file types used by attackers in Q3 2022 were ZIP and RAR archives. That is according to HP Wolf Security’s Q3 2022 Quarterly Threat Insights Report, as reported in eSecurity Planet. Archives are attractive to attackers because the malicious file is hidden inside a container (and, if the archive is password-protected, hidden from the mail gateway’s scanner too). Key takeaway – It might be time to quarantine any emails that carry these types of attachments before they reach the inboxes of your staff. Base the rule on what the attachment actually contains, not just on the filename, since a renamed archive is still an archive. You can tweak your quarantine rules later if some genuine senders get blocked.
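To make the quarantine idea concrete, here is an added example (not code from the article or from HP Wolf Security) of the check a mail filter would run over an incoming message. It parses the raw email with Python’s standard email module and flags attachments that are ZIP or RAR archives, judged by the filename extension and, separately, by the file’s own signature bytes, so a ZIP renamed to invoice.pdf is still caught. The sample messages, the sender and recipient addresses, and the attachment contents are constructed here for the demonstration; the only real-world facts the code relies on are the published ZIP and RAR signatures and the fact that modern Office documents (.docx, .xlsx and friends) are themselves ZIP containers, which is why those extensions are exempted from the signature rule.

```python
import email
import email.policy
from email.message import EmailMessage

# ZIP local-file header, and the end-of-central-directory record of an empty ZIP.
ZIP_MAGICS = (b"PK\x03\x04", b"PK\x05\x06")
# RAR 4.x and RAR 5 archives both begin with this 7-byte signature.
RAR_MAGIC = b"Rar!\x1a\x07"

ARCHIVE_EXTENSIONS = {".zip", ".rar"}
# Office Open XML documents are ZIP containers; a ZIP signature on one of these
# is not, by itself, evidence that the attachment is an archive.
ZIP_BASED_DOCUMENTS = {".docx", ".xlsx", ".pptx", ".docm", ".xlsm", ".pptm"}


def classify_attachment(filename, data):
    """Return a reason string if the attachment looks like a ZIP or RAR, else None."""
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in ARCHIVE_EXTENSIONS:
        return f"extension {ext}"
    # Content checks catch archives whose extension has been changed.
    if data.startswith(RAR_MAGIC):
        return f"RAR signature (extension {ext!r})"
    if data.startswith(ZIP_MAGICS) and ext not in ZIP_BASED_DOCUMENTS:
        return f"ZIP signature (extension {ext!r})"
    return None


def archive_attachments(raw):
    """Parse a raw RFC 5322 message; return (filename, reason) for every archive attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), data)
        if reason:
            hits.append((part.get_filename(), reason))
    return hits


def should_quarantine(raw):
    """Quarantine decision: any ZIP or RAR attachment is enough."""
    return bool(archive_attachments(raw))


def build_message(attachments):
    """Build a constructed test message carrying the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"   # constructed sender
    msg["To"] = "staff@example.org"        # constructed recipient
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


# Constructed sample attachments: only the leading signature bytes matter here.
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 26
FAKE_RAR = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8

# Message 1: an honestly named RAR plus a ZIP renamed to look like a PDF.
SUSPICIOUS_MESSAGE = build_message([
    ("scan.rar", FAKE_RAR),
    ("invoice.pdf", FAKE_ZIP),
])

# Message 2: a Word document (a ZIP container) and a plain text file.
CLEAN_MESSAGE = build_message([
    ("report.docx", FAKE_ZIP),
    ("notes.txt", b"Minutes of the meeting\n"),
])

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, "-> quarantine" if should_quarantine(raw) else "-> deliver")
        for filename, reason in archive_attachments(raw):
            print("   ", filename, ":", reason)
```

Running it delivers the second message and quarantines the first, listing both the .rar and the renamed .pdf with the reason each was caught. The exemption for Office extensions is a deliberate trade-off: without it every Word or Excel attachment would be quarantined, and with it a ZIP renamed to .docx slips past this particular check, which is exactly the sort of gap the defence-in-depth section below argues other layers should cover.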
3. The final article comes from ZDNet (and was mentioned by Secure The Village) and describes how scammers can use legitimate PayPal functionality, such as sending a money request or an invoice, to try to fool us into sending them money, dialling a premium phone number, or revealing personal information that can be used in future attacks. Because the message really does come from PayPal, it passes the usual “is this email genuine?” checks. All they need is our email address and our lack of attention. Key takeaway – Just because someone sends you a request for money doesn’t mean you need to respond.
TWO NUMBERS
The two numbers this week come from an infographic released by CISA, the US Cybersecurity and Infrastructure Security Agency.
80% – In 80% of the organisations tested, at least one employee clicked a link or opened an attachment in one of CISA’s simulated phishing emails.
87% – 87% of the people who received CISA’s phishing email did not report the email to their organisation, “limiting the organisation’s ability to respond to the intrusion and alert others to the threat.”
ONE THING TO THINK ABOUT
As shown in the CISA infographic, we cannot rely on one security defence:
- Network perimeters failed to block 70% of the phishing emails.
- At least one staff member in 80% of organisations was fooled by a phishing email.
- 87% of people did not know how (or did not bother) to tell their organisation about the email.
- Anti-virus / endpoint protection failed to block 15% of the malicious files downloaded from phishing emails.
Individually, each layer may be weak.
This is why we need to ensure we have multiple layers of security.
It’s called Defence-in-Depth.
The good news is that none of the layers need to be complex or expensive. We’re talking about things like:
- Staff awareness training
- Multi-Factor Authentication
- Up-to-date software
- Restrictions on the use of administrator accounts
- Anti-Virus / endpoint protection
- Backups
Yes, individually, they may be weak.
But together, they are far greater than the sum of their parts.
PS As I have previously mentioned, benchmarks and frameworks will guide you on the defences to focus on. If you need help with this, give me 30 minutes of your time, and I will steer you in the right direction.