When the 2015 National Cybersecurity Awareness Month (CSAM) started last week, we kicked off with an upbeat look at computer security.
It’s the fifth year of CSAM’s Stop | Think | Connect message, so we came up with a list of five security topics where we thought things had improved in recent years, as a way of saying that it’s not all doom and gloom.
But security is a journey, not a destination, so there is always room for improvement.
And this week, CSAM’s theme is Creating a Culture of Cybersecurity at Work.
So, what’s the biggest and best thing you can do at work to help keep cybercrooks out of your business?
If you’re a regular reader of Naked Security, you’re probably familiar with the sort of technological tips we like to hand out, such as:
- Don’t run XP, if not for your own sake, for everyone else’s, because any security holes left in it will be there for ever.
- Keep your operating system and applications patched, because the crooks try the easy ways in first.
- Keep that anti-virus active and up-to-date, because the crooks update their tricks all the time.
- Segregate your network internally – don’t use only an internet-facing firewall – because crooks who break in at one point just love to look around (or “move laterally” in techie jargon).
- Use full-disk encryption on your laptops and your mobile phones, because it won’t slow you down, and it really does make it hard for crooks to recover anything from a stolen device.
- Try our free tools. (OK, that’s more marketing than it is a tip, but our free Virus Removal Tool is an excellent way to get a quick second opinion about malware.)
But that’s all technical stuff.
Changing your behaviour
What about behavioural changes?
We’ve just published an excellent article by Sophos security expert Ross McKerchar, entitled How to create a culture of cybersecurity at work, which we think you should read.
But we also thought we’d concentrate on one topic that has become a firm favourite with crooks who can’t get in by guessing your passwords, hacking your server, or sneaking malware into an ad network that you trust, or some other bypass-the-human-factor attack.
Phishing and spear-phishing
We’re talking about phishing, or, more particularly, what is often called spear-phishing.
We normally associate phishing with cybercrimes that relate to on-line banking, where crooks lure you to a website that is a visual clone of your bank’s login page and wait for you to put in your password.
But phishing covers more than just fake banking sites: it’s really just dangling digital bait in front of you, and waiting for you to swallow it.
So, those fake invoices that arrive telling you that someone bought an airline ticket on your credit card, and that you should open the attached document for details if you want to dispute the payment – that’s phishing, too.
So are those fake courier notes that say they need you to confirm your company’s address so that an undelivered item can be shipped at last.
Spear-phishing, for the most part, is very much the same thing, except that the bait is more specific, and thus the attack generally seems more believable.
Simply put, if a fraudulent email starts, “Dear Customer”, it’s a phish, but if it starts, “Dear Your Actual Name”, it’s a spear-phish.
Of course, many spear-phishes are much more pointed than that, if you will excuse the metaphor.
Well-prepared crooks may know your job title, your desk number, the sandwich shop you often visit for lunch, the friends you hang out with, your boss’s name, your previous boss’s name, and even the name of the supplier of the company’s official coffee beans.
And, as you can probably imagine, when it comes to spear-phishing, nothing breeds success like success.
The more that crooks, or cybergangs, or a team of state-sponsored actors, learn about your company, the more believable their phishing attempts will appear.
The crooks can acquire that information in many ways, including:
- From previous successful attacks such as data-stealing malware.
- From private company documents such as phone directories or organisational charts that show up in search engines.
- From your company’s social networking pages.
- From disgruntled former employees.
- From data bought from other crooks on the cyberunderground.
You can probably think of many other ways that “secret” information can become anything but.
What to do?
If a phisher, or spear-phisher, gets in your face, then YOU become the primary line of defence, no matter what technological protections your sysadmins may have in place.
Unfortunately, anti-phishing advice often ends up being rather specific, such as advising you to “look out for spelling mistakes,” or to “be suspicious of bad grammar,” or to “make sure you are on a genuine HTTPS web page.”
All those things can really help, but phishers can front up to you in many ways, including email, web, telephone, SMS, Twitter, Skype, Facebook – any conduit via which you are accustomed to receiving messages.
And, of course, there’s no rule that says phishers will always make spelling mistakes; and no rule that says people you do trust will always spell correctly.
So your simplest and most general defence is this: caution!
In the CSAM words we quoted above, Stop | Think | Connect.
A phisher, or spear-phisher, will almost always require you to act in a non-standard way.
After all, if you follow the usual procedure, such as logging into your corporate account to check up on courier deliveries, you won’t fall for the crook’s trick of asking you to open an emailed document attachment instead.
So, keep these tips in mind:
- Familiarise yourself with your company’s usual processes. If something looks iffy, ask for a second opinion.
- If anyone asks you to vary procedure, ask for a second opinion.
- Never trust outsiders just because they seem to know “insider” facts. Ask for a second opinion.
- Never use information provided by an outsider (e.g. a phone number or web address) for verification. Use a second source.
- Don’t allow yourself to be hurried or harassed into taking shortcuts. Ask for a second opinion.
Oh, and if you do think that a crook out there is trying to trick you into giving away information you shouldn’t, report it, as a warning to everyone else in the company!
→ Phishers and social engineers don’t usually stop at one person. If you tell them to take a hike when they ask you to reveal a password, they’ll probably call the next number on the list, and the next. The sooner someone raises the alarm, the more likely that everyone in the company will get to stand up to the treachery.
And if your company doesn’t have a place to report this sort of thing, show your bosses this article and tell them they should have one.
When it comes to phishing and spear-phishing against a company, an injury to one very often ends up as an injury to all.
simonmackay
I would also like to see this campaign pitched at small businesses and community organisations because these organisations are as likely to be “tapped” for information about their regular customers and associates. For example waitstaff at a cafe could be approached to give information about whom the venue’s “regulars” are.
Paul Ducklin
I tried to pitch it at businesses both with and without a formal IT department, which is why I mentioned the idea of “ask for a second opinion,” rather than specifically “call the IT helpdesk.” It’s also why I suggested talking to your boss, not specifically to “someone in IT.”