Tuesday, 16 May 2017 12:07

E-mail the softest entry point for cyberscammers


Paladion’s John Daniele, at his firm’s cybersecurity monitoring centre in Oakville, Ont., says Canadian companies tend to lag their U.S. counterparts in spending on data security.
(J.P. Moczulski/The Globe and Mail)

That message from an Eastern European stranger who would like to make your acquaintance is obviously bogus.

So is that random PayPal notice. Yet the e-mail from a manager at your company, authorizing a money transfer, could just as easily be the work of criminals, too.

E-mail is still, and may well remain, one of the most porous entry points for cybersecurity breaches, as last week's large phishing attack on Gmail users showed: a fake Google Docs sharing invitation led recipients to grant a malicious application access to their accounts. (Phishing is an attempt to obtain sensitive information, such as passwords and credit card numbers, usually through e-mail that impersonates a trusted sender.) Against the rat-a-tat machine-gun fire of constant attempts, a defence that rests on employees never opening or acting on a questionable e-mail is bound to fail eventually.

“Just recently, I was dealing with a client who had about $200,000 transferred out of their account due to some criminal entity that was exploiting their business process,” said John Daniele, chief analyst of cyberintelligence and digital forensics at cybersecurity firm Paladion in Oakville, Ont.

The criminals had studied the business closely, determining which part of the process was vulnerable, "and they used a very sophisticated spear-phishing attack to exploit that," he said. Spear phishing is phishing aimed at a specific person or role, with the message tailored from what the attacker has learned about the target and the organization.

The problem is not only tricking a victim into clicking a link or handing over personal information. A fraudulent instruction can also be inserted into a business process in which it is acted upon almost automatically, faster than anyone can confirm it. When that instruction is a payment, the pattern is usually called business e-mail compromise.

"With the pace of business, that's not always so easy. You may not be able to pick up a phone every single time and delay a business process that may be happening 100 times a day," Mr. Daniele said. So, ideally, companies and organizations need to build a defence specific to their own operation.

Yet, he added, threats are so constant that “breaches are, in my view, inevitable, and many companies simply operate in a continuous state of breach.” Like wildfire, some breaches are simply left to burn.

“Some companies know that they are breached and decide not even to take the extra step to hunt for the attackers who are live on their network,” he said. It can be too costly, and Canadian businesses often spend less on cybersecurity than U.S. counterparts.

U.S. firms tend to set aside 2.5 to 5 per cent of their information technology budgets on security, “and I continuously see Canadian companies well under the 2.5 per cent,” Mr. Daniele said.

For many institutions, the main defences are e-mail filters and training users to spot suspicious messages. Both have obvious limitations. Rather than just making the text of an e-mail look official, attackers are getting better at spoofing an e-mail's point of origin, said Daniel Tobok, chief executive officer of Cytelligence in Toronto. Scammers can make an e-mail address look as if it legitimately comes from a vendor. (The sender-authentication standards SPF, DKIM and DMARC let a receiving mail server reject mail that forges a vendor's exact domain, but only if the vendor publishes an enforcing DMARC policy; they do nothing against a look-alike domain the attacker has registered, or a genuine vendor mailbox the attacker has taken over.)

“The problem is that you can’t stop it fully because the bad guys are relying on the human factor. You’re dealing with psychology,” Mr. Tobok said.
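An added example, not code from the article or from any of the firms quoted in it, of the kind of automated check that can back up the "human factor" Mr. Tobok describes. It reads a raw message, compares the visible From: domain against a constructed list of known vendor domains standing in for a vendor master file, flags look-alike domains, Reply-To redirection to a different domain, and authentication failures reported by an upstream gateway in the Authentication-Results header. The domains, addresses and messages are constructed; the Authentication-Results header is assumed to be stamped by a gateway the company trusts.

```python
"""Sender checks a mail gateway can run before a human ever sees the message.

Added example; the vendor list, addresses and messages below are constructed.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed stand-in for the company's vendor master file.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind.ca"}

# Swaps that survive a glance at the screen: rn->m, vv->w, digits for letters.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def core_label(domain):
    """'acme-supp1ies.co' -> 'acmesupplies': drop the TLD, fold confusables, drop hyphens."""
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label.replace("-", "")


def edit_distance(a, b):
    """Plain Levenshtein distance; small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the known vendor domain that `domain` imitates, or None."""
    if domain in KNOWN_VENDOR_DOMAINS:
        return None
    label = core_label(domain)
    for known in KNOWN_VENDOR_DOMAINS:
        if edit_distance(label, core_label(known)) <= 1:
            return known
    return None


def auth_results(msg):
    """Pull spf=/dkim=/dmarc= results out of the gateway's Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header.lower()))


def assess(raw):
    """Return a list of findings; an empty list means nothing to hold the message for."""
    msg = message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    findings = []
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"lookalike: {from_domain} imitates {target}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: {reply_domain} != {from_domain}")
    # Authentication only helps for domains we actually trust: a look-alike
    # domain the attacker registered passes SPF/DKIM/DMARC for itself.
    if from_domain in KNOWN_VENDOR_DOMAINS:
        dmarc = auth_results(msg).get("dmarc", "missing")
        if dmarc != "pass":
            findings.append(f"dmarc={dmarc} for known vendor {from_domain}")
    return findings


# Constructed messages. The first comes from a registered look-alike domain, so
# the gateway's SPF/DKIM/DMARC all pass; only the domain comparison catches it.
LOOKALIKE = b"""From: "Acme Supplies AP" <billing@acme-supp1ies.com>
Reply-To: acme.supplies.billing@gmail.com
To: ap@example.com
Subject: Updated banking details for invoice 4471
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supp1ies.com;
 dkim=pass header.d=acme-supp1ies.com; dmarc=pass header.from=acme-supp1ies.com

Our bank has changed. Please use the attached details for invoice 4471.
"""

# Exact vendor domain, but the gateway reports DMARC failed: a forged From.
FORGED = b"""From: billing@acme-supplies.com
To: ap@example.com
Subject: Updated banking details for invoice 4471
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=acme-supplies.com;
 dkim=none; dmarc=fail header.from=acme-supplies.com

Our bank has changed. Please use the attached details for invoice 4471.
"""

GENUINE = b"""From: billing@acme-supplies.com
To: ap@example.com
Subject: Invoice 4471
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supplies.com;
 dkim=pass header.d=acme-supplies.com; dmarc=pass header.from=acme-supplies.com

Invoice 4471 is attached; terms unchanged.
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("forged", FORGED), ("genuine", GENUINE)):
        print(name, assess(raw) or "clean")
```

The point of the three samples is the split in the design: authentication results settle whether a message really came from a domain the company already trusts, and the look-alike comparison covers the domains the attacker owns outright, which authenticate perfectly. A compromised genuine vendor mailbox passes both, which is why the process controls discussed further down are still needed.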

Also, employees may delay owning up when they suspect they have clicked on something malicious, but an immediate response is crucial. "Those five, 10, 30 minutes are critical to potentially contain whatever they clicked on," Mr. Tobok said.

Phishing through e-mail is still the most pervasive way to breach a computer network, security experts say. Phishing can also lurk on websites, fooling users and implanting anything from spyware to ransomware, but e-mail remains the main channel.

There are automated processes, though, that institutions can apply. For instance, a gateway can be set up to send every message to a sandbox, an isolated environment (usually on remote servers, that is, in the cloud) where each link or attached file is opened automatically to see whether it does anything harmful. The link or file can be tested before the recipient even receives the e-mail, explained Danny Timmins, national cybersecurity leader at MNP in Mississauga.

This verification can happen in seconds. It must also cover users who reach the network from outside, for instance on mobile devices or through webmail; otherwise the sandbox is simply bypassed.
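An added example of the gateway-side step that decides what goes to such a sandbox; it is not code from MNP or from the article. The sandbox itself, detonating files and following links in an isolated environment, cannot be shown offline, so this shows the triage in front of it: extracting links and attachments from a MIME message, deciding per item whether it can be delivered as is, must be detonated first, or should be blocked outright, and consulting a cache of earlier verdicts so an identical file is not analysed again for every recipient. The trusted hosts, extension policy, cache contents and messages are constructed.

```python
"""Triage in front of an e-mail sandbox: what gets delivered, detonated or blocked.

Added example; policy tables, cache contents and sample messages are constructed.
"""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

TRUSTED_HOSTS = {"northwind.ca", "example.com"}                     # constructed allow-list
SAFE_EXTENSIONS = {".txt", ".csv", ".jpg", ".png"}                  # deliver without detonation
BLOCK_EXTENSIONS = {".exe", ".scr", ".hta", ".vbs", ".js", ".lnk"}  # never deliver
DOC_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}               # what double extensions imitate
SEVERITY = {"deliver": 0, "detonate": 1, "block": 2}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EXT_RE = re.compile(r"\.[A-Za-z0-9]+")

# Constructed cache of earlier sandbox verdicts keyed by SHA-256 of the file, so
# the same attachment sent to fifty people is detonated once, not fifty times.
KNOWN_CLEAN_PDF = b"%PDF-1.4 constructed clean sample"
VERDICT_CACHE = {hashlib.sha256(KNOWN_CLEAN_PDF).hexdigest(): "deliver"}


def classify_url(url):
    """Per link: block obvious tricks, deliver trusted hosts, detonate the rest."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    # 'https://trusted.example@203.0.113.5/' shows the trusted name but goes to the IP.
    if p.username is not None or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "block", "credentials in URL or raw IP host"
    if host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS):
        return "deliver", "trusted host"
    return "detonate", "unknown host"


def classify_attachment(filename, data):
    """Per file: a cached sandbox verdict wins over the extension policy."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in VERDICT_CACHE:
        return VERDICT_CACHE[digest], "cached sandbox verdict"
    exts = [e.lower() for e in EXT_RE.findall(filename)]
    last = exts[-1] if exts else ""
    if last in BLOCK_EXTENSIONS:
        return "block", f"executable type {last}"
    if len(exts) > 1 and exts[-2] in DOC_LIKE:
        return "block", f"double extension {exts[-2]}{last}"
    if last in SAFE_EXTENSIONS:
        return "deliver", "inert type"
    return "detonate", f"{last or 'no extension'} needs a sandbox verdict"


def triage(raw):
    """Walk a raw RFC 5322 message; the worst item decides what happens to it."""
    msg = message_from_bytes(raw, policy=policy.default)
    items = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            action, why = classify_attachment(filename, part.get_payload(decode=True) or b"")
            items.append(("attachment", filename, action, why))
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                action, why = classify_url(url.rstrip(".,;)"))
                items.append(("url", url, action, why))
    decision = max((i[2] for i in items), key=SEVERITY.get, default="deliver")
    return {"decision": decision, "items": items}


def build_message(body, attachments):
    """Constructed sample messages; attachments is a list of (filename, bytes)."""
    m = EmailMessage()
    m["From"] = "ap@northwind.ca"
    m["To"] = "ap@example.com"
    m["Subject"] = "Invoice 4471"
    m.set_content(body)
    for name, data in attachments:
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


SUSPECT = build_message(
    "Confirm the new account at\n"
    "http://portal.northwind.ca@203.0.113.5/verify\n"
    "then see https://portal.northwind.ca/invoices\n",
    [("invoice_4471.pdf.exe", b"MZ\x90\x00 constructed fake executable")])
CLEAN = build_message("Invoice attached, see https://portal.northwind.ca/\n",
                      [("invoice_4471.pdf", KNOWN_CLEAN_PDF)])
UNKNOWN = build_message("Quote at https://quotes.new-partner.example/q/1\n",
                        [("quote.docx", b"PK\x03\x04 constructed document")])

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("clean", CLEAN), ("unknown", UNKNOWN)):
        result = triage(raw)
        print(name, "->", result["decision"], result["items"])
```

Everything that is not either clearly inert or already known from a previous verdict is sent for detonation rather than delivered, which is what keeps the "seconds" of delay Mr. Timmins mentions from turning into a gap; the hash cache is what keeps that delay from being paid once per recipient.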

Training also can be more targeted. With clients, Mr. Timmins's firm can simulate a focused phishing attack that tries hard to deceive users. If a few dozen users are fooled into clicking a link, and some even enter their passwords or other personal information, the firm can then go back and deliver more targeted education to those who did.

In particular, this can mean picking apart a company’s business process to find its weak links. “That’s often how wire frauds happen. Somebody has already phished them. They are already watching inside the network,” and then exploit how the company moves money or commercial data, Mr. Timmins said.
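An added example, not code from the article or from the firms quoted, of what building a defence specific to the operation can look like for the wire-fraud pattern Mr. Daniele and Mr. Timmins describe. The check is attached to the payment process rather than to the reader's judgement of the e-mail, and it demands a phone call only when the request carries a marker that fraud needs (a payee not on file, bank details that differ from the vendor master, a contact number that differs from the one on file, an amount above the straight-through limit), so the hundred routine payments a day still flow. The vendor master entries, limits and requests are constructed.

```python
"""Controls on the payment process itself, independent of whether the e-mail was believed.

Added example; the vendor master, the limit and the requests below are constructed.
"""
import re
from dataclasses import dataclass

AUTO_APPROVE_LIMIT = 10_000  # constructed straight-through limit


@dataclass(frozen=True)
class VendorRecord:
    name: str
    account: str          # bank details from the vendor master, never from a message
    callback_phone: str   # number verified at onboarding, never from a message


@dataclass
class PaymentRequest:
    vendor: str
    account: str
    amount: float
    contact_phone: str = ""   # whatever the requesting e-mail offered as a contact
    note: str = ""            # free text from the request


def norm_account(s):
    """Fold spacing, dashes and case so 'ca-1234 5678' == 'CA12345678'."""
    return re.sub(r"[\s\-]", "", s).upper()


def norm_phone(s):
    """Keep the last ten digits so '+1 905 555 0100' == '(905) 555-0100'."""
    return re.sub(r"\D", "", s)[-10:]


def required_controls(req, vendor_master):
    """Return the steps a clerk must complete; an empty list means pay as usual."""
    controls = []
    vendor = vendor_master.get(req.vendor.strip().lower())
    if vendor is None:
        controls.append("new payee: onboard through procurement before any payment")
    else:
        if norm_account(req.account) != norm_account(vendor.account):
            # The call goes to the number on file, never to one supplied in the message.
            controls.append(f"bank details differ from master: call back on {vendor.callback_phone}")
        if req.contact_phone and norm_phone(req.contact_phone) != norm_phone(vendor.callback_phone):
            controls.append("contact number in message is not the one on file: do not use it")
    if req.amount > AUTO_APPROVE_LIMIT:
        controls.append("amount above straight-through limit: second approver required")
    # Urgency on its own is normal business; urgency on a request that already
    # needs verification is the pressure tactic, so the request is held.
    if controls and re.search(r"\b(urgent|today|immediately|confidential)\b", req.note, re.I):
        controls.append("urgency language on a request that already needs verification: hold")
    return controls


# Constructed vendor master, keyed by normalised vendor name.
VENDOR_MASTER = {
    "acme supplies": VendorRecord("Acme Supplies", "CA-1234 5678", "+1 905 555 0100"),
}

ROUTINE = PaymentRequest("Acme Supplies", "ca12345678", 4_200.00)
FRAUD_PATTERN = PaymentRequest(
    "Acme Supplies", "GB29 NWBK 6016 1331 9268 19", 48_000.00,
    contact_phone="+1 416 555 0199",
    note="Urgent: new account effective today, please process before noon")

if __name__ == "__main__":
    for label, req in (("routine", ROUTINE), ("fraud pattern", FRAUD_PATTERN)):
        print(label, "->", required_controls(req, VENDOR_MASTER) or ["pay as usual"])
```

The routine request produces no controls because nothing about it differs from the vendor master; the second produces four, and none of them depend on anyone having noticed that the e-mail was fake.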

However, relying solely on education isn’t enough, experts warn.

"We've seen some very convincing e-mails which would even potentially fool a professional security consultant," said Mr. Daniele at Paladion, noting that this also applies to websites that hide the fact that they are controlled by dubious hosts. Detecting these dangers goes far beyond looking for the padlock icon beside the address of a Googled Web page: the padlock means only that the connection is encrypted, and phishing sites obtain valid certificates as easily as legitimate ones do, so it says nothing about who runs the site.

“There is so much nuance involved that it’s a bit of an unrealistic expectation I think for security professionals to say, well, this is just a user problem, and a user simply needs to be better educated,” Mr. Daniele said.

“Security education and awareness is vitally important … but beyond that, there is a role for vendors [computer software and service companies] to produce secure software to ensure that they are doing right by their clients and consumers who are relying on the safety of that application,” he said.

Source: This article was published at theglobeandmail.com by Guy Dixon.
