The Business Email Compromise (BEC) attack is an increasingly popular type of cyberattack because the success rate is quite high. A BEC attack impersonates a familiar person, such as a business partner or an employee, tricking the victim into buying gift cards or transferring expensive items to the hackers orchestrating the attack.
Like the traditional phishing campaigns, BEC attacks often take advantage of topics in the news. These days, one of the main topics is the novel coronavirus. According to Check Point researchers – their team collects and analyzes global cyberattack data, SARS-CoV-2 related cyberattacks jumped by more than 30% in May 2020 alone, many of which involved email scams.
Several government agencies and medical facilities looking to purchase equipment unknowingly transferred money to hackers, eventually have discovered that the requested equipment does not exist and that their money was gone.
Also, in 2019, a group of attackers infiltrated and monitored the Office 365 accounts of three financial organizations. After creating fake domains for these firms and for their partners, accounts, and banks, the criminals diverted certain emails to these fake domains. Using this type of “man-in-the-middle” approach, the group behind the attack managed to request and receive money transfers worth more than $1.2 million.
BEC campaigns typically use three different methods for impersonating legitimate email accounts:
Usually, the attackers spoof real email addresses, which can be done quite easily as the SMTP protocol offers no efficient way to validate the sender. Hackers either use dedicated or public SMTP servers to deploy emails with a spoofed address.
Secondly, the attackers register and send email from a domain name like that of the actual domain they intend to spoof. For example, the registered domain may be example.co in contrast to the legitimate domain name of example.com.
Thirdly, the attackers use phishing techniques to gain control of the email accounts of the people they want to impersonate. They can then send emails from the actual account for legitimacy which facilitates their success in requesting and receiving money.
Stopping BEC attacks
Firstly, train your staff regularly about modern fraud techniques like BEC. The best training is brief, frequent, and focused. Organizations need to constantly retrain and keep security awareness messages front and center through multiple channels, including newsletters, web pages, online lessons, webinars, or presentations.
Every time irreversible actions such as money transfers are initiated, details of the transaction must be verified through additional methods such as voice communication and must not exclusively rely on email correspondence.
Review the existing protocols, and separation of duties for financial operations. Add extra controls, if needed. Remember that separation of duties and other protections may be compromised by insider threats, therefore risk reviews may need to be rechecked as well.
Create new policies related to “out of band” transactions or urgent executive requests. An email from a fellow worker’s Gmail or Yahoo account should automatically raise a red flag to staff members, but they need to understand the latest techniques being deployed by hackers. You need authorized emergency procedures that are well understood by all team members.
Review and test your incident management and spam reporting systems. Also, test your staff with simulations of incident scenarios.
Protect your email traffic with a layer of advanced email security. Make sure the email security solution you use blocks sophisticated phishing attacks like BEC. Viable email protection solutions would prevent those attacks from reaching employee mailboxes.
Protect mobile and endpoint browsing with advanced cybersecurity solutions, which among others, prevent browsing phishing websites.
Check the full email address on any message and be alert to links that may contain misspellings of the real domain name.
Regularly monitor financial accounts for suspicious transactions.
Use two-factor authentication every time you attempt to login to key applications.
Do not provide login credentials or personal information in response to an email.
In case you or your team members have encountered any suspicious activity, please let us know here. We are ready to offer your organization the professional support that it needs.
Location flexibility is one of the benefits of telecommuting, but as remote working becomes standard practice, information security becomes more of a concern.
From employees using unsecured Wi-Fi networks to workers bringing their own unsecured devices, remote work has added additional levels of security related concerns for organizations and their data.
– According to new data released by independent polling company Censuswide.
Organization leaders and their employees need to accept mutual accountability in doing what they can to protect sensitive data.
To start, business leaders should allocate funds to educate employees in regard to data security and how everyone is responsible for protecting it. They also need to initiate certain practices and procedures that will strengthen data security within their organizations.
Remote workers must also prioritize data security education and best practices, then commit to those measures.
So, what can companies and their remote workers do to protect their data? Here are few aspects to consider.
Have a BYOD Policy in place
To avoid any unnecessary disputes and the costs associated with them, it is recommended to have a carefully drafted BYOD policy in place with employees. Not having a structured policy may create disputes over what data is what and it may also compromise intellectual property protection.
Installing an endpoint agent with the ability to perform data and malware protection will provide greater assurance into securing the endpoint especially if corporate data resides on the employee’s device.
Keep Passwords Strong | Use a Password Manager
Password protection is another fairly easy way to protect your organization’s data. Some people tend to underestimate the importance of password access, using the same password from device to device- account to account. Educating remote workers about password protection is crucial to securing sensitive data. Start with the basics of how to keep passwords strong and why it is so important to not use the same one over and over.
Another way for organizations and employees to alleviate this risk is by using a password manager that will allow users to randomly generate passwords and store them safely. This way, employees can focus on their daily tasks without needing to remember all their passwords for different accounts. Also, data will remain secure and uncompromised.
Plan for authentication and authorization
Act as if a breach is inevitable to further improve the security of your company. Multi-factor authentication (MFA), monitoring access controls, and creating strong passwords are important hacks that every smart company should know by now.
Many organizations are moving to two-factor authentication (2FA) for their data security management. This method confirms a user’s identity by first requiring a username and password, as well as another piece of information, whether it be an answer to a “secret question” or maybe a PIN sent to the user’s cell phone.
Having the right authorization levels is crucial. Especially for remote workers, having access only to the necessary applications and features is the best way to go. Companies must develop the habit of granting ‘least privilege’ access rights. This means giving only the minimum permissions required by an end user.
Watch out for phishing threats
Phishing threats that target remote workers are on the rise. Usual phishing strategies include getting employees to engage with suspicious content through what seems to be essential notifications. Phishing threats often include obvious errors such as bad grammar and spelling. Well-trained and aware remote workers will be able to spot these signals.
Consider running simulated phishing campaigns to test your employee’s awareness to potentially harmful emails, from who opened or clicked shady links to who entered credentials or submitted suspicious forms.
Therefore, it is important to develop a remote working culture that takes IT security best practices as a top priority. When it comes to cyber security, organizations should plan for every possibility and leave nothing to chance. Remote workers must be trained to avoid and report any suspicious activity.
Last month, Google has announced Workspace, the brand-new name for all their productivity apps such as Gmail, Drive, Docs, Keep, Sheets, Calendar, Slides, Meet, etc.
According to the company, Workspace isn’t just a new brand (a replacement for GSuite), it also offers a deeper integration between apps, helping users collaborate more efficiently, improving their experience while aligning their products to today’s business necessities.
Improved User Experience
One of Google’s strengths has always been smart integration between its various products and services, but now the organization is taking dozens of little steps towards making these integrations deeper, simpler, and making the collaboration process more natural, especially when working in teams from remote locations.
Today you have the possibility to preview a linked file without having to open a new tab, which means less time spent switching between apps and more time getting the work done.
Also, when you mention someone (by using @ in your document), a smart chip will show the person’s contact details, including for those outside your organization, providing context and even suggesting actions like adding that person to Contacts or reaching out via email, chat or video.
In the coming weeks, Google promises that users will be able to create and collaborate in a more dynamic way on a document with guests in a Chat room. This will make content sharing easier and will allow users to directly work together with those outside their organization.
Google prepares even more ambitious features, such as creating a document directly from Chat or starting a video call from within a presentation. Those features are expected to be launched in the coming months.
There are some changes to the pricing, too. Starting this month, the cheapest plan named Business Starter costs $6 per month/per user and it allows users to create business emails using their organization’s domain name, video meetings for 100 participants, and 30 GB of cloud storage per user.
The next pricing plan is Business Standard, which costs $12 per month/per user, and you will get video meetings for 150 participants plus recording capabilities, as well as 2 TB of cloud storage/user.
Business Plus will cost $18 per month/per user and you will get video meetings for 250 participants plus the benefits of recording and tracking attendance, 5TB of cloud storage/user, enhanced security, and management controls, including Vault and advanced endpoint management.
Eventually, if your organization needs more resources, you may contact Google for a customized Enterprise plan.
Google has made obvious improvements in user experience, app integration, product flexibility within the last ten years and promises to continue this process. It has also launched, rebranded, and merged so many products over the past couple of years it’s hard to keep track, so most likely, in the following years, we will see a stronger Google Workspace, a tougher competitor to Office/Microsoft 365.
All the buzz words are out there; virtual CIO (vCIO), IT Advisory Services, Technology Advisor, etc. Yes, all the reasons why you should engage in such a service is important, but it should be more than just good advice.
Let’s explain the key aspects of an IT Advisory practice, and what it can do for you. Then we should talk about the key differentiator between “talking about IT strategy” vs. “doing IT strategy”.
Key aspects of an IT Advisory practice:
Assists in aligning IT to your business objectives
- Involves in strategy meetings with leadership/management
- Comprehends short-term vs. long-term initiatives
Identifies and documents your infrastructure
- Aligns technology with your business objectives
- Hardware and service standardization, from workstations, networks, servers, backup solutions, and cloud services
Recommends process improvements, investments and savings based on your infrastructure and business objectives
- Assists in developing your IT budget based on useful life of your current environment
- IT governance policy and process, along with new technology recommendations
Recognizes vulnerabilities to achieve your business objectives
- From compliance shortfalls to security vulnerabilities
- Starting with identifying, then communicating, and finally prioritizing solutions
“Talking about IT strategy” vs. “Doing IT strategy”:
When a managed IT service provider tells you, they provide vCIO or IT Advisory services, ask them what their methodology is and do they have a platform to orchestrate the process. As was mentioned in a previous blog “MSP-Are You Getting More Than A HelpDesk”, also ask if the service is being delivered by a dedicated resource or an engineer who also resolves tickets, etc.
Any IT provider selling IT Advisory services should have three key aspects to ensure it’s the right service for you.
- A dedicated team solely focused on the customer success and tasked with supporting and driving positive change in your business.
- A methodology geared around a strategic, business driven, technology consulting process to engage with customers. A methodology that is a value-add service to assist customers through an ever-changing technology landscape, from cloud migrations, to implementing proper security protocols.
- A platform to orchestrate the methodology, where the customer and advisor can share, document, communicate, and track decisions and agenda items in one portal.
It’s easy for someone to talk to you about IT strategy, and they will call it vCIO services, but you deserve more than just a conversation. Engage with an IT provider that has a dedicated team that provides a proven methodology through a transparent process on driving success with their customers.
Contact StratusPointIT and ask about our STAR methodology, and see how we are “doing IT strategy”.
Multi-factor authentication (MFA) is commonly used to prevent a stranger from logging in, with or without a password. MFA improves the security of user logins.
With Office 365 MFA, users are required to allow a phone call, a text message, or enter an app-generated number on their smartphone after correctly entering their username and password. Only after this additional authentication factor has been verified the user can sign in.
Security Is Key
Using passwords alone is risky. If a single password is cracked, cyber criminals could have their way in your system, and you would probably not be alerted to their access. Enabling MFA for an Office 365 user ensures that if access occurs from an unusual location, from another device, or another Office client, etc. the user will be blocked until he/she provides additional verification.
Many users still have weak passwords, and it becomes difficult for management to mandate strong password management. By implementing Office365 MFA, it provides a layer of security to protect sensitive information.
To date, the use of MFA to protect systems is not mandatory for every industry.
However, The Payment Card Industry Data Security Standard (PCI DSS) requires companies to use multi-factor authentication (MFA) to protect against breaches that could compromise payment card data.
Two-Factor Authentication (2FA) is a needed measure to comply with password restrictions in sectors such as finance, healthcare, defense, law enforcement, and government, among others. Let’s take a few examples:
The Healthcare Industry
The Health Insurance Portability and Accountability Act (HIPAA) does require organizations to confirm that users looking for access to electronic protected health information (ePHI) have the necessary authorization. Two-factor authentication addresses this HIPAA requirement, and multi-factor authentication takes it to the next level.
The Finance Industry
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act includes The Safeguards Rule which is a directive designed to secure customer data with specific provisions to ensure that data is not accessed under false claims. Risk assessment and risk mitigation are integral to compliance with the Safeguards Rule.
An identity and access management (IAM) solution can proactively address provisions in The Safeguards Rule and improve GLBA compliance through role-based management, entitlement management (limits permissions and only access what is needed), and multi-factor authentication.
The Unites States Government
For several years, 2FA has been a requirement for accessing government websites. This action plan has also instructed the National Cyber Security Alliance (NCSA), a non-profit, public-private partnership, to partner with leading technology companies such as Google and Microsoft to promote the use of 2FA.
These public-private partnerships instituted by the US Government prove that MFA is a handy solution for mitigating security risks inherent to systems that use single password authentication protocols.
Authenticator is Microsoft’s two-factor authentication app. Launched around four years ago the app simplifies the multi-factor authentication process. Basically, you log into an account and after entering the username and password you are asked to provide a code to ensure MFA.
The Authenticator generates a six-digit code every 30 seconds that you must enter to finalize the login process into your app or service.
It is extremely useful for quick sign-ins, it works cross-platform, and it is faster than email or SMS codes.
When MFA is enabled, there are certain situations when O365 users must re-authenticate:
- In case of password change;
- In case the user signs in and out in Office clients;
- In case users swap between Office 365 accounts;
- In case administrators apply conditional policies to restrict the resource the user is trying to access.
MFA Can Combat Phishing Attacks
How? Basically, by making it harder for hackers to get into your system. With multi-factor authentication enabled, cyber criminals need to have initial access to even more information in order to perform a successful login (sometimes access to the victim’s phone, so not just the username and password).
MFA is a needed enhancement as more people use the entire Office 365 suite and save sensitive data in OneDrive and/or SharePoint. Protecting your data is crucial, and it seems that MFA’s importance and applicability will only grow over time.
While private and “incognito” modes can reduce your digital footprint online to an extent, there are still ways in which your activity can be tracked by malicious third-parties such as people on your network, the internet service provider, government agencies, and cyber criminals.
So, What Is Private Browsing?
Web browsers generally store data about your searches and online activity to make it easier for you to revisit websites. Browsers can store web-based content like usernames and passwords to speed up the log-in process or information about your location and preferences (favorite pages or certain features). This can be helpful in the short-term, but you likely don’t want this information shared with other users.
Private browsing first appeared in Apple’s Safari 4.4 browser back in 2005. It didn’t take long for other players like Google and Mozilla to release the feature. Soon, it became a standard component for any modern web browser.
Basically, private browsing creates a separate browsing session that’s isolated from the main one. Any websites you visit within that tab aren’t recorded in your device’s history. So, if you log in to a website in private mode, the cookies aren’t saved when you close the window.
Another consequence is that private browsing tabs can’t access cookies you use in the main session. For instance, if you log in to LinkedIn, and then enter incognito mode, you’ll have to re-enter your credentials. This also allows you to easily access multiple accounts at the same time and will make it more difficult for third-party sites to track your activity while in incognito mode.
Besides, using private or incognito mode, it becomes easier to further check some “soft paywalls” websites such as The New York Times, where you’re granted access to a few pages before being prompted to either log in or subscribe.
The Incognito Mode
Your private browsing mode only blocks your own device from getting information about your web session. Browsers that offer private (or incognito) mode usually warn users it isn’t an efficient security method.
Incognito mode doesn’t stop network administrators from keeping an eye on your activity. It also doesn’t prevent a third party from spying on your browsing habits if you’re using a public hotspot in a restaurant.
So, private browsing is a matter of how browsing activity data is stored on the user’s personal device, and not about its transmission across a network.
Google and Mozilla are completely upfront about this in their browsers. “Going incognito doesn’t hide your browsing from your employer, your Internet service provider or the websites that you visit,” Chrome users are warned each time they open a new incognito window. Microsoft Edge also informs its users about “InPrivate” browsing limitations.
Furthermore, there are several ways to defeat private browsing at local level. If your device is infected with malware that tracks network traffic and DNS requests, incognito mode cannot help you. It also can’t protect the user from “fingerprinting”, in which third parties (usually advertising companies) try to determine unique features of your computer to track its activity across a network.
Unfortunately, fingerprinting attracts less attention than malware, despite its ability to identify individuals with remarkable accuracy. As you browse the internet, third-party sites can squeeze information about your device, your display resolution, the browser, plugins, language, time zone, and so on. Any piece of information might be insignificant by itself, but together, it may be used to create your computer’s profile putting yourself and your organization at risk.
It has been a while since Microsoft adopted the Chromium engine for the new version of Edge, and reception to the browser, according to field data, was positive overall.
Initially, Microsoft has given Windows 10 users the option to use the new Chromium-based Edge or stick with the old version. But that has changed. Few weeks ago, the company pushed out the browser via Windows Update to Windows 10 versions 1803, 1809, 1903, 1909, and 2004, so Windows users are not allowed anymore to keep using the old Edge.
Why Did Microsoft Choose Chromium Over EdgeHTML?
NOTE: EdgeHTML is based on the Microsoft Trident rendering engine, which is used by Internet Explorer browser.
In December 2018, Microsoft announced it would replace the EdgeHTML engine with the Chromium rendering engine. Microsoft’s Corporate Vice President of Windows at the time, Joe Belfiore explained this decision was made to create better web compatibility for their customers.
New Edge Vs. Chrome: What’s the Difference?
Although Chrome and Edge look similar, certain aspects are different. Firstly, Edge will keep its users away from Google services and usually replaces them with Microsoft ones. For example, Edge will sync your browser data with your Microsoft account rather than a Google one.
Secondly, the new Edge offers some features that Chrome doesn’t. For instance, Edge has a native tracking prevention feature and a potentially unwanted program (PUP) blocker.
As the old Edge interface, the new version of Edge still includes the Favorites button to the right of the address bar, but also a shortcut to the Collections folder for capturing and storing snippets of certain web pages.
Tracking Prevention Option
Chromium rendering engine gets updated every 6-8 months with the latest security patches. Google rapidly implements them in the Chrome browser, and Microsoft did the same since relaunching Edge.
However, Microsoft has gone ahead and added a tracking prevention option in the Settings menu. Users can go to Settings > Privacy and Services and switch on the option and set it to a Balanced approach. Balanced is the default option and blocks potentially harmful URLs. Be aware in case you choose Strict because this will likely result in issues when loading certain websites.
You can install a Chrome extension to achieve similar results, but with Edge, you have this security feature by default.
Permissions work comparably on both browsers. Users can get specific about what permissions each individual website has on their device(s).
Also, running an identical setup on both browsers with a single window and four tabs open (to Google Docs, Microsoft, Facebook, and Twitter), we saw literally more than double the RAM and CPU usage from Chrome. Google Chrome sat consistently around 3.91GB of RAM and 5.9% of CPU, while Microsoft Edge sat at around 1.81GB of RAM and 3.1% of CPU. The gap is bigger when using less powerful computers.
Does Edge Support Other OSs?
Microsoft’s new Chromium-based Edge browser is available for Windows 7, Windows 8, Windows 8.1, Windows 10, macOS, iPhone, iPad, and Android.
Microsoft will release a version of Edge for Linux probably by the end of the year. Chrome already supports all these operating systems, making the update simpler for Microsoft.
The Browser War Continues
Google wants you to use Chrome and its extensions, while Microsoft will always suggest the new Edge.
For example, you can install extensions from the Chrome Web Store in the new Edge. But, when you do so, Microsoft will warn you that extensions from the Chrome Web Store are unverified and may affect browser performance. After you agree to that, Google will recommend you switching to Chrome to use their extensions securely.
Even though Edge is now based on the same code as Google Chrome, many Google-developed and partner websites still throw warning messages recommending you switch to Chrome. For example, when you visit Google News in Microsoft Edge, you will be prompted a message saying Google recommends Chrome, encouraging you to try a fast and secure browser with updates built in.
Bottom line, old Edge is completely replaced by the new Edge in a non-reversible process. Any existing data is migrated across, but even if you’re not using Edge, you’ll find that desktop and taskbar shortcuts are created on your computer.
Also, Windows 10 users who stick with the included browser will now have a faster, more capable browser with an open-source rendering engine that is updated frequently and better supported by websites, providing them a better browsing experience.
Microsoft’s work on the Edge browser will improve Chromium, which ultimately is a win for all Edge and Chrome users.
When a business is looking for assistance in managing their IT infrastructure, many times they realize it’s more cost effective to partner with a managed IT service provider. There are key aspects for a business to look for when selecting an IT provider, which goes well beyond simply a helpdesk to call when something breaks.
There are basic services that every business should receive from an IT provider:
- Access to a remote helpdesk: Ability to call, email, or log a ticket via a web portal to receive assistance with basic issues for your workstation, along with access to key applications
- 24×7 Network Monitoring: Ensuring your network is up and running, along with support for as-needed firmware updates, device security and VPN administration, and firewall rules provisioning.
- 24×7 Server Monitoring: Includes systems administration, security and critical patch management for operating systems, and proper anti-virus.
Why businesses need to go beyond the basics
Too often businesses feel that the above services meet their IT needs, but a true IT partner should go well beyond the basic services. Why do businesses need more than just the basics? Because of the following:
- 99% of malware is deployed using email and the web1
- 81% of breaches leverage stolen and/or weak passwords1
- 74% of security professionals rank Data Back-up & Recovery is the most effective solution to respond to a successful attack2
- 66% of malware is via email attachments1
Security and Back-up Solutions for your Business
Don’t think your business isn’t vulnerable, and you won’t be targeted by hackers. Businesses that think that way are the targets. Why? Because they are an easy target.
- Advanced Phishing & Spam Protection: A suite of services inspecting inbound, outbound and internal emails to help detect and fight phishing and ransomware via malicious URLs, attachments, and impersonation attempts.
- Web Protection (DNS filtering): Add a layer of protection between an employee & the internet by blacklisting dangerous sites & filtering out unwanted content.
- Office 365/GSuite Multi-Factor Authentication: Establishing multi-factor authentication (MFA) by sending a second randomly generated pass code to your phone for your O365 and/or GSuite account will further protect your company from malicious attackers.
- Security Awareness Training: More than ever, employees are the weak link in an organization’s network security. They are frequently exposed to sophisticated phishing and ransomware attacks. Employees need to be trained and remain on their toes with security top of mind.
- Network Security: Go beyond just monitoring, perform proactive network scans for vulnerabilities, ensure proper firewalls are installed and configured, or even establish a Managed Detection and Response solution.
- Office 365/GSuite Back-up & Recovery: Having your O365 and/or GSuite backed-up provides a multi-layered approach to security against ransomware, compliance needs such as HIPAA, & advanced recovery features. From human error to phishing emails or malware can cause data loss. SaaS/Cloud providers protect your data from hardware failure, software failure, natural disaster, and power outages, but who is protecting your data from human error and malicious acts from internal or external sources.
- Cloud Backups: A secure, easy-to-use cloud backup service to protect your important data on your server. A perfect cost-effective solution for those focused on protecting key information, but flexible on business continuity.
- Business Continuity and Disaster Recovery: Go beyond just a cloud backup, and make sure your business has little to no downtime. A disaster recovery solution provides an appliance onsite for quick and easy recovery, along with a cloud backup in case of a disaster. A key solution for those focused on continuous uptime, regardless if a server goes down or a natural disaster occurs.
Too often IT providers market that they provide Virtual CIO (vCIO) services, but those services are being provided by an engineer who is also responsible for resolving tickets or installing hardware. When you ask about advisory services, ask if this service is delivered by dedicated individuals, or is it part of the responsibility of the engineering team.
Is your IT provider protected?
Most times small and medium size businesses focus on the IT needs of their respective business. They are forgetting a key question to ask the IT provider. What security does the IT provider have implemented? Also, how is the IT provider protecting your data? Do they use a password vault? Before an IT provider sells you a security solution, are they using it themselves? We just learned why businesses should go beyond the basics of IT support, so shouldn’t the IT provider be doing the same thing?
You might not need or can afford some of these solutions today, but don’t you want to partner with an IT provider that can provide IT support not only for today, but for tomorrow (future). As your needs expand, and your business allows you to invest more in your IT infrastructure, you should choose an IT Partner, not just a vendor.
1 Verizon Data Breach Investigations Report 10th Edition
2 Cybersecurity Insiders & Bitdefender 2017 Ransomware Report