An estimated 97% of cyber-attacks originate from or involve email.
This estimate cited by The Wall Street Journal may be a little bit high, according to IT consultant J. Peter Bruzzese, who believes it is between 90% and 95%. But it nevertheless means emails are the biggest threat and employees are typically the weakest point at which an organisation can be attacked.
Speaking at the Armour Expo on Friday, 4 Oct., Bruzzese said gone are the days when hackers would drop infected USB sticks in the parking lot of their target organisation.
Those who picked up the devices and used them would ultimately infect their computers and potentially a whole network. The method was so successful that IT teams started to super glue the USB drives on computers to render them unusable.
“We actually have software for that,” the IT consultant said. “But some people are really extreme. Why? Because that’s where the threat was coming from.”
Nowadays these types of attack have been replaced by sophisticated email scams.
These can take the form of ransomware and other malware attacks, URL links that lead to malicious websites and even impersonation attacks that make heavy use of “social engineering”, the hacker term for manipulating the victim through verbal or written interaction.
Far from the Nigerian email scams, which involved preposterous stories written in bad English, these attacks appeal right to the heart of the victim, said Bruzzese. They are emails using sophisticated language, often imitating a person known to the target, and containing plausible messages or requests.
The IT consultant presented an email that he, although highly sensitised to the threat, fell prey to himself. It was purportedly sent from the CEO of a client company, who informed Bruzzese that the company had changed direction and that, to continue the collaboration, his compensation structure would have to be adjusted. More information was supposedly contained in an attached Excel file.
Of course, Bruzzese said, he should have noticed that he had never communicated with the CEO about compensation in the past or that an Excel spreadsheet was not really needed in this context.
“I wasn’t thinking. That is what your end-user is like most of the time,” he told local IT professionals at the event hosted by IT and cyber-security firm eShore.
The first thing he therefore recommends is end-user training.
“You have to prevent the end-user from making that click or opening that attachment. If you can stop that just a proportion of the time, you will save the company the frustration of a ransomware attack, the frustration of some form of impersonation attack or URL-based attack where they get password credentials.”
But in some cases, even the best training will not be sufficient. When homoglyphs, characters from different character sets that look like ordinary letters, are used to replicate an email domain name, Bruzzese said what looks like “apple.com” to the naked eye will actually be “xm00-ak68.com”, adding, “That’s how sneaky these folks are.”
The solution therefore must involve technology on top of user security awareness because most people will not pick up on these attempts. “You have to have the technology in place. An end-user is never going to see a URL that is based on homoglyphs.”
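One way a mail filter could flag the homoglyph domains described above, as an added example that is not from the article or the speaker. The look-alike table and the watch list are small constructed samples, and the function names are hypothetical.

```python
import unicodedata

# Small constructed subset of look-alike mappings (assumption); production
# filters would load the full Unicode TR39 confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u04cf": "l", "\u03bf": "o",
}
PROTECTED = {"apple.com", "microsoft.com"}  # constructed watch list


def to_unicode(domain):
    """Decode xn-- (punycode) labels so the real characters are visible."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except ValueError:
                pass  # leave an undecodable label as it is
        labels.append(label)
    return ".".join(labels)


def scripts(text):
    """Return the set of scripts (LATIN, CYRILLIC, ...) used by the letters."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in text if c.isalpha()}


def skeleton(text):
    """Fold known look-alike characters to their ASCII twin."""
    return "".join(CONFUSABLES.get(c, c) for c in text)


def check_domain(domain):
    """Return the reasons, if any, that a domain looks like a homoglyph spoof."""
    decoded = to_unicode(domain)
    reasons = []
    if not decoded.isascii():
        reasons.append("non-ascii")
    if any(len(scripts(label)) > 1 for label in decoded.split(".")):
        reasons.append("mixed-script")
    folded = skeleton(decoded)
    if folded in PROTECTED and decoded not in PROTECTED:
        reasons.append("imitates:" + folded)
    return reasons
```

A label written entirely in one foreign script passes the mixed-script test, which is why the check also folds look-alikes and compares the result against the watch list.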
Moving email systems into the cloud will take care of some, but not all, security issues. Most people think that if they use Office365 they will never have a problem with a ransomware attack because their email is in the cloud and on Microsoft servers, Bruzzese noted. “That makes sense, except there is a new form of attack called a ‘ransomcloud’ attack.”
In this attack, the end-user is prompted with a fake Microsoft message to opt into certain settings to enhance their security. Once these settings are accepted, the attackers can take control of the Microsoft mailbox online and they can encrypt it.
“The only way you can get your mailbox back is to pay the ransom unless you have a back-up, which in Office365 most people don’t,” the IT consultant added, because most people believe that Microsoft backs up their emails in such a way that they can be easily restored. But with 180 million corporate users across the globe that is impossible, he said.