Tuesday, 30 July 2013

Phishing - Solution Approaches!

"There are essentially two major ways to defend against social engineering scams, in order to protect your company and its employees. One is training your users, and the other is technical security controls. We believe you have to implement a combination of both user training and technical controls to be successful. Relying on just one approach or the other will probably not decrease your risk to an acceptable level.

Nearly 60% of employees receive phishing emails every day, so clearly technical controls are failing to stop many of these messages as they pass through the system. Often, the technical controls are working, but spearphishers continue to change their tactics to cope with the ever-improving technologies. Therefore, the user can be both the weakest point and the strongest resource in the defense of corporate networks. With the proper user training, you can turn the weak link into a protector of your organization.

Security Awareness Training
Security awareness training helps you educate your employees to stop risky activities such as clicking on a link in a questionable email, opening an attachment they are not expecting, or submitting something on a bogus form.
Here are 15 good defenses to teach your company’s employees:

1. Don’t trust links in an email.
2. Never give out personal information upon email request.
3. Look carefully at the web address; it could be a close approximation of the real URL.
4. Type the real website address into a web browser.
5. Don’t call company phone numbers listed in emails or instant messages; check a reliable source such as a phone book or credit card statement.
6. Don’t open unexpected attachments or instant message download links.
7. Be suspicious if an email says “do X or something bad will happen”.
8. Be suspicious of any email with urgent requests for personal financial information.
9. If the email sounds too good to be true, it probably is.
10. Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your web browser; look for the https:// and/or the security lock icon.
11. Regularly log into your online accounts and check your bank, credit and debit card statements to ensure that all transactions are legitimate.
12. Use a reputable anti-virus program.
13. Enable two-factor authentication whenever possible. This combines something the user knows (such as a password or PIN) with something the user has (such as a smart card or token) or even something the user is (such as a biometric characteristic like a fingerprint).
14. Keep your operating system updated, and ensure that your browser is up to date and security patches are applied.
15. Always report “phishing” or “spoofed” e-mails to your IT department.

Through this kind of security awareness training, you turn each one of your employees into a security sensor in your organization. So, there are actually people who can now spot a phishing campaign and alert security so that it can react. This type of threat might otherwise have flown under the radar of security.

Technical Security Controls
Of course, training needs to be coupled with technical security controls. These technical controls will prevent or block many of the threats so that they never reach your users. We’ll take a look at some of the different types of controls and how they work.
Vulnerability management is your number one defense against attackers. It identifies existing vulnerabilities in software programs, browsers and plug-ins and helps shield your organization from potential damage, as well as mitigate vulnerabilities through patching, changing configurations or making application updates to remove vulnerable code. Programs like Microsoft Office and Adobe Reader are the typical applications that get exploited through phishing, so it is important to stay on top of any vulnerabilities associated with these programs. You also need to make sure your vulnerability management program is maintained and monitored over time. The keys to vulnerability management are to get visibility on client-side vulnerabilities, focus on solutions that highlight vulnerabilities exploited by malware kits, as well as validate and prioritize vulnerabilities to identify high-risk issues that must be fixed immediately.
Patch management is used to fix vulnerabilities based on input from vulnerability management. Some fixes are implemented through patching and some are through changing configurations. Software updates and security updates need to be done in a timely manner to keep up with patching vulnerabilities.

Malicious URL and attachment blocking can be done with web filters and spam filters. Microsoft Outlook has incorporated a good filter that will put emails into the junk folder if they contain a suspicious link – for example, a link that doesn’t have a domain name but only an IP address. Outlook will automatically put that email into the junk folder or it won’t let you click on the link until you confirm that it’s okay. (Of course, you need to train employees that these emails have been placed in the junk folder for a reason!) There are also web filters that you install at the Internet gateway of your company that will block malicious URLs.
An Intrusion Prevention System (IPS) is another form of defense. If, for some reason, a user does click on a suspicious link and a website is serving up a browser exploit, an IPS can detect that and block web-based exploitation.
Data Loss Prevention (DLP) / egress filtering is a system designed to detect a potential data breach and prevent it by monitoring, detecting and blocking sensitive data while in use, traveling over the network or in storage. Let’s assume that your network has been compromised and that somebody’s inside the organization to actually complete the action. They haven’t reached their goal until they’ve actually downloaded the sensitive information, so DLP and egress filtering are all about stopping that sensitive data from getting out of the network.

Disabling Java may be a drastic approach to security but Java has been a huge attack vector for compromising systems via malicious links in phishing emails. If you are using critical applications running on browser-based Java, or if your users need Java to get their jobs done, you may want to configure the browser to prompt and ask for permission before launching Java and educate your users to only allow Java on websites they trust."

By, Rapid7
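Items 3, 4 and 10 of the training list above, together with the Outlook junk-mail rule mentioned under technical controls (a link whose host is a bare IP address instead of a domain name), are checks a gateway or a triage script can run before a user ever sees the message. The following is an added example, not Rapid7's code or the original post's: it parses the `<a>` tags of an HTML mail body and flags raw-IP hosts, look-alike or brand-bearing domains, credentials smuggled into the URL before an `@`, plain-HTTP links, and anchor text that shows one address while the href points at another. KNOWN_DOMAINS, the indicator names and the sample message are assumptions constructed for this illustration.

```python
"""Flag the phishing-link indicators described above in the <a> tags of an HTML mail body.
Added example (Python standard library only); not Rapid7's code. KNOWN_DOMAINS and
SAMPLE_MAIL are constructed for this illustration."""
import ipaddress
import re
from html import unescape
from urllib.parse import urlparse

# Domains the (hypothetical) organisation expects genuine mail to link to.
KNOWN_DOMAINS = {"examplebank.com"}
# Look-alike substitutions seen in typosquatted hosts (digit/letter swaps, "rn" for "m").
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}
ANCHOR_RE = re.compile(r'<a\s[^>]*?href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
URLISH_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)


def normalise(label: str) -> str:
    """Collapse look-alike characters so 'examp1ebank' compares equal to 'examplebank'."""
    label = label.lower()
    for bad, good in HOMOGLYPHS.items():
        label = label.replace(bad, good)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_flags(host: str) -> list[str]:
    """Compare the link's registrable domain (naively, the last two labels) with the allowlist."""
    flags = []
    reg = ".".join(host.rstrip(".").split(".")[-2:])
    if reg in KNOWN_DOMAINS:
        return flags
    brand = normalise(reg.split(".")[0])
    for known in KNOWN_DOMAINS:
        known_brand = normalise(known.split(".")[0])
        if edit_distance(brand, known_brand) <= 1:
            flags.append("lookalike-domain")      # examp1ebank.com, examplebnk.com
        elif known_brand in brand:
            flags.append("brand-in-domain-name")  # examplebank-secure.com
        if f".{known}." in f".{host}.":
            flags.append("brand-in-subdomain")    # examplebank.com.evil.example
    return flags


def assess_link(display_text: str, href: str) -> list[str]:
    """Return the indicators that apply to one hyperlink; an empty list means nothing was flagged."""
    url = urlparse(href.strip())
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https") or not host:
        return ["unparseable-url"]
    flags = []
    if url.scheme != "https":
        flags.append("not-https")
    if url.username is not None:
        flags.append("userinfo-in-url")  # http://examplebank.com@evil.example/ reads as the bank
    try:
        ipaddress.ip_address(host)
        flags.append("ip-address-host")  # the Outlook junk-mail rule quoted above
    except ValueError:
        flags.extend(domain_flags(host))
    # Visible text that is itself a URL or hostname but differs from the real target.
    shown = unescape(TAG_RE.sub("", display_text)).strip()
    if URLISH_RE.match(shown):
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host.lower() != host:
            flags.append("display-href-mismatch")
    return flags


def scan_html(body: str) -> dict[str, list[str]]:
    """Map each flagged href in the body to its indicators, in document order."""
    results = {}
    for href, text in ANCHOR_RE.findall(body):
        flags = assess_link(text, href)
        if flags:
            results[href] = flags
    return results


# Constructed sample message: three hostile links and one genuine one.
SAMPLE_MAIL = """
<p>Dear customer, your account will be suspended in 24 hours unless you act now.</p>
<a href="http://203.0.113.7/login">Verify now</a>
<a href="https://examp1ebank.com/secure">https://examplebank.com/secure</a>
<a href="http://examplebank.com.evil.example/reset">Reset password</a>
<a href="https://www.examplebank.com/help">Help centre</a>
"""
```

Calling `scan_html(SAMPLE_MAIL)` returns only the three hostile links with their indicators; the www.examplebank.com link comes back clean. The registrable-domain logic uses the last two labels and so misreads suffixes such as co.uk; a real deployment would consult the Public Suffix List, and would treat these indicators as input to a score rather than as a block-or-allow decision on their own.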


Social Engineering Attacks Beyond Phishing Emails!

"Social engineering can also be used to launch other types of attacks. Some are web-based, others are more low-tech, but they are still quite effective because they take advantage of human nature.
Drive-by attacks exploit vulnerabilities in web browsers or plug-ins. Often they use a popular topic, such as celebrity gossip, and optimize a malicious website to rank highly in search engines for that news. When the user finds the site and clicks on it, their machine gets compromised. This is an untargeted attack, but when it compromises employees, it can still put company data at risk.
USB drives can be used by attackers to gain access into a network. The same file format exploit or executable exploit that is put into an email by an attacker can also be put on a USB thumb drive or a CD-ROM. A tactic would be to give the file an enticing name, such as “management salaries” or “layoff list”, and then perhaps attach the USB drive to a couple of keys and drop it in the parking lot outside the company that the attackers want to intrude upon. Then, if an employee walks by and sees it, they would naturally pick it up. People want to be good citizens and return the keys and the USB drive. To find the owner’s identity, they may plug the USB drive into their computer. When they see the enticing content, they double-click on it, infecting their machine and opening up the corporate network to attackers.

Physical or in-person attacks rely on someone walking into a building, under a false pretense such as a package delivery, to get access to the building. They can also use a “tailgating” strategy to follow an authorized person into an off-limits area. Once they have physical access, they can plug a little device into the network to compromise it by phoning home to an attacker’s server.
Phone calls are another way that an attacker may trick users into handing over their credentials. They may use a ruse such as: “I’m Bob from the IT department; I’m seeing on our systems that your computer has been a little slow lately. Do you have time to sort that out right now?” They then walk you through a few steps, maybe they’ll send you to a malicious website, or maybe they will ask you to give them your credentials. Since the user believes it’s a helpful person from the IT department, many fall for this scam.
QR codes, the square 2D barcodes, are being used in marketing campaigns and could also be used as an attack vector. When scanned with a smartphone, the QR code sends the user to a website, which could be malicious.

Social media, including Facebook, LinkedIn, Twitter and other social media sites, can be used to send posts, updates, tweets or direct messages with URLs. When the link is clicked on, again victims are sent to malicious sites and their computers are compromised. With Facebook, users’ accounts can be attacked and then configured to send messages to their friends, which may entice people to click on something they normally wouldn’t.
Typical Steps of a Phishing Attack
In most phishing attacks, the user opens an email, and then clicks on a link in that email. This results in the user’s browser getting exploited. Maybe there is also a form on the web page that captures the user’s credentials as they are typed in. Alternately, the user could open an email attachment and their machine gets compromised that way."

By, Rapid7


Breaches Often Start With Phishing!

"Most of today’s data breaches start with a phishing email, giving company-confidential data to malicious outsiders. This is a real problem that companies need to address.
Phishing attacks are the most frequently used form of social engineering. They work because they take advantage of cognitive biases, or how people make decisions. These techniques prey on human emotion by appealing to greed, curiosity, anxiety or trust.

Phishing means that attackers are fishing for your private information. Attackers attempt to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Many times this is done to steal a victim’s login credentials and other confidential information. Phishing continues to grow and become more widespread with attacks up 37% year over year, and 1 in every 300 emails on the web containing elements pointing to phishing.
Phishing attacks can result in compromised client systems. Here are some different consequences of phishing that can impact your network:

Browser exploitation - Browsers and their plug-ins contain vulnerabilities that can be exploited simply by visiting a malicious website. An attacker can send an email with a link, which brings the user to a malicious website (which is often designed to look like a legitimate site). Just by visiting that site the user’s browser and machine would be compromised and the attacker would have full access to the user’s computer. In addition, a completely legitimate website can be attacked to become malicious. So a user could be browsing a legitimate website that’s been attacked on the back end and injected with malicious code, which then exploits their browser.
File format exploitation – Opening a malicious email attachment is another way to trick users. Attachments are typically PDFs or Office files because those applications are widely distributed and widely used across platforms, and the chance that the recipient can read that kind of file is higher. Once the malicious attachment is opened it exploits vulnerabilities in a given application.
Executable exploitation – This exploit uses another form of email attachment, an executable file (ending in .exe) that runs when the user clicks on it. It is programmed to operate without needing a vulnerability in the program. Although .exe files are quite often blocked by email security features, there are other types of executables. For example, JAR (Java Archive) files end in .jar, rather than .exe, but they can still execute a malicious file when you double click on them." 
By, Rapid7
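The last paragraph of the quote makes a point worth turning into code: a gateway that blocks attachments only by the .exe suffix misses JAR files, double extensions such as invoice.pdf.exe, and executables renamed to look like documents. The following is an added example, not Rapid7's code or the original post's. It sniffs the first bytes of an attachment to tell PE, PDF, RTF, legacy OLE, OOXML, plain ZIP and JAR content apart (a JAR is a ZIP carrying META-INF/MANIFEST.MF or .class entries), then combines that with the filename to reach a verdict. The extension lists, the verdict names and the sample attachments are assumptions constructed for this illustration; the "PE" sample is a bare header stub, not an executable.

```python
"""Classify e-mail attachments by content rather than by the .exe suffix alone.
Added example (Python standard library only); not Rapid7's code. The sample
attachments below are constructed byte strings, not real files or malware."""
import io
import zipfile

# Suffixes a mail gateway would normally refuse outright.
BLOCKED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse", "vbs", "hta", "msi", "jar"}
# Document suffixes and the container type their content should actually have.
EXPECTED_KIND = {
    "pdf": {"pdf"}, "rtf": {"rtf"},
    "doc": {"ole"}, "xls": {"ole"}, "ppt": {"ole"},
    "docx": {"ooxml"}, "xlsx": {"ooxml"}, "pptx": {"ooxml"},
}


def sniff(data: bytes) -> str:
    """Identify the container from its magic bytes, looking inside ZIPs for JAR and OOXML markers."""
    if data[:2] == b"MZ":
        return "pe"  # Windows executable, whatever the filename claims
    if data[:4] == b"%PDF":
        return "pdf"
    if data[:5] == b"{\\rtf":
        return "rtf"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"  # legacy .doc/.xls/.ppt compound file
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            return "jar"
        if "[Content_Types].xml" in names:
            return "ooxml"  # .docx/.xlsx/.pptx
        return "zip"
    return "unknown"


def classify(filename: str, data: bytes) -> tuple[str, list[str]]:
    """Return (verdict, reasons); verdict is 'block', 'quarantine' or 'allow'."""
    reasons = []
    exts = filename.lower().split(".")[1:]
    kind = sniff(data)
    if kind in ("pe", "jar"):
        reasons.append(f"executable-content:{kind}")
    if exts and exts[-1] in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked-extension:{exts[-1]}")
    if len(exts) >= 2 and exts[-2] in EXPECTED_KIND and exts[-1] not in EXPECTED_KIND:
        reasons.append("double-extension")  # invoice.pdf.exe
    if exts and exts[-1] in EXPECTED_KIND and kind not in EXPECTED_KIND[exts[-1]]:
        reasons.append(f"content-mismatch:{exts[-1]}!={kind}")
    if any(not r.startswith("content-mismatch") for r in reasons):
        return "block", reasons
    if reasons:
        return "quarantine", reasons  # e.g. report.pdf that is really a plain ZIP
    return "allow", reasons


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (used only to construct the JAR and OOXML samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed attachment bodies: headers and markers only, nothing executable.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
JAR_BYTES = make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: Photos\n",
                      "Photos.class": b"\xca\xfe\xba\xbe"})
OOXML_BYTES = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
PDF_BYTES = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
SAMPLE_ATTACHMENTS = [
    ("invoice.pdf.exe", FAKE_PE),   # classic double extension
    ("photos.jar", JAR_BYTES),      # .jar slips past an .exe-only rule
    ("statement.zip", JAR_BYTES),   # JAR renamed to look like an archive
    ("salaries.xlsx", FAKE_PE),     # executable with a spreadsheet name
    ("report.pdf", PDF_BYTES),      # genuine document
    ("agenda.docx", OOXML_BYTES),   # genuine document
]


def triage(attachments: list[tuple[str, bytes]]) -> dict[str, tuple[str, list[str]]]:
    """Classify every (filename, bytes) pair of a message."""
    return {name: classify(name, data) for name, data in attachments}
```

`triage(SAMPLE_ATTACHMENTS)` blocks the first four entries and allows the last two. The content check is what catches statement.zip and salaries.xlsx, which an extension list alone would pass; conversely, a genuine document whose bytes do not match its suffix is only quarantined, since a mismatch is a strong but not conclusive signal.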


Thursday, 25 July 2013

Mobile Device Management

“Simplified IT administration.

IT is already overburdened with provisioning, maintenance and support responsibilities. BYOD* shouldn’t increase user productivity at the cost of IT’s. Simplified IT administration is critical, and this is where you will see the most variation when evaluating MDM solutions.

There are several ways that MDM solutions can simplify administration. Over-the-air (OTA) administration and management allows the IT organization to maintain mobile devices anytime, anywhere, so users don’t have to visit the help desk. Initial setup and configuration can also be done over the air. You should also be able to automatically assign devices to existing groups from your user directory and apply the respective policies when they are registered via a self-service portal.

Centralized monitoring and control of all registered devices is a hallmark of MDM, but the ease of use and granularity of functions differ from one solution to another. Look for an MDM solution that allows you to manage all supported smartphones and tablets from one console, regardless of the operating system, service provider, network or location of the device.

If you are also using BlackBerrys, it makes sense to bring them into your MDM solution so you have the full inventory overview in one place. You should be able to track and report on all registered devices, and drill down to individual configuration settings, serial numbers, model numbers, hardware details and installed applications. A dashboard view can quickly show registered devices and whether or not they’re compliant with policies. Auditing allows you to easily track changes to devices and compliance status.

Graphical reports should provide the most important data at a glance. For example, charts should show the percentage of compliant vs. noncompliant devices, managed vs. non-managed devices, corporate-owned vs. employee-owned devices, etc., rather than require you to navigate through numerous menus to find the information.

Finally, the administrative interface should be action-oriented and easy to use. Consider how many clicks are required to perform basic functions like decommissioning a device, viewing device OS distribution, and defining the OS versions supported in the app. One or two clicks maximum should be all it takes to complete these tasks.”

By, Sophos Mobile Control.


*Bring your own device (BYOD) (also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own PC (BYOPC)) means the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smartphones) to their workplace, and use those devices to access privileged company information and applications.



Sunday, 7 July 2013

The Adventures of Snowden, the NSA's faithful dog, according to Zeca!


L'étoile mystérieuse (The Mysterious Star!):

One evening, while NSA and Snowden, his faithful dog, are out for a walk, they catch sight of a bright star...

Logically, my readers will already have noticed that I am using the K7 ("capacete", helmet) spy code, which Hergé taught me through his character Tintin, conveying, in this first approach, what will be, according to conspiracy theory, the real reason for all the recent uproar afflicting the world's leaders over information security, in a post-nuclear-threat context: the discovery of the Bright Star:

Indeed, all this hubbub around a boy (NSA) and his dog (Snowden), with leaks, requests for political asylum, phantom flights and airspace closures, is nothing more than a smokescreen to hide the real reason, which you can read in K7 code in the opening lines: in reality it is about the discovery, by the American Secret Services (CIA) together with the English Secret Services (MI5), of the "MelãoGate" scandal!

Everyone will know the technological might and the size of the intelligence network of these espionage giants, but it was by chance, on an evening stroll, that the faithful Snowden noticed the "Bright Star" (code name for Jorge Jesus), which, as the song says, outshone all the others, and decided to investigate!

Before long they noticed the arrogance, the pseudo-hegemony, the advanced sense of fashion and the sublime mastery of European hairstyle, but also, to be fair, the dialect, which would later provide an indecipherable code to the Services mentioned above... However, after a meticulous investigation of his acts and deeds, the ability of his supporters to open their eyes was becoming ever more exposed and, with the appearance of the "MelãoGate" scandal at the end of the sporting season, around the end of last May, and with the risk that more and more assertive but ordinary mortals were close to cracking the code of the "Étoile Mystérieuse", they decided to launch an information counter-offensive, with the sole aim of hiding the real issue and disguising the communication code offered by the "Mysterious Bright Star".

This is the whole truth about this "quid pro quo" afflicting humanity!

(I warn all my closest friends of the discretion they must now exercise whenever they wish to communicate with me, by whatever means. Thank you!)

ZC






Saturday, 6 July 2013

Driving? That is the question!


In Portugal, exercising the acquired right to drive is an act that brings us close to Muslim fundamentalism! I am acquainted with both fundamentalism and Muslim driving, and sometimes I wonder whether we wouldn't be better off adopting their "modus operandi"... At least in driving!
We would give priority by the sound of the horn, choose our route regardless of vertical or horizontal signage, and ignore every other general rule of good conduct, in pursuit of that joy which is traffic chaos! But at least the rules would be the same for everyone!

First of all, a "mea culpa", mainly for a few insults shouted when my patience ran out, as well as for opting for a so-called more aggressive style of driving in an attempt to point out a few basic rules to the "kings of the road"! That said, and merely to let off steam, I wanted to express here a robust and powerful: "Prostitute Who Gave Birth!"
It gives me chills, it makes my hair stand on end; in short, it horrifies me: the lack of civility that comes with the power to drive. Yes, because when driving we are in full dictatorial mode, where everyone has to obey the despot that lives inside each of our fellow road users...

I know very well that times are hard, that the economic situation, sex, politics, the boss, the other half, the traffic brigade, the doctor, immaturity, unemployment, the audiences with the President of the Republic, sporting heartburn or the lunch bill that didn't go down well all converge on a need to externalise, through uncivil driving, our displeasure at the miserable life we lead, but there are avoidable situations, folks, like, for example:

  1. I arrive at a junction with poor visibility; I've been going through it for 729 years; I know that to check whether any vehicle is approaching, it's one of two things: either I push my own throne of power into the middle of the road, blocking the way of those coming from the left who have priority (since I do manage to notice a STOP sign that I've been ignoring for 729 years), as well as terrifying those coming from the right who want to turn into the road I'm coming from; or, perhaps in an inglorious physical and civic effort, instead of putting my 20-cylinder, 12,000 cc machine in the bloody middle of the road (note that I avoided using the word "fucking" here!) and merely turning my frail neck to both sides, I rein in my impulse half a metre back and, in an excruciating movement, fighting against the damned belt (here I avoided using the word "shit"!), I force my torso forward and only then use the twist of my neck to check the traffic, avoiding congesting everything that has an engine and moves on the public road! In short, avoiding the fornication of the state of patience and the deterioration of the health of the other social beneficiaries who own a "Renault 9"! (Note, however, that both the bricklayer who owns the 1992 "Ford Fiesta" and the Mr. Engineer who gets around in the 2014 "Beemer", despite having antagonistically disparate levels of schooling, have the same degree of civility! Most curious, isn't it?)
  2. I'm on the motorway, I come to a long climb where the rally track widens to 3 lanes, but I decide to carry on in the middle one, regardless of the make of my racer, at an impressive 60 km/h (a.k.a. Mach 3 = 1020.87 m/s!) because: I have a phobia of very steep ravines or embankments; virtue lies in the middle; I'm no longer of an age to drive safely in either of the other two lanes; I can't read; I'm a "tuning" lover and my throne has to be displayed so it can be seen from every angle; in my day there were only 2 lanes and I drive in the one I'm used to; I want to talk on my mobile and here I have a bigger margin for error; at the terminal velocity I'm travelling I might not have time to notice a 14-tonne lorry climbing in the right-hand lane at 70 km/h; it's night-time; I don't know the road and this way I can go faster (60 km/h); I'm an oaf; I have the civility of a rhinoceros; I like playing with other people's lives; I'm distracted and have the radio on; I feel like paying as little attention as possible to the road and to driving; I'm a Brisa shareholder and all this is mine; I'm travelling in an official State vehicle on my way to an audience with the President; etc.


Enough examples, I'm getting sour!

Well, today I'm taking the train (what goes on in the carriage will have to wait for another occasion...) or staying at home; on foot it's too far!

Safe motoring,



ZC