Going passwordless? Microsoft has the tools for your business

Scammers send countless spoofed emails that try to lure you to fake login pages and have you divulge your username and password. Hackers infect your business’s computers with keyloggers in the hopes of recording users’ account credentials. With so many cyberthreats gunning for your passwords, it won’t be surprising if you want to stop using passwords altogether — especially when Microsoft appears to have gotten tired of them as well.

Microsoft has introduced a couple of passwordless tools that users of their software can use to keep their data and their systems safe.

Before anything else, what does going passwordless mean?

Going passwordless means revamping your cybersecurity system so that your business will no longer have to rely on passwords to protect your data from unauthorized access and theft. Using passwords as part of your company’s security strategy actually inconveniences staff and users, as this demands the following from them:

  • Longer, more complex, and hard-to-remember passwords (which hackers can steal by phishing)
  • Password replacements every couple of months (which makes users tweak old passwords in a predictable or easy-to-guess way)
  • Password resets whenever they forget their passwords
  • Unique passwords for every account
  • Additional authentication steps (which makes the process of accessing accounts tedious)

In short, going passwordless means opting for cybersecurity tools that are both easier to use and more effective at keeping your company secure than password-based solutions.

Moreover, if you haven’t automated your password reset process yet, you’d know how expensive it is to have your IT team handle password reset requests. Going passwordless will therefore also mean cutting out costs related to maintaining password-centric security systems.

What passwordless tools does Microsoft have for their users?

As of this writing, Microsoft offers three types of passwordless tools, namely biometric scans, one-time passcodes (OTPs), and hardware security keys.

Biometrics

With biometrics, the user’s own unique characteristics become the keys for unlocking their accounts. Depending on the use case, you can opt for fingerprint scans, iris scans, and facial recognition. These promote ease of use while granting high degrees of security because people will literally always have such “keys” on their bodies, and these keys are very difficult to copy or steal.

Windows Hello, Microsoft’s tool for letting users gain quick and secure access to their Windows 10 devices, utilizes biometrics as a primary way to authenticate a user’s identity.

One-time passcodes

OTPs are security tokens generated by an authenticator app (such as Microsoft Authenticator) on the user’s smartphone, and they act as identity verification keys that grant that user access to their account. In this scenario, the smartphone is unlocked either by scanning the user’s fingerprint or by entering a PIN code registered to, and known only by, that user. This makes the user’s possession of their device a marker of their identity. Therefore, when the user enters an OTP generated on that phone, they are proving that it is really them trying to get into their account.
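The possession proof described above, as an added example that is not part of the original post or of Microsoft's code: the authenticator app and the service share one secret, the app derives a six-digit code from that secret and the current 30-second time step (the TOTP scheme of RFC 6238), and the service recomputes it. The shared secret and timestamps are constructed values, and the `OtpVerifier` class is a hypothetical service-side check.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """What the authenticator app displays: HOTP over the current 30-second step."""
    return hotp(secret, unix_time // step)


class OtpVerifier:
    """Service side (hypothetical class): holds the same secret, accepts a code
    for the current step or one step either side to tolerate clock skew, and
    refuses any step it has already accepted so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_accepted = -1

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // self.step
        for candidate in range(now - self.skew, now + self.skew + 1):
            if candidate <= self.last_accepted:
                continue  # already used, or older than a used step: treat as replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted = candidate
                return True
        return False


# Constructed shared secret (the RFC 6238 reference key), enrolled on both sides.
SHARED_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    service = OtpVerifier(SHARED_SECRET)
    shown = totp(SHARED_SECRET, 59)          # code the phone shows at t=59
    print(shown, service.verify(shown, 59))  # 287082 True
    print(service.verify(shown, 70))         # False: same step, replayed
```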

Hardware security keys

The last type of passwordless tool offered by Microsoft is the hardware security key. These are literally like car keys or keys to your front door, but instead come in the form of hardware such as USB thumb drives or near-field communication smart cards. A user can have their credentials stored in the security keys so that they can then use these keys to open their Windows user account, online Microsoft accounts, and accounts associated with their Microsoft Edge browser.

While some applications will only require one authentication factor, the most secure passwordless systems utilize multifactor authentication, which requires at least two types of passwordless tools.

What tools you apply will depend on what you want to secure and how you want to secure it. To learn more about Microsoft’s passwordless options and which tools best suit your business’s needs, turn to our Microsoft experts at [company_short]. Get a free quote for your project or call us at 801-747-3200 today.

Securing Identities from Phishing – A Financial Sector Perspective

Discussing phishing and communications fraud is often a confusing experience, a territory filled with buzzwords and distorted news of incidents at major corporations.  Getting to the facts underneath the clutter requires understanding that elements of both the “how” and the “why” of cybercriminal methods have value.


Setting the Stage

Let’s define some terminology first: phishing refers to fraudulent attempts to obtain sensitive information by impersonating a trustworthy entity in electronic communication.  The entity being impersonated can be a private organization, a government division, or a specific person.  Phishing can happen via any form of electronic communication including phone calls, SMS text messages, email, instant messaging, social networks, or customer-interactive websites.  Email is the most common phishing vector, and according to research groups like IBM’s X-Threat division, the volume of phishing email has been steadily growing for each of the last five years.  An average corporate user account will receive between 15 and 20 malicious emails per month.

The goal of a phishing campaign is to gain sensitive information which is not otherwise publicly accessible, leading to direct or indirect monetary gain for cybercriminals.  Phishing’s fundamental technique is social engineering: psychological manipulation of people into performing actions that divulge information, thus bypassing physical and digital security mechanisms.  Therefore, user awareness is the best defense against phishing: human beings are the targets, and human preparation can halt even the most advanced phishing campaign.

Phishing is becoming more sophisticated and multi-dimensional with time.  While some phishing attempts seek to complete only one action, such as getting a user to click on a malicious link, the real money lies in performing layered attacks that have a sequence of objectives.  Additionally, the subset of attacks known as spear phishing is increasingly effective at triggering a response from targeted users.  Instead of a generic phishing communication sent to thousands of recipients, spear phishing crafts content to be contextually relevant to a single organization or even a single person.

Financial professionals are particularly lucrative targets for advanced phishing campaigns.  There is a wide variety of content available about phishing in general, but little guidance specifically tailored to the threat landscape of finance.  By analyzing in detail both the methods and goals of finance-specific spear phishing campaigns, CPAs and other finance professionals can enhance their ability to resist these attacks.  In this arena knowledge operates like a vaccine, inoculating against the risk and severity of future bad events.


Phishing Methods and Goals


Method 1: fake login portals

This phishing method has an attacker create a web site which seeks to very closely mimic the “look and feel” of a login page for a corporate software asset.  The page layout, fonts, branding, and color scheme will all be identical to the legitimate login page, but the URL of the website will not be correct, instead belonging to a domain the attacker controls.  The rapid adoption of software-as-a-service application delivery in corporate environments is the primary contributing factor to the growth of this phishing method; users are conditioned to think of credentials entry on websites as a normal daily activity.  Hoping the user does not notice the change in URL, an attacker steals the username and password entered on the page for their own use.  Examples of frequently-mimicked login portals include Microsoft Office 365, SalesForce, and Dropbox.

Credential theft is already a serious security issue in and of itself because it allows an attacker to move laterally within an organization across systems where those credentials are valid.  Once an attacker has access to working login credentials of a corporate user, they can begin sending electronic communications directly as that user, increasing the degree of trust that further victims will afford to the phishing attempts.  One particularly dangerous variant is conversation hijacking: an attacker replies to an existing email thread instead of delivering a new email.  The degree of skepticism a user applies toward a reply to a preexisting conversation is lower by default, and attackers seek to exploit that implicit trust to deliver further malicious content.

Method 2: VIP impersonation

Commonly known as “business email compromise” or “CEO fraud”, this attack method works by having the attacker impersonate someone of hierarchical importance and authority: a CEO, CFO, controller, or in-house legal counsel.  When crafted correctly, the electronic communication will appear to be from the legitimate account for that person of authority.  It may include timely details like their location out of office or reference discussions with clients, details that attackers can gather from social media networks, press releases, or corporate data exploration using compromised credentials.  Common examples of requested actions are to complete wire transfers of large sums of money to a bank account or to send copies of tax documents.  The power of this attack method lies in the ability to create artificial urgency for the target to take the action desired by the attacker.  This can happen either by negative reinforcement, placing an immediate deadline on the action, or by positive reinforcement, invoking a friendly and disarming sense of trust and dependency.

Method 3: malicious attachments

Some classics never go out of style: malicious file attachments are the de facto phishing method.  Attachments sent to phish finance professionals often take the shape of invoices, forms to be electronically signed via software like DocuSign, or Microsoft Office documents with embedded macros and instructions on the first page of the document to override macro security warnings.  All of these attachments make good choices because they mimic the normal daily workflow of finance professionals; the attacker is hoping to trick the target into acting on autopilot and not critically examining the attachment before opening the file.

The attachment, once opened, can deliver any number of malicious software payloads to the target’s computer.  One dangerous example is a class of malware called banking trojans which seek out stored login information to financial institutions and send them to the attacker to use for fraudulent wire transfers or credit card purchases.  Ransomware is another famous malware class, locking a company out of their own files until a ransom payment is delivered in exchange for the decryption key held by the attacker.  However, the largest recent source of growth in illicit profits for cybercriminals is corporate espionage.   Once they use malware to exfiltrate data from corporate networks the attackers can sell that data to competitor companies or use that data to make predictive stock trades based on insider secrets.  Never underestimate the power contained in a general ledger, let alone a recently approved merger proposal or confidential intellectual property.

Method 4: impersonation of regulatory agencies

A phishing attempt using this method would purport to be from the IRS, the SEC, an auditor like Deloitte or KPMG, or from a law firm.  The phishing communication will make a call to action toward the targeted finance professional, requiring them to review a document or send a data set in a reply.  The goal of regulatory impersonation is to steal information, either by intimidating a targeted user into replying or by making the user believe the impersonated actor already has the information and just needs a confirmation copy.  This technique becomes particularly dangerous when the attack targets a CPA preparing tax returns and asks for either information on specific individuals or access to practitioner databases.  The attacker often intends to use the stolen information to file fraudulent tax returns and collect tax refunds, an outcome which requires a considerable time commitment to remediate.  The IRS requests that financial professionals who receive phishing emails related to taxes forward those emails to phishing@irs.gov for analysis.

Mitigation

Despite the growing sophistication of phishing methods, the situation is far from hopeless.  There are effective mitigation tools available to finance professionals that require nothing more than the use of critical thinking and changes in personal behavior.  One of the best ways to detect phishing is to look for a tone mismatch between the email content and its alleged sender.  This is a bidirectional consideration: an email with a highly informal greeting and an overabundance of slang is suspicious if sent on behalf of a professional organization, as is an email filled with unnaturally formal language when sent by an individual considered a close compatriot.  Attachments should always be treated with suspicion because almost any type of file can be used to deliver malware.  The use of security software to scan electronic communications and block the delivery of malware in attachments works in complement with user preparedness, creating better defense in depth against phishing.

Another powerful phishing detection tool is domain auditing: by comparing the text of a web address, or the portion of an email address after the @ symbol, to the known correct text for the person or institution the attacker is attempting to impersonate, an alert user can find that the text does not match and reject the phishing attempt.  This auditing needs to be highly precise because attackers often use the smallest possible change to a domain, different by just one letter or a single added punctuation mark.  The best tool of all to halt phishing is to verify the requested action with the alleged sender through a different interactive, real-time communication method before acting.  The result of a phone call, a video conference, or an in-person visit with the alleged sender will reveal the truth: they did not send the request, and the phishing attempt ends unsuccessfully.
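The domain audit described above, written out as an added example that is not part of the original article: the sender's domain is compared against an allow-list of known-good domains, and anything that differs by one character, by added or removed punctuation, by a look-alike character swap, or by burying the trusted name inside a foreign domain is flagged as a lookalike. The domains, addresses and the `audit_sender` helper are constructed for illustration.

```python
import re

# Constructed allow-list: the domains this organisation and its partners actually use.
KNOWN_DOMAINS = {"example-bank.com", "example-cpa.com"}

# Character swaps attackers use because the pairs look alike in many fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def sender_domain(address: str):
    """Return the text after the '@' of an email address, lowercased, or None."""
    match = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    return match.group(1).lower() if match else None


def normalize(domain: str) -> str:
    """Drop punctuation and undo homoglyph swaps so lookalikes collapse together."""
    plain = re.sub(r"[^a-z0-9]", "", domain.lower())
    for fake, real in HOMOGLYPHS:
        plain = plain.replace(fake, real)
    return plain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_sender(address: str, known=KNOWN_DOMAINS):
    """Classify an address as known, lookalike, unknown or invalid, together with
    the trusted domain it matches or imitates."""
    domain = sender_domain(address)
    if domain is None:
        return "invalid", None
    for good in known:
        if domain == good or domain.endswith("." + good):
            return "known", good                     # exact match or genuine subdomain
    for good in known:
        if (normalize(domain) == normalize(good)     # punctuation or homoglyph trick
                or edit_distance(domain, good) <= 1  # one character off
                or good in domain):                  # trusted name inside a foreign domain
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders: one genuine, the rest imitations.
    for addr in ["cfo@example-bank.com", "cfo@exarnple-bank.com",
                 "cfo@example-bank.co", "cfo@example-bank.com.evil.net"]:
        print(addr, audit_sender(addr))
```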

Stay safe out there.


JR Maycock is a 12-year IT veteran with a background spanning corporate, freelance, and K-12 education environments.  His areas of expertise include identity management, behavioral security, systems architecture, and exploring the alignment of technology with business strategy.  JR currently holds the position of Business Technology Architect at NetWize in Salt Lake City, UT.  He is reachable at jrmaycock@netwize.com.

WannaCry Update: More Details about the Ransomware Attack

It has been ten days since the WannaCry ransomware attack was unleashed. It has infected nearly 300,000 devices in 150 countries. During that time, many large organizations—including hospitals, banks, and telecom companies—were brought to a halt when their data was encrypted. The yet-to-be identified attackers had received just under $110,000 in ransom at the time this article was published. Despite the initial chaos, details have emerged about how the attack happened, who may be behind it, and other malicious attacks using comparable techniques.

WannaCry: What We Know So Far

It is now believed that Windows 7 users were the hardest hit by WannaCry, which counters initial reports that stated Windows XP users were the most widely affected. In fact, the version of Windows 7 that suffered the brunt of the attack is the x64 Edition, an operating system widely deployed by large organizations. It is unclear whether enterprises are less likely to stay up-to-date with their security patches, or if there are other explanations for the nature of this vulnerability.

Another rumor states that most systems became infected following the distribution of spam emails. However, it has been proven more recently that the malware began by scanning the internet for devices with open Server Message Block (SMB) ports. It then used a modified version of the security exploit “EternalBlue”, an exploit initially developed by the National Security Agency, to install WannaCry on vulnerable machines. Once installed, WannaCry propagated across networks, infecting connected devices, and encrypting more and more user data as it grew.

Who is Behind the WannaCry Attack?

EternalBlue was initially developed by the NSA, only to be leaked by the hacker group known as The Shadow Brokers, along with a number of other weaponized software exploits on April 14, 2017. The connection between The Shadow Brokers and the group that created WannaCry remains unclear.

Cybersecurity company Kaspersky Lab has pointed out similarities between the code used for WannaCry, and code that was used for attacks carried out by hackers known as the Lazarus Group. The Lazarus Group, which has ties to North Korea, is believed to have carried out the cyberattack against Sony Pictures in 2014, as well as a bank heist in Bangladesh in 2016. North Korea is denying involvement in those attacks, as well as WannaCry.

New Malware on the Prowl

All of the recent attention on WannaCry has brought to light new threats that are doing damage via the same security exploits that were originally developed by the NSA. One in particular, “EternalRocks”, is malware that makes use of seven of the weaponized exploits The Shadow Brokers have leaked, which is five more than WannaCry used.

Another malware, “Adylkuzz”, has also been spreading using similar security exploits as WannaCry. Although it hasn’t received the same amount of attention that WannaCry generated, it is thought to have been at work longer, and to have done even more damage in the time since its release. Similar to WannaCry’s reliance on the cryptocurrency Bitcoin, Adylkuzz profits from its use of a digital currency called Monero.

Trust the Experts

In March 2017, Microsoft announced the security patch that closes the SMB vulnerability enabling the latest wave of attacks. At that time, NetWize made sure its customers were protected by implementing the requisite security update. We are also available for consultation regarding user best practices for optimal security. We always make sure our customers are protected with up-to-date anti-virus protection, and a reliable data backup and disaster recovery process. Ask us about Sophos Intercept-X, and its capabilities for protecting against any type of ransomware attack.

If you have any questions or concerns regarding recent malware attacks, or cybersecurity in general, please call NetWize at (801) 747-3200, option 1.

WannaCry Ransomware: Learn More About the Attack

A new ransomware attack is infecting hundreds of thousands of devices all over the globe. Starting May 12, the ongoing attack uses malicious software called “WannaCry” (also “WannaCrypt” or “Wanna Decryptor”), which locks users out of their computers, and then demands a ransom for restoring the encrypted files. Ransom demands range from $300 to $600, and are to be paid via bitcoin to one of three designated wallets. It is currently unclear whether the unidentified attackers have unlocked files for the users that have made a ransom payment. As of the morning of May 16, ransom payments had reached over $70,000. In 2013, a comparable ransomware called CryptoWalker was posted to the internet. The attack pulled in an estimated $30 million in its first 100 days.

The likelihood that the particular vulnerability enabling the spread of WannaCry will affect customers of NetWize is very low. Thanks to the commitment of our engineers to ensuring our customers’ safety, we applied the security patch needed to protect against WannaCry shortly after Microsoft’s recommendation. We also offer advice for best practices that reduce a user’s vulnerability. In addition, we always make sure our customers’ antivirus is up-to-date, and that a reliable data backup and disaster recovery process is in place.


To learn more about the outbreak as it unfolds, check out Wikipedia, and technical support website Bleeping Computer.

As always, if you have any concerns regarding this recent ransomware attack, please call NetWize at (801) 747-3200, option 1.


© 2020 NetWize, Inc | Privacy Policy