Written by Robin Vann, Chief Solutions Officer
I’m often asked about my approach to being secure, and my overarching view is that whilst I have a right to expect technology to support me in this respect, I’ll never outsource my responsibility to keep myself secure to a technical control – the brain is better than that!
I’ve also had the question “Well, what’s changed in the current situation?” quite a few times recently – and while we have indeed built and delivered a number of specific remote worker security solutions to address the evolving risk, my core principles haven’t changed at all:
- Trust nothing – So many times I’ve attended a breach and been told “I thought it looked a bit funny, but I clicked it anyway.” If you aren’t sure, don’t do it! Make your default stance NO, and then investigate or question to ‘get to yes’ – not the other way round!
- Question everything – Tying in to my first point, be inquisitive. Does this feel right? Am I expecting it? Does this person normally write to me in this format (or indeed about subjects of this kind)? In this style? And in this kind of language?
- Ask someone – If you can’t be sure you’ve ‘got to yes’, ask someone (and it doesn’t even need to be an expert), because (1) you might get a good answer, and (2) the process of explaining what’s happening to you to someone else makes you give yourself some time to stop and think, since a step-by-step account is a good way to ‘park the panic’.
- Finally, unless you think you have ‘got to yes’, phone the purported sender or originator to confirm it was them, and if you must click and you can’t phone them, go direct to the website referenced in the link instead of following the link in the email.
The Covid-19 effect
So, my approach hasn’t changed, but there has been a lot of publicity recently around the increase in phishing and breach attempts owing to the current situation, and certainly we’ve seen a rise both in attempts reported to us and those we have experienced ourselves. This has been offset, however, by the big cloud providers and spam/phishing companies, who seem to be largely on the fence as to whether the overall volume of attacks has increased.
What’s universally agreed, however, is that more of these attempts are now being targeted at victims using Covid-19 messaging as the vehicle.
There are two perspectives I approach this from:
- My job is to help people not to fall for these scams, both through the deployment of technology that supports and enables the user communities and, perhaps even more importantly, by helping people with the awareness that helps them to deploy the most powerful weapon in their arsenal – their brain!
- The current situation, whether attacks have increased in volume or not, makes individuals more concerned, more on-edge and more isolated than they’ve ever been. This makes them more likely to click, more likely to surrender their passwords, and less likely to ask someone whether it’s the right thing to do, or even to report it afterwards.
Ever since we started to build herd groups and societies, collaboration has been a strong part of our defences – grouping together, sounding alarms, and discussing our problems, in order to find common solutions and agree the best approach.
We’ve got the tools to collaborate, and we’re using them to do business, educate our children, and continue to live our normal lives.
But we can and should also use these tools to increase awareness and engagement from our people – helping them to defend your corporate environment, but also their personal security and private life.
Training and education, testing, and encouraging reporting transparency and openness are all more critical with our users now remote. Targeting the messaging and examples at the current situation, driving interaction and engagement, and connecting the messaging to personal as well as corporate security will help to defend your business and your people.
And this is so because, at the moment, we’re seeing greater uptake of attacks, and we’re seeing the good, the bad and the ugly in terms of levels of skill and complexity in both corporate and personal phishing and fraud attempts.
Phishing just got more interesting: over the last two weeks, I’ve received email, text and WhatsApp phishing attempts targeted at both my work and private personas. Some of it was easy to spot, but some of it has used some interesting techniques, such as:
- Spoofed addresses: purporting to be from both colleagues and my LinkedIn contacts. If you receive an email that doesn’t look right, call the sender – partly for your benefit and for validation, but also to get them to check their inbox rules to ensure they haven’t been compromised.
- Valid certificates: seeing an HTTPS link, some individuals become more likely to click, having been taught to ‘look for the padlock’ – but with the rise in free certificates, we’ve seen more and more malware domains using valid certs (and in fact it’s one of the indicators to our threat intelligence that a domain is likely to be malicious). Remember, all the padlock shows is that communication between the client and server is encrypted – it doesn’t tell you anything at all about the intent, motives, or legitimacy of the owner.
- Less aggressive language: a good indicator of malicious intent is always compelling messaging containing urgency (Act now! / Limited time offer! etc.) but over the last couple of weeks this appears to be evolving to a less aggressive stance. We can’t know exactly why, of course, but with the average user in a heightened state of edginess, it’s reasonable to suppose that less persuasion is now needed to trigger the base level of urgency required to act, and the likelihood of asking a colleague or an expert is reduced.
- Spelling and grammar: again, whilst poor spelling and grammar are traditionally an indicator of spam/phishing mails, I’ve seen a number of threat actor groups up their game in this respect recently – and this really plays into people’s increased sense of urgency that we mentioned above.
- More targeted approach: let’s be honest, most of us are doing the same things socially (very little) and going to the same places (stay at home) and have the same concerns (Covid-19) so targeting victims with emails is probably easier than it’s ever been – and I’m certainly seeing increased evidence of this.
In summary and in defence…
To summarise, let’s educate and train, and use the tools and techniques that we have and that we can develop to empower our employees – not only to support your corporate defences, but to help them defend themselves and their families.
Rob has over 25 years’ experience in both offensive and defensive cyber and information security, and works constantly with customers to advise them on all security subjects – including remote security, defensive tooling and breaches – and to develop new solutions that anticipate their changing security needs.