Keeping communications channels open

I’ve recently heard some interesting albeit cynical opinions regarding the apparent futility of end user training and awareness communications as effective security mitigation. The problem here is often not the principle itself but rather the way it is delivered. Many business users have neither the patience nor the will to spend time deciphering what may appear to them as a jargon-filled lecture from their IT department. As a result, those learning resources often do more to confuse than to help in places. Whilst they do have good intentions, the people that know the most about cyber threats aren’t necessarily the best ones to communicate them to the business. If you are in an organisation that has access to specially trained professionals, corporate communications, or even marketing teams, then why not work with them instead to deliver relevant, plain-English bulletins and awareness programs? Some resources might appear somewhat ‘dumbed down’ to the pros in places, and maybe they won’t have all the detail you would like to see. But a simple message that actually gets through to more people and perhaps makes them think twice before opening something that has slipped through the net has to be worthwhile. Driving this point home, a recent CERT-UK issued advisory stated the following:
"The best defence against the Dridex malware, or any other spam phishing campaign, is to ensure that all staff in an organisation are educated on the dangers that email attachments or links can bring."

Raising regular user awareness and vigilance towards phishing and other social engineering techniques is therefore still 'a' necessary mitigation that we need to be doing all year round and one that’s especially relevant during periods of heightened risk.
Policy in Practice

Whilst there is no value whatsoever in creating a culture of blame or fear toward those who have made genuine mistakes (in fact, this is more likely to prove counterproductive in terms of both co-operation by staff and genuine awareness of your risk posture), good communication and awareness programs have to be backed up by policy to let people know that your organisation is serious about its security. At a minimum, each user entrusted with access to your network should be aware that they have a personal responsibility to protect its assets and to report incidents in a timely manner. Keeping certain lines clear between personal and business use can also serve to protect your organisation and actually make it a little easier for your staff to make the correct choices. Good practice guidance has long advised government organisations to forbid, or at least actively discourage, staff from using business email addresses for subscribing to non-work related services, for example. By doing this, it should be far easier for staff to recognise a scam.
Keep defending in depth

Whilst it’s all well and good trying to educate staff and steer behaviour through policy, as network defenders we should be getting better at preventing this ‘bad stuff’ from reaching them in the first place, shouldn’t we? As we know, however, there are no silver bullets for this. The only hopeful approach is to have as many well-tuned layers of defence as you can afford to implement and to properly configure, maintain, and monitor. These ideally need to be at every possible layer of the OSI stack and at every possible position from the network gateway right through to the endpoint. The problem is that many of these layers are still heavily, if not wholly, reliant upon signature-based detection to identify ‘bad stuff,’ and as we also know, the rate at which such signatures are created cannot possibly hope to keep up with the rapid proliferation of bad stuff. We must, therefore, look more to analytical solutions that can recognise unknown stuff as being bad by how it behaves (when detonated in sandbox environments, for example) rather than simply basing that decision on whether or not a signature exists to say so. That is not to say (as claimed by some) that signature-based detection is necessarily dead, either. It is still essential for that first step of filtering out the noise, particularly given there is more noise out there than ever before. A bit like the air bag in your car: it isn’t necessarily going to save you in an accident, but that doesn’t mean you would be wise to simply remove it altogether, either.
DMARC the spot

Christmas is a time of giving, and whilst we rightly concentrate on protecting our own networks, we should also perhaps be considering playing our part toward creating a better mail ecosystem where our namespaces can be better trusted by recipients. If, however, you’re feeling more like Scrooge than Santa, consider instead the reputational and political damage that can be done to your brand even if it is merely perceived that a malicious payload originated from your domain and systems. One of the biggest problems with email has always been the relative ease with which many address spaces can be spoofed so that a malicious message can appear to come from a legitimate and trusted source domain. After all, if a malicious message is well-branded, convincingly constructed, grammatically correct, and appears to have come from YOURDOMAIN.COM (rather than Y0URD0MA1N.com, for example), even the best-trained user with the keenest eye for detail cannot reasonably be expected to question its legitimacy. Here in the UK, the National Cyber Security Centre (NCSC) has embarked on a positive campaign to promote the proposed DMARC standard and to make its adoption mandatory for Government departments. DMARC stands for “Domain-based Message Authentication, Reporting & Conformance” and builds upon the established techniques of SPF and DKIM. It lets a domain owner state what should happen to mail purporting to come from their domain if both of those validation methods fail (or pass only for a domain that does not align with the visible From address). By allowing a graduated action policy of ‘none’ (monitor only), ‘quarantine,’ or (as confidence in its accuracy grows) ‘reject,’ the end goal is a far more confident sense of authenticity regarding your mail and brand. Furthermore, the ability to collect and analyse reports of failures provides a useful source of wider intelligence as to how someone might be misusing that brand.
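To make the policy decision described above concrete, here is an added example (not code from the article or from any DMARC implementation) that parses a published DMARC TXT record and, given a message's SPF and DKIM outcomes, decides whether the message passes DMARC and which disposition the policy requests. It assumes a simplified organisational-domain rule (last two DNS labels) in place of the Public Suffix List that real receivers use, and it ignores the `pct` and `sp` tags.

```python
# Added example: minimal DMARC policy evaluation (not from the article).
# Assumption: the organisational domain is approximated by the last two
# labels; production receivers consult the Public Suffix List instead.

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    return tags

def org_domain(domain):
    """Simplified organisational domain: mail.example.com -> example.com."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) needs the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.
    spf_domain is the envelope (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= value of the DKIM signature that was verified."""
    tags = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")          # either aligned pass is enough
    return ("fail", tags["p"])           # apply the published policy

# Constructed record for a domain that has moved past monitoring to 'quarantine'.
EXAMPLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r"

if __name__ == "__main__":
    # A spoofed message: From example.com, but SPF passed for the sender's own domain.
    print(evaluate(EXAMPLE_RECORD, "example.com", "pass", "attacker.example", "none", ""))
    # Legitimate mail from a subdomain bounce address: relaxed SPF alignment passes.
    print(evaluate(EXAMPLE_RECORD, "example.com", "pass", "bounce.example.com", "none", ""))
```

The `rua` tag in the record is where receivers send the aggregate failure reports the article mentions; the evaluator above only reads the policy and alignment tags.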
Its implementation has already yielded successful results for HM Revenue and Customs (HMRC) in the UK, apparently preventing 300 million phishing emails in 2016. This doesn’t solve the related problems of spoofing via typosquatting and misuse of punycode, as highlighted very well by David Bisson here, but if you are feeling charitable or are concerned about that particular threat, you can always take the advice in the article by buying and redirecting possible look-alike domains. Here’s hoping that all State of Security readers survive and even manage to enjoy at least some of the festive season so that they're ready to face 2017. Indeed, given the current state of IoT security and the fairly safe consumer predictions that more internet-connected Christmas gifts will be given and received this year than ever before, 2017 could very well prove to be another challenging year.