Petya, WannaCry and the future of global cyber attacks

It’s been mere weeks since the outbreak of WannaCry, a global ransomware attack which left many organisations’ IT infrastructure in lockdown, but this week companies worldwide are again reporting that they have been struck by another major global cyber attack.

What happened?

Late on Monday night, the first reports surfaced of another global cyber attack. This time the attack began in Ukraine and appears to have spread through a hacked Ukrainian accountancy software developer to companies in Russia, Western Europe, the US and Australia.

Around 2,000 individuals and organisations worldwide have reportedly been affected. The list includes advertising firm WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk.

Infected computers displayed a screen warning users that their files were encrypted and no longer accessible. A $300 ransom, paid in Bitcoin, was demanded to release the decryption key.

How did it happen?

Initially, it was believed this outbreak was a new version of “Petya” – ransomware that emerged last year. But in the hours after the outbreak security researchers noticed that the resemblance between Petya and this malware was only “skin deep”.

Kaspersky Lab reported that they believed this malware to be “new” (they called it “ExPetr”), and the name that stuck was “NotPetya”, a tongue-in-cheek reference to the fact that, despite the surface resemblance, it shares little code with the original Petya. Others have also referred to the outbreak as “Petna”, “Pneytna” and “Goldeneye”.

Worryingly, experts are suggesting that this latest outbreak of malware takes advantage of the same weakness used by the WannaCry attack last month. Like WannaCry, “NotPetya” uses the EternalBlue exploit (and its sibling EternalRomance) against the SMBv1 vulnerability in Microsoft Windows, patched in MS17-010, to move through the network, infecting other machines and systems as it goes. It also harvests credentials from each machine it infects and uses legitimate Windows administration tools (PsExec and WMIC) to reach hosts that are already patched. Unlike WannaCry, however, it does not scan the wider internet for new victims: it only spreads within the local network it has landed on.

Microsoft released a patch for this vulnerability (MS17-010) in March 2017 and, after WannaCry, even released it for operating systems which were no longer under support, which is incredibly rare in itself. This latest attack suggests that many companies still had not applied it. Security experts have said this is partly because WannaCry was halted so quickly, but also because industrial firms struggle to apply software patches promptly as their systems cannot have downtime. Patching alone would not have stopped “NotPetya” completely, since it also spreads using stolen credentials and legitimate administration tools, but it would have closed the exploit path that lets it jump between unrelated machines.

The motive of malware

Now that the dust is beginning to settle and there has been time to analyse Tuesday’s outbreak, it has been suggested that although “NotPetya” bears all the hallmarks of ransomware, it in fact has a much more sinister purpose: to permanently destroy data.

By definition, ransomware is designed to make money by holding data hostage, only releasing it once the victim pays the fee. Yet with “NotPetya” there is very little money to be found. One security researcher, who goes by the handle “the grugq”, states that “the malware’s advanced intrusion techniques are in stark contrast to its rudimentary payment structure”. Some of the elements researchers have flagged include:

  • Overwrites the master boot record without keeping a recoverable copy, so even with a decryption key it would be impossible to restore affected disks.
  • The “installation key” shown in the ransom note is random data rather than a real per-victim infection ID, so the attackers have nothing from which to derive a paying victim’s decryption key.
  • Used a single Bitcoin address to receive payments, which makes it impractical to tell who has paid.
  • Required victims to email a long string of machine-generated characters to a single mailbox, which the email provider shut down within hours of the outbreak. Ransomware operators normally avoid this kind of friction, as it decreases the likelihood of payment.

There have been differing opinions on the motive behind “NotPetya”. Some researchers speculate that it looks like a “state-sponsored” or a “state operating through proxy” attack. This is due to the fact that the infection seems to specifically target Ukraine’s vital institutions, such as its central bank, airport and metro transport, rather than focusing on more lucrative targets.

Another suggestion is that Tuesday’s attack was “a lure to control the media narrative, especially after the WannaCry incidents to attract attention to some mysterious hacker group”.

The future of global cyber attacks

As society becomes increasingly connected and ever more reliant on technology, this wave of global cyber-attacks raises questions about the future for businesses.

Traditionally you would have people who hacked for “fun”, just to prove that they could get into a company’s systems. Now the majority of attackers are looking for financial gain, using the threat of locked-down systems or the release of sensitive data to extort payment from a business. However, if we are entering an era in which businesses are attacked simply to cause the maximum damage possible, then it is right to be concerned.

Businesses sometimes decide to pay ransomware demands, even if they dislike the idea, simply because it costs less than losing a day’s productivity. Malware which merely poses as ransomware changes that calculation: responding to the demand will not bring the files back, and, depending on the backup policy in place, an unknown amount of data could be permanently destroyed.

There is no doubt that “NotPetya” was a sophisticated piece of malware, designed to “spread fast and cause damage with a plausibly deniable cover of ransomware”. Which raises questions about potential attacks in the future and the motives behind them, e.g. cyberterrorism, revenge, geopolitics etc.

What, if anything, can you do?

Although the increase in cyber-attacks, and their global reach, is concerning, there are steps businesses can take.

On a day-to-day level, you should ensure that all your systems and software remain up to date. Apply the latest patches when they are released and ensure you’re running up to date Anti-Virus and Firewall solutions. Staff training also plays an important role. With email and social engineering popular attack methods, it’s vital that they recognise potential threats and know how to respond.

Backups are critical, but they need to be organised in a particular way to be “ransomware-proof”: ransomware encrypts anything the infected account can write to, so a backup sitting on a mapped drive or an open share is just another set of files to encrypt. A three-tier approach, comprising short, medium and long-term backups, is a more reliable way to protect your data:

  • Short-Term – Constant backups of files through a file/block-level replication service, or to a target on your own network that user accounts cannot write to directly (the backup server pulls the data with its own credentials, rather than clients pushing to a share they can see). What matters is not the protocol but that no user account, and therefore no malware running as that user, can reach the backup store.
  • Medium Term – Regular backups onto easily accessible storage devices logically isolated from the rest of the network, for example a backup appliance on its own VLAN that is not exposed as a file share.
  • Long-Term – Offline, encrypted storage, physically isolated from the rest of your company and users. These backups are less frequent but are there in case of an emergency, and because nothing on the network can reach them they cannot be encrypted by ransomware.

Alongside this, you should run regular restore tests of your backups to ensure they work as expected. Scan the data going into the backup for malware, and watch for files that have already been encrypted: otherwise the ransomware, or its output, is preserved in the backup and a restore simply puts the problem back, leaving users in a continual loop of backup-restore-encrypt. Backups should also be versioned, so that a clean copy from before the infection remains available even after the encrypted versions have been backed up.
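The pre-backup scan and restore test described above, as an added example in Python (not code from the original article). It flags files that look like ransomware output before they are backed up, using two heuristics: a known ransomware extension, or a Shannon entropy close to 8 bits per byte (what ciphertext looks like) in a file type that should not be compressed. It then records a SHA-256 manifest of the clean files and checks a restored tree against it, which is the restore test. The extension lists, the 7.5-bit threshold and the sample files are assumptions constructed for the example; real deployments should feed the lists from current threat intelligence and expect some false positives from compressed or legitimately encrypted business data.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# Extensions that well-known ransomware families append to the files they encrypt
# (constructed subset for this example; keep it fed from current threat intel).
RANSOM_EXTENSIONS = {".locky", ".wncry", ".wcry", ".cerber", ".crypt", ".encrypted"}
# Formats that are high-entropy by design and would otherwise be false positives.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".jpg", ".png", ".docx", ".xlsx", ".pdf"}
# Ciphertext scores close to 8 bits per byte; text and most office data sit well below.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path, sample=4096):
    """Reason the file looks like ransomware output, or None if it passes."""
    suffix = path.suffix.lower()
    if suffix in RANSOM_EXTENSIONS:
        return "known ransomware extension " + suffix
    if suffix in COMPRESSED_EXTENSIONS:
        return None
    with path.open("rb") as f:
        head = f.read(sample)
    entropy = shannon_entropy(head)
    if len(head) >= 256 and entropy > ENTROPY_THRESHOLD:
        return "high entropy (%.2f bits/byte)" % entropy
    return None


def sha256(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def prescan(root):
    """Walk the backup source. Returns (manifest, suspicious): manifest maps relative
    path -> sha256 for files worth backing up, suspicious maps path -> reason."""
    manifest, suspicious = {}, {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        reason = looks_encrypted(path)
        if reason:
            suspicious[rel] = reason
        else:
            manifest[rel] = sha256(path)
    return manifest, suspicious


def verify_restore(manifest, restored_root):
    """The restore test: every file in the manifest must be back, byte for byte."""
    problems = []
    for rel, digest in manifest.items():
        p = Path(restored_root) / rel
        if not p.is_file():
            problems.append("missing: " + rel)
        elif sha256(p) != digest:
            problems.append("hash mismatch: " + rel)
    return sorted(problems)


def demo():
    """Constructed scenario: two clean files, one file renamed by ransomware, one
    encrypted in place, and a restore in which one file came back truncated."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = Path(tmp, "src"), Path(tmp, "restored")
        src.mkdir()
        restored.mkdir()
        (src / "notes.txt").write_bytes(b"quarterly figures and commentary\n" * 40)
        (src / "memo.txt").write_bytes(b"minutes of the board meeting\n" * 40)
        ciphertext = bytes(range(256)) * 4   # stand-in for encrypted content: 8.0 bits/byte
        (src / "invoice.pdf.locky").write_bytes(ciphertext)
        (src / "contract.doc").write_bytes(ciphertext)
        manifest, suspicious = prescan(src)
        (restored / "notes.txt").write_bytes((src / "notes.txt").read_bytes())
        (restored / "memo.txt").write_bytes((src / "memo.txt").read_bytes()[:100])
        return {"manifest": manifest, "suspicious": suspicious,
                "problems": verify_restore(manifest, restored)}
```

Run `demo()` to see the two suspicious files kept out of the manifest and the truncated restore caught by the hash check; in production the manifest would be written alongside the backup set and the restore test run on a scratch host, never over live data.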

Those businesses who are particularly reliant on certain systems, who deal with large quantities of sensitive information or have access to significant funds may want to go further and consider advanced security solutions.

How to protect yourself from malware and phishing attacks

Phishing is the use of fraudulent emails, websites and phone calls to trick staff into handing over information such as login credentials, or into installing damaging viruses and other software. The aim is to steal information or to make IT systems unusable until the individual pays up.

Phishing is certainly on the rise again, thanks in part to malware and virus toolkits that are simple to download, even for inexperienced “hackers”. It is a global business and worth the effort for the criminals: it is all about the money now.

Even though businesses have security systems in place, it is likely that something will slip through the net at some point. When this happens the last line of defence is the IT user. When phishing attacks succeed it is usually because an untrained member of staff clicked on a link or opened an attachment, so it is critical that employees fully understand the basics.

Security basics for phishing attacks

So, what areas should businesses be making their employees aware of to protect the business from phishing attacks, either on a website or via SPAM?

1. Protect against SPAM

Users must be educated in what to look for, such as emails that:

  • Come from unrecognised senders – always check the actual email address, even if the display name is familiar
  • Ask you to input personal information – especially if it’s required urgently
  • Aren’t personalised
  • Try to make you act quickly – often by frightening or threatening you into action

2. Use a phone or secure websites to enter information

When asked to enter personal information, check that the web address in the bar starts with https:// and that the domain is right (no spelling mistakes or unnecessary hyphens). Note that the padlock icon only tells you the connection is encrypted, not that the site is genuine: phishing sites routinely use HTTPS too, so the domain name is the part that matters.

3. Be wary of links and downloads

When opening web pages or emails you should only really be opening attachments or downloads when you are expecting them, even if you know the sender.

4. Don’t send sensitive information via email

Email is quite a simple technology and is often targeted during attacks. You just don’t know who could gain access to your emails, either in your mailbox, whilst travelling over the internet, or in the recipient’s inbox.

5. Watch out for links in emails which ask for personal information

The best way to get a target to enter sensitive information is to send an email which looks exactly like an email from that company. It’s very unlikely that these organisations would ask for sensitive information from within an email, so pick up the phone, call the company and check.

6. Pop-ups usually mean danger

It’s extremely unlikely that a legitimate organisation will use pop-up windows to ask for information.

  • Never enter any personal information into a pop-up window
  • Do not click links in a pop-up

7. Have multiple layers of security

Ensure that you have the basics in place, such as:

  • SPAM filters
  • Firewalls with zero-day threat protection
  • Anti-virus and anti-malware software on your servers, laptops and other devices

8. Think when you receive a phone call

It’s now becoming more common for attackers to call their target, often pretending to be from the IT team or the bank. They then direct you to a website that will then steal your information or allow them to access your machine. Always be wary of callers, call them back if necessary.

Staff should also be careful when entering sensitive information, clicking links or opening attachments and downloads they aren’t expecting. If you train them in what to look for, you drastically reduce your chance of a breach. As stated before, the majority of attacks are now targeting the end-users and, at times, can breach defences – even at large firms.


Web browser vulnerability puts web users at risk of phishing attacks

Even the most careful Internet users could be at risk from a recently identified phishing attack, which a Chinese infosec researcher has described as “almost impossible to detect”.

It has been warned that hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domains as legitimate websites, such as Google, Amazon or Apple, to steal information from users.

It would be difficult to identify the website as fraudulent because the address bar shows the expected name alongside the HTTPS padlock.

You can check if your browser is vulnerable to this attack by visiting this demo web page.

When you visit the demo page, if your web browser is displaying “apple.com” in the address bar secured with SSL (usually a padlock icon), but the content on the page is coming from another server, then your browser is vulnerable to the homograph attack.

How does the attack work?

A homograph attack is a type of spoofing attack where the website looks legitimate but it is not because a character or characters in the URL have been replaced with Unicode characters.

Many Unicode characters look the same as Latin letters to the casual eye, but they are treated differently by computers. For example, the Cyrillic “а” and Latin “a” are different characters to a web browser, but both are displayed as “a” in the address bar.

Many web browsers use a special encoding called “Punycode” to convert Unicode characters into the limited set of ASCII characters (a-z, 0-9 and the hyphen) that the Domain Name System supports; a label in this form starts with “xn--”. Showing the Punycode form in the address bar, rather than the decoded characters, is how browsers protect against homograph phishing attacks.

However, a loophole means that if every character in a domain label is drawn from a single non-Latin script, and the result looks exactly like the targeted domain, the affected browsers render it in that script instead of in Punycode form. (Labels that mix scripts, such as a single Cyrillic “а” inside an otherwise Latin name, were already shown as Punycode.)

This loophole allowed the researcher to register the domain name xn--80ak6aa92e.com, which appears as “apple.com” on all vulnerable web browsers: every letter in it is Cyrillic (а, р, р, ӏ, е). Xudong Zheng, the researcher who identified the vulnerability, has written about the attack in detail in a blog post.
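As an added illustration (not from the original article or from Xudong Zheng’s post), the following Python decodes Punycode labels and applies the kind of check a browser needs in order to close this loophole: a label made entirely of Cyrillic letters that each have a Latin lookalike is flagged as “whole-script confusable”, while a label that mixes scripts is flagged separately (browsers already displayed those as Punycode). The confusables table is a small subset of Unicode’s confusables.txt assembled for this example, and the script classification uses the first word of each character’s Unicode name because Python’s unicodedata module exposes no Script property.

```python
import unicodedata

# Subset of Unicode's confusables.txt, assembled for this example: Cyrillic letters whose
# glyphs match a Latin letter in common fonts, mapped to the Latin letter they imitate.
CYRILLIC_CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0501": "d", "\u0435": "e", "\u04bb": "h",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l", "\u043e": "o", "\u0440": "p",
    "\u051b": "q", "\u0455": "s", "\u051d": "w", "\u0445": "x", "\u0443": "y",
}

# Ordered from harmless to most dangerous; check_domain reports the worst label.
VERDICTS = ["ascii", "idn", "mixed-script", "whole-script-confusable"]


def to_unicode(domain):
    """IDNA ToUnicode done by hand: strip the xn-- prefix and Punycode-decode each label."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def script_of(ch):
    # unicodedata has no Script property; the first word of the character name
    # ("CYRILLIC SMALL LETTER A" -> "CYRILLIC") is a serviceable stand-in for letters.
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyse_label(label):
    """Return (verdict, what_the_user_sees) for one Unicode label."""
    if label.isascii():
        return "ascii", label
    letters = [c for c in label if c.isalpha()]
    scripts = {script_of(c) for c in letters}
    if len(scripts) > 1:
        # Mixed scripts: browsers already fell back to the xn-- form for these.
        return "mixed-script", label
    if scripts == {"CYRILLIC"} and all(c in CYRILLIC_CONFUSABLES for c in letters):
        # Every letter is Cyrillic and every one has a Latin twin: the label is
        # indistinguishable from the Latin string it imitates.
        return "whole-script-confusable", "".join(CYRILLIC_CONFUSABLES.get(c, c) for c in label)
    return "idn", label


def check_domain(domain):
    """Decode an IDN and report the worst verdict among its labels, plus the
    Latin string a user would believe they are looking at."""
    unicode_form = to_unicode(domain)
    worst, seen = "ascii", []
    for label in unicode_form.split("."):
        verdict, shown = analyse_label(label)
        seen.append(shown)
        if VERDICTS.index(verdict) > VERDICTS.index(worst):
            worst = verdict
    return {"unicode": unicode_form, "verdict": worst, "looks_like": ".".join(seen)}
```

`check_domain("xn--80ak6aa92e.com")` reports the decoded Cyrillic label, the verdict “whole-script-confusable” and “apple.com” as the string a user would read; a genuine IDN such as münchen.de comes back as plain “idn”, which is the case a browser must keep displaying in Unicode so that legitimate non-English sites remain readable.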

How can I protect myself?

You can protect yourself against this vulnerability by following the instructions below to disable the vulnerability on affected web browsers.

Google Chrome

Google has patched the vulnerability in Chrome 58, so you will need to update to this version if you have not done so already.

To update Google Chrome, please follow these steps:

  1. Open Google Chrome on your computer
  2. Click the menu icon (three vertical dots) in the top right-hand corner
  3. Then click “Update Google Chrome”
  4. Finally click “Relaunch”

Note: If you can’t see “Update Google Chrome” then you’re on the latest version

Mozilla Firefox

Currently there is no patch for this web browser, but there is a setting that makes Firefox always show IDNs in their Punycode form, which protects you from this vulnerability:

  1. Open Mozilla Firefox on your computer
  2. Type about:config in the address bar
  3. Click “I accept the risk”
  4. Type “punycode” into the search bar to find the network.IDN_show_punycode setting
  5. Double-click it to change the value to “true”

Opera

There is currently no patch for this web browser, and there is no workaround such as with Firefox.

We would recommend using an alternative browser such as Google Chrome, to protect yourself, until Opera release a patch.

Other browsers

There have been no vulnerability reports for the following browsers: Internet Explorer, Microsoft Edge, Apple Safari, Brave and Vivaldi.

Remember to carefully check any email which contains links or attachments before you click on anything within the message. We recommend that users manually type website URLs into the address bar for important sites like email, social networks or banking, instead of clicking on a link contained within an email, to protect against such attacks.


9 red flags to help you spot an email scam


Every day hundreds of thousands of scam emails flow into the inboxes of users all across the world. While it’s painfully obvious that some are completely fraudulent, phishing emails – particularly those targeted at businesses – are becoming much more sophisticated, and increasing numbers of users are being tricked into sharing valuable company information.

Unfortunately, there is no one red flag which immediately identifies a scam email, but there are a number of things to watch out for.

How to spot a scam email

1. Don’t trust the displayed name in the email

A name displayed in the “from” box in Outlook is no guarantee of who the sender is. The display name is free text chosen by whoever sent the message, so look at the actual address behind it.

2. Look but don’t click

If you hover your mouse over a link (without clicking) you will see the web address that the link points to. If it doesn’t match that of the sender, be cautious. Also be extra vigilant if any email directs you to a website asking for a login, as this is the main way a criminal steals valid login credentials.

3. Check for spelling or grammar mistakes

If the email doesn’t sound right when reading it then that’s a flag that it’s not legitimate

4. Look at the salutation

If your contact usually addresses you by your first name, but now they’re writing “Valued Customer”, you should look deeper. Again, any suspicion you have is probably being triggered correctly – trust your instincts.

5. Never give sensitive information

If an email is asking for sensitive information over email or a web page that you wouldn’t be comfortable with anyone else seeing then pick up the phone to a known number and validate it.

6. Beware of “urgency”

If an email sounds urgent and startling then do take some time to think, analyse or ask advice. If someone is threatening to stop a service or is making a demand then you should stop, think about it, and talk to your colleagues.

7. The images and layout in an email tell the truth

It’s common for cyber-criminals to not quite get the look of emails right, in terms of images and layout. Your alarm bells should ring if the email doesn’t look quite right. If in doubt, pick up the phone.

8. Check the domain

Many spoof emails use a domain that is close to the legitimate domain. For example, someone could use paypall.com rather than paypal.com to fool a recipient.

9. Be wary of attachments

Attachments in emails can be dangerous even when the file type looks ordinary, and doubly so when it does not. Be especially wary if the attachment is one of the following file types: “exe”, “bat”, “com”, “cmd”, “cpl”, “js”, “jse”, “msi”, “msp”, “mst”, “paf”, “wsh”, “wsf”, “vbs”, “vbe”, “psc1”, “scr”, “lnk”. Also be extra careful with zip files, as they are often used to hide dangerous files from weaker email scanners and firewalls, and with “double” extensions such as invoice.pdf.exe, since Windows hides the real extension of known file types by default. Note that the familiar office formats (.doc, .xls, .pdf) are not safe by definition either: Office macros and PDF exploits are among the most common ways malware is delivered, so treat unexpected documents with the same suspicion.
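Several of these red flags (1, 2, 8 and 9) can be checked mechanically before a message ever reaches a user. The following Python is an added example, not code from the original article: it parses a message with the standard library, compares the display name and sender domain against a list of trusted brand domains, compares the visible text of each HTML link with the host it actually points to, and inspects attachments, including the members of zip files, for the executable extensions listed above. The trusted-domain list and the sample message are constructed for the example, and the “one edit away” test is a deliberately simple lookalike check.

```python
import io
import re
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

# Brands the organisation expects mail from (constructed for this example).
TRUSTED_DOMAINS = {"paypal.com", "example.com"}
# The risky extensions listed above.
EXECUTABLE_EXT = {"exe", "bat", "com", "cmd", "cpl", "js", "jse", "msi", "msp", "mst",
                  "paf", "wsh", "wsf", "vbs", "vbe", "psc1", "scr", "lnk"}


def edit_distance(a, b):
    """Levenshtein distance; a trusted domain one edit away is a lookalike (paypall.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(url):
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


class LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def attachment_names(part):
    """The attachment's own name plus, for zip files, every member name inside it."""
    names = [part.get_filename() or ""]
    data = part.get_content()
    if isinstance(data, bytes) and data.startswith(b"PK"):
        try:
            names += zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            pass
    return names


def red_flags(msg):
    flags = []
    name, addr = parseaddr(msg["From"])
    sender_domain = addr.rpartition("@")[2].lower()
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in name.lower() and sender_domain != trusted:               # red flag 1
            flags.append("display name mentions %s but address is @%s" % (brand, sender_domain))
        if sender_domain != trusted and edit_distance(sender_domain, trusted) == 1:  # red flag 8
            flags.append("sender domain %s looks like %s" % (sender_domain, trusted))
    html = msg.get_body(preferencelist=("html",))
    if html is not None:                                                       # red flag 2
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            shown, real = host_of(text), host_of(href)
            if shown and real and shown != real:
                flags.append("link text shows %s but points to %s" % (shown, real))
    for part in msg.iter_attachments():                                        # red flag 9
        for n in attachment_names(part):
            if "." in n and n.lower().rpartition(".")[2] in EXECUTABLE_EXT:
                flags.append("executable attachment " + n)
    return flags


def sample_message():
    """Constructed phishing-style message with all four problems present."""
    msg = EmailMessage()
    msg["From"] = '"PayPal Support" <billing@paypall.com>'
    msg["To"] = "user@example.com"
    msg["Subject"] = "Urgent: confirm your account today"
    msg.set_content("Please review the attached invoice.")
    msg.add_alternative('<p>Sign in at <a href="http://login.paypal-secure.net/">'
                        "https://www.paypal.com</a></p>", subtype="html")
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("invoice.pdf.js", "// a real dropper would go here")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 harmless", maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg
```

`red_flags(sample_message())` returns one line per problem: the brand name in the display name, the lookalike sender domain, the link whose text and destination disagree, and the script hidden inside the zip. The harmless PDF produces nothing, which is exactly the gap the final paragraph above warns about: a “standard” document type passes this check and still has to be treated with suspicion by the person who opens it.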

Example of a scam email

[Image: example of a scam email in which an attacker pretends to be a member of staff]

At the end of the day, if an email doesn’t seem quite right then make sure to qualify with the supposed original sender. If your Finance Director asks you to arrange a bank transfer, confirm the request on the phone or in person. It only takes a few minutes and could prevent you from making a costly mistake.


Three uses for email archiving in your HR department

Email archiving brings benefits to every department throughout a business – from finance and legal, through to administration. One department which can benefit from email archiving is HR, as they deal with personal data every day.

3 ways HR Managers can benefit from Email Archiving solutions

Three benefits of email archiving for HR Managers

1. Investigate claims of bullying in the workplace

You may think this doesn’t happen in your workplace, but it’s something you should be able to investigate. Research carried out by the TUC shows that 29% of people have been bullied at work. Email records are important in cases of alleged verbal or physical bullying, as they’re difficult to prove.

An email archiving solution that captures every email provides HR managers with the transparency and visibility required to conduct a fair investigation in the event of a complaint. It’s more reliable than relying on employees to archive their messages on an ad-hoc basis. A solution with user-based security permissions is ideal as HR Managers can investigate complaints without the involvement of the IT department.

2. Monitor for email misuse

A company may find itself in the midst of a legal dispute if employees misuse corporate email. This could range from sharing offensive material to accidentally hitting the “Reply All” button. It is not enough to rely on your employees to use common sense when it comes to email etiquette, and it could result in legal action against your company – as seen in the case of Thales Australia.

One way to ensure employees are aware of your business’s email usage policy is to send a copy of the guidelines via email. Then ask employees to send a reply stating they have read the policy and agree to abide by it. Your email archive will save the reply, so you have a record available should any dispute arise. Using an email archiving solution also means you will have a record of any inappropriate work emails, even if the employees sending and/or receiving them delete the messages from their inboxes in between system backups. Emails are time-stamped and digitally fingerprinted at the moment of storage and retrieval, so you can demonstrate that the data has not been altered, which is essential if these emails are being presented as evidence in a tribunal.

3. Ensure regulatory compliance

You must keep former employees’ records for the duration of employment and for six years after you terminate employment. This includes items like training records, appraisals, contracts, annual leave, sickness records and disciplinary warnings (even if these have since expired). You have to keep these because an Employment Tribunal, County Court or High Court claim is possible for up to six years after employment ends. So the business could be at risk for failing to produce these records. Also keep anything that relates to the employee, which an Employment Tribunal may require as evidence, for this retention period.

How to increase security & better protect your insurance firm


In recent years insurance firms have been targeted by numerous cyber attacks, both internal and external, including those by disgruntled former employees and organised cybercriminals. With the UK insurance industry alone managing investments of £1.9 trillion it is no surprise these firms are such an attractive target. Not only do these firms have a lot of capital funds on their systems at any one time, but they also have access to a wealth of customer data – the perfect tool for hackers to use for blackmail or to release to the public with the intent of causing reputational damage.

How do cybercriminals target insurance firms?

Gone are the days when individuals just hacked for “fun” or to prove that they could access a company’s system. Now their motives are far more calculated. This, in turn, has also changed the method of attack. Cyber attacks are rapidly becoming more sophisticated and for the hacker who is willing to be patient and clever the rewards stand to be substantial, whether that’s financial gain or the potential to damage – in some cases irreparably – a firm’s identity and reputation.

While insurance firms can be exploited through software vulnerabilities, social engineering is another popular tactic for many hackers. It essentially involves using tricks or tactics to obtain information from legitimate users of a system in order to gain unauthorised access, without having to break in. Examples include calling targeted employees pretending to be from IT or maintenance, and requesting login details in order to “fix a problem”. As this can resemble a routine helpdesk request some users may respond, which highlights the need for continual end-user training. Employees are often a firm’s first line of defence and, as such, must be able to recognise red flags – such as suspicious emails or calls – and understand the appropriate escalation process.

How can insurance firms protect themselves?

When it comes to determining a security strategy, and the overall IT strategy, the insurance sector faces pressure from multiple angles. It carries additional regulatory burdens in comparison with some other sectors, and it is under continual technical pressure to modernise its systems so that customer data is highly secure while still remaining accessible for review and processing.

These pressures combined can result in increased overheads and reduced margins, which can lead to decreased technical investment. However, when it comes to cybersecurity, technology should actually be the last piece of the puzzle.

Determining a security strategy should really begin with a firm understanding what their assets are, and then assessing them to determine potential risks. A reliable starting point is the ISO 27001 standard. This is a global accreditation which essentially covers best practice in regards to information security. It helps firms manage security by reviewing assets, assigning controls and monitoring processes.

Education will always be a key element of any security strategy. Social engineering is developing at a rapid pace and employees remain vulnerable as these attacks essentially manipulate trust. A comprehensive security policy should cover basic elements such as password strength, disclosing confidential information and physical security. You should then share the policy with the whole company. A security-aware culture will mean that potential threats will flag up with employees, who can then make the correct decisions. Even when the request seems genuine.

Recent high-profile breaches must serve as a warning that insurance firms are a prominent target for cybercriminals. This is likely to continue, if not increase. Taking steps to protect customer and financial data will protect your brand reputation and profitability, so it makes sense to implement policies and systems to secure your business and to review them regularly. The consequences of failure can be devastating, or even fatal to the business, so cybersecurity must be a priority.


6 scarily simple security slip-ups businesses still make


Happy Halloween, reader! Forget about ghouls and ghosts though because today we’re talking about something seriously scary. Working in the managed IT support and consultancy sector, we always hear about the latest breaches, newest methods of attack and many other security horror stories.

But even with scammers devising dozens of devious new attacks every day, zombie computers answering the call of the botnet and stealthy malware lurking in the dark recesses of the network, by far the scariest thing we see when auditing businesses is that so many are ignoring old and known risks. It’s the stuff of IT nightmares!

What follows are the six most fearsomely frightening security stumbles we still see businesses make…

1. No centralised (pumpkin) patch management

With cyber-attacks a constant threat, maintaining system security is critical and requires constant vigilance. Despite this, many businesses still decide not to implement some of the latest security updates. One reason is that they feel they cannot afford the risk of the disruption to services that patching can sometimes cause. This is a false economy: leaving your business open to vulnerabilities could end up costing you far more than the potential patch disruption.

Once a vulnerability has been disclosed it is only a matter of time before attackers use that information to devise exploits. Heartbleed is one such example: a bug in OpenSSL’s TLS heartbeat handling allowed an unauthenticated remote attacker to read up to 64 KB of the server process’s memory per request, which was potentially enough to retrieve usernames, passwords, session cookies or even the server’s private key.

A good patch management schedule should keep operating systems, services, firmware and applications patched and up-to-date. The patches should be applied regularly, on an agreed schedule and soon after any newly identified critical vulnerabilities are disclosed.

2. No multi-factor authentication

Passwords alone aren’t particularly secure. Weak passwords are like a cheap lock: easy to break and a useless defence against criminals. Despite consistent advice telling them otherwise, many people continue to use classic passwords like 123456, qwerty and password. To try to combat this many IT teams implement password policies, but these can sometimes exacerbate the problem.

Complexity

Typical advice is that passwords should be a minimum of 7 characters and contain uppercase, lowercase and numeric characters. However, that is quite an easy requirement to satisfy with a weak password under standard Microsoft password policy settings: many users would simply pick Password1, which passes. As attackers’ cracking tools get better at modelling exactly these patterns (a capitalised dictionary word followed by a digit), what was once critical for password security is becoming less important; length and unpredictability matter more than character classes.

Change Cycle

It’s important to strike the right balance when setting rules which determine how frequently users should change their passwords. Forcing users to create highly complex passwords and change them frequently is often a recipe for disaster. Users will simply choose simpler and simpler passwords so they can remember them. Or they will end up just making small variations to the same password. For example, changing one character or one number. It’s also common to find passwords written down if requirements are too complex.

Lock Out Rules

When it comes to preventing brute force attacks rules which require the account to lock after a certain number of failed log-in attempts are the most effective. When establishing these rules consider the sensitivity of the account, how likely authorised users are to enter the wrong password and how much of a hassle it is to fix the situation when users get locked out.

The ideal option is some form of two-factor authentication, e.g. a password and a key fob. Sure, someone may find out a password, but it’s unlikely they will also have the authentication fob. On the other hand, if someone were to find the fob it would be unlikely they could access your systems, because they wouldn’t know where you worked or your password. Bear in mind that a phishing site can relay a one-time code to the real login page while it is still valid, so a second factor raises the bar considerably but does not remove the need for user vigilance.

3. Not testing backup and restores

While it’s great that companies are investing in backing up their data, it’s no good if the backups don’t work when disaster strikes. All too often, testing is the missing step when it comes to backing up data, and the problem has only become more acute as backups become more complex. Simple backups must be tested much more frequently than full Disaster Recovery plans, and at least once a quarter. You will also need to test whenever there is a major hardware or software change to your backup system.

Your tests should be as realistic as possible, duplicating the condition you will face when you actually need to restore. If possible, test on the hardware you will restore to. Especially if you will restore to a different machine than the one that created the backup. Many businesses are also backing up to the cloud with no real plan on how they will restore operations should they lose a key system.

4. Running critical services on ADSL

Outages at the big providers are still a frequent occurrence and you only have to look to last month to see the painful impact of a major outage. Faulty domain name servers resulted in a widespread outage for Sky Broadband and BT customers starting at 07:00 and lasting for 9 and a half hours –wiping out the day for affected homes.

However, home users weren’t the only ones affected. Many businesses were hit by the outage as well – but this really shouldn’t have been the case.

Asymmetric Digital Subscriber Line (ADSL) services are not a suitable solution for businesses. They are rarely backed by a service level agreement (SLA), which strips you of any ability to claim compensation if downtime damages your business, and when they do go down they are typically down for extended periods.

But despite all this, we still see businesses using them worryingly often. If you’re running a business of any meaningful size, you need leased lines at a minimum. These give you a reliable connection, are backed by SLAs and, if you invest in redundancy, can provide connectivity even during a disaster.

5. Not encrypting devices

Imagine having to explain to a client or your board that their sensitive information has been stolen or released to a third party. Terrifying? Well, it’s a real possibility for the businesses we still see failing to apply encryption across all their devices.

A scary stat for business leaders and customers alike is that encryption is used in only 4% of breaches. For customers, this means their private information is being released to criminals in an easy-to-read format. For businesses, it means they will face higher fines due to their negligence.

Full encryption capabilities on all devices have been a necessity for years now and with the enormous quantity of data being shared and stored, the opportunity for a leak has never been greater. It’s now easy for information to fall into the wrong hands and, as far as the law’s concerned, that’s a data breach.

Any device which stores corporate data needs to be encrypted. If a CEO loses a phone on a business trip, that’s a data breach. If a laptop is stolen, that’s a data breach. If a USB stick is lost outside the company premises, that’s a data breach. But if, in any of these cases, the information on the device is encrypted, the risk drops to almost zero.

There’s a large range of IT systems that can automate and control much of this problem without much complexity, so there’s no reason businesses shouldn’t be doing something this simple.

6. Ghost accounts and shadow IT

We’ve seen these two threats in many businesses before and they’re both as scary as they sound.

Ghost accounts are the accounts of ex-employees who are still active on the network. They often crop up when an employee leaves and their account isn’t disabled as it should be.

As many as 50% of companies say ex-employees still have access to corporate accounts. For a disgruntled employee seeking revenge, this is an easy route to deal damage to your business. But what’s scarier is an unknown attacker leveraging the unmonitored account’s access rights to gain a presence deep within your network.

The simplest way to prevent ghost accounts is a clear policy and process for an employee’s departure which includes disabling their accounts. Technologies like Identity and Access Management can also help tackle the root of the problem: by giving accounts only the exact permissions they need, any account compromise – ghost or alive – has a much more limited impact.
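An added example (not QuoStar’s code) of how the leaver process can be checked: it reconciles a constructed directory export against a constructed HR leavers list, flagging leavers whose accounts are still enabled and dormant accounts that may be leavers HR never reported. User names, dates and the list of privileged groups are assumptions.

```python
from datetime import date

# Assumed set of directory groups whose members warrant the highest severity.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}

# Constructed sample data standing in for a directory export and the HR leavers list.
DIRECTORY_EXPORT = [
    {"user": "asmith", "enabled": True, "last_logon": date(2017, 6, 20), "groups": ["Staff"]},
    {"user": "bjones", "enabled": True, "last_logon": date(2017, 1, 3), "groups": ["Staff", "Domain Admins"]},
    {"user": "cwhite", "enabled": False, "last_logon": date(2016, 11, 9), "groups": ["Staff"]},
    {"user": "dlee", "enabled": True, "last_logon": date(2017, 1, 15), "groups": ["Staff"]},
    {"user": "svc_backup", "enabled": True, "last_logon": date(2017, 6, 25), "groups": ["Backup Operators"]},
]
HR_LEAVERS = {"bjones": date(2017, 2, 15), "cwhite": date(2016, 11, 10)}  # user -> leaving date

def audit_accounts(directory, leavers, today, stale_days=90):
    # Two checks: (1) ghost accounts, a leaver whose account is still enabled;
    # (2) dormant accounts, enabled but unused for stale_days, which may be
    # leavers HR never reported. Disabled accounts need no action.
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue
        privileged = bool(PRIVILEGED_GROUPS & set(acct["groups"]))
        idle_days = (today - acct["last_logon"]).days
        if acct["user"] in leavers:
            findings.append({
                "user": acct["user"], "issue": "ghost",
                "days_since_leaving": (today - leavers[acct["user"]]).days,
                "severity": "high" if privileged else "medium",
            })
        elif idle_days >= stale_days:
            findings.append({
                "user": acct["user"], "issue": "dormant", "idle_days": idle_days,
                "severity": "high" if privileged else "low",
            })
    # Worst first, so the leaver process gets fixed where it hurts most.
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f["severity"]], f["user"]))

if __name__ == "__main__":
    for finding in audit_accounts(DIRECTORY_EXPORT, HR_LEAVERS, date(2017, 6, 28)):
        print(finding)
```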

Shadow IT is another basic risk we regularly see going uncontrolled. Shadow IT is hardware and software running on the corporate network, used by employees but unknown to the IT team. It opens innumerable risks for a business and, unless you’ve taken proactive steps against it, it’s likely already on your network.

Controlling your shadow IT requires more than just tech since the problem has its roots in culture too. We have details on controlling your shadow IT in this blog. Fixing the problem can be a long road but ignoring it is simply not an option your business can afford.

How to create an information classification policy


Documents are a business asset. If an asset is lost, stolen or damaged, it becomes a risk, both for the business and for its clients.

This means having control systems in place to understand these risks is critical, and having the controls to counter them is equally important.

It sounds simple. But after a decade of working with businesses, it’s clear that few of them have suitable controls in place. To address this, we’ve created 10 points to guide you through the process of creating your information classification policy.

1. Keeping it simple

When looking at security in any way, it’s important to keep it as simple as possible. This is particularly true for something as routine as dealing with documents.

To make it simple, businesses need to invest in technology. In this case, there are three main technologies worth investing in:

A document getting into the wrong hands is going to cause your business, or a client’s business, damage. That is a fact. So aiming to implement all three is the best way to get a comprehensive solution.

2. Mapping your classifications

Before you get into classifying documents it’s important to ignore technology. Technology comes after you have decided the policies and processes you wish to follow.

What this means is that you need to map documents, or types of documents, into distinct groups. To do this, you should look at two key areas: the sensitivity of the document and its intended audience. This information will form the foundation of your Information Classification Policy.

Many businesses already have classifications in place. But they’re often created, implemented and forgotten – quickly becoming unusable without weeks or months of additional work. You need to create an Information Classification Policy and not hide it away. It needs to be clear and easy for everyone to work with and conform to with little effort.

3. Building the Information Classification System

The foundation of any Information Classification Policy is categorising information. Here are a few example document classifications that will fit most business requirements:

  • Public: Documents that are not sensitive and can be released to the general public without issue, e.g. on a website
  • Confidential: Documents only to be viewed internally or with third parties that have signed a non-disclosure agreement
  • Employee Confidential: Documents only to be viewed by employees at the company
  • Management Restricted: Documents only to be viewed by the senior management at the company
  • Private: Documents which contain personal information (useful for managing GDPR compliance)

In general, you don’t want to go over 10 classifications, because classification should be as simple as possible. If you find that you have too many classifications, consider looking only at sensitivity, or only at intended audience, to begin with, then fill in any gaps.


4. Assembling the Information Classification Team

A policy needs board-level support to ensure the business buys into and uses it. Once you have this, you should form a team which includes key departments in the business to enforce the policy.

This team may include people from technical, HR, legal and any other departments that are suitable for your industry. An appropriate team will be able to protect a business from security breaches whilst letting people access the information they need. And whilst it is important, the technical solution should be the last point to consider.

5. Designing the Information Classification Policy

Once you have your team assembled, you need to start going through your documents. In most organisations, it can be hard to know where to start.

To solve this, group documents at a high level, looking at the impact a data breach of that type could cause. Focus on the most sensitive document types first. Once those are locked down, you can move through the less sensitive ones.

When going through this process there are a few tips you can follow.

For company documents, it’s advisable to put your company name first. This helps them stand out from any other classification, i.e. from a client or a partner business.

It’s also useful to colour code classifications to help distinguish documents by eye. This helps you identify a sensitive document that’s left on a screen, printer or vacant desk. The beauty of colour classification is that it aids you in taking action internally or externally. It’s simple to prove that the defendant knew the information was restricted.

It’s important that you make it easy for staff to label and classify documents. If it takes more than three clicks to label a document, staff will find ways to circumvent the system. People naturally take the path of least resistance. So if your system is obtuse, employees will find ways to bypass it.

6. Enforcing control with automation

Once you’ve designed the Information Classification System, it’s finally time to look at the technology. Automation is very helpful to ensure enforcement. You shouldn’t rely on people alone as things will drop through the cracks.

It’s important that any technology links back into the core authentication system within a business. This will typically be Active Directory – the system you use to log in to your PC at the office.

Doing this simplifies things as you can use existing user groups to give access to certain classifications. There’s likely to already be an Active Directory group called “Board Members” for example, which you can use straight away.

Of course, grouping people doesn’t guarantee a user will know who they can and can’t send specific documents to. Nor will it prevent them from sending a document to a recipient by mistake.

This is why a business should be using a Rights Management system. Rights Management ensures that the systems know who has permission to access the document. So even if someone does send a restricted document, the recipient won’t be able to view it.
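As an added example tying points 3 and 6 together (written for this page, not QuoStar’s code), the policy below encodes the example classifications as data, keyed to assumed Active Directory group names, and makes the rights-management decision of whether a recipient can open a document. The colour codes, the audience for “Private”, the “External-NDA” marker and the company name “Example Ltd” are assumptions.

```python
from dataclasses import dataclass

# The five example classifications from the text, each mapped to the groups
# allowed to read it. Group names are assumed Active Directory groups;
# "External-NDA" is a constructed marker for third parties under a signed NDA.
# The audience for "Private" and the colour codes are assumptions.
POLICY = {
    "Public": {"audience": None, "colour": "green"},  # None = anyone may read
    "Confidential": {"audience": {"Employees", "External-NDA"}, "colour": "amber"},
    "Employee Confidential": {"audience": {"Employees"}, "colour": "orange"},
    "Management Restricted": {"audience": {"Senior Management"}, "colour": "red"},
    "Private": {"audience": {"HR"}, "colour": "purple"},
}

def validate_policy(policy):
    # The text recommends no more than 10 classifications, and colour coding
    # only works if every classification has its own colour.
    problems = []
    if len(policy) > 10:
        problems.append("too many classifications")
    colours = [rule["colour"] for rule in policy.values()]
    if len(set(colours)) != len(colours):
        problems.append("colour codes must be unique to tell labels apart by eye")
    return problems

@dataclass
class Document:
    title: str
    classification: str
    company: str = "Example Ltd"  # assumed company name

    def label(self):
        # Company name first so our labels stand out from clients' or partners'.
        return f"{self.company} - {self.classification.upper()}"

def may_view(doc, recipient_groups):
    # Rights-management decision: the classification's audience must overlap
    # with the recipient's directory groups, unless the document is Public.
    audience = POLICY[doc.classification]["audience"]
    return audience is None or bool(audience & set(recipient_groups))

def check_send(doc, recipients):
    # recipients: {name: [groups]}. Returns who would be unable to open the
    # document even though the sender hit "send" (the mistake described above).
    return sorted(name for name, groups in recipients.items() if not may_view(doc, groups))
```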

7. Educating employees

One of the largest causes of data leakage is employees. Make sure to train them on how to use the systems, and refresh that training periodically.

Also educate them on any security risks to the business – known, current or potential. They need to understand why following policies is important and how not following them can impact the business and therefore them.

8. Controlling leavers

So many organisations do not manage ex-employees. It’s important to disable their accounts once they leave the company. Even if they left on good terms, it’s best not to take a risk.

Loose accounts complicate the system at best and act as an open hole for attackers at worst. Hackers or insiders can hijack old accounts and make use of their access privileges. So you need to shut down accounts, or strip them of all access rights, to reduce the risk to your data.

9. Continually improving

It’s best if you adhere to common processes and document them somewhere accessible. To do this, you need robust information classification and risk policies that integrate with a wider standard. A good example to use as a framework is the ISO 27001 standard.

Doing this ensures that you assess and improve how you are controlling risks within the business, keeping you protected from an evolving threat landscape.

10. Widening the focus

It would be ridiculous to only focus on document security whilst ignoring the other risks to your business. So understanding all the risks your business faces and assigning suitable controls is something you must do.

Again, the ISO 27001 standard is a good framework to use for managing your information security on a wider basis. But this shouldn’t stop you going ahead and dealing with document security first. Getting this done will make things easier in the long term.

Summary

Businesses must control their risks, as failing to do so has catastrophic consequences. The key is to start simple and then improve. You don’t have to adopt everything at once.

A good starting point is to understand the sort of data you have and then classify it. A good percentage of your business information could be used to extort or embarrass you, or, even worse, a client.

Once you’ve got your classifications, tie them into document templates, then automate management and workflow with technology. When done right, businesses can dramatically improve their security, since it’s embedded into the asset itself. Rights Management can then control who can edit, copy, paste, print, email, transfer or view it at a later date.

Once in place, this can be overlaid with network controls such as Data Leak Prevention. This watches documents flow in and out of the business and can isolate, sandbox or alert relevant people that a breach may occur.

To take it further, systems at the perimeter, such as gateway encryption solutions, can identify sensitive information and encrypt it to ensure it won’t pass over the open Internet in clear text.

The list can go on, but it’s important you start at the beginning by creating an Information Classification System. You need to understand what you have, and what the risks and potential controls are, first.


In the press: Top tips for insurers to improve cybersecurity

Originally published in Life Insurance International

Hacking is becoming a relatively effortless procedure, and this is a major concern for many businesses.

Insurance firms, in particular, can be a greater target for cybercriminals. This is due to the large amount of capital on their systems and the wealth of customer information they hold. According to recent surveys, the Financial Services sector suffered 6.3 million cyber attacks in the last year alone.

Recent high profile cyber-attacks and the increasing number of them serve as a warning to insurance firms that cyber attacks are growing more sophisticated and that cybercriminals can get past some of the most protected systems.

QuoStar CEO Robert Rutherford explains the two main breach methods insurance firms are susceptible to, as well as several simple ways they can improve cybersecurity to better protect their firm, their reputation and their clients.

Read the article in full on Life Insurance International

In the press: How to secure your office printer

Originally published in Finance Digest

Security is a prime concern for the financial services industry. Not only is it under ever-increasing levels of regulation, but news of data breaches appears more frequently every day. Many firms will be aware of basic security measures such as firewalls and anti-virus protection, but one area they may not consider is the office printer.

James Stelfox, Managing Director of QuoStar, discusses the ways the office printer can put firms’ confidential data at risk, from simple things such as leaving sensitive documents sitting on the output tray to hackers intercepting print jobs as they travel from a computer to the printer.

Although the office printer can pose a risk, there are many simple solutions that can easily increase its security.

Read the article in full on Finance Digest