Need for Better Employee Protection is Apparent During Cybersecurity Awareness Month

National Cybersecurity Awareness Month is upon us again, and it’s a great time to be reminded that the top cause of corporate data breaches is phishing. The very nature of phishing is to elicit an end-user response that makes it seem like the responsibility falls on employees. After all, they are ultimately the ones being tricked into clicking on bad web ads or filling in credentials to a fake form. Hackers are smart. They would much rather avoid spending a significant amount of time and resources breaking into what could be a heavily secured network through brute force attacks and searching for possible vulnerabilities in defenses, when they can target users who are a much softer target that provides quicker and cheaper access to corporate networks.

While security awareness training is important to weed out the most obvious of Nigerian Prince scams–especially during National Cybersecurity Awareness Month–phishing scams have become so rampant and so sophisticated that it’s almost impossible for anyone, even IT or security employees, to definitively detect a every threat by viewing their screen. With this year’s theme to “Own IT. Secure IT. Protect IT.” it’s a great time to strengthen the partnership with your employees, to not only teach them to be wary of common attack types and how to look for them, but also to set them up for success with the right automated security tools that prevent them from being exposed to phishing campaigns in the first place.

Cybercriminals are successful in large part because many organizations are not carrying out due diligence in addressing the problems of business email compromises (BEC), phishing, spear phishing, ransomware and other socially engineered threats. One common phishing threat that’s hard to detect is malvertising, which uses distributed ad networks to serve up malicious advertisements on legitimate websites. These enable cybercriminals to lure more victims to their phishing pages, which can compromise corporate and BYOD with malicious browser extensions that are hard to detect. Ad networks enable advertisements to be served up on numerous legitimate sites, so the bad guys benefit from the implied trust visitors have of those sites, enabling them to hook more people. Here’s an example malvertising being served up through Google ads on the New York Times online, a trusted website.

The malvertising ad looks innocent enough in promoting a download of a simple PDF viewing and conversion tool.

Sponsorships Available

Sponsorships Available

Sponsorships Available

But once the app is downloaded, users are directed to a phishing page that conducts user behavior monitoring by hijacking browser and search functionality. The app also automatically runs unsecured malicious third-party content within a browser.

From an enterprise security standpoint, it is impractical for most organizations to block traffic to legitimate websites and ads from those sites. Users see ads on these trustworthy sites, take the bait, and then download browser extensions and agree to terms of service — which opens their machines to all kinds of manipulation from threat actors. To make matters worse, rogue browser extensions are extremely hard to detect. Most are simply JavaScript and HTML rather than a file-based executable, and they execute entirely within browser memory as part of a “trusted” application, the browser. So now users and machines are compromised, and most security tools can’t detect what is going on.

Of course, the human element is the inherently weakest link in the security chain and the sophistication of today’s socially engineered attacks leaves employees and organizations at risk. During a typical day, employees can browse numerous websites and go through hundreds of emails, so even the most well-trained and observant employee can get distracted and be directed to an insecure website, click on a phishing link or malvertising site or download a file with malware.

Again, while it’s easy to place the blame on an employee, IT and security teams should take the following precautions to ensure their organizations are protected:

• IT policies should encompass Shadow-IT issues for installing unapproved software or browser extensions, or granting access from personal devices and service logins.
• Put real-time phishing threat intel feeds (or block lists) in place to remove access to sites serving up rogue browser extensions and other forms of malware.
• Use Network Traffic Analysis (NTA) systems to detect signs of unauthorized systems access, lateral movement, or data exfiltration.
• Determine frequency with which every endpoint is backed up, where it is backed up, and the procedures for testing these backups.
• Create policies for how employees handle and share sensitive and confidential data, stressing the importance of classifying and encrypting data plus instilling policies regarding which tools must be used to send and store sensitive data.
• Employ best practices for password management including minimum requirements (length, special codes, upper/lower case), the use of passphrases instead of passwords, and frequently changing and storing login credentials safely.
• Determine systems and data assets that require dual-control procedures so a single employee can’t steal or delete sensitive data assets.
• Determine which data assets are made available through the internal corporate network or the public network, and what should be air gapped.
• Create requirements for the use of at-rest and in-use encryption for every platform or device, especially mobile devices, laptops, or personal devices that touch corporate data or financial assets and must have remote wipe capabilities.

National Cybersecurity Awareness Month is a good time to stress that better security defenses, automated tools, and smarter users help interrupt the kill chain sequence or detect post-compromise activity that help reduce the risk of costly breaches from malvertising. Organizations need to be careful not the shift the blame entirely to users but continue to invest in the right tools that catch these new types of attacks before they can ever reach the inbox or web browser.