DE:CODED – Testing like hackers

“When it’s not a pay-to-play test that’s behind the curtain…”


Show notes for series 2, episode 3

What does it mean to test like a hacker? Can a well-intentioned tester behave the same as a real cybercriminal?

When you’re looking for a good security test, how can you tell the useful from the misleading?

Our email accounts sit at the centre of our digital lives. We look at ways to bullet-proof your most important internet account.

We discuss these questions, and more, with Frank Duff (ex-MITRE, now Tidal Cyber), Mike Sentonas (CrowdStrike) and Siggi Stefnisson (Avast).

Security Life Hack from Daniel Cuthbert!

Testing like hackers

When you test a security product or service, it makes sense to do so like a real attacker. Anything else is a simulation with weaknesses that reduce the value of the report.

How do you pick a security test report that is truly relevant to you and your organisation? We investigate the difference between a transparently ‘good’ test and corrupt, fake reports.

Email security is extremely important. Arguably more important than any other type of computer security. How can you lock down your accounts? And how can you choose the best email security services? We cover all of this, with our own insight and input from the people who create the email security that you rely on!

This episode’s Security Life Hack comes courtesy of Dan Cuthbert!

Topics

  • Test security products like hackers
  • Why is testing with the full attack chain necessary?
  • Ethics in security testing
  • The Anti-Malware Testing Standards Organization (AMTSO) testing Standard
  • Email security testing challenges
  • Passwords are not enough
  • Bullet-proof your email account(s)
  • Conversation with a fraudster
  • Security Life Hack!

Transcription

(Generated automatically)

Simon Edwards 0:00
Welcome to DE:CODED, providing in-depth insight into cybersecurity. What does it mean to test like a hacker? Can a well-intentioned tester behave the same as a real cybercriminal? And when you’re looking for a good security test, how can you tell the useful from the misleading?

Our email account sits at the centre of our digital lives. We look at ways to bulletproof your most important internet account. To discuss these questions and more, we’re joined by Frank Duff, who used to work at MITRE, Mike Sentonas from CrowdStrike and Siggi Stefnisson from Avast. Show notes, including any links mentioned in the show, are available at DecodedCyber.com.

There are many different ways to test cybersecurity products. Most of the common approaches are useful when evaluating a service or system, but they each have their pros and cons. There’s penetration testing, for example, where testers have a limited amount of time to focus on either bypassing security products completely or breaking those products. Simulation tools generate data that looks like a real attack, but isn’t. The idea is to see how a security product would work when a real attack happens.

And there is what we do at SE Labs: the full, real attack, otherwise known as full attack chain testing, or red team testing. This approach basically puts the tester into the role of a real adversary. There is little to no automation, just a skilled team of hackers attacking targets, while recording how defensive tools handle the situation, and to what extent.

Frank Duff is the man behind the MITRE security evaluations. Frank built the MITRE ATT&CK evaluations programme from the very start and ran it as the General Manager for four years. Today, he is the Chief Services Officer of Tidal Cyber, educating organisations on the cyber threats they face. Frank, can you explain a little about what an attack chain is, and why it’s important in testing?

Frank Duff 2:15
Attack chains, as we consider them, or what other people will call attack flows as well, is about chaining together behaviours that are related. So what that could mean is I need to, for instance, dump credentials so I can get an additional credential. I need to do network discovery to understand where I’m going to go next, so that I can actually perform the goal of the lateral movement and move to the next host. So in that case, you’re talking about a three-step chain to achieve a goal.

Simon Edwards 2:48
Which is what the bad guys would do in the real world.

Frank Duff 2:50
Exactly, exactly. It’s about making it real, related to what the bad guys have to do to achieve their goals, their mission. When I consider testing, a lot of tests can’t be done in just isolation of a single step, for instance. Instead, what you need to do is consider those multiple pieces that need to be pulled together. Why that matters for testing, and why you can’t just go the atomic route, is because each one of those steps offers potential for increased protection and detection capability, and improved performance of those by correlating back to the behaviour that was before it. So what that means is, maybe that third activity, that lateral movement in my example, isn’t enough to really raise the level of concern on its own.

But when you couple that with the credential dumping that happened right before it and the network discovery that happened right before it, suddenly that thing becomes of much higher importance, right? It tells you something a lot more when you understand it. Similarly, in like a protection test, a lot of these tools are going to stop that credential dumping. And so the discovery that might have come afterwards, or the lateral movement that might have come after it, wouldn’t have even been able to happen. So that’s why these chains matter. Because each of these atomic behaviours can do a certain amount of capabilities on their own. But understanding the bigger picture really gives you an idea of how that tool would perform under realistic conditions.

Simon Edwards 4:23
Using the full attack chain, or behaving like an attacker from the very start of an attack and working through all phases until the end, is a great way to test security products. Different vendors take different approaches to solving the cybersecurity problem. And if a tester only looks at one part of the attack chain, the products won’t always be able to function as designed. Results in what Frank calls an atomic test, where only a part of the product is assessed, might show that it doesn’t work. But in a full attack chain test it might stop the threat at an earlier stage and completely halt the attack.

Maybe testing using the full attack chain is the best way to run a test in a technical sense. But is that all anyone cares about? What about the ethics behind testing? Do all testers operate with the same level of competence and honesty? Mike Sentonas is CTO of cybersecurity company CrowdStrike. CrowdStrike focuses on endpoint detection and response. Its goal is to identify not just one part of an attack on a network, but to put together the pieces of a full attack campaign and fix things across the whole organisation. Mike, when you look at tests, other than using the full attack chain, what else really makes you sit up and pay attention?

Mike Sentonas 5:41
The big thing for us is transparency, when everybody knows what the rules are, when it’s not sort of a pay-to-play sort of test that’s behind the curtain, and then you just put out a result. You know, we want to work with testing centres; we use the test to build better products. At the end of the day, I’d rather be finding holes in the products that we provide, I’d rather find the gaps, I’d rather find the areas that we need to improve before an adversary finds them and uses it in a way that impacts one of our customers. So transparent testing is key. As you know, Simon, we do it all the time. We’re constantly testing our products every single day. And, you know, we challenge the team internally to engage in all the tests. We focus on having a testing transparency page. So on our website, you can go and find out our results from all the tests that we’ve done, and you can track us over time. And I think that’s really important.

Simon Edwards 6:43
Realism is important in testing. If you want to work out if a product protects against hackers, you need to take on the role of a real attacker. But it’s not enough to know you’re doing a good test; you need to be able to show your working. How can others tell that your work is good enough? Transparency is the best thing for this. And you know, sure, it can highlight problems in a test. But if a tester is honest and well-intentioned, they’ll find positive criticism useful, as we’ll see a bit later.

One of the reasons our tests are good is because we explain everything that we do, and listen to feedback. But not every tester seems willing to do that. How do you spot a good test from the bad? As Mike and others on this podcast mentioned, transparency is the key. Historically, antivirus testing has lacked a lot of transparency. The reasons for this span good to bad, all the way to corrupt.

Now let’s not forget that the security industry sells products, billions of dollars’ worth a year. So a cynical tester may choose to share almost nothing with the vendors. They see the vendors as opponents. They hold their billion-dollar businesses to account: you guys say you stop hackers, but do you really? And sharing information can help vendors perform unrealistically well in a test. Cheating, some might call it. We’re going to do a special episode on cheating in security tests later in this series. So subscribe now, and you won’t miss our probably most controversial set of conversations.

But anyway, some testers don’t want to share because they don’t trust the vendors to work in good faith with them. Other testers know that their work is biased, possibly because they’re paid to produce certain results. Now, that sounds shocking to me, as I say it out loud. But Mike mentioned just now about pay-to-play tests. And I’ve seen myself two vendors fight it out in public by paying the same tester to compare their products, the same products. And guess what, in both cases, the paying vendor won the bake-off. That sounds corrupt to me.

And at the other end, you have fully transparent testers who may be more or less competent. The poor testers expose their methods and receive feedback, and some of that can be aggressive. But that can be the price of learning to do a good job, and some incompetence, and these guys stand out from the crowd. To help improve the transparency in antivirus testing, the Anti-Malware Testing Standards Organization, or AMTSO, created a standard. Now this standard doesn’t tell testers how to test from a technical point of view. It requires that they say what they’re going to do. Then they actually do what they said. And finally, they should be prepared to prove it. To me that sounds completely reasonable. Which is why all SE Labs’ enterprise, small business and home user anti-malware testing conforms to the standard.

But we’re in a very distinct minority. Why is this? Some testers might say, well, we do the same things the standard requires, so we don’t need to use the standard. But the problem with this approach is that we then have to trust the tester completely. With the AMTSO standard, there is some oversight from a third party, which verifies the tester’s claims of transparency. And it’s not hard work to deal with them. So which then raises the question, why not engage? Well, I’ll leave it to your imagination why a tester that is aware of AMTSO chooses to ignore it.

Having the AMTSO stamp of approval doesn’t mean the testing is technically good, though. It just means that the tester has shown enough detail for you, the reader of its reports, to decide whether to give it any credibility or not. And if the test involves throwing bananas at PCs protected by different antivirus programmes, then you wouldn’t trust the results. But at least you’d know not to trust them, because the standard directed the tester to publish its methodology, which would involve bananas in this case. So when you see reports that allude to clever techniques but provide no real detail, you can’t trust them much more than anonymous reviewers on YouTube.

Your email account is one of the most important that you have. This is because it’s usually the way other services confirm your identity. Banks, utility companies and other important organisations connect to your real-world accounts with your email address. If you forget a password, you’ll most likely be able to reset it using email. And this presents an opportunity for attackers. If they can gain control of your email account, they stand a good chance of being able to access other accounts. Your personal email account is a gateway to your digital life. And your business email account can be abused in many other ways, too. So let’s ensure they’re as secure as possible. But first, we need to know about the threats. Christian Seifert headed up Microsoft’s email security programme. Christian, are email attacks the same today as they were when we received poorly formatted, spammy requests to reset our PayPal accounts?

Christian Seifert 12:18
Phishing attacks are becoming more sophisticated. I think the phishing attacks that we are dealing with today, as opposed to many years ago, are very different; they are much harder to spot. Now, I think there is training that users are able to go through, and for the enterprise, we have our training and simulation solution that helps end users to spot these sorts of attacks. But as I say, they’re becoming much more sophisticated, right. And so I think there are certain types of attacks that probably you and I would fall victim to, because they’re not easy to spot.

So think of, like, hey, there’s a compromised account that now sends me a mail that contains an authentic link, right. So the link itself actually points to a legitimate service; it actually points to the Microsoft service. And as I click on it, it will lead me to essentially a permission screen of an app that the attacker has created that, if I click, would give that attacker access to my mail, access to my cloud resources. I think those sorts of attacks are extremely difficult to spot. And so I think it is really essential to have comprehensive security solutions that have broad visibility across the entire enterprise. So not just looking at the email component, but also looking at what happens afterwards, right?

Like a user clicks on the link, maybe gives up their credentials, right? And so now, how are these credentials used? And so you really need to have a comprehensive set of security solutions with, you know, defence in depth, in order to defend against those sorts of attacks. I don’t think it’s as easy anymore as, hey, we do training, we ask users to spot phishing attacks, and then we’re good.

Simon Edwards 14:20
Yes, and actually, even those who know what they’re doing can easily be tricked. That’s in Outlook on a Windows PC, but it’s actually even harder when you start looking at mobile devices, because you can’t hover over links, for example, to see where they really go to.

Christian Seifert 14:35
That’s right. I mean, I think mobile devices were kind of the limited Vela static state. And kind of the way users can interact with the application makes that more difficult, but I think the client providers need to be able to surface the kind of UI indicators that would help users to make an assessment. But then again, it really comes back to having a comprehensive security solution, because we cannot rely on the user being able to spot that attack and not click on it. So we need to look at how do we prevent the mail from getting into the inbox? How do we train users to spot the mails? But then also, what happens afterwards, in kind of the post-breach scenario? How do we detect those and provide the SEC ops with the information, with the tools, to spot that and remediate quickly?

Simon Edwards 15:37
That’s great. And that leads me on to a very important question: how do you choose a good security solution? So obviously, Microsoft has got its setup, Google’s got its, and there are lots and lots of third-party products and services available. And of course, there are some tests out there which try to assess them. So how would you go about it, if you were starting at square one, trying to work out which would be the best products to get hold of?

Christian Seifert 16:09
These security solutions really need to be integrated and cover the attack landscape across the entire kill chain, right? Like, we want to make sure that the security solution essentially provides defence in depth, right. So if a mail gets incorrectly classified as good, like a phishing email incorrectly classified as good, well, what comes afterwards that protects the enterprise? So I think it needs to be a comprehensive security solution that looks at, you know, mail, web, identity. And those solutions should be integrated, because I think there’s a lot of value in utilising signals across the different products and services. So for instance, if we’re thinking about a mail that comes in that has a link. Well, that link has a lot of information associated with it that allows us on the Microsoft side to pivot into data sources that allow us to get good security-relevant signals from that information. So for instance, the IP address that is associated with where the link is hosted, the website is hosted, allows Microsoft, for instance, to pivot into big data, where we’re able to now assess, well, how popular is that website? What else is hosted on that IP address? What are some of the queries that are used to find that website in the search engine? And those are all threat-relevant signals that we’re able to leverage to protect customers.

Simon Edwards 17:55
And the customer themselves would never be able to detect that just by looking at an email or knowing whether to click on it or not? So you’re providing a lot of backup security to those people who are going to fall for the phishing attacks?

Christian Seifert 18:07
Absolutely. And then, you know, if I think about, you know, security solutions for a particular area, like email, I think the third-party tests are extremely valuable, because I think it is an objective way, executed by an independent third party like SE Labs, that really allows customers to get an apples-to-apples comparison of the various security products. Now, one thing I would say there is, tests are just one signal that a customer should utilise in making that decision. There are, you know, analyst reports, like Forrester and Gartner, that look at a particular area and provide a comparative analysis. I would also recommend that customers sign up for a trial and try out the product. Do a side-by-side comparison to see for themselves.

Simon Edwards 19:05
You’re absolutely right. A security test is one data signal, and services like Office 365, and Google and Mimecast, and Proofpoint and all those guys, they’ve all got lots of different configuration settings that can be used. So when a tester tests any kind of security service, really, they have to imagine what kind of organisation they’re pretending to be, because testing with default settings, again, it’s a valid thing to do, because you’re showing how effective those default settings are. But I don’t know if you’ve got any telemetry, but how many big organisations are likely to install Office 365 and not change any security settings at all? I’m suspecting it’s quite a low number. Well,

Christian Seifert 19:49
I think what we are working towards is ensuring that the security settings are actually enabled by default. And so the product does work out of the box. There are certainly kind of unique circumstances that may necessitate some customisations, and we’re providing, you know, the tools and the reports that allow an enterprise to configure the product even further. So for instance, you’re able to turn on a particular security feature, essentially in silent mode, and see kind of how the product behaves if that security option were turned on. And so I think that allows customers to kind of ease into it, right? And kind of shepherd the process through, where first it gets turned on in silent mode. Now they’re getting the telemetry, they’re able to assess, hey, how’s the product behaving? And if the results look good, then they’re able to turn it into, you know, enforcing mode.

Simon Edwards 20:58
And there’s quite a simple thing that people can do as well, you know, with quarantine. With the quarantine, you can restrict who has access to that. So maybe your analysts or your administrators can see malware or suspected malware that has been sent to a quarantine, rather than allowing all users to dig through and maybe get tricked again into pulling something out.

Christian Seifert 21:19
Yeah, that’s a good point. Because I think, you know, we’re in the email space, we’re not just classifying, hey, is it bad or not? Because if you look at the bad classification, there’s a spectrum, right. We have, of course, phishing attacks, credential-based phishing attacks, or business email compromise attempts. These are really security events, right? Or rather a security risk. We want to make sure that those sorts of mails don’t make it anywhere close to the user’s inbox; those should really go to the SEC ops team, because it’s a security-relevant event. But then at the same time, spam messages, they’re more a nuisance, right? They’re not necessarily a security-relevant event. And so those we can deliver to the user in a separate folder, the junk folder. But we don’t want to send those to the SEC ops, because it’s not necessarily a security-relevant event. The SEC ops team already has a lot of alerts to deal with. And so we want to make sure that they get the cleanest signal possible around the security-relevant events.

Simon Edwards 22:35
And when a tester, any tester, does a test of an email security service, how much attention should they pay to these different routes of threats, or potential threats, through the system?

Christian Seifert 22:46
Well, I think they should pay quite a lot of attention to those. I know that the SE Labs test today is more on, hey, do we detect a bad mail or not? Right? That’s kind of the binary decision. But if we’re thinking about the customer experience, the SEC ops and how overloaded they are with alerts today, as well as the end users, I think a more nuanced assessment would be beneficial.

Simon Edwards 23:16
Yeah. And actually, I completely agree, and I’m not trying to sort of push SE Labs testing, but actually we do look at the user experience. So we score more highly the further a product or service keeps the threat away from the user. So quarantining it where the admin can get to it is great; quarantining it where the user can get to it is less good. So that’s where configurations come into play. If you’re a small business, and you’ve just installed Office 365, I’m not even sure quarantine is turned on by default. But if it is, I’m pretty sure users can get access to their own quarantines, whereas a larger organisation with a SEC ops team may be inclined to configure it differently and have threats sent to a repository.

Christian Seifert 24:00
It’s one thing to take into consideration: if we put everything into quarantine for the SEC ops, that is a lot of volume, right. And it contains things like spam messages that are not posing a security-relevant event. And so that leads to a lot of unnecessary response work on the SEC ops side. And so I think a more nuanced approach on evaluation would be good, where we’re looking at, hey, the security-relevant mails like phish, they’re ending up in quarantine, whereas the more nuisance mails around spam end up in junk. I think that would be the ideal experience.

Advert 24:50
Many of us have email passwords that are far too obvious. Why not make it harder to hack and even easier to remember? Just use three random words for your email password: my cardigan snail. And take your email security to another level. Search Cyber Aware.

Simon Edwards 25:14
In 2022, the UK Government launched the campaign to improve the nation’s cybersecurity. The advice was good, it was simple, and if anyone followed it, they would end up with stronger passwords. Passwords play a crucial part in securing email accounts. But there is so much more to it. Email security is built into many of the services that we all use. That said, default settings are often not very aggressive. So if you want to beef up your email security, you will need to dig into those and maybe do some other things too. To find out how we can do this for business or personal purposes, I spoke to Sigurdur Stefnisson. Siggi is head of the threat lab at security company Avast. He’s been in the industry for over 25 years, and he’s been dealing with cyber threats of one sort or another since his first role as a malware researcher. Before he joined Avast, he spent many years heading up an email security company in his native Iceland. Siggi, is having a strong password safe enough?

Siggi 26:20
No, username and password would not be enough. I would look at having some form of second factor authentication as well. It’s too easy nowadays to break the passwords, unless you have a very long one. And it’s something you should look at anyway. If you go and look online at what are the most commonly used passwords, you can see that we still tend to make them too short, too easy to crack, and having other means to authenticate is also important. So something like a second factor authentication, having that turned on, I would say is very critical.

Simon Edwards 26:54
I think email companies are getting a bit better at forcing this naturally.

Siggi 26:58
They are. You can see more and more companies doing this. I think the bigger vendors are definitely putting it in, but there’s still a significant amount of smaller vendors that are not yet. They don’t yet have this.

Simon Edwards 27:12
And given the choice, so you have a choice between using, say, an app like Google Authenticator, or having a text message sent to your phone, what would your preference be?

Siggi 27:23
I would use the authenticator, or one form of them. There are several of them out there. But I, for instance, I use Google Authenticator; I find it quite useful.

Simon Edwards 27:33
But it’s good for other accounts as well, isn’t it? Oh, yeah, definitely.

Siggi 27:36
It goes well beyond your email, obviously.

Simon Edwards 27:39
With SMS, sorry, text message authentication, I think there may be one or two security issues with that as well.

Siggi 27:47
If you’re getting an SMS as a second factor authentication, it’s not gonna be enough. Those can be exposed, and I don’t believe it’s enough. So I would use a stronger form than that.

Simon Edwards 27:58
Yeah. So I think the issue is that people can hijack those SMS messages and use them to log in. I think there have even been some bank robberies done using that. But the authenticators are safer, I find. So with your own email accounts, you’ve probably got two factor authentication. Do you use multiple accounts for different things? Yes.

Siggi 28:21
So I actually, I think the last time I counted, I have about nine different email addresses, which for most people is not necessary. But you want to have one for your general, one for your less savoury stuff, I need to go out there, need to find a better word and say we’re here. But it’s good to have multiple things out there.

Simon Edwards 28:44
Well, yes, but you’re a researcher, aren’t you? So you’re probably purposely delving into some of the horrible parts of the internet, whereas most people, hopefully, are staying away from the really risky stuff.

Siggi 28:55
But even so, I mean, if you think about how much spam you end up getting by using your email address out there, I think it’s generally good to have something that you use for more formal business than what you use to kind of subscribe to things online.

Simon Edwards 29:12
Is it worth, like, checking your email settings every so often to make sure that there aren’t some strange forwarding rules or similar?

Siggi 29:18
Absolutely, you do want to check your settings. You also want to make sure that things might change; updates come, like, to review using an external vendor for your email servers. Things might change, and metalock, delete some settings, and so on, usually for good. But you want to go in to take a look at it and see what’s going on, and ensure that things are as you want them to be, and as you expect them to be. So it’s very important to do that.

Simon Edwards 29:44
So why would a bad guy sort of mess with the settings? What could they achieve there?

Siggi 29:48
If you can put in a forwarding rule to redirect everyone who emails, or certain types of email being redirected. If you have, let’s say you go to a website where you are having your password reset, and somebody has gotten into your email and has allowed every email from that site to then be redirected to their place, they can use those as a way to get in. In short, if somebody has the ability to kind of do those, you can assume they have access to your full email. So

Simon Edwards 30:18
Do you think there’s much benefit in using one of these so-called very secure email services like ProtonMail?

Siggi 30:24
It can be. I think one of my accounts is on ProtonMail. Like, again, I like to kind of test out different services. It really comes down to what you’re after, depending on your use case, I would say.

Simon Edwards 30:36
Yeah, I think with ProtonMail, the benefit there is encryption, rather than stopping people actually breaking into your account, I would say. So at the moment, we’ve got multi-factor authentication to stop people logging in; we’ve got choosing a service that is recognised as being decent; and then check your settings as well, to make sure that someone hasn’t come in and is leaking your email out to themselves. Yes, and is there anything else that occurs to you?

Siggi 31:04
Well, one of the things we’ve got to think about is the nature of malware and threats and all of that. You want to make sure you have some kind of security solution that is ensuring that you don’t get any of it. What you’ll find is, none of the services out there are perfect; things do escape through. So having an additional layer of security on top of that, I would say, is crucial. With so many phishing attacks and malware attacks and social engineering attacks coming through email, just adding something else on top of that is also something you want to have.

Simon Edwards 31:36
What, another service? Or are you talking about changing the default configuration?

Siggi 31:43
It can be some kind of security solution. It could be something like a traditional AV on top of it. It can be, like, several CASB solutions out there that allow you to kind of hook into your email to scan it, in addition to what the service is doing, and so on. It’s something of that nature. And what I would do is, I would make sure that I have some form of antivirus, or a good strong security solution, running on my computer, just to make sure that it gets blocked, because those things can’t reach into Gmail, or Outlook or those solutions like that easily. So I think there’s an importance to have something else as well that can be a layer on top of it. Because we do see things coming through from there.

Simon Edwards 32:36
Could you maybe talk a little bit about the kinds of configuration options that are available, such as file types that you can set to be blocked in Office 365, and maybe the idea of viewing documents online rather than opening them in Word, where an exploit might kick in?

Siggi 32:54
So setting up the ability to choose which file types are allowed can be helpful. For instance, right now, if you look at it, I think most of the places don't allow executables through at all. JavaScript and zip files, for instance, were stopped when Locky was spreading, and having the ability to go in and say "I don't want any of those particular files" can be a good thing for you, especially if something new spreads. The benefit of viewing an Office document online is that the macros won't be running on your computer. And within the scope of those macros, that's where you're going to be seeing a lot of the malware; I'm not sure all of it, but a lot of the malware will be executed with that. So doing it online, you can quickly see: is this relevant for me, is this something that I'm expecting to see? And it will be a little bit more secure than getting it straight to your computer.

Simon Edwards 33:55
So it's a little bit like looking at it in a sandbox, rather than downloading it and running it on your system?

Siggi 34:02
Yes. The stuff that I worry most about with email is the attacks we see. It's the phishing attacks we're seeing, it's the social engineering attacks, it's the people tricking you into doing things you don't want to do, phishing and malware and so on. I think those are some of the biggest risks, plus your own email: obviously you've got to lock it down and make sure nobody gets to it, because as you could see earlier, this is what we use as one of our key things to identify who we are. It's often the username for a lot of different services. And I worry about the attacks that people are getting. There are too many things floating out there where people are being targeted to trick them into doing things they shouldn't and don't want to do. You see that both for business and for consumers as well. And you can also see things like bomb threats being sent out to people, where they're saying effectively that if you don't pay me Bitcoin, I'm going to do something. Or, obviously, people claiming they have pictures of you in a compromising situation. Exactly. And again, pay Bitcoin or pay some kind of cryptocurrency if you don't want that to happen. Those are the aspects that I tend to worry a lot about with email.

Simon Edwards 35:39
I suppose at the end of the day, email is just a communication tool. But arguably it's one of the least secure available to us now, because we're used to chatting on WhatsApp or Telegram or whatever. And regardless of the various issues with Facebook and so on, they are encrypted, whereas by default emails just aren't.

Siggi 36:01
That's true. And there are several places online that are trying to solve that, in the encryption layer, and those are definitely something we should be doing. But I don't think email is going away. It's one of those services that we keep saying everybody's going to move over from to some other form. But I honestly think it's still one of the only ways we have for normal people to talk to businesses, and vice versa. You can see Facebook trying to achieve that to some degree, but not everybody is on Facebook. You can see all the social networks trying to do that. But still today, email is the main tool for us to communicate with businesses and for businesses to communicate with us, and I don't see that shifting in the near future.

Simon Edwards 36:56
No, and even legal firms, who are possibly the slowest types of organisation to adopt technology, have their own special ways of faxing things. They've just about got their heads around email now. I don't think they're ready to move on to messaging just yet.

Siggi 37:10
No, exactly. It's going to stick around for a while. But hopefully, eventually, we'll get to a place where we have something different and more secure. I think we're stuck with email for some years more.

Simon Edwards 37:27
Attackers change how they behave. Over time they learn, and they want to get past the security measures that we all use. As the security world evolves to stop them, the bad guys change tactics to keep up their evil work. Tricking people might be easier than writing new malware that can evade detection. Everyone has email, so of course the attackers focus on that vector. The UK government reported this year that nearly 90% of all cyber attacks started with email phishing attacks.

Now, even experienced people in security can be tricked, as Christian mentioned earlier. And I myself was completely fooled not that long ago. The short story is that I had just recently set up a new mobile phone account for a family member. I received a text message some time later, asking me to verify some account details. Now, it appeared to come from the same mobile supplier, so it seemed completely reasonable to answer the questions. Now here's the thing. When it got to the stage where it wanted credit card details, I couldn't send them, because I was otherwise engaged and couldn't access my wallet at the time. But once I was able to move around, I suddenly realised that this felt scammy. Why would the company need my credit card details again? And given a moment to think, I realised, and later confirmed, that it was a scam. The message sender used a web address that was very similar to the real supplier's. And probably it was dumb luck that they hit me shortly after I'd set up a new account. Or not, in which case that supplier has a real security problem.

The bad guys are clever and persistent. And it takes minimal effort to spam loads of us potential victims with email and text messages in the hope of finding a few who happen to have signed up with a new supplier. Now, as everyone was saying at the start of this episode, security testing needs to be realistic. This applies as much to email testing as to anything else. There's a lot of social engineering involved, not just virus samples you can download from the Internet, which is why our email team spends time pretending to fall for scams. That way we learn how the bad guys behave and can create realistic tests that work in the same way. In the following clip, you can hear one of our security team pretending to fall for a fraud that started with an email. That way we know what else you can expect should you also fall for such trickery, and we can add it to our tests.

SE Labs Security Team 40:08
The transfer… Hello?

Cyber criminal 40:17
(undetectable) message you will be required pay for… opening account… which is £250…

SE Labs Security Team 40:29
Okay, I need to pay 250.

Cyber criminal 40:31
Yes, yes. Completed…

SE Labs Security Team 40:42
Oh, okay. Could you send over a transfer link, then I'll get that sent to you.

Cyber criminal 40:53
Yes, I send that email now, email information you can use to send experiments. Either monogram. Okay…

Simon Edwards 41:05
And now, just before we finish, it's Security Life Hack time. At the end of each episode, we give a special security tip that works for real people in the real world, at work and in their personal lives. This episode's life hacker is convicted cyber criminal and connoisseur of classic cars, coffee and cameras, Dan Cuthbert.

Daniel Cuthbert 41:28
So here is an amazing life hack for you. If you want to make your passphrase super, super secure, and one that's not necessarily impacted by rainbow tables, why not choose a different keyboard layout? Why not choose different languages when you are making your passphrase, such as a mixture of English, Bulgarian, Russian, German, Czech or whatever? The likelihood of a rainbow table having the hash value for your amazing concoction is incredibly small.

Simon Edwards 41:59
Please subscribe. And if you enjoyed this episode, please send a link to just one of your close colleagues. We also have a free email newsletter. Sign up on our website, where you'll also find this episode's show notes and bonus episodes featuring full-length interviews with our guests. Just visit DecodedCyber.com, and that's it. Thank you for listening, and we hope to see you again soon.

Feedback

Please send your comments, questions and concerns to [email protected].

The post DE:CODED – Testing like hackers appeared first on SE Labs Blog.

*** This is a Security Bloggers Network syndicated blog from SE Labs Blog authored by SE Labs Team. Read the original post at: https://blog.selabs.uk/2022/07/decoded-testing-like-hackers/