Scam Feeding Frenzy

Image courtesy National Geographic

Well, coronaviruses have certainly changed our landscape in a very short space of time. Last year I’d only ever read seemingly inconsequential bits and pieces about them. Now it’s impossible not to hear about them all day long.

One thing that hasn’t changed though is that criminals are still ‘crimming’ (yes, that’s a word). In fact they have really upped their game in a big way. It’s almost a feeding frenzy out there at the moment. Every Crim, and even Nation States, are getting in on the action.

You see, most scams work by getting the victim to act before thinking, and by misdirecting their attention. That is why getting people to click on a malicious link or open an attachment is so easy. All the Crim needs to do is find a topic that will get you to click (either link or attachment) without thinking.

Now COVID-19 didn’t create this situation, but it is certainly providing very fertile ground for the criminals to operate from. FUD (Fear, Uncertainty and Doubt) is great for getting people to act without their normal caution and forethought. Titles about the virus, or its effects, or the economic impact, or… <insert current FUD topic here>.

But it’s not just FUD topics either. Opportunities for gain and wealth also play on people’s emotions and cause them to defer their normal precautions. “Earn Money from Home”, etc. etc.

Brian Krebs has a good cautionary tale on this last topic in one of his latest articles.

So what should you be telling your staff to do? Well, in an ideal world you’d put all your staff through Cyber Security training. But the world isn’t ideal, and we are where we are. So let’s look at a few things you can be doing to keep your staff and your data safe in the current situation.

The OODA Loop

The OODA loop is important. It is a great mechanism for giving people a simple framework to follow. The military use it extensively in pilot training, but we mere mortals can also take advantage of it. OODA stands for:

  • Observe
  • Orient
  • Decide
  • Act.

Observe what is going on; Orientate this with what you already know and what the current situation is; Decide on your course of action; Act.

What the criminals want you to do is observe (very fleetingly) and then act, missing out the vital orient and decide steps. To act without thinking. Then it is easier to scam you: to send you to a link that will compromise your computer, or to get you to open an attachment that you would otherwise think twice about.

What to do

So what is it that we can all do? (Please be aware this is a greatly simplified list for a wide and diverse audience. Your case may well be more complex.)

Windows Best Practice

First and foremost, have a good EDR/AV system in place. EDR stands for Endpoint Detection and Response; AV stands for AntiVirus. Basically, EDR is modern AV. But you need something. On Windows systems it’s good to do these big 3 as an absolute minimum…

  1. Don’t be logged in as an administrator for everyday use. Only log in as an administrator when it is vital to administer the device.
  2. Have Macros disabled in Microsoft Office, unless critical. If it is critical to use them, restrict where they can run from.
    1. Here’s a great technical guide.
    2. And here’s a good simple one.
  3. Use at least Windows Defender for AV (preferably Defender ATP).

Mac Best Practice

With Macs it’s a little simpler. The threats are the same, but there is far less Mac-focused malware around. So your odds are better. But there are still some good rules to follow.

  1. As with Windows, don’t be logged in as an administrative user unless necessary.
  2. Make sure your firewall settings are strong. (Mine are maxed out. Everything is turned off but the essentials.)
  3. Disable Macros in Office if you use it.

Vigilance

Be extra vigilant. Be suspicious of every link and every attachment at the moment (well, always really). If you are at all suspicious, or wondering why you have been sent this (attachment or link), don’t click on it.

  • Ring the sender and check if it is legitimate if you are really curious.
  • Or maybe take a screenshot of the details and send it to your security team or IT provider and ask them.
  • Or simply, just delete it. If it really is critical, the sender will contact you again.
  • But don’t get caught by clicking links unnecessarily.

If you do inadvertently click on a link or attachment here are some warning signs to look for that it may have been malicious…

  • It takes you straight to a login page.
  • It opens up a few different sites (seen as URLs flashing in the address bar of your browser), before taking you to where you anticipated it should.
  • You see some windows open on your desktop and then close again quickly. These are likely PowerShell windows if you are on a Windows PC.
  • It just doesn’t look right. (Logos are wrong, the URL seems dodgy, grammar is inconsistent.)
  • Your browser “misbehaves” afterwards. (taking you to different sites or crashing unexpectedly)
  • “Odd” things happen on your computer over the next few days/weeks.
    • Files aren’t accessible (encrypted).
    • Screens opening without you doing it.
    • Camera activity lights come on when you aren’t using it, etc.

This is by no means a definitive list. These are just some symptoms that *may* happen.

Be quick to ask for help

If you do inadvertently click on a link or attachment that you think may be dodgy, be quick to call your security response team or IT team. Time is of the essence in these situations. Your security team will be able to assist in getting things going for you again. You won’t be judged. Or if you are, ignore the judgement. You have done the right thing in alerting the response team.

Whatever you do, DON’T just hope that it’s all okay. That could be costly.

If you don’t have a Security Response Team

If by chance your business doesn’t yet have a security response team, try the following…

  • Disconnect from the network.
    • If this is wireless, just turn your wireless off.
    • If you are wired, just remove the network cable.
  • Call someone who can do a scan on your computer for you. Get them to assist.
  • If you don’t have anyone:
    • try downloading Malwarebytes if you are on a PC;
    • run a scan yourself using a virus scanner of your choice.

Conclusion

As I mentioned, it’s a feeding frenzy for criminals out there at the moment. Situations like this seem to bring out both the best and the worst in people. But that doesn’t mean you can’t be safe.

Check back from time to time and I’ll try to keep this post updated, or if you have a specific question, Contact us to ask.

Stay safe, and the BIS and Ramtech teams wish you, your families and loved ones safety, health and prosperity.

Securing your Mail Exchange System

It’s not enough to simply have an email mail exchanger that you manage. It requires some basic level of improvement to be in any way regarded as secure. Our aim here is to minimise the impact of an attack on the system. That’s the aim of every information security system we put in place.

We’re making a few assumptions in this post. Namely…

  1. You’re already using good secure password practices for all your users.
  2. You have a CSF or similar to guide your overall Security decision making and strategy throughout the business.
  3. You manage your Mail Exchange System, or are responsible for those who do (CEO, CTO, CIO etc.).

So if you already have all your users adhering to good secure password practice, let’s consider the whole system.

Is your Email Exchanger secure for your users? If you are a business it is also critical to protect your entire email system. Most people in business tend to use one of the following…

  1. Microsoft Exchange Online
  2. Microsoft Exchange On Premise
  3. Gmail (GSuite for Business)
  4. Linux / BSD based On Premise systems
  5. A “free” account that came with their website, or an outlook.com account or similar.
    1. Remember, if you don’t pay for the product, you are the product, so free is never free. In fact it is usually the most costly in the long run.

Not a single one of these common business MXs (which account for over 95% of business email throughout the world) comes secure as standard. When these companies build these apps they build them easy to access and simple. They don’t build them secure. They do this purely so you will adopt them. But they all require extensive alteration to make them more secure.

There’s not enough space here to go through how to effectively secure every type of email system, so let’s just give some generalisations.

MX Baseline

Below is a very basic standard baseline. If your MX does not have these basics, you are behind the eight ball to start with.

First and Foremost though, understand what you’re setting out to achieve. Don’t just blindly follow a guide.

Also, use best practice change management processes. Don’t wreck your system by just changing things with no plan. Okay, here’s a sturdy basic baseline for an MX you manage:

  1. Secure your domain. Time and again we see businesses that have had their domain delegation tampered with. Please secure your Domain and its delegation.
  2. DNS: Secure your DNS. Make sure record changes to your zone file are carefully controlled. SPF, DKIM, DMARC and DNSSEC are all tools you also have at your disposal for DNS protection. Use the tools most appropriate for your business.
  3. Patch, Patch, PATCH. If you run an on premise exchanger (MS Exchange or one of the excellent Linux options) keep it up to date and follow best practices regarding redundancy. If you can’t do this, move it to Exchange Online.
  4. Link Scanners/Sanitisers: All inbound links should be at least scanned, if not sanitised, BEFORE the users get to see them. None of them are perfect, but it is another layer in the Cyber Defences. Put it on the Mail Exchanger though; on the endpoint it is not nearly as effective.
  5. Attachment Scanners/Sanitisers: As above.
  6. Malicious and blacklist traffic dropping goes without saying.
  7. Multi Factor Authentication (MFA/2FA).
    1. Biometrics are great. A good option.
    2. U2F style tokens are a close second (Yubikey etc.).
    3. Software tokens (authenticator apps) are next.
    4. SMS codes are okay, and still way better than no MFA.
    5. Location based is also way better than nothing.
  8. Turn off protocols not needed. E.g. O365 rarely needs POP3, IMAP, EWS etc. enabled, but they’re on by default.
  9. Enable extended log retention. I personally think 1 year is the minimum. Also consider SIEMs such as Chronicle Backstory for excellent visibility into the past.
  10. Redundancy. It goes without saying that ANY system needs to be backed up and fully replicable. Redundancy is also generally required.
  11. Firewall and access control is also required. You need to carefully control what and who can access your systems. Obviously “most” other systems should be able to send mail to it, but logging in to mailboxes should be tightly controlled.
  12. Alerting: Have your system send alerts if anomalies happen. Into a SIEM as well as other alerting systems is obviously best. For example:
    1. Privilege escalation
    2. Forwarding rules added
    3. Delegation changes
    4. Logins from multiple locations
    5. Logins from unusual locations
    6. TOR exit node access
    7. Change in protocol availability
    8. Other alerting required for your system
  13. Regular auditing of the system for security issues.
  14. You will have noticed by now that if your system doesn’t support these features (very few free ones do) it may be time for a new Mail Exchanger system.
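Two of the alerting items in the baseline above (forwarding rules added, logins from multiple locations) are easy to turn into concrete detection logic. The following is an added example, not code from the original post: it runs over a few constructed mailbox audit records whose shape is a simplified stand-in for a real audit log (the operation and parameter names borrow Exchange naming such as New-InboxRule and ForwardTo, but the record layout itself is assumed, not any vendor’s schema).

```python
# Added example: minimal alerting logic for two MX-baseline anomalies, run over
# constructed audit records. Record layout is a simplified stand-in (assumption),
# not a real vendor audit-log schema; op/param names borrow Exchange naming.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: alice's account is used from two countries 40 min
# apart and a forwarding rule appears from the second location; bob is normal.
EVENTS = [
    {"ts": "2020-04-01T08:00:00", "user": "alice@example.com", "op": "UserLoggedIn",
     "country": "AU", "params": {}},
    {"ts": "2020-04-01T08:05:00", "user": "alice@example.com", "op": "New-InboxRule",
     "country": "AU", "params": {"Name": "Archive", "MoveToFolder": "Old"}},
    {"ts": "2020-04-01T08:40:00", "user": "alice@example.com", "op": "UserLoggedIn",
     "country": "RO", "params": {}},
    {"ts": "2020-04-01T08:42:00", "user": "alice@example.com", "op": "New-InboxRule",
     "country": "RO", "params": {"Name": ".", "ForwardTo": "external@mailbox.example",
                                 "DeleteMessage": "True"}},
    {"ts": "2020-04-01T09:00:00", "user": "bob@example.com", "op": "UserLoggedIn",
     "country": "AU", "params": {}},
]

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def forwarding_rule_alerts(events):
    """Flag any inbox rule that forwards or redirects mail out of the mailbox."""
    alerts = []
    for e in events:
        hits = FORWARDING_PARAMS.intersection(e["params"])
        if e["op"] in RULE_OPS and hits:
            alerts.append((e["user"], e["op"], [e["params"][k] for k in sorted(hits)]))
    return alerts

def multi_location_login_alerts(events, window_minutes=60):
    """Flag one account logging in from two different countries within the window."""
    logins = defaultdict(list)
    for e in events:
        if e["op"] == "UserLoggedIn":
            logins[e["user"]].append((datetime.fromisoformat(e["ts"]), e["country"]))
    alerts, window = [], timedelta(minutes=window_minutes)
    for user, seq in logins.items():
        seq.sort()  # consecutive logins in time order
        for (t1, c1), (t2, c2) in zip(seq, seq[1:]):
            if c1 != c2 and t2 - t1 <= window:
                alerts.append((user, c1, c2))
    return alerts

if __name__ == "__main__":
    for alert in forwarding_rule_alerts(EVENTS) + multi_location_login_alerts(EVENTS):
        print("ALERT", alert)
```

In a real deployment the country field would come from geolocating the client IP and the events from your SIEM; the window size is a tuning knob, since a 1 hour window here catches alice but a 10 minute one does not.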

Remember that these are simply baseline options. There may be far more you need to do for your particular environment over and above these baselines. Please contact us if you need help with a security audit. Maybe you need a Cloud Services Security check up or just your email system. Just drop us a line and we’d be only too happy to assist.

If you get these baselines in place, it will go a long way towards keeping your users far safer than an out of the box system. And most options cost very little or nothing! Now you can turn your attention to your wider Business and systems Security.

You can also Contact Us for assistance with a security audit and with implementing a CSF (Cyber Security Framework) for your organisation. It costs very little and will make an enormous difference to your business’ security and hence its bottom line.

Regards

Ross Marston

Business Intelligence Security