Pratum Blog

Here are the stories of three dangerous—and common—information security incidents. The common thread? One relatively simple security control could have stopped each one.

1. A bank discovers that someone has emptied a customer’s checking account without their knowledge. Upon investigation, the bank discovers that the customer’s username and password, which the customer reused for numerous other websites, were stolen from a hacked WordPress site for the customer’s book club. Then hackers included the customer’s information in a credential stuffing attack. (In credential stuffing, hackers throw thousands of stolen usernames/passwords at many websites, hoping that some will unlock accounts.)

2. An organization discovers its confidential intellectual property (IP) available for sale on the internet. An investigation reveals a phishing attack as the culprit. Hackers acquired an employee’s VPN account credentials via a fraudulent e-mail, then downloaded the data from an internal server to an IP address overseas.

3. On the Friday before a long weekend, a company gets hit with a ransomware attack. Its internal production server with customers’ personally identifiable information (PII) has been encrypted, and attackers are demanding a payment to unlock it. After several sleepless nights of incident response and investigation, company IT leaders discover that a hacker initially compromised a poorly patched Windows server in the DMZ and then installed keystroke logging malware to harvest credentials from an administrator logging in to the server. The hacker then reused these administrator credentials to establish a Remote Desktop Protocol session to the internal production server and install ransomware.

Each of these stories highlights everyday dangers rooted in the fact that the traditional approach of authenticating a user’s identity and system access with a username/password has mostly broken down. It has been overwhelmed by the sheer number of usernames and passwords the average person must keep track of to function in modern life. (My personal password vault currently has 492 unique accounts.) That leads most people to choose easy-to-remember passwords or to reuse a handful of passwords across many accounts. One report says that 73% of all online accounts use duplicated passwords.

In this environment, businesses and organizations must provide their users with tools to simplify good security practices. The answer is not requiring ever-longer and more complex passwords, but to implement additional or different factors to authenticate users to systems beyond just passwords and PINs.

Each of the attacks described above would have been stopped in its tracks by multifactor authentication (MFA). This control (sometimes called two-factor authentication or 2FA) provides a powerful defense against most attacks, especially those that turn on a stolen, guessed or replayed password. In fact, Microsoft, which spends more than $1 billion on security annually, is on record as saying that MFA can block more than 99.9 percent of account compromise attacks.

In a recent Pratum webinar, cybersecurity expert Terry McGraw of PC Matic said, “The one thing I would do today if I hadn’t already done it is implement MFA. I need to make sure everyone touching my environment is authenticated from the system they’re working on.” (For all the tips from the webinar, click here.)

Three Key Factors of MFA

A secure system incorporates at least two of the following factors when authenticating users:

  • Something you know - A password or passphrase.
  • Something you have - A physical or cryptographic credential whose authenticity the system can verify, such as a USB security key, a common access card (the CAC used by the Defense Department), a digital certificate, a phone app that generates or receives one-time passwords (OTPs), or a hardware/software token.
  • Something you are - A biometric such as a retina scan, a fingerprint read by a fingerprint reader, or facial recognition.

Each factor has pros and cons, but, in general, using any of these in addition to passwords improves the security of the system or application in question and provides an additional layer of defense desperately needed in today’s environment.

At particular risk are systems, applications, and users that are exposed to the Internet, as well as privileged users and users of sensitive systems/applications. These types of systems should be the priority for MFA/2FA implementations because they are at the highest risk of attack.

How MFA Stopped the Attacks

Returning to our initial three examples, let’s explore how some form of MFA could have prevented or lowered the impact of these incidents.

1. A bank account hacked through credential stuffing - Even if the hacker stole the username/password, they wouldn’t get very far. The web banking system could be configured to require a one-time code from an authenticator app, or a push approval, before granting access to the online account. With push or SMS delivery the user would also be alerted to the unauthorized attempt by an unexpected prompt. The attacker could get into the account only by also compromising the user’s phone, or by phishing the code from the user and relaying it within the few seconds it remains valid, which is why users must be taught never to share a code with anyone who asks for it.

2. IP stolen through a VPN - Even if the phishing attack successfully harvested the username and password from the employee working at home, the company could stop the hacker by requiring the entry of a code from a hardware token before allowing access to the VPN. In this setup, the user gets the code from a device such as a fob specifically set up to deliver unique codes for logins.

3. A ransomware attack carried out via password logging - Even if an attacker successfully compromised the DMZ server and captured the administrator’s credentials, MFA or 2FA can stop the attack. Without the unique code sent to the administrator, the attacker would not be able to log into the production server to install malware. A keylogger might also capture a code the administrator types, but a one-time code is consumed the moment it is used, so the captured value is worthless afterwards. The protection holds only if MFA is actually enforced on the RDP login to the internal server, not merely at the network perimeter.
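MFA stops the stolen password from working, but the bank in story 1 still wants to notice the credential stuffing wave while it is happening, and to notice the one account where a stolen pair did work. The following is an added detection example written for this article (not Pratum's code or any product's logic) that runs over constructed authentication log lines. It separates credential stuffing (many different usernames failing from one source in a short window, each tried once or twice) from ordinary brute force (many failures against a single username), and raises a takeover alert when a login succeeds from a source already classified as stuffing. The log format and the thresholds are assumptions for the example and should be tuned against your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Format assumed for the example:
#   <ISO-8601 UTC timestamp> ip=<source> user=<username> result=OK|FAIL
SAMPLE_LOG = (
    # 203.0.113.7 sprays ten different usernames in ten seconds, then one of them works.
    [f"2024-05-03T10:00:{i:02d}Z ip=203.0.113.7 user=user{i:02d} result=FAIL" for i in range(10)]
    + ["2024-05-03T10:00:10Z ip=203.0.113.7 user=alice result=OK"]
    # 198.51.100.9 hammers a single account: classic brute force, not stuffing.
    + [f"2024-05-03T10:01:{i:02d}Z ip=198.51.100.9 user=bob result=FAIL" for i in range(9)]
    # 192.0.2.5 is a user who mistyped once and then got in: must not alert.
    + ["2024-05-03T10:02:00Z ip=192.0.2.5 user=carol result=FAIL",
       "2024-05-03T10:02:07Z ip=192.0.2.5 user=carol result=OK"]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(line: str):
    """Return (timestamp, ip, user, result) or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"]


def detect(lines, window=timedelta(minutes=5), stuffing_users=10, bruteforce_fails=8):
    """Classify source IPs and list accounts that logged in from a source already caught stuffing.

    Credential stuffing: at least `stuffing_users` distinct usernames failing from one IP
    inside `window`. Brute force: at least `bruteforce_fails` failures against one username.
    Returns ({ip: verdict}, [(ip, user) for suspected takeovers]).
    """
    recent = defaultdict(deque)  # ip -> (timestamp, user) for failures still inside the window
    verdicts = {}
    takeovers = []
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e[0])
    for ts, ip, user, result in events:
        if result == "OK":
            if verdicts.get(ip) == "credential_stuffing":
                takeovers.append((ip, user))  # a success from a stuffing source = likely takeover
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= stuffing_users:
            verdicts[ip] = "credential_stuffing"
        elif len(q) >= bruteforce_fails and len(distinct) == 1:
            verdicts.setdefault(ip, "brute_force")
    return verdicts, takeovers


if __name__ == "__main__":
    verdicts, takeovers = detect(SAMPLE_LOG)
    for ip, verdict in verdicts.items():
        print(f"{ip}: {verdict}")
    for ip, user in takeovers:
        print(f"ALERT: successful login for {user!r} from stuffing source {ip}")
```

The takeover alert is the actionable one: a stuffing attacker who lands a valid pair behaves like a normal user from then on, so the only reliable hook is the success that immediately follows a burst of distinct-username failures from the same source. Real campaigns rotate through proxy pools, so production rules usually also key on user agent, ASN, or an impossible-travel check, which this example leaves out.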

MFA Best Practices

When considering your MFA setup, remember this key concept: Authentication factors should be separated from the system the user is authenticating from. For instance, a user should not receive an e-mail with a one-time password (OTP) as an MFA factor for accessing a VPN through the same e-mail account they use to access the VPN. A hacker who compromises that e-mail account has access to both the MFA factor (the e-mail delivering the OTP) and the user’s password. This bypasses the additional level of defense that the MFA implementation was intended to provide.

Moreover, the added security provided by MFA is only as good as the secrecy of the additional factor being used. For example, consider the rise in cell phone SIM swap attacks, where a malicious hacker uses a victim’s personal information to take control of a victim’s mobile phone number. A successful SIM swap allows an attacker to masquerade as their victim for any account tied to the victim’s phone number. This also subverts the security of any systems sending SMS OTPs to the victim’s phone as an additional authentication factor.

The increase in SIM swap attacks in recent years highlights the risk of using SMS-based OTPs as an additional authentication factor; NIST SP 800-63B treats out-of-band authentication over the public telephone network (SMS or voice) as a restricted authenticator for this reason. While SMS OTPs are probably still sufficient for some individuals and organizations, those with a low risk tolerance will want to invest in a more robust MFA implementation, such as an authenticator app or a hardware security key, to secure systems or data. (For a deeper dive into MFA guidelines from NIST, see this article.)

Obviously, no security control is a silver bullet. But if you are looking to make a big impact on risk reduction for your organization, MFA is a great place to consider investing. To talk with one of our experts on how you can implement MFA in your organization, contact us today.

Executives tend to fall into three camps when it comes to understanding cybersecurity’s strategic advantages.

  • Leaders who see information security as a discretionary cost. This mindset may last for a while, but it always turns out to be temporary. That’s because hackers attack small companies, too, along with companies that think no one would want the information they have. When “if a hacker attacks us” turns into “when,” the leaders move into the next category…
  • Leaders who see information security as a cost they pay grudgingly. To this group, securing their data may feel like upgrading the building’s heating system. Paying the bill just preserves the status quo rather than getting you anywhere. This mindset at least protects the company, but it’s still a limited view that leads to missed opportunities.
  • Leaders who see information security as an investment in future growth. Motivational speakers love to quote Wayne Gretzky’s observation that he skated to where the puck was going to be, not where it has been. Make no mistake: For businesses, the puck is undoubtedly going to be waiting on the other side of a strong cybersecurity game.

Right now, the third category remains a fairly small club. It’s not quite a first-mover advantage anymore, but activating a proactive information security strategy as a marketing tool certainly puts you ahead of much of the pack. So forward-thinking leaders still have a window for using cybersecurity as a business advantage.

Pratum’s consultants help clients do exactly that. Jim Sixta, a senior information security consultant, advises clients to ask themselves: “If you’re in your future clients’ shoes, what are they going to require of you? When that client comes knocking on your door, you won’t be able to say yes unless you start working on it now. Customers won’t give you time to comply. They want to get a quote and go.”

Here are five areas where information security plays a central role in planning for your business’ growth:

1. Industry-specific requirements – Longstanding regulations like HIPAA may already be part of your business operations. But as the cybersecurity industry matures, sweeping new standards are on the way. Beginning in late 2020, for example, the Department of Defense will begin adding CMMC compliance to its contracts, with every contract including this requirement by 2025. In all, that means about 300,000 companies must earn this certification through a third-party auditor like Pratum in order to win or renew work with the DoD.

2. Government privacy standards – We may be nearing Peak Outrage over how titans like Facebook and Google have been handling all of our personal data. In response, multiple countries and states are passing new laws controlling how companies collect, store and use personal data. If you’re not already clarifying how laws such as the EU’s General Data Protection Regulation and the California Consumer Privacy Act affect your operations, Wayne Gretzky’s puck is likely to hit you in the face soon in the form of mandated operational changes and fines for those who fail to comply. (For an overview of recent changes in this area, see our blog on privacy laws.)

3. Current client requirements – Even if you’re taking a “let’s see what the government makes us do” approach, many of your best clients aren’t waiting around.

Throughout the private sector, detailed information security questionnaires and grids have become standard due diligence components for many companies selecting vendors.

Pratum CEO Dave Nelson says, “Wal-Mart, for example, has been pushing aggressive security requirements onto its direct suppliers, which are being pushed down through the supply chain. Wal-Mart wants to know that if they accidentally send out a confidential file, they have one response, not 50 different responses in each state. You can be three customers away from Wal-Mart and still be part of the ripple effect.”

Nimble companies can respond quickly to requests from potential customers because they keep updated statements about their cybersecurity posture and workflows. Imagine how it affects your chances of winning a deal if it takes you two weeks to fill out a security information matrix and your competitor sends theirs back on the day it’s requested.

Customer requirements may include elements such as obtaining a SOC 2 report (strictly an attestation issued by an independent auditor rather than a certification), which can take up to 18 months if you’ve never been through it. If a competitor coming after your customers already has that report and you haven’t even started on yours, you may quickly find out just how loyal your key clients are.

4. Dream client requirements – This is where another favorite motivational slogan comes into play: Luck favors the well prepared. If a client appears on your Big Hairy Audacious Goals list, they’re almost certainly on the front edge of information security. When your dream customer reaches out with the opportunity of a lifetime, will you have the security game to close the deal? Multiple Pratum clients brought us into the picture only after they had to turn down work from clients like giant national retailers because they couldn’t meet the security requirements. Next time, they’ll be ready for the deal that transforms their company.

5. A new selling point – Based on all the points above, if your information security stance is ahead of the pack, you have a marketing advantage. You can take that into all of your pitches with the message that you’re ready for secure business on Day One, which also speaks to your company’s overall position as a savvy market leader.

One of Pratum’s industry partners, Baker Group in Iowa, has identified a robust cybersecurity stance as a key way to separate from other building services contractors when it bids on new work. “We’re engaging Pratum to create a competitive edge,” says Daryld Karloff, Baker Group’s executive vice president of building services.

How to Prepare for the Future

Upgrading your information security posture needs to start immediately. If you haven’t focused on creating a future-ready information security plan, you may have already lost opportunities that you won’t even know about for a few months. But the good news is that this world is still young enough that you can turn your company into a leader.

To start creating an information security plan that positions your company for growth, contact a Pratum consultant.

Every advance in security technology reinforces a favorite industry cliché: It’s easier to hack people than servers. Clever code exploits may earn hackers bragging rights, but it’s a lot simpler to trick one user into clicking a bogus link and letting you in the front door.

That’s why social engineering continues to be the leading vector for cybersecurity incidents. Industry sources estimate that 80% of security breaches stem from phishing attacks and that 94% of malware arrives via e-mail.

It’s basic math for hackers. A bad actor can easily send out 1,000 e-mails at a time. If you assume an average ransom of $40,000, a success rate of even 1% yields $400,000. And in reality, phishing attacks can work 25% of the time.

Why do so many people fall for phishing e-mails every week? Human nature explains a lot of it. We’re baited with messages that threaten the loss of a service, promise a financial windfall, hint at an important message from our employer or play off our basic confusion about technical terms. All this is dangled in a familiar-looking message promising resolution with a single click.

And we shouldn’t stereotype all phishing victims as that co-worker who just doesn’t get it. Hackers have honed their game massively since the days of foreign princes asking you to help transfer money. Modern phishing e-mails often include your company logo, a trusted partner logo (such as Dropbox), an authentic-looking copy of a colleague’s e-mail address, details about your specific business unit and more. In some of our phishing tests, for example, Pratum uses a convincing-looking Dropbox knockoff.

To stop e-mail phishing attacks, you must continually train your team to keep a wary eye on their inbox. That requires a combination of ongoing training and phishing simulations that keep everyone sharp. The first time you test employees with an internal phishing campaign, the results may be surprising. Pratum’s phishing campaigns often hook 20% of the recipients into clicking the link, and we regularly see 10-15% of recipients giving up their credentials in a simulated attack.
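Training teaches people to look for the tells described above (a brand in the display name but not in the address, a lookalike domain, a link whose text says Dropbox while its destination does not). The same tells can be checked by machine before a message ever reaches an inbox. What follows is an added example written for this article, not Pratum's code or any mail gateway's logic: a small analyzer built on Python's standard `email` module that runs those checks over two constructed messages, one imitating the Dropbox lure and one legitimate internal notice. The trusted-domain list, the homoglyph table and the indicator names are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this organization treats as legitimate (assumption for the example).
TRUSTED_DOMAINS = {"example.com", "dropbox.com"}
# Digit-for-letter swaps that make a lookalike read like the real brand (dropb0x -> dropbox).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample messages (not real mail). Headers, blank line, body.
SAMPLE_PHISH = "\n".join([
    'From: "Dropbox" <share@dropb0x-files.com>',
    "Reply-To: collect@mail-drop.example.net",
    "To: pat@example.com",
    "Subject: A file was shared with you",
    "Content-Type: text/html",
    "",
    '<p>Click <a href="https://dropb0x-files.com/login">https://www.dropbox.com/s/abc</a> to view.</p>',
])
SAMPLE_BENIGN = "\n".join([
    'From: "IT Helpdesk" <helpdesk@example.com>',
    "To: pat@example.com",
    "Subject: VPN maintenance window",
    "Content-Type: text/html",
    "",
    '<p>See <a href="https://vpn.example.com/status">vpn.example.com/status</a>.</p>',
])


def normalize(domain: str) -> str:
    """Undo the visual tricks so a lookalike compares equal to the brand it imitates."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates; None if it is that domain, a subdomain, or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    labels = normalize(domain).replace("-", ".").split(".")
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == trusted or trusted.split(".")[0] in labels:
            return trusted
    return None


def host_of(url_or_text: str) -> str:
    target = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(target).hostname or "").lower()


def analyze(raw_message: str) -> set:
    """Return the set of phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = set()
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Display name borrows a trusted brand while the real sender is somewhere else.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in from_name.lower() and from_domain != trusted and not from_domain.endswith("." + trusted):
            findings.add("brand-in-display-name")

    # 2. The sender domain itself imitates a trusted one.
    if lookalike_of(from_domain):
        findings.add("lookalike-sender-domain")

    # 3. Replies are silently routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.add("reply-to-mismatch")

    # 4. Links whose visible text names one host while the href goes elsewhere or to a lookalike.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for href, inner in LINK_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        shown_host = host_of(shown) if "." in shown and " " not in shown else ""
        if shown_host and shown_host != host_of(href):
            findings.add("link-text-mismatch")
        if lookalike_of(host_of(href)):
            findings.add("lookalike-link-domain")
    return findings


if __name__ == "__main__":
    print("phish  :", sorted(analyze(SAMPLE_PHISH)))
    print("benign :", sorted(analyze(SAMPLE_BENIGN)))
```

These are heuristics, not proof: legitimate marketing mail routinely sets a different Reply-To, and a brand name in a display name is normal for that brand's own domain, which is why the checks whitelist trusted domains and their subdomains. In a gateway these indicators would feed a score alongside SPF/DKIM/DMARC results rather than block on their own; in a simulated phishing campaign they are exactly the details the test messages are built to include.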

How to Run A Phishing Campaign

Here are some key questions to help you plan an effective phishing campaign:

  • Should I do it myself or hire a vendor? Multiple services let you create and execute your own campaigns. But hiring a partner lets you tap the expertise of teams who run dozens of campaigns each year.
  • How often should I conduct campaigns? In short, regularly. Many organizations run them monthly, but quarterly tests are a good standard. It takes a lot of repetitions to keep employees current on hackers’ tricks, and regular testing lets you measure your team’s progress in spotting phishing messages.
  • Who should receive the test? In larger organizations, it often makes sense to target campaigns at specific departments using custom messages. One Pratum client, for example, targets the IT team with decidedly more deceptive test messages, assuming these users should be far savvier. You also can customize messages to simulate the kinds of attacks you expect your team to see, such as fake invoices aimed at Accounts Payable.
  • What are next steps for users who fail the test? Make sure follow-up messages take a tone of coaching, not shaming. And consider the timing of training. You can set up a campaign to send someone straight to training if they click a fake link, for example. But if you’re in the midst of a larger campaign, that spreads the word that a phishing test is underway, tainting the results. Our experts frequently delay e-mails announcing required training until the test is over.

Creating Effective Phishing Test Messages

Once you’ve planned the test logistics, it’s time for the art of the project. Your phishing campaign is all about testing users’ ability to spot a fake, which makes the quality of test messages central to the process. Here are several tips for effective test messages:

  • Use a tool with plenty of templates. Top-level phishing campaign platforms like Pratum’s offer hundreds of e-mail templates rated by difficulty. They can take an official angle, such as asking someone to log into a fake company VPN. Or they can use a personal focus, such as telling users an Amazon delivery failed or offering them a great rate on a loan from a local bank.
  • Mix up the templates. If you follow the advice above and test regularly, you need a wide selection of templates to keep it fresh.
  • Test multiple attack vectors. Good tests dangle a variety of lures. Ask users to click on a link in the message. Try to get them to open an attachment. Request that they enter their credentials. A good campaign report shows how many users fell for each approach. A well-rounded test also includes pretexting phone calls and SMiShing (phishing via texts, or SMS messages).
  • Tie tests to current events. Hackers love capitalizing on the news with offers of Covid-related financial relief, promises of free sports tickets, etc. Your tests should simulate these tactics.
  • Customize templates with convincing details. If you’re testing savvy users, put your company logo in a message asking them to log into the company VPN. You can even add a downloadable file that displays a message on the users’ screen when they run the bogus .EXE file.
  • Target specific user groups. Hackers will do this, so your tests/training should cover this tactic. Use simulated spear phishing attacks, which include user-specific information. (If you’re testing executives, you can use the cool term “whaling.”)

What to Learn From a Phishing Campaign

A good phishing campaign report breaks the results down by lure type, by group and by individual.

Some phishing solutions include an Outlook extension that users can click to report a phishing e-mail. Your IT team can track how many users report the test message as potential phishing, letting you measure their growing participation in spotting the problem. This kind of detailed information also lets you provide training targeted at the groups and individuals in your organization who are struggling to spot bogus e-mails.

Are you ready to learn how Pratum’s experts can help your organization train and test your team’s security awareness? Check out our services or contact us today!
