Pratum Blog


Russia’s attack on Ukraine clearly isn’t limited to tanks, planes and missiles. Russia has already and will continue to deploy cybersecurity attacks as part of a strategy to destabilize or outright shut down its opponents. Most of us don’t play a role in battling nation-state cyber warfare. But this blog covers what organizations of all sizes should know about the potential impact of these global events and how you can take common-sense steps to protect your operations and data.

New Threats From a Familiar Source

Russian hacking isn’t a new threat, so you’ve probably been battling it for years without realizing it. President Biden addressed Russia’s harboring of hackers at a meeting with Vladimir Putin in June 2021, and government and private security professionals have been fighting Russian interference for at least a decade. In January 2022, CISA issued an alert focused specifically on understanding and mitigating Russian state-sponsored threats to U.S. infrastructure.

But Russia’s attack on Ukraine brings new urgency, as Russia has already sought to bring down Ukraine’s government and critical infrastructure, mainly via denial-of-service attacks and malware deployments. Thus far, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has said in a statement that there are no specific or credible threats to the U.S. homeland at this point. But as sanctions begin to take effect, attacks may ramp up.

Few organizations face a real possibility of direct attack by nation states. But impacts could still be widespread if threat actors manage to compromise supply chains or critical infrastructure. Recent incidents involving Kaseya and Log4j have shown how quickly attacks can cascade throughout a software ecosystem. Russia’s attack on Ukraine may be your wakeup call, but regardless of the current headlines, you should incorporate the following best practices to protect your environment.

Establish Basic Protections

  • Enforce the use of strong passwords throughout your organization.
  • If you’re not using multifactor authentication (MFA), deploy it as quickly as possible. This single tool can stop nearly any attack that depends on compromised user credentials.
  • Update all your software to close known vulnerabilities.
  • Deploy a monitoring tool such as Managed Extended Detection and Response (XDR) that can identify threatening activity and help you investigate it.

Review Your Incident Response Plan

If you do suffer a breach, a calm, organized, well-planned response can greatly limit the damage and speed up your recovery time. Now is the time to pull out your incident response plan and make sure that it accurately reflects who is on your team, the tools you have in place, etc. The same goes for your business continuity/disaster recovery (BC/DR) plan, which describes how you’ll keep operations going if a crisis occurs.

Set up a tabletop exercise to walk through a simulated breach and identify any missing or unclear steps in your plan. Many organizations have only vague notes, for example, about how they would restore data from backups. Take time now to investigate how your backups work and the exact steps and timeframe it would take to restore your critical data.

Cloud-based services could be high-value targets for foreign attackers. So your IR plan should address how you’ll maintain operations if you lose access for a time to your customer relationship management (CRM) platform, document exchange service, Microsoft Office 365, etc.

Vet Your Software Supply Chain

Again, this is something that should be part of your normal practice, especially after the Log4j vulnerability showed how rapidly a flaw in widely shared code can wreak widespread damage. Many software developers have relied heavily on outsourcing work to programmers in Russia and eastern Europe in recent years. It will be a massive task to comb through all of your code for elements with Russian origins. But this process may become necessary to ensure that no allies-turned-adversaries left a pathway into your system for Russia to potentially exploit.

Report What You’re Seeing

U.S. authorities count on reports from private organizations to help them maintain an accurate picture of current threats. If you experience an incident or spot anomalous activity, report it to:

CISA – [email address removed by the page’s anti-spam script], 888-282-0870
FBI – Your local FBI field office or [email address removed by the page’s anti-spam script], 855-292-3937.

If you experience a breach and need immediate assistance with assessing the situation and getting back online, call Pratum’s Breach Line 24x7 at 515-212-6634.

If you need advice on getting your policies and plans in place, contact us today.


Every year, Pratum consultants review information security policies for dozens of organizations as part of regular risk assessments. And while no two organizations are exactly alike, we do find one consistent theme: Most clients need to do some serious work on their information security policies. The policies are often incomplete, badly outdated or missing altogether. That means that strengthening your security posture should start by checking whether you have the following essential policies, which our consultants have ranked in rough priority order. (And, of course, you need to actually follow the policies you have in place.)

1. Information Security Policy

Start with this foundational document. It provides an overview of the topics that you can develop further in the specific documents listed below as your program matures. Your Information Security Policy covers the top-line aspects of areas such as acceptable use, password management, access control, encryption, etc.

2. Acceptable Use Policy

These are the basic rules for everyone in your organization. Make sure the policy is clear and concise and that every employee reads it and signs it on their first day of work. Writing this policy and sharing it with each employee ensures that you can enforce critical security rules in the future.

3. Incident Response Plan

Don’t start thinking about how to handle a data breach on the day you discover one. A written IR plan helps you anticipate potential issues and create a detailed checklist that tells everyone what to do when stress is running high. A recent IBM study found that organizations with a written IR plan reduced the cost of a breach by 55%. A good plan identifies your response team in advance and clearly describes each person’s duties, along with how the team will coordinate efforts. Use this guide to start creating your plan.

4. Access Authorization and Identity Access Management

Hackers always hope that compromising one set of credentials will give them access to your entire environment. You prevent that by limiting each user’s access to no more than the data they need to do their job. Write a policy for determining what access every user gets, and be sure to include a plan for regularly updating access when people switch jobs, leave the organization, etc.

5. Business Continuity/Disaster Recovery

Closely related to the IR plan is this policy that anticipates how you’ll avoid serious operational interruptions in a variety of scenarios. Your BC/DR plan lays out the business impact of various threats and describes how you’ll pivot to restore critical operations as quickly as possible. Be sure to plan for testing to confirm that your plans hold up in real life.

6. Risk Management Policy

This document explains your organization’s overall approach to evaluating and remediating risks. The policy will explain how you identify risks, measure their likelihood and impact, set strategies for handling them, etc.

7. Vendor and Third-Party Management

The security of your key suppliers and partners is your problem, too. If a key supplier suffers a breach, you may lose access to essential supplies and services. If one of your software suppliers gets breached, your own system could be infected with malware unwittingly delivered by someone you trust. You need a policy for reviewing the security posture of all third parties, whether that’s following your own security questionnaire or requiring something like a SOC 2 report.

8. Change Management

Who has authority to change IT elements such as firewall settings or approve a new piece of software? Your policy should ensure that only qualified people have that authority, and that proposed changes are reviewed by the appropriate stakeholders to avoid unintended consequences.

9. Security Awareness and Training

You can choose to view your end users either as the biggest threat to your security or as your biggest team of frontline defenders. That means you need a plan for purposefully educating each employee on critical security issues, with an emphasis on the “why” so everyone knows how it affects them.

10. Password Policy

Your end users interact with this policy multiple times a day as they log into their systems. Yet password policies are still widely overlooked. Compromised credentials remain one of the top ways hackers get into a system. And if you’re wondering how robust most password policies are, consider that the most popular password in 2021 was “123456.” The second most popular was “password.” Make time to update your policy to require strong passwords.

If you need expert help in reviewing your existing policies or writing new ones, contact us today to talk to a Pratum cybersecurity consultant.


“Phishing has pumped up its frequency to being present in 36% of breaches (up from 25% last year).”

– 2021 Verizon Data Breach Investigations Report

Network end users are frontline defenders that form a critical component of an organization's information security program. That’s why all cybersecurity training materials include sections on how to spot phishing, which is both rampant and increasingly sophisticated in the methods used to lure victims. When our consultants evaluate risk within an organization and discuss their phishing awareness and training efforts, we typically see advice such as “Don't click on suspicious links” and “Hover the mouse pointer over links in an email to check whether it is legitimate.” But how do you know whether a link and the associated Uniform Resource Locator (URL) lead to a legitimate site?

To evaluate links and URLs, you should understand generic Top-Level Domains (gTLDs), country code TLDs (ccTLDs), and other types of Internet domains. This article covers the basics about reading and interpreting links/URLs.

What Does "www1" Mean?

A web address looks pretty suspicious if you see “www1” or “www2” (or some other number) in the URL. But that’s not a definite red flag. Some very popular web sites run multiple servers in a load-balancing configuration to serve content, and some companies choose to number those servers. So if you see www1 or www2, you’re just seeing which of several servers is providing the content. Seeing www1, www2, etc., is not in itself an indicator of a phishing site.

One way to teach users to look for indicators like these is by developing a customized training program that includes phishing awareness and testing. A training consultant can develop a set of simulated phishing messages that help users learn to spot red flags. When users click the simulated malicious links, the program can point them to additional training.

How Links/URLs are Formed

So what’s the key to reading URLs in links? The basic answer is that interpreting the URL means focusing on the important stuff between the double forward-slash “//” and the first single slash, primarily in the highlighted area shown below.

The structure of a link/URL

Note: The framework above is the basic URL breakdown. In place of http:// or https://, you may see ftp:// or news://. These are different types of transfer protocols. In addition, though “www” appears in many URLs, it is not a required component. You may see additional fields prior to the generic top-level domain and secondary domain/server name. (After the first single forward slash, you’ll find less critical things such as directories, subdirectories, filenames and file types.)

Example Links/URLs

With that background information in mind, let’s look at some examples.

1. http://www.amazon.com

This is a well-known site, and the URL doesn’t include any suspicious modifications.
Assessment: LEGIT!

2. http://www.ama.zon.com/gp/cart/view.html/ref=nav_cart

URLs can be formed in almost any fashion, which makes it easy for site owners to build unique site names. It also makes it easy for phishers to build site names that closely approximate legitimate site names.

In this example, a period makes all the difference. If a person clicked on the link above, they wouldn’t go to amazon.com. The link leads to the site zon.com, which could be a site registered by phishers.
Assessment: SUSPECT!

3. http://amazon.com@66.161.153.155/catalog

In this case, a person would be directed to IP address 66.161.153.155, not amazon.com. If you see a link/URL with an “@” sign, be particularly careful. Phishers routinely use this URL-manipulation tactic.
Assessment: SUSPECT!

4. http://209.131.36.158/amazon.com/index.jsp

This URL is somewhat similar in function to #3 above. It leads to the IP address, not amazon.com, which is listed after the first single forward slash.
Assessment: SUSPECT!

5. http://www.google.com/url?q=http://www.badsite.com

This URL would refer a person from one site (in this case, google.com) to another site, badsite.com (note the “=http://” nomenclature that allows this). Referrals are not in themselves bad, but a referral could lead to a phishing site. In this case, badsite.com doesn’t look legitimate.
Assessment: SUSPECT!
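As an added example (not code from the original article or from Pratum), here is a small Python checker that applies the rules above: it isolates what sits between “//” and the first single slash, strips any userinfo before an “@”, recognises IP-address hosts, and flags brand names pushed into the path or into a redirect parameter. The PUBLIC_SUFFIXES table, the expected_domain parameter and the sample URLs run at the bottom are assumptions of this example; a production tool would load the real Public Suffix List so that ccTLD second-level suffixes such as .co.uk are handled correctly.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/).
# It only knows the suffixes used in this page's examples; a real checker
# should load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "co", "be", "tv", "us",
                   "uk", "co.uk", "org.uk"}


def registrable_domain(host):
    """Return the public suffix plus one label (the part users should read),
    or None if no known suffix matches.

    ama.zon.com -> zon.com, uk.news.yahoo.com -> yahoo.com,
    example.co.uk -> example.co.uk, 66.161.153.155 -> None
    """
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full name down to the last label so the longest
    # matching suffix wins (co.uk before uk).
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def _looks_like_hostname(text):
    """True for a path segment or query value that reads like a domain name."""
    ok_chars = set("abcdefghijklmnopqrstuvwxyz0123456789-.")
    return ("." in text and set(text.lower()) <= ok_chars
            and registrable_domain(text) is not None)


def inspect_url(url, expected_domain=None):
    """Split a URL into the parts the article says to focus on (scheme, host,
    registrable domain) and list red flags found in the rest of it.
    expected_domain is the site the user *thinks* the link goes to."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    domain = registrable_domain(host)
    findings = []

    # "@" in the authority: everything before it is userinfo that browsers
    # ignore for routing; the real destination is the host after it.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' before @; destination is {host}")

    # A bare IP address instead of a name is unusual for a consumer site.
    try:
        ip_address(host)
        findings.append(f"host is an IP address ({host})")
    except ValueError:
        pass

    # Brand names pushed past the first single slash (e.g. /amazon.com/) are
    # just directory names on someone else's server.
    for segment in parts.path.split("/"):
        if _looks_like_hostname(segment):
            findings.append(f"hostname-like path segment '{segment}'")

    # A full URL in a query value is a referral/redirect to another site.
    for key, values in parse_qs(parts.query).items():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                findings.append(f"query parameter '{key}' redirects to {urlsplit(value).hostname}")

    # The comparison the article asks readers to make in their heads.
    if expected_domain and domain != expected_domain.lower():
        findings.append(f"registrable domain is {domain}, not {expected_domain}")

    return {
        "scheme": parts.scheme,
        "https": parts.scheme == "https",
        "host": host,
        "domain": domain,
        "findings": findings,
        "assessment": "SUSPECT" if findings else "LEGIT",
    }


if __name__ == "__main__":
    # The five examples from the article plus a load-balanced 'www2' host
    # (constructed), which is not a red flag by itself.
    for u, expected in [
        ("http://www.amazon.com", "amazon.com"),
        ("http://www.ama.zon.com/gp/cart/view.html/ref=nav_cart", "amazon.com"),
        ("http://amazon.com@66.161.153.155/catalog", "amazon.com"),
        ("http://209.131.36.158/amazon.com/index.jsp", "amazon.com"),
        ("http://www.google.com/url?q=http://www.badsite.com", None),
        ("https://www2.example.com/login", "example.com"),
    ]:
        r = inspect_url(u, expected)
        print(f"{r['assessment']:7} domain={str(r['domain']):18} {u}")
        for f in r["findings"]:
            print("         -", f)
```

Passing expected_domain is what turns example 2 into a SUSPECT: the parser has no way to know you meant amazon.com unless told, which is exactly the comparison users have to make when they hover over a link. The www2 case comes back LEGIT, matching the point above that server numbering alone is not an indicator of phishing.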

To help users quickly determine the top-level and secondary domains within a URL, some companies and organizations have started to use “domain highlighting.” When a user visits a site, part of the URL will dim after a few seconds, leaving the top-level and secondary domains dark. For example:

PayPal domain

It’s always good to look for these signs of a legitimate, secure site:

  • closed padlock
  • https://
  • company name highlighted in green within the URL (such as in the PayPal example above).

If a site’s certificate is expired or otherwise invalid, some browsers, such as Internet Explorer and Firefox, or security services, will warn users. Is it safe to proceed through the warning? In this case, use other available indicators (review the URL again) to help determine whether the site is legitimate. If in doubt, do not proceed.

Why Country Domains Matter

Fifty-four countries have chosen to allow their ccTLDs to be used for commercial purposes. For example, .co, the ccTLD for Colombia, can be used in place of .com. It has become very popular because the .com namespace is so crowded, and it gives businesses an alternative way to form website names.

Have you seen the URL http://o.co? That’s Overstock.com providing an alternate way for you to get to the company through your browser.

You may have seen youtu.be. That’s a legitimate URL, registered by Google using Belgium’s ccTLD, .be.

Much of the entertainment industry uses Tuvalu’s ccTLD, .tv. It’s a great way for the island nation to make money.

When trying to determine whether a site is legitimate, realize that many ccTLDs are also used for commercial purposes. What looks like a suspicious site could be, in fact, legitimate. However, ccTLDs can also be used to form names for phishing sites, so when in doubt, don’t click!

A Short History of Generic Top-Level Domains

We are all used to seeing gTLDs. We use them almost every day, including familiar ones such as .com, .gov and .edu. They are a key part of the structure of the Internet. They are also well understood by phishers, who manipulate URLs for fraudulent use. To best assess links within emails, as well as URLs within browsers, it’s good to know how the various domains have evolved and how they work.

In 1984, Request for Comments (RFC) 920 was used to define the original “general purpose domains”: .com, .gov, .mil, .edu, and .org. Another domain, .net, was added in early 1985 and is also considered one of the “original” domains. In 1988, .int (international) was added to meet the North Atlantic Treaty Organization’s request for a domain. Over the years, other domains were added, such as .biz and .info (2001). By early 2011, 22 gTLDs had been established. In June 2011, the Internet Corporation for Assigned Names and Numbers (ICANN) voted to remove many of the restrictions on gTLD applications and implementation, effectively opening the door for almost any gTLD to be used. Under the new rules, there are currently about 1,500 gTLDs, including .auto, .computer, .network, .social, .pizza, .organic, registered and cleared for use on the Internet. According to some security experts, this evolution in gTLDs is considered a gift to phishers because it will allow them to form a multitude of new phishing websites. For a full listing of the expanded gTLDs, see the Internet Assigned Numbers Authority (IANA) Root Zone Database (https://www.iana.org/domains/root/db).

Country Code TLDs

Country code TLDs are also part of many URLs, and, therefore, one can expect to see them in links on occasion. Countries have ccTLDs to help distinguish what country a site is registered in or originates from. For example, the ccTLD for the United States, .us, is often used by state and local governments. Other ccTLD examples are Australia, .au; Japan, .jp; and United Kingdom, .uk. When reading a link or URL, realize that the location of the ccTLD within the URL could shift (at the end of a URL, such as http://www.gov.uk, or earlier in a URL, such as https://uk.news.yahoo.com).

Conclusion

Phishing continues to be a global problem, exacerbated by users who are unaware of phishing tactics, increasingly sophisticated phishing methods, and now, an increasing set of generic Top-Level Domains. Though links in emails aren’t phishers’ only method, they’re very common. To reduce the risks posed by phishing, you should know how to interpret links and the associated URLs.

If you are interested in learning more about social engineering, awareness and training, and risk assessment services, please contact us today.
