Provides monthly in-depth coverage of company news and cybersecurity trends shaping the financial industry.
Phishing alert: One in 61 emails in your inbox now contains a malicious link
Be careful when you click. That email might not be as innocent as it looks.
By Danny Palmer
The number of phishing attacks is on the rise, more than doubling in recent months, with one in 61 emails delivered to corporate inboxes found to contain a malicious URL.
Analysis by security provider Mimecast found that, comparing the August to November period with the December to February period, the number of emails delivered despite containing a malicious URL increased by 126 percent. These malicious links are one of the key methods cyber criminals use to run their campaigns: distributing phishing emails that encourage users to click through to a link.
The emails are often designed to look like they come from legitimate senders — like a company, or a colleague — in order to gain the trust of the victim, before duping them into clicking the malicious link.
The purpose of the malicious URL could be to deploy malware onto the PC or it could encourage the victim to enter sensitive information into a fake version of a real service — like a retailer, a bank or an email provider — in order to trick the user into giving up passwords and other data. Attackers then either use this as a jumping off point for further attacks, or they look to sell it to other cyber criminals on underground forums.
In total, Mimecast analysed 28,407,664 emails delivered into corporate inboxes which were deemed “safe” by security systems and found that 463,546 contained malicious URLs — the figure represents an average of one malicious email getting through for every 61 emails that arrive.
Given the sheer number of emails sent back and forth by employees every single day, that represents a significant security risk and a potential gateway for hackers looking to conduct malicious activity.
“Email and the web are natural complements when it comes to the infiltration of an organization. Email delivers believable content and easily clickable URLs, which then can lead unintended victims to malicious web sites,” said Matthew Gardiner, cybersecurity strategist at Mimecast.
“Cyber criminals are constantly looking for new ways to evade detection, often turning to easier methods like social engineering to gain intel on a person or pulling images from the internet to help ‘legitimize’ their impersonation attempts to gain credentials or information from unsuspecting users,” he added.
ABCs of UEBA: B is for Behavior
by Jane Grafton on February 4, 2019
We like to say, “You can steal an identity, but you can’t steal behavior.” You might compromise my credentials, but you don’t know what time I normally login, the applications I typically use, the people I regularly email, etc.
Behavior is the Leading Threat Indicator
The key to predicting threats, especially unknown threats, is to monitor user and entity behavior – to recognize when that behavior starts being anomalous. Let’s take a serious example: workplace violence. You hear it over and over again after a violent incident – people close to the perpetrator say things like, “he was acting strange” or “he was keeping to himself” or “he was obsessed with social media” before he committed the violent act. There are always signs, and they are always behavior based. If you can get ahead of the threat, if you can predict it may occur, you can likely prevent it from happening. This is the premise of User and Entity Behavior Analytics (UEBA).
Think about your own behavior, specifically in terms of patterns. Do you get to work at around the same time every day? Probably. If not, you likely have reasons. Maybe you have a doctor’s appointment. Maybe on Thursdays you have a standing appointment. When do you go to lunch? When do you leave for the day? People around you will notice if your behavior changes. If you start coming in late, if your lunches drag on, if you leave work early – any change in your behavior is noticeable. So, how does this same notion translate into UEBA and threat prediction?
If your office parking garage or building requires badge access, you’re creating an audit trail every time you swipe your badge. The machine learning models that power UEBA are able to detect changes in arrival and departure times, duration spent at the office or at lunch, even bathroom breaks if your office is secured by a keycard entry system. Further, if you use a keycard to enter your office and then log in from a remote location with an unrecognized IP address, UEBA links those two activities and flags the combination as an anomaly: you can’t possibly be in the office and working remotely at the same time. Linking user behavior data from the physical badging system and the Windows security log is the only way to ascertain this particular abnormality, which is why the best UEBA products ingest the broadest variety of data feeds. Multiply this example by thousands of employees and millions of transactions over time and you start to get a sense of the power of UEBA.
To predict unknown threats, UEBA examines everything users and entities are doing in real-time, then aggregates, correlates, and links that data to identify anomalies. Keep in mind an entire library of machine learning algorithms and analytics are applied against this combined and normalized data because it’s not possible for humans to detect changes in behavior patterns at this scale.
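As an added illustration of the two ideas above (the badge-plus-remote-login correlation and per-user baselining of arrival times), here is a small Python detector run over constructed badge and Windows logon records. This is not code from the post or from any UEBA product; the corporate IP range, the use of Windows logon type 10 (RemoteInteractive) as the "remote" signal, the four-hour presence window and the z-score threshold are all assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
# Constructed sample data, not real logs: badge swipes and Windows 4624 logon
# events already normalised to (user, ISO timestamp, ...) by the ingest layer.
BADGE_EVENTS = [
    ("alice", "2019-02-04T08:55:00", "HQ-lobby"),
    ("alice", "2019-02-05T09:02:00", "HQ-lobby"),
    ("alice", "2019-02-06T08:58:00", "HQ-lobby"),
    ("alice", "2019-02-07T12:40:00", "HQ-lobby"),  # unusually late arrival
]
LOGON_EVENTS = [  # (user, timestamp, logon_type, source_ip); type 10 = RemoteInteractive
    ("alice", "2019-02-05T09:10:00", 2, "10.0.5.23"),
    ("alice", "2019-02-07T13:05:00", 10, "203.0.113.77"),  # remote while badged in
]
CORPORATE_NETS = [ip_network("10.0.0.0/8")]  # assumed internal address range

def is_corporate(ip):
    return any(ip_address(ip) in net for net in CORPORATE_NETS)

def impossible_presence(badges, logons, window=timedelta(hours=4)):
    """A user cannot be in the office and working remotely at once: flag
    remote logons from outside IPs that follow a badge-in within `window`."""
    alerts = []
    for user, b_time, door in badges:
        for l_user, l_time, l_type, ip in logons:
            if l_user != user or l_type != 10 or is_corporate(ip):
                continue
            delta = datetime.fromisoformat(l_time) - datetime.fromisoformat(b_time)
            if timedelta(0) <= delta <= window:
                alerts.append((user, door, ip, l_time))
    return alerts

def arrival_anomalies(badges, z_threshold=2.0, min_history=3):
    """Baseline each user's arrival time (minutes after midnight) against their
    other swipes; a 5-minute floor on sigma keeps normal jitter from alerting."""
    per_user = {}
    for user, b_time, _ in badges:
        t = datetime.fromisoformat(b_time)
        per_user.setdefault(user, []).append((b_time, t.hour * 60 + t.minute))
    flagged = []
    for user, rows in per_user.items():
        for i, (b_time, m) in enumerate(rows):
            others = [x for j, (_, x) in enumerate(rows) if j != i]
            if len(others) < min_history:  # not enough history to baseline
                continue
            sigma = max(pstdev(others), 5.0)
            if abs(m - mean(others)) / sigma > z_threshold:
                flagged.append((user, b_time))
    return flagged
```

In a real deployment the baseline would be learned per user over weeks of history rather than a handful of swipes, and the remote-logon rule would be one of many correlations across feeds.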
5 critical capabilities for 2019
BY ROBERT JOHNSTON
We can add NASA to the list of recent federal cyber breach victims. The space agency disclosed in late December that hackers found their way into its servers in October 2018. While NASA is still investigating the extent of the breach, the agency knows the hackers accessed personal data of both former and current employees. Unfortunately, other agencies will surely find themselves in NASA’s shoes in 2019. Here’s why:
Cyber criminals know government IT pros have limited budgets that create resource challenges when it comes to securing a daunting array of technologies and data flows. This makes agencies at all levels of government target-rich environments for hackers. So, what’s the answer? How can government IT leaders take control of their data and reduce their vulnerability to bad actors in 2019?
The solution is straightforward, but multilayered. Government agency CIOs and CTOs need a hub-and-spoke system to collect and index data from all their IT touchpoints. These include network traffic, web servers, VPNs, firewalls, applications, hypervisors, GPS systems and pre-existing structured databases. For optimal cyber protection, all those data feeds should be run through an artificial-intelligence-authored security information and event management (SIEM) system equipped with machine-learning-powered analytics to identify anomalous and malicious patterns.
The hub-and-spoke approach should enable four critical capabilities: log/device management, analytics, account/system context and visualization of user privileges across an entire network. Here’s a walk-through of the capabilities and why they matter.
1. Log/device management: This piece should include unlimited and automated coverage of logs, devices and systems as well as integrated compliance management. It should also provide real-time event log management, Windows and Linux server management, cloud and on-premise ingest, secure and encrypted log management and log data normalization.
2. Analytics: Data today is too voluminous for human analysis, so using AI and machine learning to analyze large amounts of data makes the most sense. Agencies should look for a single platform that provides automated threat intelligence, real-time intrusion detection alerts, 24/7 network vulnerability assessment, and user and device context.
3. Account/system context: Speed is essential, so agencies should look for a system that provides one-click, automated risk reporting for auditors and decision-makers that takes minutes rather than days.
4. Visualized permissions: Because cybersecurity conditions and requirements quickly change, agencies need the ability to visualize privileged users and groups in real-time across the network in order to understand who can touch an agency’s data.
5. Long-term viability: Will an agency’s technology still be viable in one, two or five years? It’s an important question, but one that is often mistakenly answered with a yes. The era of on-premise architectures is over because they are flawed by design. Tied to the constraints of initial deployment, these systems are allergic to architecture migration, software redesign, advancements in analytic capabilities and new database implementation. In the cloud, however, organizations can develop a symbiotic relationship between the service they use and new cutting-edge technologies. With today’s cybersecurity threats, agencies need to be bigger, faster and stronger than the adversary, and the cloud gives them the opportunity to deploy the best solutions available.
The hub-and-spoke approach gives government agencies a fighting chance to keep data out of hackers’ hands. What used to be nice to have is now essential. There’s just too much at stake.
About the Author
Robert Johnston is the co-founder and CEO at Adlumin Inc.
Here’s what we know. The number of healthcare data breaches has trended steadily higher over the past decade, in part because cyber criminals know healthcare IT pros are distracted and juggling multiple priorities. From IoT to traditional Windows networks, healthcare is a huge hacking target because managing and securing the large array of technologies and multiple data flows is overwhelming.
Plus, resource-constrained healthcare organizations struggle to find enough qualified security personnel, time and budget to mount a consistently effective cyber defense. And, with the next big breach lurking, stakeholders are asking if it is possible for a hospital or health system to take control of its data and make itself less vulnerable to bad actors. The answer is “Yes” but it will take commitment and a seriousness of purpose to be effective.
The best strategy is a hub-and-spoke system that collects and indexes data from the numerous sources common in a healthcare setting. These include network traffic, Web servers, VPNs, firewalls, custom applications, application servers, hypervisors, GPS systems, and pre-existing structured databases. But this is only the first step because in today’s threat environment, even that array of capabilities won’t be enough. Healthcare organizations need to be on high alert in their cyber-protection game which begins by running all data feeds through an artificial-intelligence-authored security information and event management (SIEM) system. This needs to be equipped with machine-learning-powered analytics to identify anomalous and malicious patterns.
The next level of protection for healthcare CIOs, CTOs, IT and data management pros to implement is making sure their hub-and-spoke systems provide four critical capabilities: log/device management, world-class analytics, account/system context, and the ability to visualize privileges across their entire network. All of these capabilities can be secured by using one platform as we have done at Adlumin. Below is an in-depth review of each that every healthcare IT executive should follow:
- The log/device management piece should include unlimited log/device/system coverage, integrated compliance management (PCI DSS, HIPAA, SOX, FFIEC), automated log and device ingest, and critical server log management. It also needs to have real-time event log management, Windows and Linux server management, cloud and on-premise ingest, secure and encrypted log management and log data normalization. Storage and processing are a commodity. The days of not being able to handle your production workload are over. Security vendors should not be asking for 90% of your budget to only solve 10% of your problems.
- For the analytics, find a single platform that provides automated threat intelligence, real-time intrusion detection alerts, 24/7 network vulnerability assessment, automatic analysis of firewall and VPN log data alongside network account data, automated anomaly interpretation and user and device context. There is simply just too much data for a human to analyze. Using artificial intelligence and machine learning to analyze large amounts of data so you don’t have to is the perfect remedy. So, drop your log management solution and replace it with a cloud-native SIEM.
- The account/system context should include risk management, visualization, and analysis, plus automated reporting for auditors and compliance. It should provide the ability to understand risk with one button click to enable decision making that takes minutes rather than days. And it should power compliance audit reports. When a single click lets you understand risk and compliance, your response time and network security improve over time.
- Finally, the ability to visualize privileged users and groups across the network reveals exactly who can touch a healthcare organization’s most sensitive data. Every healthcare IT executive needs to identify the groups and individuals that have privilege on share drives, and show auditors actual account privilege in real-time. A picture tells a thousand words. Being able to visualize privilege within your environment lets you get your job done faster and take that 2-hour lunch break you so deserve!
Chaos and lack of focus make a healthcare IT operation a ready mark for bad actors. The hub-and-spoke system outlined above, with the additional capabilities, gives healthcare data pros a fighting chance to keep vital patient and employee data out of hackers’ hands.
Robert Johnston is the co-founder & chief executive officer at Adlumin, Inc., and is the cyber detective and strategic thinker who solved the Democratic National Committee hack during the 2016 U.S. presidential campaign. He can be reached at firstname.lastname@example.org (https://abakis.wpengine.com/), @dvgsecurity and @adlumin.
About Adlumin Inc.
Adlumin Inc. was founded in 2016 by Robert Johnston and Timothy Evans, experienced Marine Corps leaders who both spent time at the National Security Agency (NSA). Leveraging its principals’ extensive knowledge and experience in the cyber-security incident response, offensive, and defense arenas, Adlumin has developed a NEXGEN artificial intelligence SIEM platform that detects and confirms identity theft and allows its users to respond in real-time. Adlumin is a cost-effective Software as a Service (SaaS) solution designed to stop cyber intrusions and data breaches.
PRESS CONTACT
P: (571) 334-4777