MODULE 2 – Email Security

 

Ransomware is currently the biggest moneymaker for criminal hackers. They access a corporate network, run software to encrypt the company's valuable data, then charge the one company they know really cares about the data: the company that owns it. They give the company a link to an untraceable cryptocurrency account and a short deadline, threatening the release, destruction, or permanent encryption of the data.

Attackers typically begin this type of attack by PHISHING. Phishing is the process of sending a targeted employee a link that looks legitimate and of interest to them, but actually leads them to download malicious software onto their company’s network.

Approximately 92% of malware gets delivered by email. Email is used frequently because it's an effective tactic. Once malware is on a corporate network, hackers can control the network.

By sending an email that looks official enough, hackers can capture an employee’s logon credentials for a work account or a financial account they have access to. Emails asking targets to “Reset your password HERE” are common approaches. Many also ask targets to report nonexistent thefts from their bank accounts. Any target who uses these fake login links will be directed to login pages that look similar or identical to their normal login sites. Once they enter their user ID and password, their credentials are captured by the criminal hackers, who can use them on the genuine website to transfer money to an account controlled by the criminals.

 

  1. Email is the largest vector for cyberattacks
    1. 92% of all cyberattacks on corporations start with malware delivered by email.
  2. Types of cyberattacks email can facilitate:
    1. Launch ransomware to hold data hostage
      1. Ransomware is one of the biggest threats to corporate networks today. Attackers email an unwitting employee an attachment that contains a small program (malware) or a link to a website that will automatically deliver malware designed to encrypt a company’s entire computer network. When an employee clicks on the attachment, it may appear as though nothing happened, and the attachment does not open. Within seconds or minutes after clicking on it, a notice may appear on the employee’s computer, then on other computers in the company, stating that their network has been locked up and that their data is inaccessible and will remain locked or be destroyed by a certain deadline if a ransom is not paid.
      2. The ransom is usually asked to be paid in an electronic currency (called cryptocurrency) to an untraceable account held by the attackers. Often the ransom is a relatively small amount – in the tens of thousands of dollars – so victim companies view it as almost insignificant compared to the cost of losing all their business data and not being able to continue working. Sometimes when large, wealthy companies with highly sensitive data are hit by ransomware attacks, they pay ransoms in the millions of dollars.
        • In a 2017 survey, many workers reported they would rather pay a ransom out of pocket than report it to their boss. BAD IDEA! No one in the company would know what info has been taken or what malware was left behind in the system for future exfiltration or exploitation. Hackers thrive on targets and victims keeping incidents like these to themselves.
      3. Ransomware attacks are extremely popular with attackers because they are:
        1. Easy – Ransomware attacks are relatively easy to execute; even hackers with little expertise can buy ransomware on the dark web to use against target companies.
        2. Cheap – Attackers can send emails to many employees in a company for almost no cost. They only have to find one employee to click on a bad attachment or link to capture a network.
        3. Lucrative – Ransomware attacks bring in on average about $40,000 per attack.
    2. Data Theft
      1. Malware can be downloaded into a company’s computer network by having an unwitting employee click on an attachment that appears to be legitimate. Some malware programs may then allow attackers to search a company’s computer system for proprietary data such as:
        1. Customer credit card data,
        2. Business plans that the competition may want,
        3. Personally identifying information (PII) like social security numbers, which could be sold to criminals for identity theft operations,
        4. Patient health records,
        5. Sensitive corporate financial information.
    3. Launch malware that destroys data or even computers
      1. In 2012 the largest oil company in the world, Saudi Aramco, was hit by a cyberattack that destroyed 35,000 computers. The hack started with an employee clicking on a link in a phishing email.
    4. Facilitate a range of social engineering attacks, to include:
      1. Impersonating supervisors by using their email address to order money and resources to be moved illegally.
      2. Stealing corporate identities to steal money in the form of payments or transfers.
      3. Researching information about targeted employees and their colleagues to use against them to create more believable phishing information. Access to corporate email gives attackers info about their work, workplace, and life so they can craft more convincing phishing emails against their colleagues and work partners. They can also use that information to assess vulnerabilities in a company’s network or other systems.
        1. Access to an employee’s email gives access to their colleagues’ email: remember, every conversation has at least two participants.
        2. Hackers can steal and use an employee’s identity to steal corporate info/resources/money IN THEIR NAME, leaving the targeted employee to prove he wasn’t the one who committed the crime.
    5. Extortion/sextortion
      1. Hackers use email to send messages to targets threatening to release compromising pictures or information they have, or falsely claim to have.
  3. Email Security Solutions Hackers Hate
    1. Hackers generally play a quantity strategy. When they encounter employees with cybersecurity training, they typically move on to the next target. They usually send many phishing emails. Statistically, a number of people will click on the links and inadvertently give them access to their company’s network. Most cyber criminals are just out for easy money and will move on if targets don’t click on their bait emails.
    2. Employees should use:
      1. Strong passwords for email accounts and NEVER give them to anyone,
      2. Two-Factor Authentication (2FA) or Multifactor Authentication using a cell phone text message, authentication app, or hardware token,
      3. Common sense and cybersecurity training to evaluate suspect emails.
    3. Email Security Procedures:
      1. Examine emails before clicking on them OR their attachments, even from known senders,
      2. Use an Email Security Checklist:
        • Know the sender? Know their email address (or just the name “John”)?
        • Expecting this subject line? Is it too generic?
        • Expecting an attachment?
        • Avoid using unencrypted email when on public Wi-Fi
        • Email from unknown people – everything above BUT WITH MORE CAUTION!

Comply with the company’s password policy
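
The Email Security Checklist above can also be run as an automated triage aid. The following Python sketch is an added example, not part of the original module; the address book, the list of "too generic" subject phrases, and the sample messages are hypothetical, constructed values.

```python
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions (hypothetical values): the reader's address book and the
# subject phrases treated as "too generic".
KNOWN_CONTACTS = {"john.smith@example.com": "John Smith"}
GENERIC_SUBJECTS = ("reset your password", "verify your account",
                    "action required", "urgent")

def checklist(msg, expecting_attachment=False):
    """Apply the checklist to one EmailMessage; return a list of warnings."""
    warnings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    # Full names and first names of known contacts, for the "just 'John'" case.
    names = set()
    for name in KNOWN_CONTACTS.values():
        names.update({name.lower(), name.split()[0].lower()})
    if addr.lower() not in KNOWN_CONTACTS:
        if display.lower() in names:
            warnings.append("name looks familiar but address is not the known one")
        else:
            warnings.append("unknown sender: apply every check with more caution")
    subject = str(msg.get("Subject", "")).strip().lower()
    if not subject or any(p in subject for p in GENERIC_SUBJECTS):
        warnings.append("generic subject line")
    # Attachments are checked even when the sender is known.
    files = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    if files and not expecting_attachment:
        warnings.append("unexpected attachment: " + ", ".join(files))
    return warnings

def build_sample(sender, subject, attachment=None):
    """Build a constructed test message (sample data, not a real email)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content("Constructed sample body.")
    if attachment:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg

if __name__ == "__main__":
    phish = build_sample("John <john.smith@example.org>",
                         "Reset your password HERE", "invoice.zip")
    for warning in checklist(phish):
        print("WARNING:", warning)
```

A message that passes every check is not proven safe; the warnings only tell the reader which checklist questions to answer before clicking.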