Our cybersecurity advice section provides comprehensive information about the latest online security threats – not only the threats from unfiltered spam emails, but also the risks present on the Internet from malvertising and vulnerable websites onto which malware exploit kits may have been loaded by cybercriminals.
We also provide advice on the precautions that can be taken to heighten cybersecurity defenses and mitigate the risk of inadvertently downloading an infection. The message throughout all of our cybersecurity advice is to protect your network and WiFi systems with an email spam filter and web content control solution.
Ransomware is now one of the biggest threats faced by businesses. When hackers gain access to business networks, it is now common for large quantities of data to be stolen prior to file encryption. Ransomware gangs know all too well that businesses with good backup policies will be able to restore their encrypted data from backups, but they will need to pay the ransom in order to prevent the release or sale of the stolen data. Even when files can be recovered from backups, many businesses feel they have no alternative other than paying the ransom to ensure stolen data are deleted. Data from Coveware indicates 70% of ransomware attacks now involve data theft.
Ransomware attacks are incredibly costly, even if the ransom is not paid. Universal Health Services Inc. in the United States suffered a Ryuk ransomware attack in September 2020 and the health system choose not to pay the ransom. Add up the recovery costs which included data restoration, cybersecurity consultants, notification letters to patients, and the loss of many services during the remediation process, and the cost of the attack rose to $67 million.
While expensive, that high cost is just a fraction of the cost of the recent Conti ransomware attack on Ireland’s Health Service Executive. The May 2021 ransomware attack caused massive disruption to healthcare services in Ireland. Without access to patient records, patient safety was put at risk, non-urgent appointments had to be cancelled, and there were major delays getting test results.
A few days after issuing a ransom demand of €20 million, the Conti ransomware gang gave the HSE the decryption tools free of charge. Even with the valid tools to decrypt data, recovery has been slow and incredibly costly. It has been around a month since the tools were provided to decrypt files, but many systems are still inaccessible. HSE Chief executive Paul Reid said it is likely to take months before all systems are brought back online.
Simply eradicating the attacker from the network and recovering encrypted data is only part of the story. IT systems need to be upgraded, security greatly improved, and a security operation center needs to be set up to monitor the network to prevent any further attacks. The initial costs incurred as a result of the attack were reported to be well over €100 million, but the overall cost of the attack is expected to rise to around half a billion Euros – Around $600 million.
An attack on such a major healthcare provider is naturally going to be incredibly costly, but ransomware attacks on small businesses can be catastrophic. Following a ransomware attack, an estimated 60% of small businesses fail within 6 months. One study showed the cost of remediating a ransomware attack doubled between 2020 and 2021, with the average cost now around $1.85 million. Attacks are also increasing. An analysis of the data leak sites used by ransomware gangs by cybersecurity firm Mandiant showed there has been a 422% increase in ransomware-related data leaks between Q1, 2020 and Q1, 2021.
How to Improve Your Defenses Against Ransomware
The most prolific ransomware gangs operate under the ransomware-as-a-service model. The creators of the ransomware do not conduct attacks, instead they employ affiliates to do they attacks for them. That means more attacks can be conducted. The creators run the operation and take a cut of any ransom payments generated, with the affiliates retaining the bulk of the ransom payments from their attacks.
Affiliates conduct attacks using a variety of methods and no two attacks will be exactly the same. Preventing ransomware attacks therefore requires a range of different measures to block all of the attack vectors, but the best place to start is by improving phishing defenses. Phishing emails are increasingly used as the initial entry point into business networks, so if these malicious emails can be blocked at the email gateway, they will not be delivered to inboxes where they can be opened by employees.
That is an area where TitanHQ can help. TitanHQ has developed two advanced solutions that are effective at preventing ransomware attacks. SpamTitan is a powerful email security solution that filters out malicious messages to stop them from causing harm. Rather than be delivered, emails with malicious links and attachments are quarantined.
WebTitan is a DNS-based web filtering solution that complements SpamTitan to provide even greater protection against ransomware and malware attacks. WebTitan prevents employees from visiting the malicious websites where malware and ransomware are downloaded.
Both solutions are consistently given top marks on software review sites such as G2 Crowd, with the solutions given a maximum of 5 stars by users of Spiceworks and Capterra. SpamTitan has also received over 37 consecutive Virus Bulletin Spam awards.
If you want to improve your defenses against phishing, ransomware, and web-based attacks, give the TitanHQ team a call. If you would like more information about protecting against attacks, also be sure to attend the upcoming TitanHQ/Osterman Research webinar on June 30, 2021:
It used to be quite easy to identify a phishing email, but over the past few years, scammers have really upped their game. Some of the phishing emails now being sent can fool even the most security conscious and well-trained people, but if you know the signs of phishing email, you should be able to identify and avoid all but the most sophisticated phishing attempts.
What is Phishing?
Phishing is the name given to a tactic used by cybercriminals to obtain sensitive information through deception, often by impersonating a trusted source. Phishing is also used to deceive people into taking an action that allows the attacker to achieve their aim. This could be installing malware or even changing security settings on a device.
Phishing can be viewed as the digital equivalent of a confidence trickster, so these tactics are certainly nothing new. The attack technique gets the name from fishing. With fishing, a lure or bait is used to trick a fish into swallowing a hook. With phishing, a lure is used to trick an individual into taking an action in the belief that the request is genuine.
Phishing can take place over the telephone, in person, via text messages, social media networks, or chat platforms, although most commonly it occurs via email. Attacks are easy to perform, as all that is needed is an email address to send the messages and a phishing template. If credential theft is the goal, a website hosting a phishing kit is required to harvest credentials. Phishing kits are widely available on hacking forums and malware can also be purchased, so an attacker really only needs email accounts to send the messages.
Phishing emails can range from basic to highly sophisticated, and while email security solutions are effective at identifying phishing emails and ensuring they are not delivered to inboxes, no email security solution is capable of blocking every phishing threat without also blocking unacceptable numbers of genuine emails. It is therefore essential for employees to be told how to spot the signs of a phishing email and for them to be conditioned how to respond when a suspicious email is received.
Phishing Tactics are Constantly Changing!
There are tried and tested phishing techniques that are used time and time again because they are effective, but new lures are constantly being developed to trick individuals and evade email security solutions. It is not possible to train employees how to recognize every lure they are likely to receive, but it is possible to teach employees the most important signs of a phishing email, as there are commonalties shared across most phishing campaigns.
The aim of any training is not to ensure that every employee will recognize every phishing email, only to reduce susceptibility of the workforce to phishing attacks. Over time, employees will get better and will be able to recognize phishing emails and will get used to reporting suspicious emails to their security team.
What Are the Signs of a Phishing Email?
Every email received could potentially be a threat, even emails that appear to come from a known individual or other trusted source. Just because the sender’s name is familiar or the correct logos and contact details of companies are used, it does not mean that the email is genuine.
Some of the most effective phishing lures that are used to target businesses mimic genuine business communications such as purchase orders, receipts, invoices, job applications, shipping notifications, and non-delivery notifications. You should perform some quick checks of any email you receive, specifically looking for the following signs of a phishing email.
Urgency and Threats
Most phishing emails try to get the recipient to act quickly without thinking or checking for the signs of a phishing email. Some of the most effective lures require quick action to be taken to avoid negative consequences. Scare tactics are used, such as the threat of arrest or legal action, loss of service, loss of money, or even fear of missing out (FOMO).
Spelling and grammatical errors
Spelling and grammatical errors are common in phishing emails. These can be accidental – Google translate errors – or can be deliberate. Why deliberately include spelling errors? Anyone who still falls for the email will be more likely to then fall for the next stage of the scam.
When businesses send emails, they are usually careful to ensure there are no spelling and grammatical errors. Most businesses have a spell and grammar check configured for all outbound emails.
Unnecessary or Unusual Attachments
Email attachments are commonly used in phishing emails that distribute malware. Attachments may not be what they seem and could have a double extension. A Word document could in fact be an executable file that installs malware when double clicked. Malicious scripts such as macros are often added to files that will execute and download malware if allowed to run. Malicious hyperlinks are often hidden in attachments such as PDF files, Word documents and Excel spreadsheets to hide them from email security solutions. Exercise caution when opening any attachment, scan it with your AV software before opening, and do not enable content or macros – you do not need to in order to see the contents of a genuine document. If in doubt do not open.
Hyperlinks are often included in phishing emails to direct the recipient to a website hosting a phishing kit. These links may appear genuine from the link text, but links are often obfuscated to make them appear genuine. Check the true destination before clicking by hovering the mouse arrow over the link. If the link is clicked, make sure the domain you land on is the correct domain used by a company, and be exceptionally careful if you are asked to enter sensitive information such as your Office 365 credentials.
Phishing emails will try to get you to take an action you would not normally take. If the request deviates from the normal request received via email you should be suspicious. This could be a request to send sensitive data via email, install a program, or make a call or click a link to install a security update. It pays to make a quick phone call to check the legitimacy of any odd request using previously verified contact information – never contact information in the email. Also look out for unusual greetings and overly familiar or overly formal emails from contacts – These deviations could indicate an email impersonation attack.
Unfamiliar Email Addresses and Domain Names
Phishers often hijack email accounts so phishing emails can come from genuine email accounts, but it is most common for free email accounts to be used or for attackers to create email accounts on their own domains. Those domains often closely resemble the brand that the attackers are impersonating. Watch out for hyphenated domains – e.g. microsoft-updates.com; transposed or missing letters – e.g. mircosoft.com; use of irregular characters – e.g. m1crosoft.com; and subdomains microsoft.phishingdomain.com. Carefully check the email address and the domain name.
Block Phishing Emails with TitanHQ
If run a business and want to improve your security defenses, you should train your employees how to identify the signs of a phishing email. You should also ensure you have an effective email security solution in place that will block the vast majority of email threats to stop them from reaching inboxes. You should also consider implementing other anti-phishing solutions to create layered defenses.
This is an area where TitanHQ can help. TitanHQ offers two award-winning anti-phishing solutions for SMBs and managed service providers (MSPs) serving the SMB market: SpamTitan Email Security and WebTitan Web Security. Both can be used in tandem to greatly improve your defenses.
SpamTitan blocks malware and phishing emails at source and keeps inboxes free of threats, while WebTitan protects against the web-based component of phishing attacks, blocking attempts by users to access known malicious domains and stopping malware downloads from the Internet.
For further information on these solutions and how they can improve your phishing defenses, give the TitanHQ team a call today or drop us a line on email. If you want to test the solutions, both are available on a no-obligation free trial.
Learning how to identify phishing emails is an important skill: One that all employees need to master. Many phishing emails are easy to spot if you know the signs of a phishing email to look for.
It is not necessary to spend a couple of minutes checking every email at work, after all, that would leave little time for doing anything else. There are some quick and easy checks that take a few seconds and can easily allow you to identify phishing emails quickly. Performing these simple checks on each inbound email should become second nature before long.
5 Easy Ways to Identify Phishing Emails
Listed below are 5 basic checks that should be performed to identify phishing emails. These will allow you to identify the most common techniques used by phishers to steal your credentials or get you to install malware.
Check the Sender’s Email Address
Many emails will have a different display name to the actual email address, so it is important to check who the real sender is. The display name can be easily configured by the sender to make you think an email is genuine. You may receive an email that has PayPal as the display name, but the sender’s email address could have a non-PayPal domain or have been sent from a Gmail account or another free email service. Free email services such as Gmail, Yahoo, Hotmail are not used by businesses.
Check that the domain – the part of the email address after the @ symbol – matches the sender. For PayPal that would be PayPal.com. Also check to make sure the domain name is spelled correctly and that there are not any transposed or replaced letters. It is common to replace an i to be replaced with a number 1 for example, an m to be switched to an rn, or hyphens to be added to domains to make them look official. Pay-Pal for instance.
Carefully Check Hyperlinks in Emails
Phishing occurs via email, but the actual credential theft usually occurs online. Hyperlinks are included in emails that direct people to a web page where they are asked to enter sensitive information such as their email login credentials. These web pages are usually carbon copies of genuine login prompts for services such as Office 365, apart from the domain on which the page is hosted.
You should be suspicious of any hyperlink in an email. Even clicking a link could be enough to trigger a malware download. You should check the true destination URL of a link, which may be masked with a button or legitimate looking text. Hover your mouse arrow over any link to check the destination URL.
The domain should match the sender and be the official domain used by the company. If the email has been sent from a company, visit the website by entering the correct domain into the address bar of your browser rather than clicking the link. If you believe the link to be genuine, remember to double check the page you land on, as you may have been redirected to a different website.
Be Wary of Email Attachments
Email attachments are often used in phishing to hide malicious content. Malicious hyperlinks are often added to Word documents and PDF files rather than include them in the message body of the email to evade security solutions.
Attachments commonly have macros – code – which will perform malicious actions if allowed to run. When you open these files, you will be prompted to “enable editing” or “enable content.” Doing so will allow the code to run. You will not need to enable any content in order to view a legitimate file.
Executable files are often attached to emails that will install malware if double clicked. Executable files include files with a .exe, .js, .bat, .scr, .vbs extension. Also check for double extensions, such as .doc.exe or .pdf.exe. Windows may hide the actual extension of the file if it is known and only display the first part. If in doubt, do not open attachments, especially those in unsolicited emails. If you believe the attachment to be genune, make sure you scan it with antivirus software before opening.
Spelling and Grammatical Errors
Many phishing emails are poorly written and contain spelling and grammatical errors. Official emails from a company will have been checked prior to being sent, so spelling and grammatical errors are extremely unlikely. Businesses often have spell checks on emails enabled by default. Many phishing messages are sent from Eastern Europe or other non-English speaking countries and have been translated using Google Translate so may sound a little odd.
Also be wary of any odd or unusual requests, such as a request to open a file when information could easily have been included in the message body or requests to send sensitive information via email.
Threats and Urgency
Most phishing emails attempt to get the recipient to take fast action and not consider the request too carefully. There is often a threat of bad consequences if action is not taken quickly, such as the closure of an account or loss of service. Phishers rely on fear (or fear of missing out) to get people to take action that they would normally not take and to act without thinking.
You may receive an email warning that your Netflix account will be closed due to a security issue unless you login. Emails often threaten arrest or lawsuits of you do not take immediate action. You may receive a too-good-to-be-true email offering you an incredible bargain or claiming you have won a competition you did not enter. Sceptics are less susceptible to phishing!
Phishing is the biggest cyber threat faced by businesses. Phishing emails are malicious email messages that use deception to obtain sensitive information or trick individuals into installing malware. During the pandemic, cybercriminals took advantage of COVID-19 trends and created phishing emails that spoofed trusted entities such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention offering up to date information on the coronavirus. Companies offering personal protective equipment (PPE) were impersonated when there was a shortage of supply, and recently pharmaceutical firms have been spoofed to send offers related to COVID-19 vaccines.
One of the primary aims of these scams is to obtain Microsoft 365 credentials, which give the attackers access to the treasure trove of data that is typically found in email accounts. The compromised emails accounts are used in email impersonation attacks on other individuals in the organization, or in business email compromise (BEC) attacks to trick finance department employees to make fraudulent wire transfers. A single compromised Microsoft 365 account can give attackers the foothold they need for a much more extensive attack on the organization, with phishing emails the initial attack vector used to deliver ransomware.
These phishing emails can be difficult for employees to identify, even when they are provided with security awareness training. Once an email lands in an inbox, there is a high chance to that email being opened and an employee taking the action requested in the email, so it is essential for businesses to have an effective email security solution in place that can identify and block these malicious messages.
Malware Delivery via Email is Increasing
Recent research has shown that phishing emails are now the primary method used to deliver malware and the number of emails distributing malware is increasing. A study recently published by HP in its threat insights report shows 88% of malware is now delivered via email, with the volume of messages distributing malware increasing by 12% from the previous quarter. Many of these emails contain executable files that directly install the malware on devices or run malicious code that launches memory-only malware.
Traditional antivirus software solutions often fail to detect malware variants sent via email. Antivirus software is signature based, so in order for malware to be detected, its signature must have been loaded into the AV software’s virus definition lists. If there is no signature, the malware will not be detected as malicious. The HP study showed almost a third of all phishing emails used to distribute malware involve previously unseen malware variants.
The threat groups conducting these phishing campaigns use obfuscation techniques and packers that allow malware to evade antivirus software. It typically takes an average of 8.8 days for the hashes of malware variants to be added to AV engines.
Blocking new malware variants is difficult, but not impossible. One of the ways that these emails can be detected is through the use of a sandbox. Email security gateways with sandboxes first scan inbound messages and check attachments using AV engines. Email attachments that are suspicious but are not determined to be malicious from the AV scan are then sent to the sandbox for in-depth analysis. Within the secure environment of the sandbox, the files are investigated for any malicious actions such as command and control center callbacks.
No anti-malware controls will detect all malware variants but using a spam filtering solution such as SpamTitan that uses sandboxing technology will greatly improve the malware detection rate and will help to keep your inboxes malware free. SpamTitan also allows rules to be created for departments, job roles, and individuals that will further improve protection against malware attacks. Rules can be set to prohibit certain file types from being delivered to inboxes – the types of files that are commonly used to deliver or mask malware.
With phishing and malware attacks increasing, businesses need to ensure that their cybersecurity defenses are up to scratch and are capable of detecting and blocking these and other email and web threats. If you are receiving spam and phishing emails in your inboxes, have suffered a malware attack via email, or simply want to improve your defenses against email and web-based threats, give the TitanHQ team a call to find out more about cybersecurity solutions that can greatly improve your security posture at a very competitive price.
Network segmentation is the act of dividing a computer network into smaller physical or logical components. Two devices on the same network segment can then talk directly to each other. For communication to happen between segments, the traffic must flow through a router or firewall. This passage allows for traffic to be inspected and security policies to be applied.
Network segmentation is one of the mitigation strategies in terms of protecting against data breaches and multiple types of cyber security threats. In a segmented network, device groups have the connectivity required for legitimate business use only. The ability of ransomware to spread is greatly restricted. However all too often organizations operate an unsegmented network.
Network segmentation can also help to boost performance. With fewer hosts on each subnet, local traffic is minimized. It can also improve monitoring capabilities and helps IT teams identify suspicious behavior.
If you follow network segmentation best practices and set up firewall security zones you can improve security and keep your internal network isolated and protected from web-based attacks.
Network Segmentation Security Benefits
There are many benefits to be gained from network segmentation, of which security is one of the most important. Having a totally flat and open network is a major risk. Network segmentation improves security by limiting access to resources to specific groups of individuals within the organization and makes unauthorized access more difficult. In the event of a system compromise, an attacker or unauthorized individual would only have access to resources on the same subnet. If access to certain databases in the data center must be given to a third party, by segmenting the network you can easily limit the resources that can be accessed, it also provides greater security against internal threats.
Best Practices for Network Segmentation
Most businesses have a well-defined network structure that includes a secure internal network zone and an external untrusted network zone, often with intermediate security zones. Security zones are groups of servers and systems that have similar security requirements and consists of a Layer3 network subnet to which several hosts connect.
The firewall offers protection by controlling traffic to and from those hosts and security zones, whether at the IP, port, or application level. There are many network segmentation examples, but there is no single configuration that will be suitable for all businesses and all networks, since each business will have its own requirements and functionalities. However, there are network segmentation best practices that should be followed. We have outlined these and firewall DMZ best practices below.
Suggested Firewall Security Zone Segmentation
Suggested Firewall Security Zone Segmentation
In the above illustration we have used firewall security zone segmentation to keep servers separated. In our example we have used a single firewall and two DMZ (demilitarized) zones and an internal zone. A DMZ zone is an isolated Layer3 subnet.
The servers in these DMZ zones may need to be Internet facing in order to function. For example, web servers and email servers need to be Internet facing. Because they face the internet, these servers are the most vulnerable to attack so should be separated from servers that do not need direct Internet access. By keeping these servers in separate zones, you can minimize the damage if one of your Internet facing servers is compromised.
In the diagram above, the allowed direction of traffic is indicated with the red arrows. As you can see, bidirectional traffic is permitted between the internal zone and DMZ2 which includes the application/database servers, but only one-way traffic is permitted between the internal zone and DMZ1, which is used for the proxy, email, and web servers. The proxy, email, and web servers have been placed in a separate DMZ to the application and database servers for maximum protection.
Traffic from the Internet is allowed by the firewall to DMZ1. The firewall should only permit traffic via certain ports (80,443, 25 etc.). All other TCP/UDP ports should be closed. Traffic from the Internet to the servers in DMZ2 is not permitted, at least not directly.
A web server may need to access a database server, and while it may seem a good idea to have both of these virtual servers running on the same machine, from a security perspective this should be avoided. Ideally, both should be separated and placed in different DMZs. The same applies to front end web servers and web application servers which should similarly be placed in different DMZs. Traffic between DMZ1 and DMZ2 will no doubt be necessary, but it should only be permitted on certain ports. DMZ2 can connect to the internal zone for certain special cases such as backups or authentication via active directory.
The internal zone consists of workstations and internal servers, internal databases that do not need to be web facing, active directory servers, and internal applications. We suggest Internet access for users on the internal network to be directed through an HTTP proxy server located in DMZ 1.
Note that the internal zone is isolated from the Internet. Direct traffic from the internet to the internal zone should not be permitted.
The above configuration provides important protection to your internal networks. In the event that a server in DMZ1 is compromised, your internal network will remain protected since traffic between the internal zone and DMZ1 is only permitted in one direction.
Risks of an Unsegmented Network
A real world example of an unsegmented network and resulting attack is the massive Target data breach of 2013. Reportedly, the Target breach had its origin in a phishing email opened by an employee at a small HVAC company that did business with Target. The malware lurked in the HVAC network for two months before moving on to attack the Target network.
Once inside they were able to move laterally through Target’s internal network, eventually installing malware on point-of-sale (POS) terminals throughout the stores. In the wake of the attack, Target implemented network segmentation to prevent the lateral movement that allows the attackers move with the system in this breach.
It’s no surprise a breach this huge is massively expensive and the cleanup represents an almost overwhelming challenge. Bloomberg BusinessWeek reported that Target spent $61 million through Feb. 1 on the breach.
The data of 110 million customers was compromised.
Over 100 lawsuits have been filed.
Banks have already spent $200 million related to the Target breach, and it’s unclear if there’s an even bigger payout on the horizon.
Effective network segmentation also makes it easier to detect signs of an attack. It’s not uncommon for a company’s Intrusion Detection System to generate such a large number of alerts that many go uninvestigated.
By concentrating on alerts related to sensitive parts of the network, security teams can prioritize incidents likely to be the most dangerous. Network segment traffic can also be monitored for unusual patterns or activity potentially indicating an attack.
Effective Network Segmentation is not enough
Many sectors including manufacturing, retail and industrial are prime target for cyberattacks. Often organizations in these sectors are not up to date in terms of implementing key cybersecurity controls in order to be prepared for advanced and evolving attack methods.
By adhering to network segmentation best practices, you can optimize network security. There’s no silver bullet to take down every attacker, but it’s possible to implement several layers of security that work together as a whole to defend against a myriad of attacks.
Layered Security to Prevent Data Breaches
Layered security allows for each security layer to compound with the others to form a fully functioning, complete sphere of security. The internal network (ideally segmented) and its data are surrounded by powerful, interwoven layers that an attacker must defeat. These layers make security much more complex for a successful breach.
Cybercriminals are already exploiting the lack of security at the DNS layer to conduct phishing attacks and gain access to proprietary enterprise data. Not securing the DNS layer is making it far too easy for hackers to take advantage. Securing the DNS layer is a straightforward process that requires no additional computer hardware or even any software installations. Many vendors now offer cloud based DNS filtering solutions that can be set up in minutes.
Isn’t it about time you started securing the DNS layer and making it much harder for cybercriminals to compromise your network? If you’re looking to get enterprise-grade protection from malware and phishing, check out WebTitan Cloud DNS filtering today.
What does network segmentation mean?
Network segmentation is concerned with dividing a network up into smaller segments called subnets. This can improve network performance and is important for security. By using firewalls between each segment, you can carefully control access to applications, devices, and databases and can block lateral movement in the event of a successful cyberattack.
What is logical network segmentation?
Logical network segmentation is a popular way of segmenting a network. Instead of segmenting physical parts of the network such as routers and access points, logical segmentation uses concepts built into network infrastructure for segmentation, such as creating virtual local area networks (VLANS) that may share physical hardware.
Is network segmentation necessary for PCI compliance?
Organizations that store, process, and/or transmit cardholder data must comply with PCI DSS. One of the requirements is to use network segmentation to keep the cardholder data environment (CDE) separate from other parts of the network. Through network segmentation, organizations can isolate credit card data from all other computing processes.
Can network segmentation protect against ransomware attacks?
Network segmentation is a best practice that can help to reduce the damage caused by a malware or ransomware attack. If a computer is compromised, attackers will attempt to more laterally and access other devices and parts of the network. With network segmentation, lateral movement is much harder, so it is easy to contain malware and limit file encryption by ransomware.
What are the main benefits of network segmentation?
There are three main benefits of network segmentation. First is security. It reduces your attack surface and limits lateral movement in the event of a breach. Second, you can improve network performance, as traffic will be confined to the part of the network where it is required. Thirdly, it makes compliance easier by allowing you to separate regulated data from other computer systems.
Phishing remains the number one cyber threat to businesses and there are no signs that cybercriminals will be abandoning phishing any time soon. Phishing is defined as the use of deception to fraudulently obtain sensitive information, which often involves impersonating trusted individuals and using social engineering techniques to trick people into disclosing their login credentials.
It is not necessary to be a hacker to conduct phishing campaigns. All that is needed is a modicum of technical expertise and the ability to send emails. The actual phishing kits that are loaded onto websites to harvest credentials do not need to be created from scratch, as they can simply be purchased on hacking forums and dark net websites. A potential phisher only needs to pay for the kit, which typically costs between $20 and $1,000, then host it on a website, and send emails, SMS messages, or instant messages to direct users to the website.
The ease of obtaining a phishing kit makes this this method of attacking businesses simple. All that is needed is a plausible lure, and many people will disclose their credentials. Figures released by security awareness training companies show just how frequently employees fall for these scams. Around 30% of phishing emails are opened by recipients, and 12% of those individuals either open attachments or click hyperlinks in emails.
One 2020 study, conducted on 191 employees of an Italian company, showed no significant difference between employees’ demographics and susceptibility to phishing. Anyone can fall for a phishing scam. Interestingly, that study, published by the Association for Computing Machinery, also found that while the employees believed their security awareness training had been effective, it did not appear to have any effect on their susceptibility to phishing attacks.
Phishing is popular with cybercriminals, it is one of the easiest scams to perform, and it is often successful and profitable. Security awareness training will help to prepare employees and, if performed properly, regularly, and with subsequent phishing simulations to reinforce the training, can help to reduce susceptibility, but what is most important is to ensure that phishing emails do not land in inboxes where they can be opened by employees.
To block the phishing emails at source you need an advanced email security solution. Many email security solutions are heavily reliant on blacklists of IP addresses and domains that have previously been used for phishing and other malicious activities. Along with SPF, DKIM, and DMARC to identify email impersonation attacks, it is possible to identify and block around 99% of phishing emails.
However, to block the remaining 1% without also miscategorizing genuine emails as potentially malicious requires more advanced techniques. SpamTitan achieves independently verified catch rate of 99.97%, which is due to standard anti-phishing measures coupled with greylisting and machine learning techniques.
Greylisting is the process of initially rejecting a message and requesting it be resent. Since phishers’ mail servers are usually too busy on spam runs, the delay in the message being resent is a red flag. Along with other indicators, this helps SpamTitan catch more spam and phishing emails. Machine learning techniques are used to identify the typical emails that a company receives, which allows deviations from the norm to be identified which raises a further red flag.
In addition to a high detection rate and low false positive rate, SpamTitan is easy to implement and use, and regularly receives top marks in user reviews. SpamTitan has achieved 5 out of 5 on Expert Insights, is the most reviewed and best reviewed email security solution on G2, and is also a top-rated solution on Capterra, GetApp, and Software Advice.
SpamTitan works seamlessly with Office 365 and greatly improves phishing email detection, is priced to make it affordable for small- and medium-sized businesses, and has a much-loved managed service provider offering, allowing MSPs to incorporate highly effective spam and phishing protection into their service stacks.
If you want to improve your defenses against phishing attacks, why not give SpamTitan a try. You can trial the solution for two weeks free of charge, during which time you will be able to try the full product and will have access to full product support, should you need it.
Give the TitanHQ team a call today to find out more!
DNS filtering – or Domain Name System filtering to give it its full title – is a technique of blocking access to certain websites, webpages, and IP addresses. The DNS is what allows easy to remember domain names to be used – such as Wikipedia.com – rather than typing in very difficult to remember IP addresses – such as 126.96.36.199. The DNS maps IP addresses to domain names to allow computers to find web resources.
When a domain is purchased from a domain register and that domain is hosted, it is assigned a unique IP address that allows the site to be located. When you attempt to access a website, a DNS query will be performed. Your DNS server will look up the IP address of the domain/webpage, which will allow your browser to make a connection to the web server where the website is hosted. The webpage will then be loaded. The actual process involves several different steps, but it is completed in a fraction of a second.
So how does DNS Web Filtering Work?
With DNS filtering in place, rather than the DNS server returning the IP address if the website exists, the request will be subjected to certain controls. DNS blocking occurs if a particular webpage or IP address is known to be malicious. The DNS filter will use blacklists of known malicious websites, previous crawls of new websites and web pages, or web content will be assessed in real time if the web page or website has not previously been crawled and categorized. If the website trying to be accessed is determined to be malicious or otherwise violates pre-defined policies, instead of the user being connected to the website, the browser will be directed to a local IP address that displays a block page explaining why the site cannot be accessed.
This control could be applied at the router level, via your ISP, or by a web filtering service provider. In the case of the latter, the user – a business for instance – would point their DNS to the service provider. That service provider maintains a blacklist of malicious webpages/IP addresses and access to those sites is prevented.
Since the service provider will also categorize webpages, the DNS filter can also be used to block access to certain categories of webpages – pornography, child pornography, file sharing websites, gambling, and gaming sites for instance. Provided a business creates an acceptable usage policy (AUP) and sets that policy up with the service provider, the AUP will be enforced. Since DNS filtering is low-latency, there will be next to no delay in accessing safe websites that do not breach an organization’s acceptable Internet usage policies.
Will a DNS Filter Block All Malicious Websites?
Unfortunately, no DNS filtering solution will block all malicious websites, as in order to do so, a webpage must first be determined to be malicious. If a cybercriminal sets up a brand-new phishing webpage, there will be a delay between the page being created and it being checked and added to a blacklist. However, a DNS web filter will block the majority of malicious websites.
The purpose of a web filter is to reduce risk, not eradicate it entirely. Since the vast majority of malicious web content will be blocked, risk can be significantly reduced and there will only be a low chance of a website being accessed that violates your policies.
Can a DNS Filtering Service be Bypassed?
The short answer is yes. Proxy servers and anonymizer sites could be used to mask traffic and bypass the DNS filter. Your DNS filtering service should allow you to easily block access to anonymizer websites and prevent the use of proxy servers and virtual private networks (VPNs). Configuring the DNS filtering service to block access to these services will prevent all but the most determined employees from bypassing the DNS filtering service.
The other key way of bypassing a DNS filtering service is to manually change the DNS settings locally, so it is important for these settings to be locked down. Determined individuals may be able to find a way to bypass DNS filtering, but for most end users, a DNS filter will block any attempt to access forbidden or harmful website content.
There may be a legitimate need to bypass a DNS filtering service. Some DNS content filtering solutions have a feature that allows administrators to temporarily remove content filtering controls. WebTitan Cloud uses cloud keys for this. The cloud key can be issued to a user to bypass content filtering settings for a set time period, such as if research needs to be conducted.
DNS Content Filtering for CIPA Compliance
Schools and libraries in the United States are required to comply with the Children’s Internet Protection Act (CIPA) in order to receive E-rate discounts and qualify for federal grants. There are several requirements of CIPA, one of the most important being to block or filter Internet access to prevent access to images that are obscene, involve child pornography or child abuse, or could otherwise be harmful to minors.
DNS content filtering is the easiest and most cost-effective way of complying with this requirement of CIPA and applying content filtering controls for both wired and Wi-Fi networks. DNS content filtering solutions require no hardware purchases, no software needs to be installed, and they are easy to implement and maintain. DNS content filtering solutions have highly granular filtering controls and allow precision control over content, without overblocking.
DNS Web Filtering Software from TitanHQ
Now you have a better idea about how DNS filtering works, we will introduce you to WebTitan Cloud. WebTitan Cloud is a powerful, easy to implement DNS filtering solution that allows you to filter the internet and block access to malicious content and enforce your acceptable internet usage policies. Being DNS-based, there are no hardware requirements and no software downloads are required. To get started you simply point your DNS to WebTitan, set your filtering parameters through an easy to use web-based interface, and you will be filtering the internet in minutes.
WebTitan Cloud can be used to protect users on and off the network, so it is the perfect choice for protecting remote workers from online threats as well as office staff. The WebTitan DNS web filtering solution – WebTitan Cloud – is a feature-rich, cloud-based solution with a low maintenance overhead and a three-tiered filtering mechanism for maximum granularity. Universally compatible and infinitely scalable, WebTitan Cloud has SSL inspection to provide the highest level of defense against online threats.
WebTitan Cloud can be integrated with multiple management applications (Active Directory, LDAP, etc.) for easier administration. WebTitan can also be remotely configured and adjusted from any Internet-enabled device. An unlimited number of users can be filtering at any time.
Try DNS Filtering Software with SSL Inspection for Free
If you would like to evaluate the benefits of the WebTitan DNS filtering solution in your own environment, please get in touch. Our team of experienced security professionals will answer any questions you have about DNS Internet filtering and guide you step by step through the process of registering for your free trial.
Once you are registered, we will walk you through the process of redirecting your DNS to receive our service. There are no credit cards required, no contracts to sign and no commitment from you to continue with our DNS filtering software once the trial period is over. Simply call us today, and you could be adding an extra level of security to your organization´s web browsing activity within minutes.
WebTitan incorporates an intelligent AI-based component that provides real-time classification of websites for precision control over the content that can be accessed. WebTitan Cloud provides real-time categorization of over 500 million websites, and 6 billion web pages in 200 languages, including coverage of Alexa 1 million most visited websites. Industry leading antivirus is also incorporated to identify and block malware and ransomware threats. A full suite of reports gives you full visibility into the online activities of your employees and any guest users of your network. The reports can be scheduled or run on demand.
These and more features will allow you to block web-based threats and carefully control online activities for only a few dollars per user per year.
Why WebTitan is a Vital DNS Web Security Layer for Your Business
DNS Security Layer – Filter URLs, detect malicious threats, create flexible policies, and more with an API driven DNS security filter
Full Path Detection – Provide analytical credibility to any activity marked as malicious with page and path-level reporting.
User Identification – Assign custom policies to a user or group of users with uniquely identifiable user names.
Scaleable Support – Handle any volume of usage with no latency and receive support from our top-class team.
Reporting – full suite of reports including behavior, trend and security reports.
API Driven – robust API set that allows our MSP customers to easily incorporate WebTitan DNS filtering directly into their existing cloud offering.
URL Filtering – block access to websites known to contain malware.
Remote & Roaming Users – allows off-network roaming by users while continuing to apply their policy.
Content Filtering – highly granular content controls with multiple integration options and comprehensive malware protection.
AI Threat Intelligence – real time AI driven DNS protection from malicious online threats such as viruses, malware, ransomware, phishing attacks and botnets.
What WebTitan Customers Have to Say
“WebTitan is an outstanding tool for most reliable content filtering. The monitoring feature of this specific product is quite unique that totally monitors all the process of online working and also secures all the data. Additionally, its set-up is superb easy and it can be done in just few minutes that save my time and energy as well.” Kristie H. Account Manager
“WebTitan is fairly easy to setup. It is available as a cloud based solution or on prem. You can get as simple or as complicated with your filtering as you like, it will handle most situations with ease. [It] has provided us with a stable web filtering platform that has worked well for us for many years. “Derek A. Network Manager
What 3 things are most important about employee internet access?
Employees need internet access to complete their work duties, but it is essential to develop an acceptable Internet usage policy and get employees to sign it, that policy should be enforced using a web filtering solution, and you should have a sanctions policy for when employees violate the rules.
What is best, a web filtering appliance of cloud-based web filter?
Both options will provide clean, safe Internet access, but cloud-based web filtering does not require the purchase of a costly appliance, it is more flexible and scalable, and there is no patching burden. For SMBs and MSPs, cloud-based web filtering is the easiest and most cost-effective Internet filtering solution.
Does web filtering slow Internet speed?
Some web filtering solutions involve a degree of latency, but a DNS filtering solution will not slow internet speed as all filtering takes place at the DNS lookup stage of a web request before any content is downloaded. Filtering occurs in the same time as it takes to perform a standard DNS lookup so there is no latency.
How can I provide DNS filtering as a managed service as an MSP?
Adding the WebTitan DNS filtering service to your service stack couldn’t be easier. WebTitan is can be set up in minutes, APIs allow easy integration into your existing back office systems, you will be provided with a white label version ready to take your branding, and you can even host the solution in your own environment.
How much does DNS content filtering cost?
There is considerable variation in price between different web filtering solutions. The most expensive solution will not necessarily be the best option for your business. Price depends on contract term, the number of users, and add-ons. TitanHQ’s DNS content filtering solution, WebTitan, typically costs around $1 per user, per month.
COVID-19 presented many new opportunities for cybercriminals, many of which have proven to be highly successful. In the early days of the pandemic, when it became clear that the new coronavirus was spreading beyond the borders of China and concern about the virus grew, cybercriminals switched from their normal phishing campaigns and started adopting COVID-19 lures.
Phishing campaigns were conducting offering advice about the virus, potential cures, and advice as people craved information that was in short supply. Fake COVID-19 tracking apps and websites were set that collected sensitive information or installed malware, and PPE shortages saw fake shops set up offering non-existent supplies. Then there were fake charities, disinformation campaigns, and phishing scams related to job retention schemes, self-employment income support, government coronavirus loans, and fake tax rebates.
The move to remote working due to the pandemic saw hackers targeting vulnerabilities in remote working solutions such as VPNs and throughout 2020, ransomware gangs have been extremely active, especially in Q3 and Q4, 2020 when attacks soared.
As we move into 2021, cybercriminals are likely to continue to exploit the pandemic to steal credentials, access sensitive data, and spread malware and ransomware, so it is important for businesses not to let their guard drop and to continue to ensure that they have appropriate protections in place to block threats.
The Cyber Threat Landscape in 2021
The high level of ransomware attacks in the last quarter of 2020 is likely to continue in 2021. There are no signs that cybercriminals will reduce attacks, as they are still proving to be profitable. The healthcare industry is likely to continue to be targeted, with cyberattacks on pharmaceutical and clinical research firms also extremely likely.
Now that COVID-19 vaccines have been approved and are starting to be rolled out, cybercriminals have yet another opportunity. The vaccine rollout is likely to take many months and it could well be the autumn or later before most people receive the vaccine. Cybercriminals have already adopted COVID-19 vaccine lures to obtain sensitive information and spread malware and ransomware.
These COVID-19 vaccine scams have impersonated the World Health Organization, Centers for Disease Control and Prevention, and vaccine manufacturers, and are likely to increase over the coming weeks and months. Campaigns have been identified in 2021 that impersonate public health authorities and trick users into clicking links and download files that install Trojans when opened.
We are also likely to see the scams offering financial support, virus information, and infection alerts continue, and offers of fake vaccine can be expected over the coming weeks and months.
One vaccine-related scam to be recently identified involved messages sent to businesses asking recipients to click a link to confirm their email in order to receive the vaccine. Clicking the link directed them to a phishing website where Microsoft 365 credentials were harvested.
Since many employees will continue to work from home in 2021 until the risk of infection is reduced, attacks on remote working infrastructure are also likely to continue.
There is good reason to be hopeful in 2021 now that the vaccines are starting to be rolled out, but it is important for businesses not to let their guard down and to ensure that they have adequate protections in place to identify and block current and new threats.
Many scams are conducted via email, as it is the easiest way for cybercriminals to obtain the credentials they need to gain a foothold in business networks. It is therefore important to ensure that email security is up to scratch and an advanced spam filtering solution is in place that can block phishing and malware threats. If it is possible to implement multi-factor authentication, this should be widely used, especially on email accounts and remote access solutions.
Web filtering solutions are an important cybersecurity measure to deploy to block the web-based component of phishing attacks and to prevent malware and ransomware downloads over the internet. Web filters can be used to block access to known malicious websites and restrict access to risky websites, and cloud-based solutions are easy to deploy to protect both office-based and remote workers.
With many employees still working remotely, it is important to provide regular updates on threats and security awareness training on the threats they are likely to face. Patches and software updates should be applied promptly to prevent cybercriminals exploiting vulnerabilities, especially in remote access solutions such as VPNs which are being actively targeted.
Since ransomware attacks are an ever-present risk, ensure your critical data is regularly backed up and test your backups to make sure data recovery is possible in the event of disaster. A good strategy to adopt is the 3-2-1 approach. Make three backups, store on 2 separate media, and make sure one copy is stored on a non-networked device.
The 2021 threat outlook may be bleak, but with preparation and the above solutions in place, it is possible to prevent most attacks, detect attacks in progress, and recover quickly should an attack succeed.
The importance of choosing strong and unique passwords for every account you create has been highlighted by a recent data breach at the music streaming service Spotify. Security researchers identified a database that had been exposed on the Internet which contained the usernames and password combinations of around 300 million individuals. It is unclear where the database came from, although it is likely that it had been amalgamated from data leaks from several major data breaches of online platforms.
Interestingly, within the 300 million-record database was a field stating whether the username/password could be successfully used to login to a Spotify account. According to the researchers, an estimated 300,000 to 350,000 Spotify accounts had been breached.
This breach clearly demonstrates how a data breach at one company can provide the usernames and passwords to gain access to accounts at another. When a username/password is obtained in a cyberattack, it can be used to try to access other accounts that share the same username. A username is often an email address. People may have more than one email address, but there is usually one that is used across most platforms. There is nothing wrong with that of course, but there is a problem with using the same password with that email address on multiple online platforms.
If there is a breach at one platform, the password can be used to access many other accounts. In this example, up to 350,000 Spotify users had reused their password on more than one platform. The Spotify breach victims may well have had several other accounts breached if they used their password on other platforms too.
The credentials to the breached Spotify accounts could easily be sold to anyone who wanted a cheap Premium Spotify account. There have been many reports of passwords being changed to block the real account holder out of their account. The accounts also contain personal information that could be used in further attacks, such as to make convincing phishing emails to obtain the information necessary for identity theft and other types of fraud.
Trying 300 million username and password combinations is a time-consuming process, but that process is automated. An army of bots will work its way through a huge list of username/password combos to see which passwords work. Hackers can also include a list of commonly used passwords against a particular username which will increase the hit rate further. Many people choose easy to remember passwords for their accounts, which are also easy to guess.
The process of trying multiple passwords against a username is called credential stuffing, and it is an effective way of breaching accounts. Recently there have been a swathe of credential stuffing attacks on companies in the retail, travel, and hospitality sectors. One report indicates that out of the 100 billion credential stuffing attacks between July 1, 2018 and June 30, 2020, 64% were on companies in those sectors.
Successful data breaches can result in the theft of hundreds of millions of usernames and password combos. Those credentials could be used on a wide range of different accounts, and since many people reuse passwords from personal accounts for their work accounts – such as Office 365 – one set of Spotify credentials could easily lead to a business Office 365 breach. An Office 365 account is all that is needed to launch further attacks on the company and achieve a more widespread and harmful data breach.
The solution to protecting against credential stuffing attacks is simple. Use a unique, strong password on every different account and use a password manager so you do not have to remember all of those passwords. Just set a very strong password for your password manager, and that means you just have one password to remember.
Businesses also need to take steps to block these attacks and prevent compromised credentials being used to access employee accounts. Multi-factor authentication is a must to block attempts to use stolen credentials to access accounts. Breaching Spotify accounts was easier than on other platforms as Spotify does not yet support multi-factor authentication.
An email security solution such as SpamTitan Cloud is also important for protecting against the email vector in the attacks on businesses. SpamTitan Cloud blocks malicious messages such as phishing attempts and, through outbound email scanning, will help you prevent any compromised mailboxes from being used in more extensive attacks on your organization.
Many companies now allow employees to work from home for at least some of the week. The number of companies allowing remote working increased by 300% from 1996 to 2016, according to a Gallup poll. In 2016, Gallop found that 43% of employees said they spent at least some time working away from their co-workers.
Then came the COVID-19 pandemic, which forced companies to allow virtually their entire workforce to work from home as countrywide lockdowns were introduced. Lockdowns have now been eased and employees are returning to their offices, but many have got used to home working and want to have the option to continue. Since many employers noticed no drop in productivity – some even saw productivity increases – it is likely that some employers will continue to allow employees to work from home if preferred. A study by cartridge People in the UK found 32% of UK office workers were planning to continue to work from home after the lockdown was eased.
Remote Working Increases Security Risks
While productivity may not decrease and employees may be happy with some employees working from home, home working is not without its risks. There are security concerns with remote working. It is harder for IT teams to secure devices and networks when the workforce is spread geographically and are not under the protection of the corporate firewall. With many workers connecting to their corporate networks remotely, it becomes harder to identify malicious connections. It is also much easier for threat actors to attack remote workers who connect to the Internet via consumer-grade routers, which are often never updated and have many security holes.
With office workers, it is easy to check if a request to change bank account information is genuine or other out-of-band request is made. All it takes is a quick visit to the employee’s desk. While phone calls can be made, performing these checks is more time consuming and complicated with remote workers. The pandemic also forced many companies to allow their employees to work remotely using their personally-owned devices, which may lack the security measures implemented on corporate-owned devices.
There are also many distractions in the home that are not present in the office, which can increase the risk of mistakes being made such as responding to a phishing email. Many employees have reported working longer hours during the COVID-19 lockdown and have felt pressured to do so, or at least check their emails outside of standard office hours in an effort to show that they are present and productive.
These long hours and the reduction in true off-time, along with the distractions in the home, can make mistakes more likely. Mistakes are more likely to occur when workers are stressed, tired, or distracted. One recent study conducted by a Stanford University researcher found 47% of employees who fell for a phishing scam were distracted, and 57% of remote workers said they are more distracted working from home.
The boundaries between home and work life become blurred with home working, and there is a tendency for work computers to also be used for personal purposes, especially personal internet access, which further increases risk.
Managing Home Working Security Risks
Remote working is here to stay, but employers have a responsibility to their remote workers and must take steps to ensure that those workers remain productive, do not feel overworked, and to reduce the risk of burnout, cases of which have increased during the pandemic.
Steps must also be taken to ensure that cybersecurity doesn’t suffer. Additional measures should be implemented to reduce the risks associated with home working and with phishing the leading cause of data breaches, taking steps to improve protection against phishing attacks is a good place to start.
It is essential for cybersecurity training to be provided to the entire workforce, but especially remote workers. If workers are not taught how to identify phishing emails, they cannot be expected to spot a phishing email when one lands in their inbox. Training needs to be provided frequently and should include training on the new techniques being used by phishers. Phishing email simulations should also be conducted to identify employees that are susceptible and to single them out for further training.
Anti-phishing solutions need to be implemented to block phishing emails at source. No single solution will provide total protection, so it is best to implement multiple overlapping layers of protection to block phishing and other email-based cyberattacks. If you are using Office 365, you will have Microsoft’s Exchange Online Protection (EOP) protection in place, which is provided free with the license. You should also layer a third-party solution on top of EOP, as many phishing threats bypass EOP. TitanHQ has developed SpamTitan to work seamlessly with Office 365 and complement Office 365 antispam and anti-phishing protections and greatly increasing protection against phishing and social engineering attacks.
Phishing attacks usually have an email and web-based component. Users click links in emails and are directed to malicious websites where credentials are harvested. A web filter will help to protect against the web-based component of the attack by preventing employees from visiting known phishing websites and for blocking malware downloads from the Internet. WebTitan, for example, can be used to protect both office and remote workers with no latency.
These protections will help you to block phishing attacks, but should one succeed and credentials be obtained, multi-factor authentication will help to prevent the credentials from being used to access accounts. Not all MFA solutions are created equal, so it is important to evaluate each solution to ensure it does not affect usability.
It is also important for Virtual Private Networking (VPN) solutions to be used for remote access, but these are not without their weaknesses. VPN software must be kept up to date as vulnerabilities are targeted by threat actors. MFA for VPN logins must also be used. It is also important to log all events and to monitor those logs for signs of compromise and investigate any anomalous behavior.
With these measures in place, employers and employees can enjoy the benefits that come from remote working while effectively managing and reducing security risks.
Phishing is one of the biggest cyber threats faced by businesses and stopping phishing attacks from succeeding can be a big challenge. The purpose of phishing is usually to obtain sensitive information, most commonly employee credentials to email accounts, cloud services, social media accounts, or credit card or banking credentials. This is also achieved through the use of malware that is delivered using phishing emails.
Phishing attacks can take place over the telephone, via text message, social media networks, instant messaging, or any other form of communication, but most commonly the attack vector is email. For a phishing attack to be successful, user interaction is usually required. An employee must be convinced to part with the information that the phisher is targeting, and a wide range of lures are used to encourage that. Social engineering techniques are also used to encourage prompt action to be taken – To respond without really thinking too much about the legitimacy of the request.
At its most basic level, a phishing attack requires little skill and next to no financial outlay; however, many phishing campaigns now being conducted have been carefully crafted, research is conducted on the companies and individuals being targeted, and the websites used to harvest credentials are skillfully created and often carbon copies of the genuine websites that they spoof. Phishing emails often appear to have been sent from a trusted brand or contact, either by spoofing a genuine email address or using a compromised email account.
Some phishing attempts are laughable and are easily identified, others are much harder to identify, with some of the most sophisticated phishing emails virtually indistinguishable from genuine email requests.
As a business, you should take steps to improve your defenses against phishing attacks, as failure to do so could easily result in a malware or ransomware infection, costly data breach, theft of intellectual property, and damage to the reputation of your company.
Tips for Businesses to Improve Their Defenses Against Phishing Attacks
To help you improve your defenses and prevent phishing attacks from succeeding we have listed some of the steps you can take below. No one solution will be totally effective. The key to preventing phishing attacks is to implement overlapping layers of protection. For a phishing attack to succeed, it should be necessary for an attacker to bypass several layers of security.
Use an advanced spam filtering solution
The number one protection against phishing is a spam filter. A spam filter will prevent the majority of phishing and other malicious emails from reaching inboxes where they can be opened by employees. Advanced spam filters such as SpamTitan use many different methods to detect phishing emails. The message body and email headers will be analyzed for the signatures of phishing, blacklists are used to block emails from known malicious IP addresses and domains, and machine learning techniques are used predict the likelihood of a message being malicious. SPF and DMARC is used to block email impersonation attacks, along with greylisting to identify new IP addresses that are being used for phishing.
Provide regular anti-phishing training to employees
Even with an advanced spam filter, some phishing emails will sneak through so it is essential for employees to be trained how to identify phishing emails. They should be taught cybersecurity best practices, the dangers of macros and email attachments, and conditioned not to click on embedded hyperlinks in emails. You need to train your employees and provide regular refresher training sessions. You should also conduct phishing email simulations, otherwise you will not know if your training has been effective.
Implement 2-factor authentication
2-factor authentication requires the use of a second factor in addition to a password to gain access to accounts. In the event of a password being compromised in a phishing attack, without that second factor, it is difficult for the attacker to access the account. Many businesses fail to implement 2-factor authentication, even though it is highly effective at preventing unauthorized account access using stolen credentials.
Implement a web filtering solution
Spam filters are important, but many businesses fail to implement measures to block the web-based component of phishing attacks. A web filter will block attempts by employees to visit known phishing sites when they click links in emails, but also block redirects to phishing websites from general web browsing. Not all phishing attacks involve email. With a web filter in place, any attempt to visit a known malicious website will see that attempt blocked.
Make sure you patch promptly and update your software
Phishing emails are not always concerned with getting employees to disclose their credentials, oftentimes the aim is to simply get them to click a link in an email and visit a malicious website. Compromised websites are loaded with malicious code that probes for vulnerabilities and exploits those vulnerabilities to silently download malware. After the link is clicked, no further user interaction is required. By patching promptly, these exploits will not work.
TitanHQ has developed two anti-phishing solutions for SMBs and managed service providers (MSPs) serving the SMB market. SpamTitan is a powerful anti-spam solution with advanced features for blocking phishing attacks and is an ideal solution for layering on top of Office 365 to improve your phishing defenses. WebTitan is a cloud-based web filtering solution that prevents employees and guest users from visiting malicious websites. For further information on these solutions, to register for a free trial, or to book a product demonstration, give the TitanHQ team a call today.
The Emotet botnet sprang back to life and started sending large volumes of malicious spam emails earlier this month. The botnet consists of hundreds of thousands of computers that have been infected with Emotet malware and is capable of sending huge spam campaigns.
Emotet malware steals usernames and passwords for outgoing email servers, which are used to send emails from a company’s legitimate email server. This tactic helps to ensure the emails are delivered because the mail servers used to send the messages are trusted. The volume of emails sent from those mail servers is also limited to stay under the radar and avoid detection by security teams.
The emails contain a malicious attachment or a hyperlink that directs the recipient to a website where Emotet malware is downloaded. These malicious sites often change, and most commonly are compromised WordPress sites. The attachments are commonly Word documents with malicious macros, which launch PowerShell commands that download the Emotet payload.
Once installed, Emotet starts sending emails to infect more devices but is also used to deliver other malware payloads, typically a banking Trojan such as TrickBot or QakBot. Both Trojans have been distributed by Emotet malware in the latest campaign.
Emotet is one of the main malware threats, and was the leading malware threat in 2018 and 2019. It is also one of the most dangerous. Infection with Emotet will eventually also see a banking Trojan downloaded, and that Trojan is often used to deliver ransomware.
The Emotet gang targets businesses and uses a wide range of lures in its campaigns. Fake invoices, shipping notices, job applications, and purchase orders are often used. A commonly used tactic used which has proven to be extremely effective is the hijacking of email threads. Emotet uses legitimate email threads and inserts links and attachments. The hijacking of email threads adds credibility to the emails, as it appears that the email is a response to a previous conversation with a known and trusted contact. The response appears to be a follow up on a past conversation.
The latest campaign has seen the Emotet gang adopt a new tactic, one that has not been used before. Emotet has been updated to allow email attachments to be added to the emails, in addition to hijacking email threads. Researchers at Cofense intercepted emails sent by Emotet malware, one of which included a hijacked email thread along with 5 legitimate email attachments, a combination of rich text Files (.rtf) and PDFs. The email asked the recipient to “see/review attached”, and a link was included in the body of the email. The attached files were benign, but the link was malicious.
Emotet infections demonstrate quite clearly why it is important to not only filter inbound emails, but to also adopt an email security solution that scans outbound email messages, including outbound emails that are sent internally. Emotet is often spread internally in an organization, so one infected machine often leads to several on the network being infected. These attacks can be incredibly costly to resolve. An Emotet attack on the City of Allentown, PA cost in excess of $1 million to fix.
Spam filtering solutions need advanced threat detection capabilities such as sandboxing to identify malicious attachments, and since emails often change, machine learning capabilities are necessary to identify zero-day attacks – New tactics, techniques, and procedures that have previously not been used.
SpamTitan incorporates all of these advanced threat detection measures and will help to protect you from Emotet and other malware and phishing threats delivered via email. For more information on the capabilities of SpamTitan, to register for a free trial to test the solution, or to book a product demonstration, give the TitanHQ team a call today.
There has been an increase in phishing attacks on remote workers using COVID-19 as a lure over the past few months. Multiple studies suggest the number of COVID-19 related phishing attacks have soared. The anti-phishing training company KnowBe4 placed the rise at about 600% in Q1, 2020, and that rise has continued in Q2.
As was pointed out by Microsoft, the total number of phishing attacks has not increased by any major degree during the COVID-19 public health emergency, as cyber actors have finite capabilities for conducting attacks. What has happened is threat actors have abandoned their standard phishing campaigns and have repurposed their phishing infrastructure and are now using COVID-19 lures, and with good reason.
People crave information about the 2019 Novel Coronavirus, SARS-CoV-2, and COVID-19. There is a thirst for knowledge about the virus, how it infects people, how to prevent infection, and how great the risk is of catching it. With little information available about this new virus, finding out more information required following the news from countries around the world that are involved in research. Unsolicited emails offing important information naturally had a high open rate, so it is no surprise that COVID-19 phishing attacks have increased.
To control the spread of the virus, countries have gone into lockdown, so businesses have had to allow their employees to work from home. The increase in home workers happened very quickly, so businesses did not have the time to prepare properly and that meant new risks were introduced. It is therefore no surprise that there has been an increase in data breaches during the COVID-19 pandemic. Cybercriminals have taken advantage of lapses in security, insufficient staff training, and the vulnerabilities that are introduced when employees are forced to work in an environment that has not been set up remote working.
IT teams have had to rapidly purchase new laptops to allow employees to work outside the office and there has not been time to properly secure those devices. VPN infrastructure was not sufficient to cope with the rapid increase in users. Home networks lack the security of corporate networks, and training employees on working from home securely had to be rushed. In order to allow remote workers to access the data they need, data has had to be moved to the cloud, and that has inevitably resulted in vulnerabilities being introduced. In short, the attack surface has increased considerably, huge numbers of devices are being used outside the protection of the corporate firewall, and new working environments have greatly increased the potential for errors.
Cybercriminals have taken advantage of these new vulnerabilities. Unpatched VPNs and software flaws are being exploited, RDP is being targeted, but phishing and spear phishing attacks offer the easiest way of gaining access to sensitive corporate data and spreading malware and ransomware. Improving phishing defenses is therefore critical.
Important Phishing Defenses for Remote Workers
Improving phishing defenses is one of the most important ways of protecting remote workers, their devices, and the networks and data that they are accessing remotely. Listed below are simple steps you can take to improve security and reduce risk.
Improve Email Security
The easiest way to thwart phishing attacks is to block the emails at source, and that requires a powerful anti-phishing solution. Many businesses have been relying on the standard anti-phishing measures provided with Office 365 – Exchange Online Protection (EOP). EOP is effective at blocking spam and standard (known) phishing attacks, but it is not particularly effective at blocking zero-day threats: New, previously unseen phishing and malware attacks. There have been a great many of zero-day attacks during the COVID-19 lockdown.
They key to improving email security is layered defenses. Adding an extra layer of email security on top of EOP will greatly improve detection rates. It is best not to put all your eggs in one basket and opt for the second (paid) tier of protection offered by Microsoft (Advanced Threat Protection or APT), instead use a third-party dedicated anti-spam and anti-phishing solution that features predictive threat detection and advanced anti-phishing mechanisms to detect zero-day threats. SpamTitan features machine learning, predictive technology, threat intelligence feeds, sandboxing, dual anti-virus engines and more to ensure that zero-day threats are blocked. SpamTitan adds an important extra layer of security, and SpamTitan itself includes layered defenses against phishing attacks.
Implement a Web Filter
Security can be further improved with a web filtering solution such as WebTitan. A web filter adds another layer to your anti-phishing defenses by blocking the web-based component of phishing and malware attacks. If a phishing email does reach an inbox, a web filter can prevent a click on a hyperlink from turning into a data breach. WebTitan provides time of click protection to block attempts by employees to visit malicious websites, such as those used to phish for credentials or distribute malware. WebTitan can be used to block web-based attacks for office and remote workers and allows different controls to be set depending where employees connect to the internet.
Train Staff and Conduct Phishing Simulations
Remote employees need to be trained how to work and access data securely, and that means refresher cybersecurity training should be provided to reeducate employees about cybersecurity best practices. Trai9ning must also be provided on how to work securely from home.
Phishing is the easiest way that employees can be attacked, so they must be trained how to recognize a phishing email. It is also useful to run phishing email simulations on remote workers to find out which employees have taken the training on board and who needs further training. Training can reduce susceptibility to phishing attacks by up to 90%.
Cybercriminals are taking advantage of the 2019 Novel Coronavirus pandemic and are exploiting fear to spread malware and steal data. These tactics many not be new, but these campaigns pose a significant threat in the current climate of global fear and worry.
People are naturally worried about contracting COVID-19 and will be concerned about the wellbeing of their friends and family members. Many people crave new information to help avoid them avoid illness and protect their families. If that information arrives in an inbox, email attachments may be opened, and links clicked to malicious websites.
Even when training is provided to employees and they are taught not to respond to unsolicited messages, open email attachments, or click links in emails from unknown senders, mistakes can still be made. During the COVID-19 crisis, stress levels are high, and this can easily lead to decisions being taken that would not normally be made.
Businesses have been forced to allow their employees to work from home, many of whom are now working in a home environment where there are many distractions. Many people do not have home offices where they can quietly work, and a challenging working environment also makes mistakes more likely. Those mistakes can prove very costly.
Phishing campaigns are being conducted targeting home workers as they are seen as low-hanging fruit and an easy way to gain access to business networks to install malware, ransomware, and steal sensitive data. Several campaigns have been detected that offer important advice on the 2019 novel coronavirus that impersonate authorities on disease control and prevention such as the U.S. Centers for Disease Control and Prevention (CDC), U.S. Department of Health and Human Services, UK National Health Service, and the World Health Organization (WHO). The phishing campaigns are credible, claim to offer important advice, and are likely to be opened by many individuals. These campaigns seek remote access credentials and distribute malware.
Coronavirus maps that display the number of cases per country are being used on many websites, including a legitimate COVID-19 case tracking map on Johns Hopkins University website. One campaign has been detected that uses a carbon copy map and urges users to download a desktop application that allows them to track new cases. The application installs the information-stealing AZORult Trojan. As the COVID-19 crisis has deepened, these phishing and malspam campaigns have increased significantly.
With more people working from home and self-isolating, the risk of malware and phishing attacks has increased significantly. It is therefore important for businesses to make sure that they are properly protected and manage risk. During this difficult time, it is important to provide security awareness training to staff to keep them aware of the threat of cyberattacks and to help them identify malicious messages. Phishing simulation exercises are a useful way of assessing risk and identifying individuals that require further training.
It is also important to implement additional control measure to block attacks at source. There are two main attack vectors being used to target remote workers: Email and the web. Due to the high risk of mistakes by employees it is essential for businesses to have an effective email security solution in place.
The key to improving email security is defense in depth. Layered defenses will greatly improve resilience to phishing and malware attacks. If you are using Office 365 and have yet to augment protection with a third-party email security solution, now is the ideal time. One 2019 study showed that Office 365 protections only block around 75% of phishing attempts. Given the increase in phishing volume, a great many malicious emails will land in inboxes unless protection is improved.
The more time people spend online, the greater the risk. With many workers housebound and self-isolating, online time has increased considerably. Unsurprisingly, the of number of malicious domains being used to distribute malware has increased and drive-by malware attacks have spiked. With corporate laptops being used at home, steps should be taken to limit what employees can do on those laptops. Blocking access to ‘risky’ websites such those distributing pirated TV shows and movies will help to reduce the risk of a malware download, along with controls to prevent the downloading of risky file times such as software installers and executable files.
A web filtering solution will allow you to control the sites that remote employees can access on their corporate laptops and prevent malicious websites from being visited. A cloud-based web filtering solution is the ideal choice as it can be easily implemented to protect all remote workers, without causing any latency issues.
TitanHQ can help you protect your telecommuting workers from email and web-based threats. SpamTitan is a powerful email security solution that compliments Office 365 anti-spam and anti-phishing controls and enhances protection against phishing, spear phishing, and zero-day malware. WebTitan is a cloud-based DNS filtering solution that is simple to implement that allows you to carefully control the online activities of remote employees and block drive-by malware downloads and other web-based threats.
Both solutions can be implemented in a matter of minutes and will greatly improve protection against web and email-based threats. For further information, to book a product demonstration, or to register for a free trial, contact TitanHQ today.
Today there is an increasingly mobile workforce. Workers are able to travel and stay connected to the office and many employees are allowed to work remotely for at least some part of the week. While workers are in the office, security is not a problem for IT departments. Workers connect to the internal network, be that a wired or wireless network, and thanks to the protection of the firewall, their devices and the network are protected. The problem comes when workers move outside the protection of that firewall. Here IT departments struggle to ensure the same level of protection.
When workers are travelling for work or are between the home and the office, they often connect to public Wi-Fi hotspots. Connecting to those hotspots introduces risks. While connected, sensitive information could potentially be disclosed which could be intercepted. Malware could also be inadvertently downloaded. When a connection is made to the work network, that malware could easily be transferred.
Connecting to untrusted Wi-Fi networks is a major risk. These could be legitimate Wi-Fi services provided on public transport, in coffee shops, or city-wide Wi-Fi networks. While these networks may be safe, there is no telling who may be connected to that network. These Wi-Fi networks are often not monitored, and cybersecurity protections may be poor.
There are several possible attack scenarios where an individual could perform malicious acts on users of the Wi-Fi network. One of the biggest risks is a man-in-the-middle attack. In this scenario, a Wi-Fi user will be connected to the network and will believe that they are securely accessing the internet, their email, or even the work network, when the reality is that their connection is anything but secure.
A hacker could be listening in and could obtain information from that connection. Through ARP poisoning, a hacker could trick the Wi-Fi gateway and the user’s device into connecting, and traffic would be routed through the hacker’s device where it is intercepted. An attacker could also create an evil twin hotspot. Here a rogue hotspot is created that closely mimics the genuine hotspot. A Wi-Fi user may mistakenly connect to the evil twin thinking they are connected to the legitimate hotspot. Since the evil twin is operated by the attacker, any information disclosed while connected can be intercepted.
Remote workers must be told never to connect to a Wi-Fi network unless they do so through a VPN than encrypts their data. Employees may forget to connect to their VPN, and if weak passwords are used, even if they are encrypted they could be cracked relatively easily, but with a VPN and password policies, risk will be reduced to a reasonable level.
Wi-Fi networks tend not to have the same protections as corporate networks, so there may be little restrictions on the types of website that can be accessed while connected. To protect remote workers, a DNS filter such as WebTitan should be used.
A DNS filter performs content control at the DNS lookup stage when a user attempts to access the internet. When a web address is entered in the browser, the DNS server looks up the fully qualified domain name (FQDN) and matches it with the IP address of the website. The browser is provided with the IP address and the server is contacted and the content is downloaded. With a DNS filter, before any content is downloaded, it is subject to certain rules. For instance, category-based filtering could be used to prevent adult content from being accessed. An attempt would be blocked before any content is downloaded. Importantly for security, the DNS filter would prevent the user from visiting any known malicious website. A phishing site for instance or a site known to harbor malware. With a cloud-based DNS filtering service, all filtering takes place in the cloud and there is no latency regardless of where the individual is located. DNS filtering protects workers on corporate networks as well as remote workers.
A further control that is useful is an email filtering solution, such as SpamTitan, that incorporates Domain-Based Message Authentication, Reporting, and Conformance (DMARC).
In the event of a user’s email credentials being obtained in a man-in-the-middle attack via a rogue Wi-Fi hotspot, their email account could be accessed by the attacker. Since legitimate credentials are being used, this would not generate any alerts and the attacker could peruse the email account in their own time. If the account is used to send phishing messages, as they often are, DMARC will prevent those messages from being delivered and will alert the company to the issue.
The DMARC element of the spam filter checks the sender’s IP address to make sure it matches the IP on the DNS servers for the sender’s organization to make sure they match. If the IP is not authorized to send messages from that domain, the messages will be rejected or quarantined, and the company would be alerted to the phishing attack. The same is true for spoofing of email addresses.
SpamTitan also includes dual anti-virus engines to identify malware sent via email and sandboxing to help catch previously unknown malware variants that have yet to have their signatures uploaded to AV engines. Any malware sent via email will also be quarantined to keep inboxes free of threats.
If you run a business and allow workers to connect remotely, speak to TitanHQ today to find out more about how you can better protect your remote workers, and your business, from cyberattacks conducted via email and the web.
Our team of highly experienced staff will walk you through the benefits of DNS and spam filtering, can schedule a personalized product demonstration, and will help you get set up for a free trial of SpamTitan and WebTitan. You can then evaluate both solutions in your own environment. Both solutions can be set up and protecting you in a matter of minutes.
The increase in cyberattacks on law firms has highlighted a need for greater security protections, especially to protect against phishing, malware, and ransomware.
According to a recent Law.com report, more than 100 law firms are known to have experienced cyberattacks in the past five years: Cyberattacks that have resulted in hackers gaining access to sensitive information and, in many cases, employee, attorney, and client information.
Investigations such as this are likely to uncover just a small percentage of successful cyberattacks, as many are resolved quietly and are not reported. Many law firms will be keen to keep a cyberattack private due to the potential damage it could do to a firm’s reputation. The reputation of a law firm is everything.
As Law.com explained, there are different data breach reporting requirements in different states. If there is no legal requirement to report the data breaches, they will not be reported. That means that only if reportable information has potentially been compromised will the breach be reported to regulators or made public. It is therefore not possible to tell how many successful cyberattacks on law firms have occurred. However, there has been a steady rise in reported cyberattacks on law firms, as is the case with attacks on other industry sectors. Law.com’s figures are likely to be just the tip of the iceberg.
From the perspective of cybercriminals, law firms are a very attractive target. The types of information stored on clients is incredibly valuable and can be used for extortion. Information on mergers and takeovers and other sensitive corporate data can be used to gain a competitive advantage. Cybercriminals are also well aware that if they can deploy ransomware and encrypt client files, there is a higher than average probability that the ransom will be quietly paid.
Based on the information that has been made public about law firm data breaches, one of the main ways that law firms are attacked is via email. Many of the data breaches started with a response to a phishing or spear phishing email. Phishing allows cybercriminals to bypass even sophisticated cybersecurity protections as it targets a well-known weakness: Employees.
Employees can be trained to be more security aware and be taught how to recognize potential phishing emails, but phishers are conducting ever more sophisticated campaigns and every employee will make a mistake from time to time. That mistake could be all that it takes to compromise a computer, server, or a large part of a network.
One firm contacted for the report explained that it had implemented advanced cybersecurity protections that were undone with a phishing email. The digital security measures it had in place greatly restricted the harm caused, and there was no evidence that the attacker had accessed sensitive information, but the attack did succeed.
In response, the law firm implemented more advanced security protocols, implemented a more aggressive spam filter, multi-factor authentication was used more widely, and it revised its policies and procedures and training. Had those measures been implemented in advance, it may have been possible to block the attack.
The response was to implement more layered defenses, which are critical for blocking modern cyberattacks. Overlapping layers of security ensure that if one measure fails, others are in place to prevent an attack from succeeding.
This is an area where TitanHQ can help. TitanHQ has developed cybersecurity solutions that can fit seamlessly into existing security stacks and provide extra layers of security to block the most common attack vectors. TitanHQ’s email and web security solutions – SpamTitan and WebTitan – provide advanced protection without compromising usability.
Since many clients prefer to communicate via email, it is important for all incoming attachments to be analyzed for malicious code. Extensive checks are performed on all incoming (and outgoing) emails, with SpamTitan able to block not only known malware but also zero-day threats. SpamTitan also includes DMARC email authentication to block email impersonation attacks and sandbox to analyze suspicious files and identify malicious or suspicious activity.
WebTitan provides protection from web-based threats. Most malware is now delivered via the internet, so a web security solution is essential. WebTitan is a DNS filtering solution that protects against all known malicious sites. It is constantly updated in real time through threat intelligence services to ensure maximum protection. The solution provides advanced protection against drive-by downloads and malicious redirects to exploit kits and other malicious sites and provides and important additional layer of security to protect against phishing attacks.
Law firms will no doubt prefer to host their cybersecurity solutions within their own environments or private clouds, which TitanHQ will happily accommodate.
For further information on TitanHQ’s cybersecurity solutions for law firms, contact the TitanHQ team today. Managed Services Providers serving the legal industry should contact TitanHQ’s channel team to find out more about the TitanShield program and discover why TitanHQ is the leading provider of cloud-based email and web security solutions to MSPs serving the SMB market.
Ransomware attacks slowed in 2018 but the malicious file-encrypting malware is back with a vengeance. Ransomware attacks on educational institutions have soared this year, and as the attackers are well aware, these attacks can be extremely profitable.
There have been 182 reported ransomware attacks so far this year and 26.9% of those attacks have been on school districts and higher education institutions. The increase has seen education become the second most targeted sector behind municipalities (38.5%) but well ahead of healthcare organizations (14.8%).
The reason why the number of ransomware attacks on educational institutions, healthcare, and municipalities is so high compared to other sectors is because attacks are relatively easy to perform and there is a higher than average chance that the ransoms will be paid.
Attacks on municipalities mean they can’t access computer systems, and essential services grind to a halt. Police departments can’t access criminal records, courts have to be shut down, and payments for utilities cannot be taken. If hospitals can’t access patient data, appointments have to be cancelled out of safety concerns. In education, teachers cannot record grades and student records cannot be accessed. Administration functions grind to a halt and a huge backlog of work builds up.
Some of the recent ransomware attacks on school districts have seen schools forced to send students home. Monroe-Woodbury Central School District in New York had to delay the start of the school year due to its ransomware attack. If students need to be sent home, there is often backlash from parents – Not only because their children are not getting their education, but childcare then needs to be arranged.
The costs of these attacks are considerable for all concerned. Each day without access to systems costs schools, universities, municipalities, and hospitals a considerable amount of money. Downtime is by far the biggest cost of these attacks. Far greater than any ransom payment.
It is no surprise that even when ransom demands are for tens or hundreds of thousands of dollars, they are often paid. The cost of continued losses as a result of the attacks makes paying the ransom the most logical solution from a financial perspective. However, paying the ransom sends a message to other cybercriminals that these attacks can be extremely profitable, and the attacks increase.
The huge cost of attacks has seen educational institutions take out insurance policies, which typically pay the ransom in the event of an attack. While this is preferable financially for the schools, it ensures that the attackers get their pay day. Some studies have suggested that attackers are choosing targets based on whether they hold insurance, although the jury is out on the extent to which that is the case.
In total, 49 school districts and around 500 K-12 schools have been affected by ransomware attacks this year. While the ransomware attacks on school districts have been spread across the United States, schools in Connecticut have been hit particularly hard. 7 districts have been attacked, in which there are 104 schools.
Prevention of these attacks is key but securing systems and ensuring all vulnerabilities are identified and corrected can be a challenge, especially with the limited budgets and resources of most schools. Cybersecurity solutions need to be chosen wisely to get the maximum protection for the least cost.
A good place to start is by addressing the most common attack vectors, which for ransomware is Remote Desktop Protocol and email-based attacks.
Remote Desktop Protocol should be disabled if it is not required. If that is not possible, connection should only be possible through a VPN. Rate limiting should also be set to block access after a number of failed login attempts to protect against brute force password-guessing attacks.
Email security also needs to be improved. Massive spam campaigns are being conducted to distribute the Emotet banking Trojan, which serves as a downloader for Ryuk ransomware and others. Embedded hyperlinks in emails direct end users to sites where they are encouraged to download files that harbor malware, or to exploit kits where ransomware is silently downloaded.
Advanced spam filters should be deployed that incorporate sandboxing. This allows potentially suspicious email attachments to be checked for malicious activity in a safe environment. DMARC email authentication is also important as it is one of the best defenses against email impersonation attacks. SpamTitan now incorporates both of these measures.
A DNS based content filtering solution is also beneficial as an additional protection against malware downloads and phishing attacks. Not only can the content filter be used to ensure compliance with CIPA, it will prevent end users from visiting malicious websites where ransomware is downloaded.
Email attacks usually require some user interaction, which provides another opportunity to block the attacks. By educating all staff and students on the risks, they can be prepared for when malicious emails arrive in their inboxes and will be conditioned how to respond.
It is often the case that breached entities only implement these measures after an attack has occurred to prevent any further attacks from succeeding. By taking a more proactive approach and implementing these additional security measures now, costly, disruptive attacks can be avoided.
For more information on ransomware defenses such as email and DNS filters for educational institutions, give the TitanHQ team a call today. You are likely to find out that these security measures are far cheaper than you think… and naturally a great deal less expensive than having to deal with an attack.
2017 was a bad year for ransomware attacks, but as 2018 progressed it was starting to look like the file-encrypting malware was being abandoned by cybercriminals in favor of more lucrative forms of attack. Between 2017 and 2018 there was a 30% fall in the number of people who encountered ransomware compared to the previous year, and the number of new ransomware variants continued to decline throughout 2018; however, now, that trend has been reversed.
2019 has seen a sharp increase in attacks. Figures from Malwarebytes indicate there was a 195% increase in ransomware attacks in Q1, 2019 and that increase has continued in Q2. A new report from Kaspersky Lab has shown that not only are attacks continuing to increase, the number of new ransomware variants being used in these attacks is also increasing sharply.
Kaspersky Lab identified 16,017 new ransomware modifications in Q2, 2019, which is more than twice the number of new ransomware modifications detected in Q2, 2018. In addition to updates to existing ransomware variants, Q2, 2019 saw 8 brand new malware families detected.
Kaspersky Lab tracked 230,000 ransomware attacks in Q2, which represents a 46% increase from this time last year. Far from ransomware dying a slow death, as some reports in 2018 suggested, ransomware is back and is unlikely to go away any time soon.
Not only are attacks increasing in frequency, ransom demands have increased sharply. Ransom demands of hundreds of thousands of dollars are now the norm. Two Florida cities paid a combined total of $1 million for the keys to unlock files encrypted by ransomware. Jackson County in Georgia paid $400,000 for the keys to unlock the encryption that crippled its court system, and recently, a massive ransomware attack that impacted 22 towns and cities in Texas saw a ransom demand of $2.5 million issued.
Earlier this year, the developers of GandCrab ransomware shut down their popular ransomware-as-a service offering. They claimed to have made so much money from attacks that they have now taken early retirement. Despite GandCrab ransomware being one of the most widely used ransomware variants for the past 18 months, the shut down has not been accompanied with a reduction in attacks. They continue to increase, as other ransomware-as-a-service offerings such as Sodinokibi have taken its place.
Ransomware attacks are increasing because they are profitable, and as long as that remains the case, ransomware is here to stay. Businesses are getting better at backing up their data but recovering files from backups and restoring entire systems is a difficult, time-consuming, and expensive task. When major attacks are experienced, such as those in Texas, recovering systems and files from backups is a gargantuan task.
Attackers realize this and set their ransom demands accordingly. A $400,000 ransom demand represents a sizable loss, but it is a fraction of the cost of recovering files from backups. Consequently, these sizable ransoms are often paid, which only encourage further attacks. It is for this reason that the FBI recommends never paying a ransom, but for many businesses it is the only option they have.
Businesses naturally need to develop plans for recovering from an attack to avert disaster in the event of ransomware being installed on their network, but they must also invest in new tools to thwart attacks. At the current rate that attacks are increasing, those tools need to be implemented soon, and that is an area where TitanHQ can help.
To find out more about email and web security solutions that can block ransomware and protect your network, give the TitanHQ team a call.
A Google Calendar phishing campaign is being conducted that abuses trust in the app to get users to click malicious hyperlinks.
Cybercriminals are constantly developing new phishing tactics to convince end users to click links in emails or open email attachments. These campaigns are often conducted on organizations using Office 365. Campaigns are tested on dummy Office 365 accounts to make sure messages bypass Office 365 spam defenses.
Messages are carefully crafted to maximize the probability of an individual clicking the link and the sender name is spoofed to make the message appear to have been sent from a known and trusted individual.
Businesses that implement email security solutions that incorporate DMARC authentication can block the vast majority of these email spoofing attacks. Office 365 users that use a third-party anti-phishing solution for their Office 365 accounts can make sure malicious messages are blocked. Along with end user training, it is possible to mount a solid defense against phishing and email impersonation attacks.
A new phishing tactic is being used in an active campaign targeting businesses which achieves the same aim as an email-based campaign but uses a personal calendar app to do so.
Phishing campaigns have one of two main aims – To steal credentials for use in a further attack or to convince the user to install some form of malware or malicious code. This is most commonly achieved using an embedded hyperlink in the email that the user is urged to click.
In the Google Calendar phishing attacks, events are added into app users’ calendars along with hyperlinks to the phishing websites. This is possible because the app adds invites to the calendar agenda, even if the invite has not been accepted by the user. All the attacker needs to do is send the invite. As the day of the fictitious event approaches, the user may click the link to find out more. To increase the likelihood of the link being clicked, the attacker sets event reminders so the link is presented to the user on multiple occasions.
This attack method is only possible with Google Calendar in its default setting. Unfortunately, many users will not have updated their settings after installation and will be vulnerable to Google Calendar phishing attacks.
To prevent these attacks, on the desktop application settings menu click on:
Event Settings > Automatically Add Invitations
Select the option, “No, only show invitations to which I’ve responded.”
Navigate to “View Options”and ensure that “Show declined events” is not checked.
The FBI’s Internet Crime Complaint Center (IC3) has issued a warning about the increasing number of phishing websites using HTTPS.
The green padlock next to a URL once gave an impression of security. Now it is a false sense of security for many internet users.
HTTPS or Hyper Text Transfer Protocol Secure to give it its full name, indicates the website holds a valid certificate from a trusted third-party. That certificate confirms that the website is secure and any data transmitted between the browser and the website will be encrypted to prevent interception in transit.
The public has been taught to look for the green padlock and HTTPS before entering card details or other sensitive information. However, the padlock does not mean that the website being visited is genuine. It only means any information transmitted is secured in transit between the browser and the website.
If you are buying a pair of shoes from Amazon, all well and good. If you are on a website controlled by a cybercriminal, HTTPS only means that the cybercriminal will be the only person stealing your data.
Cybercriminals create realistic phishing webpages that imitate well-known brands such as Microsoft and Google to obtain login credentials or banks to obtain banking information. These phishing pages can be set up on dedicated phishing websites or phishing kits can be added to previously compromised websites. Traffic is then generated to those webpages with an email phishing campaign.
If one of the links in the email is clicked, a user will be directed to a website that requests some information. If the website starts with HTTPS and displays the green padlock, the user may mistakenly believe the site is genuine and that it is safe to disclose sensitive information.
The IC3 alert was intended to raise awareness of the threat from HTTPS phishing and make the public aware of the true meaning of the green padlock and never to trust a website because it starts with HTTPS.
Businesses should take note and make sure they include HTTPS phishing in their security awareness training programs to raise awareness of the threat with employees.
A web filter can greatly reduce the risk of HTTPS phishing attacks, provided the web filter has the capability to decrypt, scan, and re-encrypt HTTPS traffic.
WebTitan provides real-time protection against web-based attacks and uses a constantly updated database of 3 million known malicious sites to block attempts to visit phishing websites. WebTitan is capable of SSL inspection and can inspect HTTPS traffic, block specific applications within a webpage, and display alerts or block sites with fake https certificates.
If you want to improve protection against web-based attacks, contact the TitanHQ team today for more information about WebTitan.