Watch On-Demand
Learn more about best practices to minimize your exposure to phishing campaigns, which are typically the precursor for credential-based cyber-attacks.
- Phishing trends
- Types of phishing campaigns
- Tell takes of phishing campaigns
- Preventive considerations
- Identity-Centric PAM as a strong failsafe
-
Katy Martin (00:00:10):
On behalf of Centrify, I'd like to welcome you to today's cyber cast, minimizing phishing exposure. My name is Katie Martin, and I will be your host today. Phishing scams and schemes are becoming more creative every day as businesses and individuals are finding themselves the target of new tactics and techniques adding to the risk factors is the fact that a record number of employees are now working from home. This is an environment where workers are more distracted using less secure networks and hardware. And this is the reason why it's so critical that we verify the emails that land in your inbox are trustworthy and safe. In this context, use your education as well as beefing up your organizations. Email security systems are two essential steps that can minimize the exposure to these phishing campaigns. However, considering that most of today's cyber attacks are front ended by phishing organizations need to adapt their cyber security defenses and focus on identity as a new security perimeter to provide our audience with some insights and discuss best practices to prevent, or at least limit your exposure to phishing attacks. We thought it best to hear from a battle test that IT security practitioner, as well as a cybersecurity expert, I'd like to welcome Michelle Ellis information security and compliance manager here at Centrify as well as dr. Torsten George Centrify’s, cybersecurity evangelist, Michelle, and Torsten thank you for being here.
Torsten George (00:01:34):
Hey there. Thank you. I think first of all, I wanted to start off with some recent trends that we have observed to kind of set the foundation for our discussion today. And it’s not just not business as usual for us, because we're coming to you from our living rooms or our home offices, but also threat actors are taking full advantage of these uncertain times. They launch a new wave of cyber attacks and they leverage tactics like phishing. That's the topic that we will talk about today, but also ransomware and credential stuffing. And I think all of us need to keep in mind that the easiest way for cyber attacker to gain access to sensitive data is by really compromising the end user's identity and their credentials and things are even getting worse. If those stolen identities belong to a privileged user who has privileged access, they would therefore really provide the keys to the kingdom. At Centrify, we conducted a research study and 74% of organizations that had experienced a breach said that the source of that breach was anchored around privileged account access.
Torsten George (00:03:03):
And this number really closely aligns with Forrester estimate whereby they say 80% of today's data breaches involve privileged access credentials. And it makes sense, right, by leveraging a trusted identity hackers can really operate undetected and exfiltrate sensitive data without really raising many red flags. And that's really the result why it's not surprising that most of today's cyber attacks are really the results of phishing campaigns. And especially in the current times, we have seen a major spike, 600% increase, in phishing attacks just since February 2020, that's a huge amount, but before we kind of dive more into the details, I wanted to ask Michelle, who's a true practitioner, to help us define what is phishing about so that our audience starts from the same kind of baseline. So Michelle, how would you define phishing?
Michelle Ellis (00:04:13):
So, if we look at the Cybersecurity and Infrastructure Security Agency, or SISA, the department of Homeland Security, they defined phishing as attempts as, whether it's individuals or groups of people, trying try to obtain personal information from unsuspecting users. Oftentimes they'll use social engineering tactics, and they'll try to send messages and make it look like the SMS or email messages coming from a legitimate user organization. They want to get you to click on the link and potentially provide sensitive information or to visit a spoof site. This needs to look like a legitimate website and that website will sometimes have malicious code in it.
Torsten George (00:05:03):
Okay. Very good. Obviously we want to keep this as interactive as possible on it. It's always good to know your audience. So let’s move to the first poll question here. We asked our audience, “how many of you have experienced a phishing attack over the last three months?” And yeah, if you've seen at least one attack, if you've seen multiple attacks, or where you lucky and then didn't face any of these attacks or to be frank, you might have not even noticed an attack, which happens quite often. Asking our audience for the input. So while we're waiting, Michelle, you personally seen any phishing attacks come your way?
Michelle Ellis (00:06:09):
We get a wide variety of them and not just for working emails, but the personal emails. A lot of ones that look like shipping notifications. I've definitely seen a lot of those or COVID financial health. There there've been a lot of them where they look like they're legitimate banks, but they're just fake websites.
Torsten George (00:06:37):
Multiple texts are quite creative. I have to say I got one where somebody leveraged old data breach data. So, they had my old username, my old password, and sent me an email saying, “Oh, we installed malware on your system. And we took compromising pictures of you. And you don't want to share those with your company and your email account.” So, they threatened me to share that information if I would not pay them a ransom $2,000 in Bitcoin, and then they embedded the link. If you don't know how to pay Bitcoin, click on this link. So it was, it was quite interesting combination, but yeah, we see people get very creative. Let's see what our audience kind of you've faced. And we see, obviously this is almost a daily occurrence and then people have to be on their tippy toes here too, to not fall victim to the use attacks.
Torsten George (00:07:40):
We see half of the audience has faced multiple attacks and another 30%, at least one attack. So majority those 13% there have not seen anything yet. Good luck to you, but again, majority. But it's one thing to being attacked. It’s another thing to suffer consequences for it. So, let's follow that up with another poll. What we ask “if you, or your organization really suffered damages from these phishing attacks?” Talking to a friend of mine and we talked in preparation of this webinar and his company suffered a major incident. The attacker gathered information about the whereabouts of the CEO and leveraged that information in the phishing attack and really tricked an employee into spending money that otherwise should have not spent and, and basically send gift cards to the attacker that they consume. And it's just one out of many examples. Let's see what our audience here has experienced. So majority is saying no, not really or not being aware. So that's, that's good news. So some of your security controls might be kicking in there. So that's, that's very encouraging. So, yeah, not too bad.
Michelle Ellis (00:09:38):
And looking at these results, Torsten, are these results in line with what you're seeing across the industry?
Torsten George (00:09:45):
Quite frankly not. Cause we see typically that more than two thirds of a US-based organizations report experiencing successful phishing attacks in 2019. And that's based on this study that Proofpoint conducted, they do that on an annual basis. And quite frankly, the US market has seen more successful attacks than the rest of the world on a global average, the numbers at about 55%. But we also have to keep in mind that a lot of times when we talk about phishing attacks. The first thing comes to mind, Oh, this email has most likely malware attached. That's a myth. Reality is that 86% of email attacks are malware-less.
Torsten George (00:10:49):
So, they're more commonly, no longer doing the shotgun approach, but really are using spearphishing attacks or CEO fraud, impersonation tactics. And, so that's their new ammunition. And, but again, those phishing texts still cause a lot of damage according to the FBI's complaint center. It costs $26 billion in damages on a worldwide basis. And for the US, that meant $10 billion in losses. That's quite significant when you think about this. Well with these numbers in mind, Michelle, maybe you can share with us how cyber criminals are structuring their phishing of texts. I mean, it's not always the same, they're different flavors of it. So why don't you kind of give us an overview of that?
Michelle Ellis (00:11:54):
And I think that you hit on a really important point is that the phishing attacks aren't necessarily about malware. And that's the assumption that a lot of people take is that it's going to have a virus embedded in the email. But a lot of what they're really trying to do is gather information. So, if you look at a very common phishing campaign, such as deceptive phishing, they want to impersonate, pretend to be new package with a shipping notification to get you to log in. They want to pretend to be someone else and have you provide information to them as a trusted party. And you can think of these also as the fake banking emails and also have their spearphishing. These are very targeted attacks. And so they've done some level of research, even if it's to know what your company is about who the executives are in your company, or to do some social engineering to know information about you that way, it seems a little more personal, and it's something that you're more likely to trust.
Michelle Ellis (00:13:04):
CEO fraud, as you touched on is a very big one. And this comes in, like the example that you've provided, whereas, you know, that sense of urgency that you need to help your executive, your CEO, and people will do wire fraud or gift card fraud, or provision somebody with access. Then smishing is another, common one that you'll see. And in some of these cases, it may start out in email as a way to get your mobile number or they'll use social engineering techniques and send me your SMS text messages, and they take different approaches here, partly to get you engaged so that they can lead you down a path to get more information. And other times it's to get you to click a link following and provide information, your login credentials in there.
Torsten George (00:13:59):
Very interesting. And I think it's very important for our audience to also understand in the past email was the primary vehicle for our cyber adversaries to carry out these phishing attacks. Things really have drastically changed over the last year or so. Nowadays, cyber criminals frequently apply phishing techniques outside of the inbox. In 2019, 86% of organization really dealt with social media attacks. I mean, a lot of us spent time on social media. So it's natural that the hackers are following us. Also 84% reported SMS or texts phishing, which you call it out as the smishing. And I see a major increase just this year alone. And 83% even faced voice phishing, meaning calls coming in. And it’s really a time consuming approach, but still a large number of these attacks are now leveraging this technique. And then, at least in 2019, I'm not sure that that will apply this year,
Torsten George (00:15:11):
is that 81% reported USB drops. Obviously, with us now working from home. They might try to throw that into my driveway, but good luck. My son plays basketball there. But we have to keep this in mind. So, if we create a defense strategy that defense strategy cannot solely focused any longer on emails, but really has to extend into these other channels and be aware of that. So obviously it's our intention here, not just to talk about strategies and stuff, but really offer our audience with hands-on tips and tricks and having you here, Michelle, as a practitioner that teaches us security awareness on an annual basis, wanted to see if you can share some of the telltale of phishing campaigns that you see across the board.
Michelle Ellis (00:16:18):
Yeah, absolutely. So, we'll go through a few examples and just for everyone's background, these emails that we're going to look at are a mix of actual, legitimate phishing emails that have been received, as well as some phishing test emails that we have sent out to our internal users. So if you look at this first one and you'll see this is they do have certain telltale signs, especially if you look at information like the sender's email address or if you look at when they have a separate website to email, you'll notice that it's not an expected domain coming from Amazon. And even when they have some email, they looked very good. And if you look at some of the websites that they're asking me to log into, they're impressive, but there are also some very bad ones, but keep in mind that not all phishing email will have the telltale signs of poor grammar and awkward spacing.
Michelle Ellis (00:17:29):
If you give something like this, especially where we're all stuck in shelter in place. And during the times of coverage, we're doing alot more online shopping or deliveries. You may get more emails like this, but keep in mind that, did you sign up with Amazon using your work email? Would you expect to a shipping notification to your work? and if you do receive something like this, the best point of action is instead of clicking on anything in the email is to go directly into Amazon. That's your trusted source, go to the app, go to the website that you know is legitimate, and log in to check for the status of any packages or to see some you did order, something that you forgot on this next one. This is also a spoof email. And you can see also from the sender's email address. Now here, they're taking a different tactic.
Michelle Ellis (00:18:31):
They want you to feel that as you try to order something, and it could not be authorized. And if you hover over the link inside, it will show you that it's going to a different site. It's not going to Amazon. And what this one actually did was they had a spooky login page so that you would input your Amazon credentials and following that they had a food payment page, whether they were asking you to update your payment information. And so again, you know, the best practice is to go directly to the trusted device site or app. And then verify from there, just don't click on any of the links to meet you.
Michelle Ellis (00:19:17):
Now with this one, this is probably what people think of, usually about the awkward grammar, the awkward spacing, that sense of urgency that I need your quick reply ASAP, and it's coming from the studio, right? So, they're preying on your obligation to help the CEO. And they're also praying on the natural human instinct that you want to help people and see what you can do, especially when it's work-related. Some things to notice are going to be the sender's email address. So even if it has that friendly name, that matches your CEO's name, look at the email address and see if that is their legitimate business email. Now if you get something like this and you're uncertain what to do, and you don't want to ignore it, because what if it is legitimate, then the best course of action is to contact that person directly.
Michelle Ellis (00:20:14):
Don't reply to the email, or forward it, just create a branding email and send it to their email address or use your other internal communication methods such as a phone call. If we were in an office, I would say, just walk over and ask them, but try your video conferencing their internal corporate chat tools and ask them, Hey, I got an email from you seemed urgent. Did you really send it? And then if they say yes, then you cannot ask them what they need. But one thing to know, we were furnishing earlier. And if you look at this text message or this email, they're asking for the cell number, and oftentimes this is where they're trying to get you out of corporate email, because it's easier for them to get caught up, especially bending the rules. And they want to get you into your mobile phone so that they can pursue contacting you by text message. And then that's where they might ask you to do wire fraud, send me money or process other transactions.
Michelle Ellis (00:21:21):
And then this last one that we have is, again, preying on your sense of urgency. But this time, what they're really looking at is, Hey, we are changing our it tools and services. Now, if we were all in office, it's much easier to walk over and ask IT, Hey, is this real? Do I really have to do this right now? What is this new tool? But when we're all working remotely, it's a little easier to try to prey on the sense of isolation and what we want to explore us here is remember that you are part of a team. So, the company that you're working with, the team that you work with, reach out to them, and think about what the normal expected communication would be. Would I, me sending you an email saying this is urgent, we've changed services, and I need you to take this action, click this link right away, or would you expect that they would have sent notifications in advance saying we will be changing to the service.
Michelle Ellis (00:22:23):
Here's what to expect. Here's the timeline. And usually it would be a reasonable timeline to allow people to make the adjustments along with their normal working efforts. Other things to notice is, you know, again, the front email is invalid. The sense of urgency, the spacing, but look at who is sent to in this case, they sent you two different variations and he's modified some of it, but we want you to see, they sent it to like John, John D. So, first name, first name, last initial, first name dot last name, all at the same, the name and hear what they're trying to do is spray and hope that they'll hit one of them. And they're banking on the fact that people usually see the email that comes into them. They're not typically looking at who is on the email threads to see that if there was an attempt. Um, the other thing to look at is with the attachment. You know, if they're seeing that you have to go somewhere to look at your security policy, would they be sending it to you as a zip file in an attached email, or would they be pointing you to your internal repository of policy?
Torsten George (00:23:42):
Very good. Thanks for sharing. These insights are very helpful. So, let me try to reflect on your findings briefly. Obviously, a user should apply common sense in all their communications and really focus on kind of six main things. When it comes to identifying potential phishing schemes. The first one is don't post personal data that can be used for social engineering. So, birthdays, travel plans, personal contact information. A lot of times these data sets are being used by the attackers and they're phishing campaigns. As Michelle pointed out, check the sender's email address, but hovering over the “from” address, that's telltale sign. 99% of the cases really immediately points you to that. This is a phishing scam. Obviously don't click on links, rather go to the senders website, as Michelle mentioned.
Torsten George (00:24:53):
An example is Amazon. Well, I have bookmarked my Amazon page. It's far easier, almost quicker to call this up, then clicking on the link and really validate the authenticity of the page indicated in the email. And then when you get an email from a known source, that still seems a little bit funky, very suspicious, contact that, source with a new email, don't click on a reply, don't click on forward, just open a new email window and ask that person. Hey, I received and don't attach that email, just ask that person. I got this awkward email was that you was that your intent and really, or pick up the phone and then really read the email and check for spelling and grammatical mistakes. That was a telltale sign on the past. Attackers have gotten better. Maybe they took some English lessons, but there are some very strange phrases in there.
Torsten George (00:25:57):
And the company names sometimes are not properly spelled. Companies know how to spell the company name. Also, a lot of times when you look, if they use a graphic template, like the first example where we had the Amazon email, a lot of times these logos that they're use are distorted either kind of blurry, or the dimensions are off. And that shows that they tried to manipulate it, logos that they got from the internet. And that's another telltale sign and that really slowed down. Urgency is really what attackers bank on. It forces you not think. It really fuels the attackers and they really heavily rely on those. So sit back, take a breather and revisit the steps that we gave you here before taking any actions. I mean, your CEO can wait five minutes. You will be thankful if you avoided falling victim to a phishing attack. So that's, that's very important to kind of get to it. But so now these were kind of more best practices for the user. What about businesses? Are there any proactive measures, IT security professional, IT should consider to protect their organization, Michelle?
Michelle Ellis (00:27:26):
Oh yes, absolutely. So, organizations should be conducting security awareness training, and as part of security awareness training, they should be just covering some of these techniques that we've talked about on how it's identified phishing emails, because it's such a wide attack vector. Beyond just doing the awareness training. People usually think of all there's this course I have to do. When I start, I have to do it again every year, but we want to build habits and a good way of building these habits is to do phishing simulation or phishing testing internally, this way it gives us way to, you know, if they do click on our link and it tells them gently, here's what you did, here's what you should do moving forward. And it also helps IT have a better gauge of how many people are clicking, which types of emails people are susceptible to so that they can review their own security defenses.
Michelle Ellis (00:28:35):
That ties into having some email protection software, whether it's doing some email filtering or you're looking at your rules. And then with that even stimulation's awareness or email protection software, or any other vendors, when you're bringing in third party web services, we want to make sure that you're doing your own due diligence and doing the security review to see what risks or assess you're introducing into your environment, as well as to understand what types of mitigating controls we should be putting into place. And so, you know, as you called out, it's not just about protecting our users from clicking the link or getting now or from an email, but it's really about looking at a more robust approach. And then keeping in mind that a lot of phishing attempts, they want to gather information, especially your access information on your credentials.
Michelle Ellis (00:29:36):
We definitely recommend implement MFA everywhere. And this is because it's just another factor to help us to prevent—if you did share your credentials is as a result of efficient and link— we have some level of prevention or protection with MFA. And then with that, looking at least privilege, we always want to provision role-based access control, and least privilege, as well as look at the combination of analytics and machine learning, and really understand what type of access each individual needs. And it will also help you recognize any suspicious login activity such as somebody who is logging in at an odd hour or from a different location.
Torsten George (00:30:24):
Very good. So again, active engagement here for us is very important. We wanted to get an assessment and using this poll. What preventative measures is your organization currently deploying? We are waiting for people to vote here. Michelle, we talked about how it's important not just to run your security awareness training sessions once a year or twice a year, but really try to influence the behavior of your users and therefore run simulations. What are the consequences? I mean, I might call somebody out…yeah, you clicked on a simulation, which you should have not done. Are there any consequences?
Michelle Ellis (00:31:31):
When we're talking about with the phishing simulations, I think ultimately, we want to look at it as a learning and growth opportunity. In terms of people who are clicking repeatedly, yes, we do need to start looking at what are your habits? What kind of data do you have access to? Having more one on one training and looking at how we can address the risks that are introduced, if you're a frequent clicker. x
Torsten George (00:32:37):
That's, that's a good way to it. I mean, I have a friend who shared with me his experience, so his company is quite brutal. So, the first time you click on something, you get basically a red screen kind of telling you, Hey, you did a mistake. The second time you will get an invite to meet with IT, as well as your supervisor to sit down, take them through another one on one training. The third time you will be escorted into the room of the CEO and we'll get the pep talk from the CEO. There's no fourth time. The fourth time is your termination letter. So they're quite stringent and very strict, and the way that they structure their simulation program. So every company has different cultures, but I think the approach that you outlined is better because it's really avoids people getting frightened and not to report something that might be a real phishing attack.
Torsten George (00:33:40):
So let's jump here into the results. So security awareness, and that's often mandated by industry standards or of government regulations, are most people are doing that? I'm glad to see 64% are doing phishing simulations. So that number definitely went up over the years. I'm glad to see that. Of course, that's the only way to influence behavior. I'm a little bit surprised email protection software is only at around 69% here. I expected it to be little bit higher there. And then enforcing least privilege also surprising, 61 62%. So glad to see that that people are really using their full arsenal there and really trying to minimize their risk exposure.
Michelle Ellis (00:34:41):
Now, looking at the preventative measures, most of them seem are usually what we would expect, like security awareness, phishing simulation, and called out with least privilege being an unexpected number. And it also seems to be an outlier with what most people think of for phishing protection. Why does privileged access management makes the list in the first place?
Torsten George (00:35:09):
I talked earlier about it that a postmortem analysis shows that 80% of today's data breaches originate at privilege, access abuse. And if that's the case of phishing as only the precursor to these identity credential based cyber attacks up, do you see, it makes a lot of sense to implement privileged access management as a second line or third line of defense. Because we really have to understand there's no a hundred percent protection. When we look at security awareness, there are stats out there that show 38% of people that go through that are no longer falling for phishing text, but the majority still do. And then even if you implement things like secure email gateways, which sometimes are costly but not necessarily effective. There's a study out there that shows that nine out of 10 verified phishing emails, found their way past these perimeter defenses.
Torsten George (00:36:24):
And so, a lot of times when I talk about this and people say, Hey, we have this implemented, why is it not working? So, when it comes to the email gateway, hackers sometimes are quite smart. They're really outsmarting the email gateway by creating a gap in human perception and machine perception, or they're deploying a very agile, rapidly evolving campaign to evade the predictive modeling that is being used in the email gateways. And they're also leveraging identity deception to avoid filtering technology. In the past, we have a couple of examples where we showed particular variations of the senders, but hackers got more sophisticated. So they're no longer necessarily using these old techniques. They have really evolved. And now you can say, well, besides email gateways, I can also have spam filters. I can do, blacklists, whitelists, whatever.
Torsten George (00:37:39):
There are always permutations, especially as it relates to particular bogus domains. And, it's tough to keep up with that. A lot of hackers are also rotating the IP addresses on a global basis. So it's very tough to see a particular pattern and when they're launching, they're fully automated. So they're launching their campaigns in such a frequency and scale that these whitelist/blacklist approaches really fail. And, it's, it's really something — organization have to understand, even if they put these measures into place, there is the need for an in-depth defense strategy. So multiple, multiple layers, basically creating that. And that is really the most successful way.
Michelle Ellis (00:38:38):
You touched on a really important point. If you don't mind, I'd like to jump back into that. You mentioned multiple defense layers and for IT security practitioners, we really have to recognize that we can never be a hundred percent protected. It’s more about having the most layers so that if one layer is penetrated, then we have other layers that we can fall back on and we have other preventative measures. We really need to be looking at it as a risk based approach and taking a collective approach to it. And so, if we're looking at phishing attacks, for example, trying to access, target your access credentials, then we need to look at a next defense layer is focusing on the abuse of those credentials, um, towards, do you have any recommendations for the audience in this context?
Torsten George (00:39:32):
I think an Identity-Centric approach, especially to privileged access management or to security in general, will yield a lot of benefits. Again, if I consider 80% of today's data breaches are associated with that. If I can get technical that I can focus on the remaining 20%, which makes my life easier, I can probably find it, get some sleep at night. So, when, and we have to understand, we're living in a world of zero trust, I'm not talking about not trusting our coworkers or friends, but really, we have checked the knowledge that threat actors most likely already exist in our network. And if that's the case, we have to change our mindset and the old mantra of always trust but verify is really no longer applicable. So, you have to change it to never trust, always verify and enforce least privilege.
Torsten George (00:40:35):
And so, in the context of, of privilege access management, that really means that you have to establish a root of trust and then really grant least privilege, access based on verifying, who's requesting the access, the context of the request, as well as the risk. You talked about risk and that's very important rest of the access environment. And if you do that, you can really minimize the attack surface and improve your audit and compliance of visibility and reduce the risks, the complexity and the cost for your typically a hybrid environment. And so you see this, we call it a race track, but these arebest practices? So when we talk about establishing trust, what it means is that I should enroll my machine, be at a server, be it a workstation. I should enroll that as an identity, an authoritative source, and that can be either like active directory or that can be any IAM tool.
Torsten George (00:41:40):
And once you establish that trust relationship, it's easier to then verify, who's trying to gain access to these resources. And as part of verifying, who, which by the way, is no longer a human, the majority of identities today is non-human. These are applications, machines, API, APIs that are now running in the background, they're gaining access to other microservices. So we have to keep that in mind, that's kind of a blind spot for many organization because they still think identity equal. It's a human being, but it has changed dramatically over the last probably three years. And as part of the verification process, you mentioned earlier as one of the proactive measure, MFA. So here I can really apply MFA and it was dominant for us when, when we went into a work from home mode, when I try to access our network environment at the headquarters, I showed unusual behavior and therefore I was asked to step up authentication and prove that I'm a legit user.
Torsten George (00:42:54):
And obviously a hacker would not have the second sector available that I have. So verifying who is very important. But also again, I'm thinking about in depth defense, it's important, even if somebody would compromise my, my MFA credentials, I now should put everything into context. Let's say I'm a database administrator I'm assigned to look after a particular database. I do that to not have impact on the business every Friday at seven o'clock at night for an hour, that's my service maintenance window. So now suddenly on a Wednesday at noon, I try to log in there. It's obviously causing some suspicion because it's outside of my, typically maintenance window. So now I should take context into account. I should look for instance, my ServiceNow, tickets or any other it tickets, that system that I might use and look, this particular database does that currently has a help desk ticket that would require emergency maintenance work and that type of context I should take into account before granting access.
Torsten George (00:44:05):
And then we talked earlier about the trends that we're seeing. We see right now, not just an uptake and phishing attacks, but there's a 900% uptake and ransomware attacks. So if I use a workstation at home that is network-attached, I even if I use a VPN, which is still network-attached, I'm spreading potentially malicious and infectious data into my network environment and therefore infecting more than my machine. And so we have to think about gaining access from a clean source, from a secure admin environment. And that's something that's propagated both by the NIST, but also Microsoft. And when we talk about the secure admin environment, we're not asking you to, or it, Michelle, I need another workstation that's disconnected from the internet. No, you would say I don't have the budget for it, but rather be smart and use latest technology.
Torsten George (00:45:07):
You use a jump host that allows me via a web browser to have a secure HTTPS connection into a connector a gateway. And from there has targeted access right into the resource and not even like typically done via VPN and to entire sub segment, but really targeted access. So that's, that's another important best practice. And then definitely important grant Least privilege. a lot of times what we still see in many accounts as to their shared accounts. Yeah. It's, I'm sharing with another administrator. I trust them. No, I don't trust them. Because once this credential is compromised, the attacker has ultimate power. So you should start out with zero standing privileges, meaning I can do email, I can do internet. That's all I can do. If I now wanted to gain access to my database, that's assigned to me, I should now elevate my privileged. I should ask for access.
Torsten George (00:46:09):
And nowadays that can be done very easily. I can get a simple message on my smartphone. My supervisor clicks on his smartphone approves, and I have access to it. I should not just give access for infinitive time. I should give excess only for the time it takes for me to do my work. Because once I have privileges, I still want to minimize my exposure. If somebody still would compromise it, in that short period of time, they only have that short time of opportunity. Otherwise, it reverts back to zero standing privileges. So that's important. And then obviously we're living in a very regulated world. So, auditing everything, both for forensic reasons, as well as for governance compliance reason is very important. And here it's really coming down to almost having DVR-like recordings and being able to, when the auditor comes in and says, Michelle, show me what Torsten did two weeks ago.
Torsten George (00:47:12):
Well, you don't have to say, well, come back in three months. Cause it takes me so long to put that piece of the puzzle together. But, but really, let me pull that up. And then what are you specifically looking for? Are you looking for a particular command or a particular timeframe and custom data is indexed? Now you can get to it very quickly and really fulfill your audit requirements. And then last but not least it's about adaptive controls. I mean, our businesses need to be very agile. We have seen that over the last few months, how important that requirement is. Having static security controls in place would be a nightmare for somebody like Michelle. Of course, she would have to go back right now and change all the policies for all of our 200 plus employees to make sure that we will have access from home.
Torsten George (00:48:10):
No, it should be an adaptive control that once you leverage machine learning technology, once the machine recognized, Oh, there's unusual, suspicious behavior. The first time, the second time, I might ask to step up authentication to really verify that the right person is trying to gain access, but then once it becomes usual behavior, I'm know having worked for months from home, that's very usual behavior for me. So, then the control gets adjusted and I'm no longer presented with MFA challenges. But now if I would finally stop traveling again, because it's now in the past, I traveled a lot, but now it would become again, unusual behavior. The next time I would travel, I would get challenged because again, the machine learning technology would pick up on that user behavior. And it's really allowing you to be agile at the same time, providing additional layers of security.
Torsten George (00:49:13):
These are best practices. And we have seen with work with Forrester who run a study for us. If you apply these best practices, what are the best, what are the benefits? And that came back that organizations within three months of applying these best practices, saw a 50% cyber risk reduction. They saw millions of dollars in cost and damage exposure reduction. So, it's not just something that we put on paper, but really companies on a daily basis that follow this best practice approach really yield benefits from that. I highly encourage for people to kind of look at this approach and I mean, we're drinking our own Koolaid. We apply this internally and other organizations take a look at Google, apply the zero trust approach to their identity strategy. And since doing that, they basically have seen 0% successful phishing. And that's a testament that you follow these steps. They're very, very successful.
Katy Martin (00:50:34):
I think that that was a lot of helpful information. I'd like to thank you, Michelle and Torsten. We have a few questions. If we have time towards them, Michelle, can we go ahead and answer some of our audience questions? They will be in the Q and A window.
Torsten George (00:51:23):
Jerry submitted a question “Is CEO fraud the same as whaling?” The answers it's very close. So whaling is senior executives, which obviously also includes the CEO, but yes, it's very similar. The attacker basically, assumes the identity of senior executive of an organization then then tries to learn other senior executives. And quite frankly, statistics have shown that executives are more likely to fall for phishing in a text. So yes, it's, it's very similar. There are slight variations, but comes very, very close to it.
Torsten George (00:52:34):
“Are today's technology still an effective?” And I assume that refers to the slide where we talked about 9 out of 10 cases passing by these defense mechanisms. And we talked about a little bit, then there's even a study out there Google to the study. Whereas, they identified that 68% of phishing attempts have never been seen before and that the average phishing campaign lasts only 12 minutes. And the high frequency, the change of tactics, it's really tough for technology to adapt to that. A lot of them looking for the fingerprints, they're looking for particular pattern. If it doesn't match the pattern that technology cannot capture. Michelle, you, if you have any other kind of viewpoint on that.
Michelle Ellis (00:53:45):
Yeah. I probably shouldn't be excited by that, but it's definitely an interesting challenge because it's always changing and you're always going to see new techniques and approaches. I think it forces us to be better and forces us to keep revisiting what our risks, what our attack vectors, what mitigating controls we need to put in place. And it's really about looking at our security program collectively. We do have another question asking about “Are the threats to electric utilities or other vital systems geared towards penetrating control systems and taking them over, or are they more geared towards getting money from company officials and what a threat actors that he will take down the system unless he has paid a huge ransom?” There, there are a couple of points I'd like to touch on with this question.
Michelle Ellis (00:54:49):
With the last part of it, yes, absolutely. Threat actors look at any leverage that they can, especially when they're trying to solicit money or funding from you. If they have potential, going back to Torsten previous example, where he got a phishing email, where they said “we installed malware and we have some old breached information for you that we're going to provide to you” so that it seems realistic. “Now pay us this money.” They'll do the same thing with organizations and they would threaten to take down systems and they do. But another point to touch on is while we were talking about getting access, and we talked about certain phishing examples where they're trying to solicit money, it's really important to look at the access credentials, because it's not just about that instant gratification to get money. A lot of times you have to think about lateral movement. There are attackers who will try to get your login credentials, and they will sit quietly. And there are some may sit for years, just poking around, trying to not be caught and to see how they can keep increasing their access, keep increasing their permissions. And this is why it's very important to take a holistic approach, look at people's usual behavior, their analytics and provision least privileges point in time.
Torsten George (00:56:35):
I mean, if you're working in the electric utilities space, I don't envy you. Because they have a tough time to attract cyber talent, but more importantly, it's one of the industries that is under constant attacks. I was blessed or probably not, to be part of an incident response team in that industry. And if you really gain full access to what's happening on a daily basis in that industry, it's mind boggling
It’s probably good that the citizens of our country don't know about all these things. Cause I think there would be more concerned about that than COVID-19. And the majority of these attacks are going off to infrastructure. In the last 12 months we've seen an uptick and ransomware attack on that particular industry. But that's the overall trends that read somewhere has been the arsenal of choice for many hackers recently, but it's definitely, if you're working in that industry, it's a very tough job, but again, they're very good industry associations that share information, which is very important, cause hackers typically go after one victim and then move on to next in the same industry segment. And so, sharing with your peers is a great way to kind of minimize your risk exposure.
Torsten George (00:58:22):
We have another question “How does adaptive MFA work? Not just in the same region, but also if you're overseas?” Maybe Michelle, you can talk about, because we employees worldwide and we're using the technology. Do you see any limitations there?
Michelle Ellis (00:58:49):
No. We have personnel around the world and whether you're in the US or international, it works the same. Cases, where you'll find some difference is if you do unexpected travel or you travel to a region for the first time, then you're more likely to be prompted for it. And so what it's going to do is it's going to look at your trends, your behavior, and it's going to analyze based on that.