Part 5 - Cybersecurity awareness

See here for the entire series of posts, if you are just stumbling onto these posts.


As I said in part one, these post are supposed to be helpful in giving you meaningful useful advice to prevent ransomware.


You can add all the security in the world, at the end of the day it is your end-users who either click and download malware or give their credentials to a phishing site. It is our job to help them by either providing education and/or changing their behavior. This makes cybersecurity a team sport. It's a shared responsibility. It was never just a function of IT although many tried (and still do) to make it this way. The more players on your side the better the outcome you will have. You can quite easily increase the size of your team by utilizing cybersecurity awareness.


Cybersecurity awareness is quite possibly the only interaction actual users get from which they could glean a snippet of knowledge that could mean the difference between a ransomware attack and just another deleted email. Awareness training is becoming more common place now (thanks to audits and insurance questionnaires), whereas just as little as three years ago it was next to none existent. As I have mentioned elsewhere in this series, no one solution can or will stop every nasty that tries to get through. Your users could be your last line of defence, and their decision to click on a link or not could be the inflection point that is the difference. That being said,
a recent report from Tessian (the psychology of human error) is indicative of the risks posed by employees and the hackers ability to bypass even the most stringent of email security measures.

9 out of 10 breaches are caused by end user mistakes.


I'll rephrase the above for you.....90% of breaches are caused by user error. 90%. 10% shy of 100%.


Indeed the report makes for dire reading, with 25% or respondents admitting to clicking on a phishing email, with the younger (under 40), and especially males being much more susceptible than any other group. Probably the most eye-popping statistic in the report is this:


11% never think about cybersecurity at work and a further 22% rarely.


Given a combined one third of your workforce never give cybersecurity a second thought something needs to change. What needs to change is how your user population understands the risks that, for whatever reason, make it past the vast layers of security organizations have. Indeed, employees are often called the weakest link, yet they are often the last line of defence in this on-going battle to prevent the cyber criminals for gaining a foothold in your network. It would appear enterprise IT is doing a woeful job at communication and training. That cybersecurity is a shared responsibility needs to be shouted from the hills, and shouted often.

To make matters worse,
a report from KnowBe4 (Security culture report 2021) states that:

An astounding 57% of employees believe they would recognize if their device got hacked.


The above statement is an absurd notion (it's a least an order of magnitude too high, if not two), but to make matters worse only 20% of respondents reported to needing more training. Essentially if the aforementioned results hold true, then is it any surprise that organization after organization falls foul of the cyber criminals?


So how do we overcome this apparent gap in what employees believe they know and what they actually know? Cybersecurity awareness training. Spoiler alert, you simply can't do this alone. You need assistance from one of the above mentioned (or the many not mentioned) to help close the gap. Don't get me wrong, cybersecurity awareness training is no panacea, it is however a good starting point and just moving the knowledge needle 5% is still moving it. So while organizations are embracing it, I see massive room for improvement.


Episode I
Episode IV - A new hope


You may already have a program in place, but even if you do how effective is it if your employees only see it once per year? Not very. So the first step to overcoming these hurdles is to define what you are doing. A once annual 5 minute video is not going to cut it. I know KnowBe4 pretty well so that is what I will cover here, but most providers such as Barracuda Phishline also provide some of these features.  So here's a series of suggestions to add to, replace, or when creating a cybersecurity awareness program:
  • Make sure everyone understands cybersecurity is a team sport. Users can't do it without help from you, and you can't do it without help from the users.
  • Start with education in mind, never blame. If a user thinks that they may have done something to compromise security you want to them to notify you as soon as possible. Using blame is a sure fire way to ensure you will never be notified and this could be the difference between a successful defence and a successful attack.
  • Don't start with a phishing attack simulation. That just leads to huge amounts of animosity. Again. start with education in mind.
  • For new hires, you have to baseline them. You have no earthly idea what they do or do not know. Start every new hire with at least a 45 minute online class. If possible have this tied into your AD new user creation process and on-boarding process. KnowBe4 can do this, simply add a user to a specific AD group and they get added to the correct new employee training on KnowBe4. If you are just starting a program, I strongly suggest *every* employee do a baseline 45 minute class.
  • Every existing employee implement an every 6 month 15 minute refresher. If each time we run the 15 minute class we gain an additional 15% if employee knowledge that's a least a starting point. Build, build, build. Repeat, repeat, repeat. A year between training is simply too long a gap. Cybersecurity is a shared responsibility, and this is the employee's share.
  • Once you've done a 6 month cycle or two, you can do a simulated phishing attack. Again, no blame, no publicizing the results (yes, I've seen this, yes it's really, really bad).
  • Remember, it's no longer just phishing. Your education program needs to include vishing, smishing and all the other cool names for being attacked.
  • Ensure your employee policies and handbooks cover what to do in the event they suspect that have been compromised. And that these are easy to locate. Time is off the essence when a possible compromise is happening. And that these policies align with what you are trying to achieve.

With your first simulated phishing campaign (hint, never offer free money in your campaigns, it could make you famous for all the wrong reasons) you should now have a series of hard facts that you can work on:
  • How many users opened the email?
  • How many users clicked the link?
  • How may users reported that they think this is bad/a test/your all trying to trick them?
  • How many users entered credentials?
  • What your score is relative to others in your industry.

With this in hand you can now target remediation (do some users need to retake the 45 minute course? Do I need to add extra content?) or add in other tools to assist the users. Tools? Yes tools.


A lot of organizations have filters in between the users and their email. Happily rewriting links in email so as to be confusing to a human as possible but hopefully preventing the user from navigating to a malicious web site. Indeed one of the most common ways to spot a phishing email is to look at the target URL. Our additional layers of security have just negated some of the video training your users will do. Fantastic!!!  The good news is that there are tools starting to percolate out that help decipher these seemingly incomprehensible URLs. KnowBe4 have add-in named
Second Chance that for certain desktop email clients that will show the user the actual link they are clicking on. It turns this jibberish behind an email button:

Image:Ransomware Prevention Part 5 - Cybersecurity awareness
Into this warning that decodes the link:


Image:Ransomware Prevention Part 5 - Cybersecurity awareness


Now if someone could make this a universal plugin that also works with web based email, we'd have a winner. Still, it's a start and if you have KnowBe4 there's a good chance you don't know about Second Chance.


Another tool to empower users is
VirusTotal. There are plugins for most browsers that will allow users to self-check worrisome URLs and/or files. IT may not always be available or accessible, the internet  however is. Finally telling user about HaveIBeenPwned is seeing them use it is quite the sight to behold.

Password reuse


Beyond end-user training is end-user education. What they don't know because you didn't tell them can, and often will, hurt you. As I mentioned earlier, the online video how-to's are no panacea. Some don't even touch on password hygiene or reuse. From some truly shocking (not shocking) statistics on passwords, look no further than
the Compaitech Password Statistics page. Some highlights (or more correctly low lights):

Google found that :
  • 52% of users reuse a password some of the time.
  • 13% use the *same* password for *all accounts*
  • Only 35% use a different password for all accounts.

Also present in this page is maybe the most disheartening statistic (again, surprised, not surprised):


IT professional reuse password more than average users (50% vs 39%).


Yet again the IT professionals unerring belief that they are superhuman and immune from the perils that only mere mortals fall for strikes again. How the use of enterprise password managers such as
ManageEngine's Password Manager Pro or Keeper Enterprise is not mandated in every IT department on the planet is beyond me. I'm often stunned by an organization's desire to keep passwords less than or equal to 8 characters (the Windows GPO default). Simply making them longer and requiring a special character can do wonders for password security. An oldie but goodie is this LifeHacker article on passwords. I'll sum it up with this table which outlines the estimated time to brute force a password based on adding on an upper-case and special character vs lower-case only:

Image:Ransomware Prevention Part 5 - Cybersecurity awareness

Yeah, as as IT professional you'll want at least 12 characters for your own passwords, and at least 10 for your end-users. So how does on overcome the perils of password reuse, woeful complexity and overall crappy password hygiene? Multi-factor authentication or MFA. Or 2FA.


MFA is incredibly effective at prevent credential theft.
A 2019 Microsoft study has it as high as 99.9% effective. Given that success rate you would expect almost every organization to have implemented it right? In Wrong. While I admit it can be complex and relatively expensive (much less so that being ransomwared FWIW) just over half of organizations in 2019 have implemented MFA (57%). In fact a 2021 report from the Fido Alliance indicates that 91% of MFA projects are to prevent credential theft.

MFA is reported to be as high as 99.9% effective in reducing credential theft.


So *where* to you do MFA? Well, everywhere, or not. The possible exception is when you are in a trusted location (read on-network, on-LAN). There is little use having MFA enabled in your corporate LAN when accessing Office365 and you already have 12 character strong passwords and SSO is enabled. All you do is piss your users off with little effect to your overall security posture. However when accessing *anything* from outside the LAN you'd want MFA. MFA to VPN. MFA for Office365. MFA for Azure App Proxy. If I'm coming from the outside to the inside (and even if inside is an externally hosted cloud service) you need to require MFA.


Now there are some select users who should be forced to use MFA even when inside the corporate LAN. You. The IT admin. The Domain Admin. The people with the keys to the kingdom. At every logon. At every screen lock. Every time. And your critical servers too. DMZ servers. Proxy servers. Domain controller. Every. Single. Time. How you'd do this is a little complex now that Microsoft foisted Windows Hello on the world (don't use Windows Hello). but would probably involve Cisco Duo, Okta or the like. Why?


IT professional reuse password more than average users (50% vs 39%).


Because you are part of the problem. Now you can be part of the solution.

I often hear MFA is expensive and difficult (I'll give you the latter point), but every Office365 license has the ability to do MFA. Everyone license. Now you'll need something like Azure P1 or P2 (or Duo, or Okta, or any of the other providers of enterprise SSO) to get some of the more useful features such as trusted locations (not requiring MFA for Office365 on the LAN), but it does have it and you can implement it. And you should because a
2019 article from TechRepublic citing a report from Cyren and Osterman Research states that a staggering 40% of enterprises experienced Office 365 credential theft. And if those stolen credentials happen to be the ones you use for AD (because SSO and DirSync) then a users AD credentials have just been compromised. And if said user is a domain admin level of user....yeah, now you can see how these attacks you read about happen. MFA FTW!

40% of enterprises have experienced Office365 credential theft.


Conclusion


Your end-user population can the difference between a ransomware meltdown and none event. Engage them, train them, educate them. After all cybersecurity is a team sport. Build a program, create an internal blog. Because even an incremental increase in knowledge is an increase. And you need all the help you can get.


Finally, roll out MFA. Yes it's difficult. Yes it can be somewhat costly, The the results in decreasing credential theft are simply astounding. Oh, and change your password policies to at least 10 characters with a requirement for a special character.
Darren Duke   |   June 3 2021 05:22:13 AM   |    ransomware  security    |  
  |   Next Document   |   Previous Document

Discussion for this entry is now closed.

Comments (0)

No Comments Found