Scam Feeding Frenzy


Well, coronaviruses have certainly changed our landscape in a very short space of time. Last year I’d only ever read seemingly inconsequential bits and pieces about them. Now it’s impossible not to hear about them all day long.

One thing that hasn’t changed though is that criminals are still ‘crimming’ (yes, that’s a word). In fact they have really upped their game in a big way. It’s almost a feeding frenzy out there at the moment. Every crim, and even nation states, are getting in on the action.
You see, most scams work by getting the victim to act before thinking, and by misdirecting their attention. That is why getting people to click on a malicious link or open an attachment is so easy. All the crim needs to do is find a topic that will get you to click (either a link or an attachment) without thinking.

Now COVID-19 didn’t create this situation, but it is certainly providing very fertile ground for the criminals to operate from. FUD (Fear, Uncertainty and Doubt) is great for getting people to act without their normal caution and forethought. Titles about the virus, or its effects, or the economic impact, or… <insert current FUD topic here>.

But it’s not just FUD topics either. Opportunities for gain and wealth also play on people’s emotions and cause them to defer their normal precautions. “Earn Money from Home”, etc., etc.
Brian Krebs has a good cautionary tale on this last topic in one of his latest articles.

So what should you be telling your staff to do? Well, in an ideal world you’d put all your staff through cyber security training. But the world isn’t ideal, and we are where we are. So let’s look at a few things you can be doing to keep your staff and your data safe in the current situation.

The OODA Loop

The OODA loop is important: it gives people a simple framework to follow. The military use it extensively in pilot training, but we mere mortals can also take advantage of it. OODA stands for:

  • Observe
  • Orient
  • Decide
  • Act

Observe what is going on; Orientate this with what you already know and what the current situation is; Decide on your course of action; Act.

What the criminals want you to do is observe (very fleetingly) and then act, missing out the vital orient and decide steps. To act without thinking. Then it is easier to scam you: to send you to a link that will compromise your computer, or to get you to open an attachment that you would otherwise think twice about.

What to do

So what is it that we can all do? (Please be aware this is a greatly simplified list for a wide and diverse audience. Your case may well be more complex.)

Windows Best Practice

First and foremost, have a good EDR/AV system in place. EDR stands for Endpoint Detection and Response; AV stands for AntiVirus. Basically, EDR is modern AV. But you need something. On Windows systems it’s good to do these big three as an absolute minimum…

  1. Don’t be logged in as an administrator for everyday use. Only log in as an administrator when it is vital to administer the device.
  2. Have macros disabled in Microsoft Office unless critical. If it is critical to use them, restrict where they can run from.
    1. Here’s a great technical guide.
    2. And here’s a good simple one.
  3. Use at least Windows Defender for AV (preferably Defender ATP).
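To check those three on a Windows machine without clicking through dialogs, here is a small audit script. It is an added example, not part of the original post: it reports whether the current account is an administrator, reads the Office macro Trust Center settings (VBAWarnings, the block-macros-from-the-Internet policy and whether Trusted Locations may include network shares) from the registry for Word, Excel and PowerPoint, and asks Defender for its status through Get-MpComputerStatus. The Office registry hive ("16.0", which Office 2016/2019/365 use), the list of apps and the wording of the findings are assumptions; adjust them for your estate.

```python
"""Audit the three Windows minimums the post lists: not running as admin,
Office macros restricted, Defender active.  Added example, not from the post."""
import ctypes
import json
import subprocess
import sys

# Office 2016/2019/365 keep settings under the 16.0 hive (assumption: adjust for older releases).
OFFICE_VERSION = "16.0"
OFFICE_APPS = ("Word", "Excel", "PowerPoint")

# Meaning of the VBAWarnings value behind Trust Center > Macro Settings.
VBA_WARNINGS = {
    1: "enable all macros (dangerous)",
    2: "disable all macros with notification (user can still click Enable Content)",
    3: "disable all macros except digitally signed macros",
    4: "disable all macros without notification",
}


def evaluate_macro_policy(settings):
    """Return findings for one Office app.

    `settings` maps lower-cased registry value names to their data.  Pure
    function, so the rules can be exercised on constructed input on any OS.
    """
    findings = []
    warnings = settings.get("vbawarnings")
    if warnings is None:
        findings.append("VBAWarnings not set; Office defaults to 'disable with notification', "
                        "so a convincing lure still gets macros enabled")
    elif warnings in (1, 2):
        findings.append(f"VBAWarnings={warnings}: {VBA_WARNINGS[warnings]}")
    if settings.get("blockcontentexecutionfrominternet") != 1:
        findings.append("macros in files downloaded from the Internet are not blocked "
                        "(blockcontentexecutionfrominternet != 1)")
    if settings.get("allownetworklocations") == 1:
        findings.append("Trusted Locations may include network shares, widening where macros run")
    return findings


def _read_values(root, path):
    """Return {lower-cased name: data} for every value under one registry key ({} if absent)."""
    import winreg  # Windows-only module, imported lazily
    values = {}
    try:
        with winreg.OpenKey(root, path) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                values[name.lower()] = data
                index += 1
    except OSError:
        pass  # key does not exist
    return values


def read_office_settings(app):
    """Merge per-user settings with the Group Policy hive (policy values win)."""
    import winreg
    settings = {}
    for base in (r"Software\Microsoft\Office", r"Software\Policies\Microsoft\Office"):
        security = "\\".join([base, OFFICE_VERSION, app, "Security"])
        settings.update(_read_values(winreg.HKEY_CURRENT_USER, security))
        trusted = _read_values(winreg.HKEY_CURRENT_USER, security + r"\Trusted Locations")
        if "allownetworklocations" in trusted:
            settings["allownetworklocations"] = trusted["allownetworklocations"]
    return settings


def defender_status():
    """Query Defender through its PowerShell module; None if unavailable (e.g. third-party AV)."""
    command = ("Get-MpComputerStatus | Select-Object AntivirusEnabled, "
               "RealTimeProtectionEnabled, AntivirusSignatureLastUpdated | ConvertTo-Json")
    result = subprocess.run(["powershell", "-NoProfile", "-Command", command],
                            capture_output=True, text=True, timeout=60)
    if result.returncode != 0 or not result.stdout.strip():
        return None
    return json.loads(result.stdout)


def main():
    if sys.platform != "win32":
        sys.exit("this audit reads the Windows registry; run it on the Windows endpoint")
    is_admin = bool(ctypes.windll.shell32.IsUserAnAdmin())
    print("1. Running as administrator:",
          "YES - use a standard account for daily work" if is_admin else "no (good)")
    for app in OFFICE_APPS:
        findings = evaluate_macro_policy(read_office_settings(app)) or ["macro settings look restrictive"]
        for finding in findings:
            print(f"2. {app}: {finding}")
    status = defender_status()
    if status is None:
        print("3. Defender status unavailable: confirm another EDR/AV is installed and running")
    else:
        print(f"3. Defender enabled={status['AntivirusEnabled']} "
              f"real-time={status['RealTimeProtectionEnabled']} "
              f"signatures updated={status['AntivirusSignatureLastUpdated']}")


if __name__ == "__main__":
    main()
```

Run it as the everyday user on the endpoint (`python audit.py`); running it elevated would make the first check meaningless. The registry and Defender parts only work on Windows, but `evaluate_macro_policy` is deliberately a pure function so the rules can be unit-tested anywhere.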

Mac Best Practice

With Macs it’s a little simpler. The threats are the same, but there is far less Mac-focused malware around, so your odds are better. There are still some good rules to follow, though.

  1. As with Windows, don’t be logged in as an administrative user unless necessary.
  2. Make sure your firewall settings are strong. (Mine are maxed out: everything is turned off but the essentials.)
  3. Disable macros in Office if you use it.

Vigilance

Be extra vigilant. Be suspicious of every link and every attachment at the moment (well, always really). If you are at all suspicious, or wondering why you have been sent this (attachment or link), don’t click on it.

  • Ring the sender and check whether it is legitimate, if you are really curious.
  • Or take a screenshot of the details, send it to your security team or IT provider and ask them.
  • Or simply delete it. If it really is critical, the sender will contact you again.
  • But don’t get caught by clicking links unnecessarily.
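One way to look before clicking is to inspect the links in a suspect message rather than following them. The script below is an added example, not something from the original post: it pulls every link out of an HTML email body and lists the usual tells, such as visible text that names one site while the href points at another, a bare IP address as the host, punycode look-alike names, plain http, and a brand name buried in a subdomain. The sample message is constructed, and the heuristics and the "last two labels" idea of a domain are my own simplifications that will miss things; the point is to decide without visiting.

```python
"""Inspect the links in a suspect HTML email without following them.
Added example, not from the post; the sample message below is constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that is itself a URL (scheme optional, path optional).
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)
# Labels that belong at the end of a name; seen earlier they suggest "brand.com.evil.example".
TLD_LIKE_LABELS = {"com", "net", "org", "gov", "edu", "co"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude last-two-labels approximation; enough to spot text/href mismatches."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _shown_host(text):
    """Hostname the visible text claims to lead to, or None if the text is not URL-like."""
    t = text.strip()
    if not URL_LIKE.match(t):
        return None
    if not (t.lower().startswith(("http://", "https://", "www.")) or "/" in t):
        return None  # e.g. "invoice.pdf" is a file name, not a claimed destination
    return urlsplit(t if "://" in t else "//" + t).hostname


def inspect_link(href, text):
    """Return the reasons a link deserves suspicion ([] when nothing stands out)."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    labels = host.split(".") if host else []
    if parts.scheme not in ("http", "https", "mailto", ""):
        reasons.append(f"unusual scheme {parts.scheme!r}")
    if parts.scheme == "http":
        reasons.append("plain http, no TLS")
    if _is_ip_literal(host):
        reasons.append("host is a bare IP address")
    if any(label.startswith("xn--") for label in labels) or any(ord(c) > 127 for c in host):
        reasons.append("internationalised/punycode hostname (look-alike risk)")
    if "@" in parts.netloc:
        reasons.append("user-info before the host hides the real destination")
    if labels[:-2] and TLD_LIKE_LABELS & set(labels[:-2]):
        reasons.append(f"'{host}' buries a brand-style name in a subdomain; "
                       f"the real domain is {registrable_domain(host)}")
    shown = _shown_host(text)
    if shown and host and registrable_domain(shown) != registrable_domain(host):
        reasons.append(f"text shows {shown} but the link goes to {host}")
    return reasons


def inspect_email_html(html):
    """Return {href: reasons} for every link with at least one reason."""
    collector = _LinkCollector()
    collector.feed(html)
    report = {}
    for href, text in collector.links:
        reasons = inspect_link(href, text)
        if reasons:
            report[href] = reasons
    return report


# Constructed sample: two bad links and one genuine one.
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify within 24 hours:</p>
<a href="http://203.0.113.7/secure/login">https://www.mybank.com/login</a>
<p>Or view your statement at
<a href="https://mybank.com.account-verify.example/statement">mybank.com/statement</a></p>
<p>Questions? See <a href="https://www.mybank.com/help">our help centre</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in inspect_email_html(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Feed it the saved HTML source of a message (most mail clients offer "view source" or "save as .eml"); anything it lists is a candidate for the "ring the sender or send it to IT" options above, not for clicking. A clean result is not a clean bill of health, since a well-crafted lure can pass every one of these checks.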

If you do inadvertently click on a link or attachment, here are some warning signs that it may have been malicious…

  • It takes you straight to a login page.
  • It opens a few different sites (seen as URLs flashing in the address bar of your browser) before taking you to where you anticipated it should.
  • You see some windows open on your desktop and then close again quickly. These are likely PowerShell windows if you are on a Windows PC.
  • It just doesn’t look right. (Logos are wrong, the URL seems dodgy, grammar is inconsistent.)
  • Your browser “misbehaves” afterwards (taking you to different sites or crashing unexpectedly).
  • “Odd” things happen on your computer over the next few days/weeks.
    • Files aren’t accessible (encrypted).
    • Screens open without you doing anything.
    • Camera activity lights come on when you aren’t using it, etc.

This is by no means a definitive list. These are just some symptoms that *may* happen.

Be quick to ask for help

If you do inadvertently click on a link or attachment that you think may be dodgy, be quick to call your security response team or IT team. Time is of the essence in these situations. Your security team will be able to help get things going for you again. You won’t be judged. Or if you are, ignore the judgement: you have done the right thing in alerting the response team.

Whatever you do, DON’T just hope that it’s all okay. That could be costly.

If you don’t have a Security Response Team

If by chance your business doesn’t yet have a security response team, try the following…

  • Disconnect from the network.
    • If this is wireless, just turn your wireless off.
    • If you are wired, just remove the network cable.
  • Call someone who can do a scan on your computer for you. Get them to assist.
  • If you don’t have anyone:
    • try downloading Malwarebytes if you are on a PC;
    • run a scan yourself using a virus scanner of your choice.

Conclusion

As I mentioned, it’s a feeding frenzy for criminals out there at the moment. Situations like this seem to bring out both the best and the worst in people. But that doesn’t mean you can’t be safe.

Check back from time to time and I’ll try to keep this post updated, or if you have a specific question, contact us to ask.

Stay safe, and the BIS and Ramtech teams wish you, your families and loved ones safety, health and prosperity.

Culture Eats Process For Breakfast


Creating a “secure” workplace culture.

It is never more true than when it pertains to Cyber Security.

We’ve all heard the saying, “Culture eats Process for breakfast”. In other words, you can have all the processes you want in place, but if the workplace culture doesn’t support the processes happening, they never will.

You can have as many processes in place as you want, but if you have a workplace culture where staff are “shamed”, belittled or intimidated for security indiscretions, welllll… you’ve already lost the battle, I’m sorry to say.

In an environment where staff are in some way belittled for any security-related incident (opening a phishing email, being the object of a targeted attack, getting malware on their workstation or server profile, etc., etc.), most people will do the same thing. They’ll avoid being belittled, of course.

In other words, they’ll try their hardest to cover up the indiscretion. They’ll avoid being associated with any security-related incident at all costs. And why wouldn’t they? They know the “consequences…”

What to do about it.

So what is the alternative? We all know security incidents are bad, right? The media is constantly banging on (mostly inaccurately) about various security incidents: who the latest victim is, or some other sensationalised, inaccurate story.

And of course, everyone hates being the person that clicked on the link in the phishing email, or went to the site infected with malvertising, etc. Even the IT guy who left his company’s website exposed to SQLi or XSS attacks.

But what if we change that culture? What about being rewarded (or at the very least thanked) for finding the spear phishing, clone phishing or whaling email and notifying your staff mates and IT? What if there was a demonstrable benefit to quickly notifying your IT specialists if you suspect your devices have been compromised? What if there was even some sort of game and reward associated with prompt action regarding any security incident?

Now you have what we like to call a warmware firewall: an early warning and detection system to rival the best NextGen, GenIV, AI, [insert other meaningless sales term here] firewall available. Now we have staff and IT motivated to find, report, and help eliminate cyber security threats as soon as they’re detected or even suspected.

So how does this work in practice?

Humans (the warmware ones we’ve already mentioned) are the ideal firewall. They’re self-learning, they possess AI (Actual Intelligence, as opposed to that other sort), and they’re motivated to help naturally as opposed to programmatically.

With some simple and ongoing training, and some motivation (warm fuzzies, financial or otherwise), they’re the perfect resource for building significant resilience into your cyber defense systems.

Example

Here’s an example of how I think this might work, both before and after culture change…

A user inadvertently follows a link in an innocuous-looking (or even obviously dodgy) email.

  • Before culture change
    • User thinks “Last time Bob mentioned something like this the IT guys laughed at him, and everyone else gave him a hard time for being so ‘stupid’. I’m just going to shut up. If it has done any damage, someone else might notice it and it won’t get traced back to me. If it does, I’ll just deny it.”
    • User shuts up and just keeps working, albeit with more perspiration than before.
    • Eventually the IT department finds that nightly backups are getting filled with strange files.
    • Investigation reveals most of the file system has been encrypted and held for ransom.
    • It’s taken so long to discover that the encrypted files have written over all the “good files”.
    • Company is forced to negotiate with cyber criminals to try to recover their encrypted files. Unsuccessfully!
    • Everyone hopes it wasn’t their fault. But it doesn’t really matter, as they probably won’t have jobs next week anyway.
  • After culture change to a security-rewarding culture
    • User thinks “I’d better tell IT and the team straight away!”
    • User immediately logs off, turns the computer off and calls IT.
    • Problem is rectified with very little damage to company infrastructure.
    • User is rewarded with a new Mercedes, or Tim Tams in the fridge [or insert more practical reward of your choice here…] for their quick action saving the company from extinction.

Some things I think staff should be rewarded for…

There’s obviously no point just creating white noise of false positive alerts. We need to encourage staff to be alert to certain (and ever-changing) events to make this system work. But at the top of this list needs to be an end to the victimisation (or vilification) of people for reporting issues.

So if users or staff make a false positive report, use the opportunity to encourage them and maybe even educate them a little on what to look for in the future. But if they alert you or others to a real issue, reward them! It’s the best firewall you’ll ever purchase.

A (very non-exhaustive) rewards list…

  • Users who use good password hygiene…
    • who use a password manager to store their myriad passwords for various sites (we recommend either KeePass or 1Password).
    • who don’t use the same username/password combination on multiple sites.
    • who use complex passwords (16 characters with many different types of characters).
    • who change their passwords regularly.
  • IT people finding vulnerabilities and patching them.
  • Users or IT staff finding unpatched browsers, apps or OSs.
  • IT staff noticing unauthorised devices on their networks.
  • Users finding scams or phishing attempts and alerting others:
    • emails with dodgy attachments
    • emails with suspect links
    • emails from suppliers or contractors that are “unusual or unexpected”
    • AGL electricity bills when you don’t use AGL
    • emails that seem to know a lot about you, from people you don’t know
    • parcel delivery notifications
    • overly amorous offers from unknown people
    • I could go on all day here. The point is, if you find them, let others know that it is suspect, so they may be able to spot it next time.
  • Users notifying management about unusual behaviour (other staff or their own workstation):
    • someone copying large quantities of data to USB drives
    • their own computer behaving unusually after visiting a site (weird pop-ups, etc.)
    • their computer behaving unusually after opening an email or clicking on a link
      • e.g. “Nothing seemed to happen when I opened the document.”
      • “It asked me if I wanted to enable macros.”
      • strange popup windows appearing
      • “It took me to a completely different site than what I was expecting.”
    • finding a file that looks like it has been encrypted, or a file that now has a weird extension
      • e.g. .enc or .locky when it should be .xlsx
  • Users finding that their browser or operating system is out of date or has patches ready to be applied that they think IT may be unaware of.
  • Users finding errors when accessing websites (e.g. “Flash player is out of date”).
  • Users finding your company info in places it shouldn’t be.
  • The list could go on and on. Maybe create your own and share it with us.
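Two of the items above, a file that now has a weird extension such as .enc or .locky where .xlsx is expected, and files that are no longer accessible because they have been encrypted (also listed among the warning signs in the first post), can be checked mechanically rather than waiting for someone to stumble on them. Here is an added example, not from the original post, that walks a folder and flags files whose extension is associated with encryption, whose original extension has another appended, whose contents do not start with the signature their extension promises, or whose bytes are near-random (high entropy). The sample folder and its files are constructed in a temporary directory; the extension list, the 4 KiB window and the 7.9 bits/byte threshold are assumptions to tune for your own data.

```python
"""Flag files that look encrypted or renamed by ransomware.
Added example, not from the post; the sample folder is constructed in a temp dir."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Extensions named in the post plus a few more commonly left behind (assumption: extend for your estate).
SUSPECT_EXTENSIONS = {".enc", ".locky", ".locked", ".crypt", ".encrypted"}
# Leading bytes ("magic") that genuine files of these types start with.
MAGIC = {
    ".xlsx": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".pptx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
}
HEAD_BYTES = 4096        # how much of each file to examine
ENTROPY_THRESHOLD = 7.9  # bits/byte; random data over 4 KiB sits around 7.95, English text around 4-5


def shannon_entropy(data):
    """Bits per byte of `data`: 8.0 is uniformly random, real documents are lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path):
    """Return the reasons a file looks encrypted/renamed ([] if it looks normal)."""
    path = Path(path)
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    ext = suffixes[-1] if suffixes else ""
    if ext in SUSPECT_EXTENSIONS:
        reasons.append(f"extension {ext} is associated with encrypted files")
    if len(suffixes) >= 2 and suffixes[-2] in MAGIC:
        reasons.append(f"original extension {suffixes[-2]} has {ext} appended")
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    expected = MAGIC.get(ext)
    signature_ok = expected is not None and head.startswith(expected)
    if expected is not None and not signature_ok:
        reasons.append(f"content does not start with the {ext} signature")
    # Compressed formats (zip-based Office files, PNG, JPEG) are high-entropy by design,
    # so entropy only counts as an indicator when the file did not prove its type.
    if not signature_ok and len(head) >= HEAD_BYTES:
        entropy = shannon_entropy(head)
        if entropy > ENTROPY_THRESHOLD:
            reasons.append(f"high entropy ({entropy:.2f} bits/byte): content looks encrypted")
    return reasons


def scan_folder(folder):
    """Return {relative path: reasons} for every file with at least one indicator."""
    folder = Path(folder)
    report = {}
    for path in sorted(p for p in folder.rglob("*") if p.is_file()):
        reasons = inspect_file(path)
        if reasons:
            report[path.relative_to(folder).as_posix()] = reasons
    return report


def build_sample_folder():
    """Constructed files mimicking the symptoms in the post; returns the temp folder."""
    folder = Path(tempfile.mkdtemp(prefix="ransom-check-"))
    rng = random.Random(1234)  # deterministic stand-in for encrypted bytes
    noise = bytes(rng.getrandbits(8) for _ in range(HEAD_BYTES))
    (folder / "budget.xlsx").write_bytes(b"PK\x03\x04" + bytes(HEAD_BYTES - 4))  # zip header + padding
    (folder / "budget.xlsx.locky").write_bytes(noise)  # renamed and overwritten
    (folder / "notes.txt.enc").write_bytes(noise)      # .enc where .txt is expected
    (folder / "report.pdf").write_bytes(noise)         # kept its name, contents encrypted
    (folder / "minutes.txt").write_text("Meeting minutes, 3 March. Actions carried over.\n" * 100)
    return folder


if __name__ == "__main__":
    sample = build_sample_folder()
    for name, reasons in scan_folder(sample).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Point `scan_folder` at a shared drive or a user's documents folder and a sudden batch of hits is exactly the "files aren't accessible" symptom worth reporting straight away, before the nightly backup overwrites the good copies. Small files are skipped by the entropy check on purpose: entropy estimates on a few hundred bytes are too noisy to mean anything.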

The bottom line is, let’s stop the pointless practice of shaming staff and users who have either made a mistake or inadvertently done “the wrong thing”, and start rewarding our precious “Warmware Firewalls” for their great work in helping to build the defenses of our businesses.

You have absolutely nothing to lose with this approach.  This is a secure culture.

Contact our office for more information on our Workplace Cyber Awareness programs, or any other cyber security related issues.

Stay Safe
Ross Marston

Business Intelligence Security