Category Archives: News

S3 Ep1: Ransomware – is it really OK to pay? – Naked Security Podcast

Join us for the first episode in the brand new Series 3 of our Naked Security Podcast.

This week we wonder whether Cybersecurity Awareness Month is a waste of time, explain the concept of “linkless phishing“, ask if it’s ever OK to pay a ransomware demand, and advise what to do when the CEO won’t stop looking at naughty sites.

With Paul Ducklin, Kimberly Truong and Doug Aamoth.

(And thanks to Edith Mudge for our cool new intro and outro music!)


WHERE TO FIND THE PODCAST ONLINE

You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or if you prefer the old-school approach of managing your own podcasts without using an online service or a dedicated app, just drop the URL of our RSS feed into your favourite podcatcher software.

By the way, if you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below. (Yes, you may remain anonymous. And no, we can’t promise to answer everything 🙂)

8 tips to tighten up your work‑from‑home network

Earlier this week, we published an article headlined “If you connect it, protect it.”

The TL;DR version of that article is, of course, exactly the same as the headline: if you connect it, protect it.

Every time you hook up a poorly-protected device to your network, you run the risk that crooks will find it, probe it, attack it, exploit it and – if things end badly – use it as a toehold to dig into your digital life.

Criminals who figure out how to commandeer a vulnerable device inside your network can use that device to map out, scan and attack your laptop – the one you’re using right now to work from home – as if they were right there beside you.

If you’ve ever played around with IoT devices, for example, you’ll probably know that many of them are based on the Linux kernel and the open source system software that typically forms the core of any Linux distribution.

Indeed, even the tiniest and most stripped-down devices often include not only special-purpose software tailored to that device, but also a host of standard Unix command line utilities that are the same as, or very similar to, the tools you will find in any penetration tester’s toolbox.

For example, a device such as a webcam or smart speaker usually doesn’t just contain audio and video processing code.

You’ll probably also find:

  • One or more command shells. Shells such as bash, lash, ash or dash make it easy to run command scripts to automate system management tasks.
  • LAN and wireless configuration programs. Tools such as ifconfig, ip, iwlist and iwconfig make it straightforward to map out and configure network settings.
  • Downloader tools. Programs such as curl and wget can be used not only for downloading files over the internet, but also for uploading stolen data to outside websites, typically with just a single command.
  • Other scripting software. You will often find programming tools such as awk, mawk or gawk, a minimalist scripting language that can be used to write internet clients and servers, as well as for sifting and searching files, all in just a few lines of code.
  • Scheduling tools. Programs such as cron, or an equivalent, make it easy to schedule programs to run at regular times even when no one is logged in, for example to watch out for computers being connected to the network and send back a notification message.
  • Remote access and encryption tools. Many IoT devices include both SSH client and server software such as ssh, sshd or dropbear. These give crooks a way to create secret, encrypted network “tunnels” into and out of your network using software that’s already there.
  • Network and account passwords. Your Wi-Fi password may very well be stored in a plaintext file on the device, such as /etc/wpa_supplicant.conf. Password or authentication tokens for any accounts that the device is hooked up to may be lying around for the taking, too.

Generally speaking, the closer the crooks get to your computer on the internet, the more aggressively they can attack it – and the next best thing to being on your computer already is to be right next door on the same network with their favourite hacking tools preinstalled.

What to do?

By now, it might sound as though you need an enormous range of skills just to figure out where to start, let alone where to finish, in securing your own network to be robust enough for WFH. (ICYMI, that’s short for working from home.)

The good news is that you don’t need the combined practical experience of an IT manager, a tech support guru, a penetration tester and a network engineer.

We’ve come up with eight questions you can ask yourself about devices on your home network, and about the setup of your network, that will help you run a tighter WFH ship.

Think of it as going through your very own Cybersecurity Awareness Month at home:

  • Step 1. Do I actually need this device online? If not, consider removing it from your network. Or if you don’t need it listening in or activated all the time, consider powering it down when you aren’t using it. (Unplugging it from the wall socket is often all you need to do.)
  • Step 2. Do I know how to update it? If not, find out how. If the vendor can’t reassure you about security updates, consider switching products to a vendor that does (and see step 1).
  • Step 3. Do I know how to configure it? Make sure you know what security settings are available, what they are for, and how to set them up (and see step 2).
  • Step 4. Have I changed any risky default settings? Many IoT devices come with remote troubleshooting features turned on, which crooks may be able to abuse. They also often arrive with default passwords set, which the crooks will definitely know. Some routers ship with Universal Plug and Play enabled, which can expose the inside of your network by mistake. Check and change defaults before you make the device live (and see steps 2 and 3).
  • Step 5. How much am I sharing? If the device is hooked up to an online service, familiarise yourself with how much data the device is sharing, and how often. You may be happy to share some data, but never feel squeezed into turning all the options “to the max” (and see steps 3 and 4).
  • Step 6. Can I “divide and conquer” my network? Some home routers let you split your Wi-Fi into two networks that can be managed separately. This is useful if you are working from home because it means you can put your home IoT devices on a “guest” network and your work computers such as laptops on another (and see steps 1, 2, 3, 4 and 5).
  • Step 7. Can I turn on “client isolation”? Some home routers have an option known as client isolation that shields devices on the network from each other. This reduces the risk of a security hole in one device being used to attack other computers “from inside” (and see steps 1, 2, 3, 4, 5, and 6).
  • Step 8. Do I know whom to turn to if there’s a problem? If your work has an IT department or offers access to tech support, make sure you know where to report anything suspicious. Ask them what information they are likely to need and provide it at the outset, in order to speed up the process.

By the way, if you’re an IT department looking after remote workers, make it easy for your less-technical colleagues to reach out for cybersecurity advice, or to report suspicious activity, and take the attitude that there’s no such thing as a stupid question, only a stupid answer.

In our experience, most employees are ready and willing to do the right thing when it comes to cybersecurity – after all, if they get hacked while WFH then their own digital life is at risk along with the company’s.

Set up an internal email or telephone reporting line where users can easily and efficiently report possible attacks, and get the whole company to be the eyes and ears of the security team!

SOPHOS FIREWALL HOME EDITION – 100% FREE

If you’re a techie, or have willing techie friends to help you set it up, you can run the Sophos XG Firewall Home Edition 100% free as your own secure home network gateway. You will need to provide your own virtual machine or a dedicated computer (a recent but retired laptop might do the trick for you) but you get all the product features for free, including email filtering, web filtering, a home VPN, and more. It’s an industrial-strength cybersecurity product for free at home.


Naked Security Podcast – we’re back for Series 3!

We’re back! Series 3 of the Naked Security Podcast will be out this week.

Tune in on Thursday 8 October 2020 (that’s this Thursday) for Episode 1.

I’m back on the show, joined for Series 3 by my colleagues Kimberly Truong and Doug Aamoth.

As usual, we won’t just be reporting the latest cybersecurity incidents, we’ll take an expert look at how they happened, and why.

And, as always, we’ll tell you what to do in order to avoid having bad things happen to you!

SERIES 3 EPISODE 1 – COMING THURSDAY 8 OCTOBER 2020


You can listen to us on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher, Overcast and anywhere that good podcasts are found.

Or if you prefer the old-school approach of managing your own podcasts without using an online service or a dedicated app, just drop the URL of our RSS feed into your favourite podcatcher software.

By the way, if you have any questions that you’d like us to answer on the podcast, you can contact us at tips@sophos.com, or simply leave us a comment below. (Yes, you may remain anonymous. And no, we can’t promise to answer everything 🙂)


Gone phishing: workplace email security in five steps

David Mitchell, Senior Director of Email Product Management at Sophos, shares his top tips to optimize workplace email security.

How many work emails have you sent and received today? Despite the rise of workplace chat and instant messaging apps, for many of us email continues to dominate business communications both internally and externally.

Unfortunately, email is also the most common entry point for cyberattacks – sneaking malware and exploits into the network, and credentials and sensitive data out.

Email security threats: the new and the enduring

The latest data from SophosLabs shows that in September 2020, 97% of the malicious spam caught by our spam traps consisted of phishing emails, hunting for credentials or other information.

The remaining 3% was a mixed bag of messages carrying links to malicious websites or booby-trapped attachments, variously hoping to install backdoors, remote access trojans (RATs), information stealers or exploits, or to download other malicious files.

Phishing remains a frighteningly effective tactic for attackers, regardless of the final objective.

This is in part because the operators behind these campaigns continue to refine their skills and make their campaigns more sophisticated.

A good example is the rise of Business Email Compromise (BEC). No longer confined to poorly spelled or formatted messages pretending to come from the CEO and demanding the immediate and confidential transfer of significant funds, the latest iterations are subtler and smarter.

The attackers are doing their groundwork before launching the attack. They get to know the business and the target executives, adopting their language style and tone, and sometimes even actual email accounts.

The absence of malicious links or attachments in such emails makes them difficult to detect with traditional security tools.

Scam email picked up by SophosLabs

Attackers have also learned to better mimic web domains and take full advantage of the fact that one in three business emails is now opened on mobile devices.

It is harder to check the source and integrity of a message on a smartphone, and people are more likely to be on the move or distracted and therefore easier prey.

Five steps to secure your organization’s email

With these considerations in mind, here are our five essential steps to secure your organization’s email.

Step 1: Install an intelligent, multi-capability security solution that will screen, detect and block most of the bad stuff before it ever reaches you

To defend your network, data and employees against rapidly evolving email-based attacks your starting point must be effective security software. It is worth considering a cloud-based option that allows for real-time updates, scalability and integration with other security tools for shared intelligence.

To enable your security solution to perform at its best, you also need to set appropriate controls for inbound and outbound emails. For example, do you only scan emails upon receipt or monitor what users are clicking on after they’ve opened the email?

How do you quarantine unwanted emails or those that have failed authentication, and who has the authority to configure or overrule decisions?

This brings me to the second step.

Step 2: Implement robust measures for email authentication

Your organization must be able to verify that an email has come from the person and source it claims to come from. Phishing emails often have spoofed or disguised email addresses and email authentication offers vital protection against them.

Your email security solution should be able to check every incoming email against the authentication rules set by the domain the email appears to come from. The best way to do this is to implement one or more of the recognized standards for email authentication.

The main industry standards are:

  • The Sender Policy Framework (SPF) – This is a Domain Name System (DNS) record in which a domain publishes the IP addresses that are allowed to send email on its behalf. The receiving server checks the IP address of the server delivering an inbound message against that list. If it doesn’t match any of them, the sender address has likely been faked.
  • DomainKeys Identified Mail (DKIM) – This looks into an inbound email to check nothing has been altered in transit. If the email is legitimate, DKIM will find a digital signature linked to a specific domain name attached to the header of the email, and there will be a corresponding public key published in the DNS of the source domain with which the signature can be verified.
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) – This instructs the receiving server not to accept an email if it fails both the DKIM and SPF checks. These checks can be performed individually, but DMARC combines them. It also ensures that the domain authenticated by SPF or DKIM matches (is “aligned” with) the domain in the email’s From: header. DMARC currently provides the best, most widely used approach for authenticating email senders.
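As an added illustration of how the three standards fit together (example code written for this article, not Sophos code or code from the page), here is a simplified SPF and DMARC evaluation in Python. The DNS records, domains and IP addresses are constructed; only ip4:/ip6: SPF mechanisms are handled, DKIM signature verification is assumed to have been done elsewhere and is passed in as a flag, and the organizational domain is approximated as the last two labels rather than looked up via the Public Suffix List.

```python
import ipaddress

# Constructed DNS TXT records for hypothetical domains (assumption: not real DNS data).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; adkim=r",
    "bulk-sender.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(mail_from_domain, connecting_ip):
    """Simplified SPF: handles ip4:/ip6: mechanisms and 'all', each with an optional qualifier.
    (Real SPF also has a:, mx:, include: and redirect=, which are omitted here.)"""
    record = DNS_TXT.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        if mech.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(mech.split(":", 1)[1], strict=False):
                return QUALIFIER[qualifier]
        elif mech == "all":
            return QUALIFIER[qualifier]
    return "neutral"

def org_domain(domain):
    # Assumption: organizational domain = last two labels (real DMARC uses the Public Suffix List).
    return ".".join(domain.lower().split(".")[-2:])

def aligned(header_from_domain, authenticated_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return header_from_domain.lower() == authenticated_domain.lower()
    return org_domain(header_from_domain) == org_domain(authenticated_domain)

def dmarc_policy(header_from_domain):
    record = DNS_TXT.get("_dmarc." + header_from_domain, "")
    if not record.startswith("v=DMARC1"):
        return None
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)

def dmarc_evaluate(header_from_domain, mail_from_domain, connecting_ip, dkim_domain=None, dkim_valid=False):
    """Return (disposition, reason). dkim_valid is the signature-verification result, assumed done elsewhere."""
    tags = dmarc_policy(header_from_domain)
    if tags is None:
        return "accept", "no DMARC record: SPF/DKIM results are advisory only"
    spf_ok = (spf_check(mail_from_domain, connecting_ip) == "pass"
              and aligned(header_from_domain, mail_from_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_valid and dkim_domain is not None
               and aligned(header_from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "accept", "DMARC pass"
    policy = tags.get("p", "none")
    return {"quarantine": "quarantine", "reject": "reject"}.get(policy, "accept"), "DMARC fail, policy p=" + policy

if __name__ == "__main__":
    print(dmarc_evaluate("example.com", "example.com", "192.0.2.10"))           # legitimate relay
    print(dmarc_evaluate("example.com", "example.com", "203.0.113.5"))          # spoofed, SPF fails
    print(dmarc_evaluate("example.com", "bulk-sender.example", "203.0.113.5"))  # SPF passes but is not aligned
```

The third call is the case the alignment rule exists for: the message passes SPF for the domain in the envelope sender, yet it is still rejected because that domain does not match the From: header the recipient sees.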

Step 3: Educate employees on what to look out for

Alert employees who know the warning signs of suspicious emails are an awesome line of defense.

You can implement formal online training, share examples of the latest threats, run tests and show them some standard checks: does the email address look suspicious? Are there unexpected language errors? If it appears to come from an internal colleague, would they normally communicate in this way? Is the inbound email something you were expecting, from someone you know?

As mentioned earlier, some potential red flags are harder to spot when employees are opening the message on a mobile device. One way to address this is to introduce banners that highlight automatically when an email is of external origin even if it is pretending to come from an internal address.

Step 4: Educate employees on what to do when they find something

You need to make it easy for colleagues to report things they’re not sure of. This means providing them with a simple process, like an intranet mailbox for reporting suspicious messages.

The aim is to maximize the number of cases reported. It is never too late to stop further damage, so you should also encourage those who have fallen victim to an attack to come forward.

Step 5: Don’t forget about outbound email

Emails sent from your organization will themselves be assessed by recipients against the authentication methods listed above.

You need to ensure you have robust controls set against your own domain name. This is vital for the integrity of your organization’s communications and brand reputation and to prevent misuse by adversaries.

You may also wish to consider what else you need to monitor and control when it comes to outbound email.

Do you scan for anomalous activity or unusual behavior patterns (like emails sent regularly in the middle of the night to unverified IPs) that could indicate a compromised internal email account or active cyberattack, for example?

Do you scan for and block payment information like credit card details or other customer PII from leaving the network, etc.?
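As an added example of the two kinds of outbound check the questions above describe (written for this piece, not Sophos product code), the following Python runs over a constructed outbound mail log: it flags senders with a regular pattern of night-time sends to destination servers that are not on a known list, and it looks for card numbers in outbound text, using a Luhn check to filter out ordinary reference numbers. The log format, addresses and known-destination list are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed outbound mail log (assumption: not a real product format).
# Fields: timestamp, sender, IP of the receiving mail server, subject line.
OUTBOUND_LOG = """\
2020-10-05T02:13:07 alice@example.com 203.0.113.9 Quarterly figures
2020-10-06T02:14:11 alice@example.com 203.0.113.9 Quarterly figures (2)
2020-10-07T02:12:55 alice@example.com 203.0.113.9 Quarterly figures (3)
2020-10-07T10:30:00 bob@example.com 192.0.2.25 Lunch on Friday?
2020-10-07T11:02:41 carol@example.com 192.0.2.25 Card on file 4111 1111 1111 1111 please update
2020-10-07T11:05:13 dave@example.com 192.0.2.25 Ref 1234 5678 9012 3456 (not a card number)
"""
KNOWN_DESTINATIONS = {"192.0.2.25"}  # constructed: mail servers we routinely deliver to

def parse_log(text):
    entries = []
    for line in text.splitlines():
        ts, sender, dest_ip, subject = line.split(" ", 3)
        entries.append({"time": datetime.fromisoformat(ts), "sender": sender,
                        "dest_ip": dest_ip, "subject": subject})
    return entries

def night_senders(entries, start_hour=0, end_hour=5, min_count=3):
    """Senders with at least min_count messages in the night window to destinations not on the
    known list: the 'emails sent regularly in the middle of the night to unverified IPs' pattern."""
    counts = Counter(e["sender"] for e in entries
                     if start_hour <= e["time"].hour < end_hour
                     and e["dest_ip"] not in KNOWN_DESTINATIONS)
    return {sender: n for sender, n in counts.items() if n >= min_count}

def luhn_ok(digits):
    """Luhn checksum, which every valid payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, optional separators

def find_card_numbers(text):
    """Digit runs that look like card numbers and pass Luhn; this rejects most reference numbers."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def flag_outbound(text):
    entries = parse_log(text)
    findings = [("night-time pattern", sender, n) for sender, n in night_senders(entries).items()]
    for e in entries:
        for number in find_card_numbers(e["subject"]):
            findings.append(("card number in outbound mail", e["sender"], number))
    return findings
```

In a real deployment the body, attachments and envelope recipients would be scanned as well as the subject, and the night-time rule would be tuned per sender rather than with one fixed window.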

These are sensitive areas that are as much about employee awareness and trust as they are about email security. The best place to start is by educating and supporting staff.

Email threats are evolving all the time as attackers take advantage of new technologies and new environments, or simply hone their social engineering tactics. Review your email security regularly and make sure it’s keeping up with both changes in your organization and attacker techniques.

Three more suggestions …

If you’re looking at email security for your workplace, you may like to take a look at:

Sophos Intelix. This is a live threat lookup service that you can use in your own system software and scripts to add high-speed threat detection for suspicious websites, URLs and files. A simple HTTPS-based web API that replies in JSON means you can use Sophos Intelix from just about any programming or scripting language you like. (Registration is free, and you get a generous level of free submissions each month, after which you can pay-as-you-go if you want to do high volumes of queries.)

Sophos Phish Threat. This is a phishing simulator that lets you test out your staff in a sympathetic way, using realistic but artificial scams, so your users can make their mistakes when it’s you at the other end, rather than when it’s a cybercriminal. You can use it for free for 30 days (registration required).

Sophos Email. This is our cloud-based email security solution that blocks phishing imposters, spam, zero-day malware, and unwanted apps.

Naked Security Live – Stay on top of phishing scams

We do a show on Facebook every week in our Naked Security Live video series, where we discuss one of the big security concerns of the week.

We’d love you to join in if you can – just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time. (Note that you don’t need a Facebook account to watch our live streams, although you will need to login if you want to ask questions or post comments.)

It’s usually somewhere between 18:00 and 19:00 UK time, which is early afternoon/late morning on the East/West coast of North America.

For those of you who [a] don’t use Facebook, [b] had buffering problems while we were live, [c] would like subtitles, or [d] simply want to catch up later, we also upload the recorded videos to our YouTube channel.

Here’s last week’s video, where we dissect what we’ve dubbed “clickless phishing”, where the crooks bring a phoney webpage along with them in their phishing emails instead of giving you a link to click.

That means there’s no unusual or obviously bogus domain name to click through to, and no weirdly-issued web security certificate to stand out, and therefore fewer clues to give the crooks away.


Thanks for watching… hope to see you online later this week!

