QUADSEC security solution package

Individual solutions do not cover the broad spectrum of defence mechanisms required to keep the bad guys out. A holistic approach to cybersecurity needs to work on multiple levels, and our QUADSEC security package covers a significant portion of this.

Over the last few years a second pandemic has arisen, and this time it is something almost intangible for which there is no vaccine. Its origin cannot be pinpointed to a single source, any infection has devastating consequences, and the effort required to cure it is extreme, both financially and mentally.

Of course, I am talking about the tsunami of scams, hacks and phishing attempts that currently floods the internet and very often catches people and businesses off guard. In roughly 95% of the breaches that make the news on an almost daily basis, the weakest link is that attackers were somehow able to obtain credentials, whether through phishing emails that entice people to click on links, cold calling or other methods. The only way to protect ourselves is prevention, by implementing defence systems that cover multiple areas.

So what comprises QUADSEC?

Credentials

Denial of knowledge is a very valuable defence mechanism. If you do not know the password you use on a given website, there is next to no chance that you will ever give it away. Extrapolate that to all the websites and services you use: if one password is leaked or cracked, it does not affect any other account. This can only be achieved with computer-generated passwords of high enough entropy (the amount of randomness in the password, measured in bits) that guessing them would keep an attacker's computers busy for a very long time.

So, how are passwords normally stored on websites? Passwords should not be collected and stored in clear text. Instead, the password is fed into a sort of tumble dryer, a so-called "hashing algorithm". Hashing is one way only: there is no inverse tumble dryer that gives you the original string back when you feed it the hash. One such algorithm is "sha256". Entering the word "password" into that tumble dryer produces the following hash:

5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

The length of the sha256 output is always the same. I can send the entire Gutenberg public domain library through the sha256 tool and I will get a digest of exactly the same length as the one above. If I change only one character in "password", for example to "passw0rd", the entire string changes:

8f0e2f76e22b43e2855189877e7dc1e1e7d98c226c95db247cd1d547928334a9

If someone were able to steal a database of user credentials, they would end up with a list of these hashes, which make no sense to the human eye. The problem, however, is that criminals exploit the fact that humans are notoriously bad at remembering complex things, so we tend to pick things that are easy to remember or simple to type. Passwords like "qwerty123" show up in every password list, and their hashes are already known. For a criminal who has obtained such a user database it is just a matter of putting two and two together, and he can use your credentials. There are lists on the internet with millions of frequently used passwords, in various languages and categories, that attackers use to see if any low-hanging fruit can be picked.

How do the good guys defend against that? When you register your credentials on a website, what normally happens is that your password is prepended or appended with a so-called "salt". This is a randomly generated string, different for every user, whose only purpose is to make the stored hash unique, so that precomputed lists of known hashes no longer match and two users with the same password do not end up with the same hash. Prepending "passw0rd" with, for example, "29417cf9-99f9-438a-857e-6d1f059fbc0e" means the string entered into the tumble dryer is "29417cf9-99f9-438a-857e-6d1f059fbc0epassw0rd", which ends up as the hash

ea50f000de8a878aed92cdb98f0947f2aaed1ad37b5730c463f64222035c2a87

You might think that would then be impossible for criminals to guess, or even to compute with large computer clusters. The problem is that a salt is not a secret: when criminals obtain the user database they most likely obtain the salts along with the hashes, since the two are stored side by side. The salt still does its job of defeating precomputed hash lists, but it does not stop the attacker from simply feeding the salt plus each candidate password from a list into their cracking tool, one user at a time, to see if anything comes out valid. Only when an additional secret is kept outside the database, for example in an encrypted vault, and mixed into the hash do those validation attempts fail, and even that depends on how deep and how long an attacker has been in the system and how much data and how many processes they have been able to access.

So how do we circumvent that?

The main thing is to have your password 1. unique, 2. as long as allowed and 3. as complex as possible. This ensures a few things. Point 1 means it cannot be reused against other websites if one of them gets hacked, and points 2 and 3 ensure that the entropy is as high as possible, so that brute-forcing the original value would take computers an extremely long time. The more effort and resources hackers need to throw at cracking credentials, the less profitable their business becomes.
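To make the hashing, salting and entropy points above concrete, here is an added example in Go. It is not code from this page or from 1Password; the wordlist, the 62-character alphabet and the "stolen database" are constructed for the demonstration, and the salt value is the one used in the text. It shows a precomputed table cracking an unsalted hash with a single lookup, shows that a salt stolen alongside the hash still lets an attacker guess a weak password for that user, and shows that a generated 20-character password is simply not in any wordlist.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math"
	"math/big"
)

// Alphabet for generated passwords: 62 symbols, so each character adds log2(62), about 5.95 bits.
const Alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// Wordlist is a constructed stand-in for the public "most used passwords" lists.
var Wordlist = []string{"123456", "qwerty123", "password", "passw0rd", "letmein"}

// Sha256Hex is the "tumble dryer" from the text: a one-way, fixed-length digest.
func Sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// SaltedHash prepends the salt to the password before hashing, as the text describes.
func SaltedHash(salt, password string) string {
	return Sha256Hex(salt + password)
}

// PrecomputedTable maps unsalted hash -> password. An attacker builds this once, offline.
func PrecomputedTable(words []string) map[string]string {
	t := make(map[string]string, len(words))
	for _, w := range words {
		t[Sha256Hex(w)] = w
	}
	return t
}

// CrackUnsalted recovers a password with a single table lookup: no hashing at attack time.
func CrackUnsalted(leaked string, table map[string]string) (string, bool) {
	w, ok := table[leaked]
	return w, ok
}

// CrackSalted shows why a salt is not a secret: the precomputed table is useless, but an
// attacker who stole the salt next to the hash simply re-hashes every candidate for that user.
func CrackSalted(leaked, salt string, words []string) (string, bool) {
	for _, w := range words {
		if SaltedHash(salt, w) == leaked {
			return w, true
		}
	}
	return "", false
}

// GeneratePassword draws n characters from Alphabet with crypto/rand, avoiding modulo bias.
func GeneratePassword(n int) (string, error) {
	out := make([]byte, n)
	upper := big.NewInt(int64(len(Alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, upper)
		if err != nil {
			return "", err
		}
		out[i] = Alphabet[idx.Int64()]
	}
	return string(out), nil
}

// EntropyBits is the guessing work for a uniformly random password of n characters: n * log2(|Alphabet|).
func EntropyBits(n int) float64 {
	return float64(n) * math.Log2(float64(len(Alphabet)))
}

func main() {
	fmt.Println("sha256(\"password\") =", Sha256Hex("password"))

	// Simulated stolen database without salts: one lookup per user.
	table := PrecomputedTable(Wordlist)
	w, ok := CrackUnsalted(Sha256Hex("passw0rd"), table)
	fmt.Println("unsalted lookup:", w, ok)

	// Same database with the per-user salt stored next to the hash (the salt from the text).
	salt := "29417cf9-99f9-438a-857e-6d1f059fbc0e"
	w, ok = CrackSalted(SaltedHash(salt, "qwerty123"), salt, Wordlist)
	fmt.Println("salted, weak password, salt known:", w, ok)

	// A generated password is in no wordlist; the attacker is left with brute force.
	strong, err := GeneratePassword(20)
	if err != nil {
		panic(err)
	}
	_, ok = CrackSalted(SaltedHash(salt, strong), salt, Wordlist)
	fmt.Printf("salted, generated password (%.0f bits of entropy): cracked=%v\n", EntropyBits(20), ok)
}
```

Run it with `go run`. Plain SHA-256 is used here to match the text, but it is fast by design; a production system should store passwords with a deliberately slow password hash such as bcrypt, scrypt or Argon2, so that every guess in the salted loop costs the attacker far more than a single SHA-256.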

1Password

Password managers like 1Password are designed to generate credentials that are as complex as possible, make them available across multiple devices, keep them safe in encrypted vaults, and warn you when a password is not complex enough, is reused, or has already been seen in a previous breach.

Email phishing and impersonation

About 95% of all scams and breaches have an email phishing campaign as their source. This means that at some stage a victim received an email that looks eerily like an authentic one, clicked on a link and was lured into handing over credentials or personal information that could then be exploited further. Given the sophistication used these days to craft these emails, it is not surprising that the success rate is relatively high once they reach the victim's inbox. Be aware that in most cases you are not a direct target. These scammers operate at a business level, sending out millions of emails a day to a vast number of unsuspecting people, regardless of who you are or what function you have. Anyone can receive these emails, and your inbox can collect a fair few of them in a very short timeframe.

It is therefore of the utmost importance to weed out these emails and prevent them from even reaching your inbox. For someone who simply uses email to do business, dealing with them is at best annoying, let alone the time it takes to determine whether a particular email is legitimate. As a business owner you also cannot expect your employees to read email source headers, as these make no sense to most people anyway. Verifying DKIM signatures and SPF records already sounds like magic to the majority of mankind, let alone doing it by hand as an inexperienced person. Email identification and classification is hard for computers too: you need to "train" algorithms to tell spam, scam and phishing apart from legitimate mail, which requires enough data to teach them, personnel to classify what the algorithms cannot, and then someone to act on the email itself. If you are a sales account manager with a sales target on your back, you do not want to be distracted by these annoying emails polluting your inbox.

Edge filtering

In these cases you need a system that looks at each email, compares it against a massive spam/scam/phishing database, classifies and categorises it, and takes action based on a policy that you set. This includes marking messages as junk, scanning them for viruses, putting them in quarantine and notifying the relevant people, so an informed decision can be made on what to do with them.

Proofpoint

Proofpoint is such a solution. Proofpoint handles around 4 billion (yes, with a b) emails a day from businesses all over the world and does exactly that.

This allows it to constantly monitor changing behaviour in the types and models of email, changes in traffic sources and destinations, email patterns and certain validation characteristics.

As a pre-emptive measure, the links in these emails can also be rewritten so that every click is first redirected through a security validation check before it reaches the intended website. This protects against a malicious website being visited long after the email itself passed the inbound filters without triggering anything, which is a common tactic: hackers send an email pointing to a site that is still clean, bypass the filters, and only later change the content of the site to serve malware. Because the links were rewritten, the software can still tag the website as malicious afterwards and block subsequent clicks.
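The link-rewriting mechanism described above, as an added example in Go. This is not Proofpoint's code and does not reflect its internal design; the guard endpoint `https://guard.example.net/click`, the HMAC key, the email body and the blocklist are all constructed for the demonstration. It rewrites every link in a message to pass through a guard, then resolves the same click twice: once at delivery time, when the destination is still clean, and once after the destination has been flagged.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// GuardEndpoint is a hypothetical click-time check owned by the mail gateway (an assumption).
const GuardEndpoint = "https://guard.example.net/click"

// rewriteKey is a constructed secret; a real gateway keeps it in its key store.
var rewriteKey = []byte("constructed-demo-key-do-not-use")

var hrefRe = regexp.MustCompile(`href="(https?://[^"]+)"`)

// tag authenticates the original URL so the guard cannot be abused as an open redirector.
func tag(raw string) string {
	m := hmac.New(sha256.New, rewriteKey)
	m.Write([]byte(raw))
	return hex.EncodeToString(m.Sum(nil))
}

// RewriteLinks replaces every http(s) href in an email body with a guarded link that carries
// the original destination and its tag. Nothing about the destination is decided here.
func RewriteLinks(body string) string {
	return hrefRe.ReplaceAllStringFunc(body, func(match string) string {
		raw := hrefRe.FindStringSubmatch(match)[1]
		q := url.Values{}
		q.Set("u", raw)
		q.Set("t", tag(raw))
		return `href="` + GuardEndpoint + "?" + q.Encode() + `"`
	})
}

// Blocklist is the reputation data consulted at click time; it may have changed since delivery.
type Blocklist map[string]bool

// ResolveClick is what the guard does on each click: verify the tag, then re-check the
// destination host against the current blocklist and either return the real URL or block.
func ResolveClick(guarded string, bl Blocklist) (string, error) {
	u, err := url.Parse(guarded)
	if err != nil {
		return "", err
	}
	raw := u.Query().Get("u")
	if !hmac.Equal([]byte(u.Query().Get("t")), []byte(tag(raw))) {
		return "", errors.New("invalid tag: not a link this gateway rewrote")
	}
	dest, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if bl[strings.ToLower(dest.Hostname())] {
		return "", errors.New("blocked: destination flagged after delivery")
	}
	return raw, nil
}

func main() {
	// Constructed email body: one benign link and one that is still clean at delivery time.
	body := `<p>Your invoice: <a href="https://billing.example.com/inv/42">view</a> ` +
		`or <a href="https://docs-share.example.net/open?id=7">open the document</a></p>`
	rewritten := RewriteLinks(body)
	fmt.Println(rewritten)

	guarded := hrefRe.FindAllStringSubmatch(rewritten, -1)[1][1]

	// Delivery time: the site is not yet known to be bad, so the click would be allowed.
	dest, err := ResolveClick(guarded, Blocklist{})
	fmt.Println("at delivery:", dest, err)

	// Hours later the site starts serving malware and is flagged; the same link is now blocked.
	dest, err = ResolveClick(guarded, Blocklist{"docs-share.example.net": true})
	fmt.Println("after flagging:", dest, err)
}
```

The HMAC tag matters in practice: without it, a guard endpoint that redirects to any `u` parameter becomes an open redirector that phishing emails can themselves abuse to borrow the gateway's trusted domain.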

Proofpoint also provides a comprehensive monitoring dashboard, alerting mechanisms and a plethora of options to put policies in place that allow your email security to act as your business requires.

Humans

The factor that can be relied on least is the person sitting behind the keyboard. He or she is the one hackers try to manipulate into clicking links or providing details in order to extract as much money as possible. Scammers are masters of human behaviour analysis and of exploiting the predictability of humans. The same goes for email phishing attempts. Even if you have systems such as Proofpoint in place, you may still run into a situation where an email slips through. As no solution in isolation is 100% foolproof, it often comes down to a human to interpret the information in front of them and check whether what they see is actually valid. This cannot be done by sticking a wet finger in the air and hoping for the best. Simply clicking on links is not an option either, as that in itself can be devastating if malware gets installed. The only option is knowledge: knowing how to assess an email's validity, built up by initial and continuous training. Given that scammers and hackers are constantly evolving their methods, it is important to keep up with the changes they bring.

KnowBe4

KnowBe4 is such a training solution. It constantly keeps an eye out for evolving threats and includes them in the training material. It also provides various testing models to see where your organisation stands in terms of human exposure and can adapt the training, so employees become more effective at identifying threats and acting accordingly. There will always be cases where doubt creeps in and employees are not 100% sure what to do with a certain email. KnowBe4 provides a button that lets employees report suspicious emails with a single click, after which the email is analysed by experts who do this for a living. They report back whether the email contains suspicious content or not. That email may then also be anonymised and used in subsequent training material for other employees.

The last line of defence

If all of the above did not prevent an employee from being targeted by online criminals, he or she may be tricked into providing credentials and MFA (multi-factor authentication) codes. This often happens through cold-calling social engineering, where scammers build up a certain level of trust, after which the victim is sucked dry of anything these criminals can get their hands on.

The key point here is that MFA on its own does not help against this. If a victim receives an SMS, or a code from any other code-based authenticator app, and reads it out to the scammer, all bets are off. As soon as they have access to the account, the scammers can do basically anything they want: change the password, update payment details, and simply lock you out of your own account.

Despite best practice of telling people never to give any details to anyone on the phone, it keeps on happening daily, and many people are caught out, only to find their life savings have vanished.

The way to prevent this is a solution in which there is no MFA code for you to know or read out at all, and a hardware key such as a YubiKey does exactly that for you.

YubiKeys allow you to register a hardware token with a website based on public-key cryptography (a public and private key pair).

YubiKey 5C NFC

These keys are generated on the device itself during registration and are mathematically linked: what is signed with the private key can be verified with the public key, but the public key cannot be used to produce a signature. When registration completes, the website (or other third-party service) has the public key, and the private key stays on the YubiKey, where it cannot be read out. When you then log in to that website, it first asks for your username and password, and when those are valid it sends a so-called "challenge": a fresh random value. Your browser passes that challenge, together with the address of the website you are on, to the YubiKey, and only when you physically press the button does the key sign the two. That signature is the so-called "response", which is sent back to the website over the already secured link. The website verifies the signature with the public key it stored at registration and checks that it was made for its own address, and only when both check out does it let you in.

You can see the benefit here. The challenge itself does not need to be secret: even if a scammer intercepts it, they cannot produce the response, because that requires the private key inside your YubiKey and a press of the button, and the response is only valid for the genuine website's address, so a lookalike phishing site cannot relay it either. There is no code for you to read out over the phone. Even if a scammer has your valid credentials, he cannot bypass or social-engineer his way into your account, as his computer does not have the YubiKey with that private key.
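The challenge-response exchange described above, as an added example in Go. This is not YubiKey or FIDO code and it simplifies the real WebAuthn message format: the key signs a digest of the origin plus the challenge, where real WebAuthn signs `authenticatorData || SHA-256(clientDataJSON)` with the origin inside `clientDataJSON`. The user `alice`, the genuine origin `https://bank.example` and the phishing origin `https://bank-login.example` are assumptions. The example runs a genuine login, then shows a captured response being replayed and a response obtained through a lookalike phishing site, both of which the website rejects.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the security key. The private key is generated inside it at
// registration and never leaves it; the only thing it ever outputs is a signature.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: k}, nil
}

// PublicKey is what the website receives at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// assertionDigest binds the challenge to the origin the browser is talking to.
// Simplified stand-in for WebAuthn's authenticatorData || SHA-256(clientDataJSON).
func assertionDigest(origin string, challenge []byte) [32]byte {
	return sha256.Sum256(append([]byte(origin+"|"), challenge...))
}

// Sign is the press of the button: the key signs the challenge for the origin the browser reports.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	d := assertionDigest(origin, challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, d[:])
}

// RelyingParty is the website: it stores public keys per user and outstanding challenges.
type RelyingParty struct {
	Origin  string
	keys    map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, keys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.keys[user] = pub }

// Challenge issues 32 fresh random bytes. It is not a secret and is not encrypted;
// its job is to be unpredictable so that a captured signature cannot be replayed.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks that the signature covers the challenge it issued and its own origin,
// then consumes the challenge so the same response cannot be used twice.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	want, ok := rp.pending[user]
	if !ok || !bytes.Equal(want, challenge) {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.pending, user)
	pub, ok := rp.keys[user]
	if !ok {
		return errors.New("no key registered for user")
	}
	d := assertionDigest(rp.Origin, challenge)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return errors.New("bad signature: wrong key or signed for a different origin")
	}
	return nil
}

func main() {
	key, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	bank := NewRelyingParty("https://bank.example")
	bank.Register("alice", key.PublicKey())

	// Genuine login: browser at the real origin, user presses the key.
	c, _ := bank.Challenge("alice")
	sig, _ := key.Sign(bank.Origin, c)
	fmt.Println("genuine login:", bank.Verify("alice", c, sig))

	// Replay: a scammer who captured the response cannot use it a second time.
	fmt.Println("replayed response:", bank.Verify("alice", c, sig))

	// Phishing relay: the scammer's page forwards the bank's challenge and the victim presses
	// the key, but the browser reports the phishing origin, so the bank rejects the signature.
	c2, _ := bank.Challenge("alice")
	sig2, _ := key.Sign("https://bank-login.example", c2)
	fmt.Println("relayed through phishing site:", bank.Verify("alice", c2, sig2))
}
```

The origin binding is the part that defeats the cold-calling scenario: unlike an SMS or app code, the response has no human-readable form to read out, and even a perfectly relayed response is rejected because it was signed for the wrong website.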

So how to proceed from here?

As you have seen, no individual solution on its own provides a comprehensive way of fully preventing scams, email phishing campaigns and the other activities that criminals inflict on your organisation. Significantly reducing the risk of accounts being compromised requires an end-to-end solution that does all of the above. QUADSEC combines the four solutions described here, elevates your organisation's defence to a very high level, and gives you and your employees confidence in how to handle threats in the digital world.

Contact us to know more.
