I recently wrote a blog post about how to spot a phishing attack (read it here), and also incorporated some of the content in a webinar we did with Precursor Security which showed how easy it was to compromise a Microsoft 365 account (watch it here). In both I mentioned that if you had a sufficient Email Security Gateway in place then it should help to catch and block phishing attempts. Here I will go into more detail about what an Email Security Gateway is, and what it can do for you.
What is it?
An Email Security Gateway is effectively a security barrier between your email solution and the outside world. It has visibility of all emails sent / received and interrogates them looking for malicious content.
How does it work?
When an Email Security Gateway is put in place, the MX records for your email domain are changed to point at the servers of your chosen provider. This directs all inbound email traffic to your chosen solution, which interrogates each message and then forwards it on to your email servers. Connectors are also configured within your email solution to allow mail flow to and from the Email Security Gateway.
How does it protect you?
Traditionally, an Email Security Gateway would be hosted on-premises, scan an email’s attachments for viruses, and that would be that. These days an Email Security Gateway is based in the cloud and will protect you against much more. Here are just a few of the attack types that a competent solution will prevent:
Denial of Service (relevant to on-premises email servers)
Malicious links in emails
Email account takeover
Low reputation senders
Some numbers for you…
91% of cyberattacks start with an email
85% of organisations were hit by a phishing attack in 2020
1 in 7 organisations experienced an account takeover in 2020
$200,000 is the average ransom fee paid in 2020
“But I am using Microsoft 365 which has built in protection”
While technically this is true, the Microsoft Defender for Office 365 product requires a license uplift to get only some of the comparable features that a dedicated Email Security Gateway would provide. Being a dedicated solution, a 3rd party product would sanitise email traffic before it even hits Microsoft 365 and provides protection against more threats than Microsoft’s own tooling. Additionally, in independent tests Microsoft 365 ATP tends to perform poorly against the competition (full test here):
An Email Security Gateway would also provide an Email Continuity solution should the Microsoft 365 email servers ever go down (which they have done in the past). See a brief diagram from Barracuda on how this would work:
[Diagram captions: “Email servers working” and “Email servers NOT working – Barracuda’s Email Continuity service takes over”]
What do we recommend?
Planet IT recommends a capable 3rd party Email Security Gateway like Barracuda or Mimecast to protect your business against email threats, as both solutions provide all the tools and protection you need to keep your organisation safe.
If you would like to discuss further how Planet IT can help you secure your email environment and protect your users from email scams, please get in touch via DM or email email@example.com.
My name is Adam, and I am a security-focused Technical Architect. My job is to provide expert advice on security solutions and assist our customers with protecting their environment from viruses, ransomware, and other nasty attack vectors! My background is in Security as a Service, Infrastructure and Helpdesk Support; I keep myself up to date with the latest threats and security products, so you don’t have to! Want to hear more of my thoughts on Cybersecurity and other technology news? Connect with me on LinkedIn
Email Security Gateway – What is it and why should you have one in place? (Adam Harrison, 2022-06-27)
Cyber Essentials is an effective, government-backed and industry-supported scheme to help organisations protect themselves against common online threats.
Cyber-attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. Cyber Essentials looks to guide you to better understand these threats and help to keep that metaphorical front door firmly shut.
What are the differences between different Cyber Essentials Accreditations?
There are two levels of Certification: Cyber Essentials Basic and Cyber Essentials Plus, which I have expanded on in some more detail below to help you decide what’s right for you and your business.
Fundamentally the Cyber Essentials framework was designed to provide a security baseline for every business in every industry against the following 5 key areas:
Firewalls and routers
What’s new to Cyber Essentials for 2022?
Due to the COVID-19 global pandemic, businesses’ operational models have drastically changed and adapted over a relatively short amount of time.
To continue operating, most businesses were forced to adopt a fully digital model and allow remote or hybrid working. This transformation and rapid adoption of cloud services has prompted these changes to the existing Cyber Essentials scheme, to ensure organisations uphold a basic level of cyber resilience that reflects current working environments and cyber security risks.
Some of the key updates to Cyber Essentials will specifically cover changes to cloud services and web applications, bring your own device (BYOD), and security updates including password management and multi-factor authentication (MFA). Other changes include, but are not limited to, the following:
Some questions have been expanded upon with more details needed in your answer.
Cloud services are now in scope of your basic and Plus assessments.
The Cyber Essentials Plus test will include local admin rights checks and an MFA test for each workstation tested.
The Two Levels of Certification
Cyber Essentials Basic is obtained by completing an independently verified self-assessment. This option gives you protection against a wide variety of the most common cyber-attacks. This is important because vulnerability to basic attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals.
Certification gives you peace of mind that your defences will protect against most common cyber-attacks, simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.
Cyber Essentials Plus is a little more involved. To achieve Cyber Essentials Plus, a business must also first complete the online Cyber Essentials assessment as part of the Cyber Essentials Plus certification, or have received the basic Cyber Essentials certification a maximum of 90 days prior to applying for Cyber Essentials Plus.
Unlike the Self-Assessment method for the basic certification, a hands-on technical verification is required to be carried out. Similarly, however, a qualified assessor examines the same five controls, testing that they work through a technical audit.
Another benefit of a Cyber Essentials Plus certification is automatic cyber liability insurance for any UK organisation that certifies its whole organisation and has less than £20m annual turnover.
So, is it Essential?
The threat landscape for businesses is changing rapidly, with modern working practices always evolving. More and more businesses and IT professionals are placing a higher level of emphasis on their security strategy, and this is where the new changes to Cyber Essentials will help to strengthen businesses’ overall cyber security stance.
Not only is Cyber Essentials cost-effective and easy to implement but it will ensure businesses deter hackers from targeting their infrastructure once the necessary Cyber Essentials technical controls are in place.
You will also give your customers and partners the reassurance that you are working to secure your IT against cyber-attacks. In an ever-competitive landscape these certifications will also display the emphasis your business is placing on security and may even help attract new business with the knowledge of these cyber security measures in place.
If you would like to discuss with myself or any of the Technical Architecture team at Planet IT about how you can get ready for a Cyber Essentials certification you can reach us using the contact details below.
A phishing attack sends emails that appear to be from trusted sources in order to gain personal information, deliver malicious payloads, or compromise account credentials. Phishing attacks are usually transmitted to many email addresses. The contents are not specific to the receiving user and are generally along the lines of “Your Netflix account has been locked, CLICK HERE to unlock” or similar.
What is spear-phishing?
Spear Phishing is a method of cyber-attack that tries to convince users to provide access or information by pretending to be someone important who is in some way relatable to the targeted user. CEOs are a common vector of attack, as is a potentially lucrative new client. These attempts influence the recipient to do something such as transfer money or buy Amazon / Google Play vouchers.
I received this email on my account not too long ago and thought I would use it as an excellent example of a phishing attempt. At first glance, you can see why people would think it is genuine:
But let’s look a little closer. Notice the sender email is using the @msn.com domain, suggesting that this is a free Microsoft email account that has been set up for this purpose:
If we hover over the Confirm Your Email Address link, you will see it wants to take you somewhere that is NOT Microsoft:
If we click the link, we can see that the site we are forwarded to does not look professional at all:
As expected, a login box to steal your credentials:
Also, note that the tone of the email is assertive and trying to portray urgency. Even though it is the first you have heard of it, according to the email, you absolutely MUST click the link within 48 hours to make sure you keep your account. Many people don’t even log into their emails every 48 hours, so this is a ridiculous request.
Finally, the grammar is not good and certainly not what you would expect from an official email from Microsoft. Spelling and Grammar errors are good indicators of a malicious email. Sometimes they are even included on purpose as the assumption is if you miss them, then you will miss other signs and therefore be more gullible to fraud!
What advice can we give?
If in doubt, don’t click! Hover over links in emails if you are not sure they are from a trusted source. A phishing email may claim to be from a legitimate company. When you click on the link, it may look like the actual website, but double check by hovering over the link and checking the URL.
Never give out personal information online – as a rule, you should never share personal or financially sensitive information over the internet. If you are paying for an item or service, check that the website is secure and the address starts with “HTTPS”.
If the email contains spelling mistakes or has grammatical errors – this could indicate that it is a scam email; people write many phishing emails outside of the UK, so the standard of English is usually not good.
If the email asks you to do something urgent – claiming that your account will be closed unless you submit your details instils a sense of panic; double-check that it is from a genuine source.
An unusual attachment – if you receive an unexpected email from a company that contains an attachment, it could include a malicious virus – don’t open it! These generally come in Word / PDF documents claiming to be an invoice or remittance advice but can be anything.
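The indicators walked through above (a free-mail sender domain posing as a brand, a link whose real target is not the brand’s domain, urgency wording, spelling mistakes) can be checked mechanically. The script below is an added example written for this page, not code from the original post; the sample message, the brand and free-mail domain lists, and the misspelling list are all constructed for the demonstration and would need to be fed from real mail and real allow-lists in practice.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the indicators discussed in the post:
# free-mail sender, brand in the display name, a link that leaves the
# brand's domain, urgency wording and a spelling mistake. Not a real message.
SAMPLE_FROM = "Microsoft Account Team <account-security@msn.com>"
SAMPLE_SUBJECT = "Action required: confirm your email address within 48 hours"
SAMPLE_HTML = """
<p>We detected unusal activity on your account. You MUST confirm your
email address within 48 hours or it will be permanently closed.</p>
<p><a href="http://login-verify.example.net/confirm">Confirm Your Email Address</a></p>
<p><a href="https://www.microsoft.com/">Microsoft</a></p>
"""

# Constructed lists; a real deployment would maintain these from policy.
FREE_MAIL_DOMAINS = {"msn.com", "hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}
BRAND_DOMAINS = {"microsoft.com": "microsoft"}   # registrable domain -> brand word
URGENCY_TERMS = ("within 48 hours", "immediately", "permanently closed", "must", "urgent")
COMMON_MISSPELLINGS = ("unusal", "recieve", "verifiy", "acount")


class _Collector(HTMLParser):
    """Collect the message text and every (href, anchor text) pair."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain guess: the last two DNS labels."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:])


def claimed_brand(from_header):
    """Brand named in the display name (the part before '<'), if any."""
    display = from_header.split("<")[0].lower()
    for domain, word in BRAND_DOMAINS.items():
        if word in display:
            return domain
    return None


def phishing_indicators(from_header, subject, html):
    """Return human-readable indicators found in one message (empty list = none)."""
    flags = []
    m = re.search(r"@([\w.-]+)", from_header)
    sender = m.group(1).lower() if m else ""
    brand = claimed_brand(from_header)

    if sender in FREE_MAIL_DOMAINS:
        flags.append(f"sender uses free-mail domain {sender}")
    if brand and registrable(sender) != brand:
        flags.append(f"display name claims {brand} but sender domain is {sender}")

    c = _Collector()
    c.feed(html)
    for href, anchor in c.links:
        u = urlparse(href)
        host = u.hostname or ""
        if u.scheme == "http":
            flags.append(f"link to {host} is not HTTPS")
        # The "hover over the link" check: the real target must stay on the claimed brand
        if brand and registrable(host) != brand:
            flags.append(f"link '{anchor}' leads to {host}, not {brand}")

    body = (subject + " " + "".join(c.text)).lower()
    urgent = [t for t in URGENCY_TERMS if re.search(r"\b" + re.escape(t) + r"\b", body)]
    if urgent:
        flags.append("urgency language: " + ", ".join(urgent))
    typos = [w for w in COMMON_MISSPELLINGS if re.search(r"\b" + w + r"\b", body)]
    if typos:
        flags.append("spelling mistakes: " + ", ".join(typos))
    return flags


if __name__ == "__main__":
    for f in phishing_indicators(SAMPLE_FROM, SAMPLE_SUBJECT, SAMPLE_HTML):
        print("-", f)
```

None of these indicators is conclusive on its own (plenty of legitimate mail uses urgent wording), which is why the function returns the full list rather than a verdict; a gateway or mail client would weight them together.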
Phishing attacks are one of the most common types of cyber-attacks today. It is so important to keep alert and question any suspicious-looking email that you receive. There are several 3rd party solutions that can help you mitigate this risk:
Email Security Gateway – this sits between your email provider and the outside world, filtering spam, phishing, fraud attempts and other malicious email categories.
Training & Testing – there are several trusted vendors that provide end-user training on how to spot a phishing email, as well as running test campaigns to keep everyone on their toes!
Multi-Factor Authentication – the main aim of a phishing email is to forward you to a fake website and have you enter your credentials, so they are stolen and the account used for malicious activity. If you have MFA enabled on your email accounts (Office 365, for example), even if a user falls for a phishing email and enters their credentials, they cannot be used without the MFA code from a separate device.
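To show concretely why a phished password is not enough once MFA is on, here is an added example (written for this page, not the post’s own or any vendor’s code) of a login check that requires a time-based one-time code generated on a separate device, in the style of RFC 6238 TOTP. The demo account, its password and the TOTP seed are placeholders; the seed is the RFC 4226/6238 test-vector key so the expected codes are known.

```python
import hashlib
import hmac
import struct

# Constructed demo account. The TOTP seed is the RFC 4226 / RFC 6238 test
# vector key; a real seed is random and provisioned to the user's device.
_SALT = b"demo-salt"           # placeholder; use a random per-user salt in practice
ACCOUNTS = {
    "adam@example.com": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Winter2022!", _SALT, 100_000),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,     # last accepted time step, so a captured code cannot be replayed
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the phone shows)."""
    return hotp(secret, now // step, digits)


def authenticate(user, password, code, now, step=30, window=1):
    """Return 'ok', 'bad-password', 'mfa-required' or 'bad-code'.

    The password alone never yields 'ok': a phished credential without the
    current code from the user's device stops at 'mfa-required'.
    """
    acct = ACCOUNTS.get(user)
    if acct is None:
        return "bad-password"   # same answer as a wrong password; do not reveal which
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(acct["pw_hash"], attempt):
        return "bad-password"
    if code is None:
        return "mfa-required"
    counter = now // step
    # Accept small clock drift, but never a time step that has already been used
    for drift in range(-window, window + 1):
        c = counter + drift
        if c > acct["last_counter"] and hmac.compare_digest(hotp(acct["totp_secret"], c), code):
            acct["last_counter"] = c
            return "ok"
    return "bad-code"


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: the device would display 287082
    print(authenticate("adam@example.com", "Winter2022!", None, t))          # mfa-required
    print(authenticate("adam@example.com", "Winter2022!", totp(b"12345678901234567890", t), t))  # ok
```

The `last_counter` check is the part people most often leave out: without it, a code captured by a phishing page that proxies the login in real time can be submitted again within the same 30-second step.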
If you would like to discuss further how Planet IT can help you secure your email environment and protect your users from scams like the above email, please get in touch via DM or email firstname.lastname@example.org.
My name is Adam, and I am a security-focused Technical Architect. My job is to provide expert advice on security solutions and assist our customers with protecting their environment from viruses, ransomware, and other nasty attack vectors! My background is in Security as a Service, Infrastructure and Helpdesk Support; I keep myself up to date with the latest threats and security products, so you don’t have to! Want to hear more of my thoughts on Cybersecurity and other technology news? Connect with me on LinkedIn: https://www.linkedin.com/in/adam-e-harrison/
What is Phishing? (Adam Harrison, 2022-05-16)
Cyber-attacks happen and are increasing in frequency. Certain sectors are naturally susceptible to these attacks; banking, government, healthcare, and energy sectors will always be targets due to the nature of what they do. But did you know that the Education sector is also very high up the list?
Around 20% of all educational institutions have been specifically targeted by cyber criminals, and a MASSIVE 83% of UK schools had experienced at least one cyber security incident. There are many other scary statistics that can be quoted, and you would think that with this information being readily available for review, schools and other institutions would take cyber security seriously; you would think wrong.
It’s just not good enough
Here at Planet IT, we have many dealings with the education sector, whether that be providing fully managed support, running security health checks or just facilitating the procurement of specific classroom hardware, and we have seen how vulnerable a lot of school environments are. We talk to schools daily and something that keeps coming up is the widespread use of Microsoft Windows Defender as the sole endpoint security solution. Something else that keeps being apparent on most calls we join is that the on-site IT team are too busy being reactive and fighting fires to spend the time being proactive and looking at the bigger picture.
Microsoft Windows Defender is a consumer-grade antivirus that is native to Windows 10 and comes preconfigured. There is an anti-ransomware element to it, but the testing we have done in the past shows that it is not capable of detecting most live ransomware threats:
So, what should you do?
Well, you should start with an industry-leading endpoint / server security solution such as Sophos Intercept X Advanced which will detect ANY Ransomware attack using the CryptoGuard element (this detects any file encryption attempts and rolls them back using Windows Shadow Copy if any encryption has started by the time it is stopped). This combined with the award-winning Endpoint Protection / Server Protection means that your endpoints and servers would enjoy a very high level of cyber security protection.
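The behaviour described above, spotting that files are being rewritten with encrypted content and treating that as the signal rather than waiting for a signature match, can be illustrated with an entropy-based detector. The code below is an added example written for this page; it is not Sophos’s CryptoGuard or any vendor’s implementation, the process names and document paths are constructed, and the rollback step (restoring from shadow copies) is out of scope here.

```python
import hashlib
import math
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.5       # bits per byte; encrypted or compressed data sits close to 8.0
FILES_BEFORE_ALERT = 3   # distinct files one process must rewrite as ciphertext before alerting


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain documents land around 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class EncryptionDetector:
    """Track per-process file rewrites and flag mass low-to-high entropy transitions."""

    def __init__(self):
        self.baseline = {}                      # path -> entropy of the last known content
        self.suspect_files = defaultdict(set)   # process -> paths it rewrote as high-entropy
        self.alerts = []                        # (process, sorted paths) once the threshold is hit

    def observe_write(self, process, path, new_content):
        """Feed one write event. Returns True on the write that triggers an alert."""
        before = self.baseline.get(path)
        after = shannon_entropy(new_content)
        self.baseline[path] = after
        # A previously readable file turning into ciphertext is the interesting event
        if before is not None and before < HIGH_ENTROPY <= after:
            self.suspect_files[process].add(path)
            if len(self.suspect_files[process]) == FILES_BEFORE_ALERT:
                self.alerts.append((process, sorted(self.suspect_files[process])))
                return True
        return False


def pseudo_random(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed test data)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]


def run_demo():
    """Constructed scenario: normal saves, a legitimate edit, then a mass rewrite."""
    det = EncryptionDetector()
    docs = {f"C:/Users/staff/Documents/report{i}.docx": b"Quarterly report text. " * 200
            for i in range(4)}
    for path, text in docs.items():              # baseline: the editor saves plain content
        det.observe_write("WINWORD.EXE", path, text)
    det.observe_write("WINWORD.EXE", next(iter(docs)), b"Revised report text. " * 200)  # still plain
    # An unknown process rewrites every document with ciphertext-like bytes
    alerted = [det.observe_write("svchost_update.exe", p, pseudo_random(p.encode(), 4096))
               for p in docs]
    return det, alerted


if __name__ == "__main__":
    detector, hits = run_demo()
    print(hits, detector.alerts)
```

Entropy alone would also fire on legitimate compression or encryption tools, so a production detector keys on who is writing, how many files, and how fast, which is why the threshold here is per process rather than per file.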
With any good security solution should come a good EDR product. EDR stands for Endpoint Detection & Response. This provides additional reporting and threat mitigation tools for your environment.
But does this really happen?
A real-world example that I have seen first-hand – we have a large private school as a customer. They were hit by ransomware which took down some critical file servers AND compromised the backups. With Sophos Intercept X Advanced with XDR (Sophos’ EDR offering), we were able to see that not only did Windows Defender not stop the ransomware from running, it didn’t even detect it as a threat.
Also, with the recent Log4j vulnerabilities, and further back the Hafnium vulnerability, XDR was a requirement to investigate customers’ environments to easily check if they were open to attack due to these vulnerabilities. With Hafnium, XDR could report what hosts were vulnerable but also if they had been compromised and the location of the remote consoles that had been deployed by the bad actors. We at Planet IT saw at least 2 instances of Microsoft Exchange servers that had been compromised, and our job was made easier with XDR.
What if my team just doesn’t have the time to manage XDR?
The downside of adding XDR to Sophos Intercept X Advanced is that you need the resources to respond and investigate detected threats. Sure, Sophos Intercept X Advanced will of course detect and block any threats it comes across, but any advanced solution like this requires the time to configure and monitor to ensure you get the value from the product.
This is where MTR comes in; MTR (or Managed Threat Response) is a managed SOC (Security Operations Centre) provided by Sophos themselves, and will give 24/7 threat detection and activity reporting among many other benefits that are essential for any security conscious educational institution. With the Sophos MTR service, you can focus your time on ensuring your local infrastructure is running well safe in the knowledge that your Sophos environment is being looked after competently.
Planet IT recommends Sophos Intercept X Advanced with XDR and MTR Standard as the minimum level of protection for any educational institution.
The Log4j vulnerability is affecting everything from development tools and games like Minecraft to cloud and security devices and even your car. Therefore the question is: what do we look for? What is the latest information about keeping you and your business safe?
Firstly, what is Log4J?
Log4J is a Java logging library, and the vulnerability is a flaw in that library.
For those reading this who are less technically inclined, Java is baked into many pre-made applications and used across a number of services. Therefore this vulnerability is prevalent across a number of attack vectors. Because of this it is currently the most talked about and highest risk security vulnerability on the market at the moment, with everyone scrabbling to patch out the risk.
The library is developed by the open-source Apache Software Foundation and is a key Java logging framework. The vulnerability, logged as CVE-2021-44228, is a remote code execution flaw in Log4J and was already being exploited in the wild. Any system which has the same vulnerability is at severe risk. Warnings have been issued by the UK’s National Cyber Security Centre (NCSC).
What is at risk?
Basically any device which is exposed to the internet is at risk if it is running Apache Log4J versions 2.0 to 2.14.1. Now, the list of applications that have this would fill pages and pages – everything from Minecraft servers to Tesla’s car OS, with companies like Apple and Amazon also being pulled into the mix. Because of the way that Apache packages software, this vulnerability, as per the NCSC notes, can also be found in anything running Apache Struts2, Solr, Druid, Flink, and Swift frameworks. AWS has detected the vulnerability and is currently working to patch it, pushing mitigation protections via its CloudFront service.
Vendors with popular products known to be still vulnerable include Atlassian, Amazon, Microsoft Azure, Cisco, Commvault, ESRI, Exact, Fortinet, JetBrains, Nelson, Nutanix, OpenMRS, Oracle, Red Hat, Splunk, Soft, and VMware. And this list will continue to grow as products try to patch out the issue and make it known they have the vulnerability.
What can I do right now?
Because there is currently no direct patch for this, the best option possible is to air-gap from the internet any system that is using or known to have Apache components or frameworks as part of its services. If you can’t do this then get a Web Application Firewall in place in front of any public facing system, as it is very likely that WAF vendors will be able to provide rule sets quicker than Apache can get a new version of Log4j tested and out into the wild.
As soon as a patch is available, get your Apache systems patched and up to date and ensure that you check all of your systems, as many IT administration tools install parts of the Apache framework for running web front ends or even systems of management and control for your devices.
The best action you can take as an IT system owner is to review anything you have that is publicly facing or publicly accessible. You need to take action now as this attack does allow the system to have complete control taken over by the attacker and it is not yet known how other defence tools are responding to this infiltration as the Java libraries are normally a trusted location and as such can leave a business open to attack.
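The review step above starts with an inventory: which jars on a host contain log4j-core, which version, and whether the JNDI lookup class the flaw lives in is still present. The scanner below is an added example written for this page (not NCSC, Apache or Planet IT code). It reads the version from the Maven `pom.properties` that log4j-core ships with, uses the 2.0 to 2.14.1 range the post gives, and builds three small constructed jars in a temporary directory so it can be run without real log4j builds; it does not open jars nested inside other jars or WAR files.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Affected range as stated in the post (inclusive). Later Apache advisories widened the
# affected versions, so compare against the current advisory before relying on this.
VULNERABLE_RANGE = ((2, 0, 0), (2, 14, 1))
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
_VERSION_RE = re.compile(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", re.M)


def parse_version(pom_properties: str):
    """Return (major, minor, patch) from a Maven pom.properties body, or None."""
    m = _VERSION_RE.search(pom_properties)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def assess_jar(path):
    """Return (version, has_jndi_lookup, vulnerable) for one jar file.

    version is None for shaded or repackaged jars that dropped the Maven metadata;
    vulnerable means the version lies in VULNERABLE_RANGE and JndiLookup.class is
    still present (removing that class was one published mitigation).
    """
    with zipfile.ZipFile(path) as jar:
        names = jar.namelist()
        version = None
        for n in names:
            if n.startswith(POM_PREFIX) and n.endswith("pom.properties"):
                version = parse_version(jar.read(n).decode("utf-8", "replace"))
                break
        has_jndi = JNDI_CLASS in names
    in_range = version is not None and VULNERABLE_RANGE[0] <= version <= VULNERABLE_RANGE[1]
    return version, has_jndi, in_range and has_jndi


def scan(root):
    """Walk root for *.jar files and report every one that looks like log4j-core."""
    findings = []
    for p in sorted(Path(root).rglob("*.jar")):
        try:
            version, has_jndi, vuln = assess_jar(p)
        except zipfile.BadZipFile:
            continue   # not a real zip; skip rather than crash the inventory
        if version is not None or has_jndi:
            findings.append({"path": str(p), "name": p.name, "version": version,
                             "jndi_lookup": has_jndi, "vulnerable": vuln})
    return findings


def build_sample_tree():
    """Constructed test data: three minimal jars in a temp dir (not real log4j builds)."""
    root = Path(tempfile.mkdtemp(prefix="log4j-scan-"))
    samples = [("app/lib/log4j-core-2.14.1.jar", "2.14.1", True),   # in range, class present
               ("tools/log4j-core-2.16.0.jar", "2.16.0", True),      # outside the stated range
               ("legacy/log4j-core-2.10.0.jar", "2.10.0", False)]    # in range, class removed
    for rel, ver, with_jndi in samples:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(target, "w") as jar:
            jar.writestr(POM_PREFIX + "pom.properties", f"version={ver}\n")
            if with_jndi:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder bytes, not a real class
    return root


if __name__ == "__main__":
    for finding in scan(build_sample_tree()):
        print(finding)
```

Run it against an application root (`scan("/opt/myapp")`) and treat any finding with `version` of `None` as “needs manual review”: a shaded jar that still contains `JndiLookup.class` may be just as exposed as a stock one.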
If you are concerned about the security of your business then I implore you to call Planet IT today. One of our security specialists will be able to join you on a call and discuss the mitigation actions you can take and advise you of the best way to ensure your business is protected.
If you would like to discuss with myself or any of the cyber security team at Planet IT how you can better protect your business, whether that be with new technology, strategies or even better backups, you can reach us using the contact details below:
Log4J Zero-Day Flaw – Are you at risk? And how do you protect yourself? (James Dell, 2021-12-14)
We are all too aware that the cybersecurity landscape is changing and will continue to change as the technology we use every day continues to adapt, develop, and alter our daily lives.
Put very simply, this trend is clear when you compare your 2010 Honda Civic to the latest release from Tesla; technology is embedded into every corner of our lives and it now even governs your driver safety.
Because of this, the drive to protect businesses and individuals from threat actors has never been more important. With an ever-shifting set of cybersecurity goalposts comes the need to understand, adapt and overcome whatever threats may come your way.
As such, in this article I am going to take you through five trends we are seeing when looking at cybersecurity and the defence of your IT infrastructure.
1. The Expanding Cyber-Attack Surface
According to Cybersecurity Ventures, the world will store 200 zettabytes of data by 2025. This data is coming from thousands upon thousands of different sources, and a considerable amount of it is now being driven by IoT and smart technologies.
As I mentioned in my introduction, think of all the data that every Tesla on the road today is generating; the sheer volume of telemetry data, decisions, battery health and all the other statistics these mobile computers produce is staggering. Now think about your smart home, with fridges that can be remotely controlled, lighting, cooling, heating and even garage doors that can be triggered from anywhere across the globe, then add into the mix home security systems like Ring Doorbell. All of this sits outside the realm of what many would previously have considered data that needed to be secured. However, it is easy to see how data like the time you leave your house, the speed you drive and the direction you travel could be of value to a threat actor and, even worse, could be data they leverage against you.
This, however, is exactly the point: as businesses have to adjust daily the scope of what is and is not part of their attack surface, threat actors get the room to move and the gaps they need to turn your secure system into Swiss cheese.
5 years ago, CCTV may or may not have been the responsibility of the IT department. Today, with digital cloud driven solutions, this firmly sits within a business IT attack surface and is a clear technological risk.
Similarly, take the smart card reader that opens your office doors and your car parking barrier. This is a business attack surface which in the traditional IT model we would have simply been able to ignore. This is no longer the case. It sits on the list which will continue to grow of new areas where CISO, cyber security experts and IT teams in general need to protect.
This trend will of course continue. As IT professionals we must adjust our security posture and consider how this affects the technologies we use to protect our data and our systems.
There is by no means a silver bullet, but there are key markers for success in this area.
2. Ransomware as a Cyber Weapon of Choice
Ransomware has been around for almost two decades and has grown in popularity because it can more easily bring financial rewards to hackers. It is estimated that there are now 124 separate families of ransomware and hackers have become very adept at hiding malicious code.
The reason ransomware became a weapon of choice for hackers in the last 18 months was driven by the COVID-19 pandemic. This instantly altered a digital landscape that for many businesses had been slowly changing. In fact, most were stuck to the traditional walled garden of onsite infrastructure and controlled working environments. Now, with the transformation of so many companies into mostly digital operations, there are more targets for extortion. According to research, ransomware increased by 435% in 2020 as compared with 2019.
In 2020, the estimated cost of ransomware was £14.5 billion – a rise from £8 billion in 2019 and £5 billion in 2018. That trend will continue to grow.
The likely impact for the near-term future is that there will be more ransomware attacks against institutions and corporations who are less cyber secure and cannot afford to have operations impeded. This includes health care, local governments, and educational institutions. For these sectors the need to adapt and overcome the financial challenges of protecting their businesses has never been more paramount.
3. Increase in adoption of cloud services
Cloud vulnerability continues to be one of the biggest cyber security industry trends. Again, the rapid and widespread adoption of remote working following the pandemic increased the necessity for cloud-based services and infrastructure drastically, with huge security implications for organisations. For many, these implications were not understood or were ignored as the business threw itself into a cloud strategy in sheer panic in 2020.
Don’t get me wrong, cloud services have become essential and offer a range of benefits – scalability, efficiency, and cost savings – but they are also a prime target for attackers.
Misconfigured cloud settings are a significant cause of data breaches and unauthorised access, insecure interfaces, and account hijacking. All of these are avoidable but for many businesses they simply don’t know the vulnerabilities are there. During our webinar series, I often talk about the shared responsibility model. It is key to keeping the door closed to attack but is greatly misunderstood or even ignored by a lot of businesses.
4. Social engineering attacks getting smarter
Social engineering attacks, like phishing, are by no means new threats but have become more troubling amid the widespread remote workforce of the last 18 months. Attackers target individuals connecting to their employer’s network from home because they make easier targets. The attack looks to exploit the weak link in most businesses’ security posture, the end user.
As well as traditional phishing attacks on employees, there has also been an uptick in whaling attacks targeting executive organisational leadership. This trend sees CEO, CFO and other business managers being impersonated to other employees or customers to gain financial details or gain credentials.
SMS phishing – sometimes known as ‘smishing’ – is also gaining prominence, thanks to the popularity of messaging apps such as WhatsApp, Slack, Skype, Signal, WeChat, and others. Attackers use these platforms to try to trick users into downloading malware onto their phones, which for many are now heavily linked to the corporate network be that via email or shared file access. For many businesses, MDM or MAM are technologies they still haven’t invested in.
Organisations are increasing their protection against phishing, but criminals are always looking for new ways to stay ahead. This includes sophisticated phishing kits which target victims differently depending on their location. To stay ahead of these trends, businesses need to ensure their staff understand and can act as the human firewall against these attacks – social engineering is not something that technology alone can protect your business from.
5. The future: privacy-enhancing computation techniques
To change pace slightly, let’s look less at the trends around attack vectors and how the threat actors are getting in, and more at how the cyber security industry is helping us all fight back.
Privacy-enhancing computation (PEC) techniques are emerging that protect data while it’s being used — as opposed to while it’s at rest or in motion.
This marks a dramatic shift in the level of protection we can leverage onto data and how we can continue to work to lock out the threat actors from data at all stages of its life cycle. This technology will also enable secure data processing, sharing, cross-border transfers and analytics, even in untrusted environments.
This technology is rapidly transforming from academic research to real projects delivering real value, enabling new forms of computing, and sharing with reduced risk of data breaches.
I would expect to see these products in your security portfolio in the next 12 months.
With the landscape continuing to move beneath our feet daily, as IT professionals, we need to stay ahead of the trends and ensure that we are looking at what threats are just over the horizon.
No IT team can afford to rest on their laurels as the successes of yesterday will not protect you from the threats of tomorrow.
If any of this is of concern to you, whether you are an IT professional, a business leader or simply have cybersecurity fears, please reach out to me or one of my team and we will be more than happy to assess your situation. We are in this war together, and we can’t let the bad guys win!
Top 5 Cybersecurity Trends So Far This Year (James Dell, 2021-08-25)