It seems not a day goes by without another security breach story hitting the headlines, like the 500 million Marriott customers potentially affected by a data breach.
A recent research report identified:
There’s often heated debate over these high-profile attacks, creating a perception of inevitability. How do we protect our enterprise applications? How do we engage our organisations to raise their consciousness of potential attacks and increase our capability to identify and prevent them? I think it starts with a common route for malicious attacks and the most widely used of business tools – our email accounts.
A recent report revealed that 44% of organizations were victims of targeted email attacks launched via a compromised account [1]. This can happen when someone’s credentials are stolen by malware, phishing, man-in-the-middle Wi-Fi, or quite simply by someone looking over your shoulder – in the office, on the train, or in the coffee shop. Unfortunately, even multi-factor authentication cannot prevent this: there have been reports of such attacks defeating MFA using man-in-the-middle Wi-Fi or splash pages. And this isn’t the only serious, large-scale challenge facing enterprise security.
The worrying reality is that anyone with admin privileges can access any mailbox and any SharePoint or OneDrive folder. Once they have gained access, such people can impersonate any individual in the company, including sending emails as if from the CEO. They can have emails automatically forwarded in any way they wish. Just think what damage could be done through a simple email from the CEO!
When you have a large organisation with multiple support, IT and service teams and likely outsourced suppliers as well, it’s very hard to keep track of all privileged access. Even the most advanced Privileged Access Management platforms do not identify malicious actions as they occur. Standard tools make it almost impossible for IT teams, and even users, to keep track of who has what permissions to see which SharePoint and OneDrive folders.
This means data is invisible to any type of governance and leads to unintentional or malicious sharing internally or externally.
The heavily reported Deloitte breach last autumn was a result of a combination of the first two attack vectors: an honest admin was successfully phished. They gave up their admin credentials, which were then used by a hacker to set up a rule to bcc all incoming email for a number of executives to the hacker’s mailbox. This was an almost symptomless crime that allowed 1TB of data to be exfiltrated over nine months.
Most solutions available today simply store all the logs from all the systems, 99.9% of which are perfectly OK. They then try to find the anomalies amongst all this data. However, many malicious actions don’t actually show up as anomalies, because they appear to be legitimate. Without the direct input of the one group of people who are actually best placed to spot them – the end-users – it’s almost impossible to quickly identify the right problems.
The end-user knows if they have a new iPhone, have delegated authority to someone new, or are accessing the system from a new location – they are the ones best placed to identify whether a potential anomaly is a real breach. If you have a tool that can make these actions visible and can send appropriate alerts directly to the user, in user-friendly terms, you can dramatically improve identification and prevention.
In this way, a significant part of the cybersecurity problem is effectively crowd-sourced to the end-users, building their confidence in the security of the email system and heightening their awareness of the risks and of their role in preventing them.
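As an added illustration of the kind of user-facing check described above (example code, not part of this post or of the member firm's service): the script scans constructed audit-log records for new or changed mail rules that forward, redirect or BCC mail, and turns each match into a plain-language alert addressed to the mailbox owner. The record field names, the list of internal domains and the fallback alert recipient are assumptions.

```python
INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
# Exchange rule cmdlets, and the cmdlet parameters that send a copy of mail somewhere else.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "New-TransportRule", "Set-TransportRule"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "BlindCopyTo", "CopyTo"}

def recipients(value):
    """Split 'a@x.com; b@y.com' into lower-cased addresses."""
    return [v.strip().lower() for v in value.replace(",", ";").split(";") if v.strip()]

def is_external(addr):
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS

def analyse(record):
    """Return a plain-language alert for one audit record, or None if there is nothing to flag."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return None
    params = {p["Name"]: p["Value"] for p in record.get("Parameters", [])}
    targets = [a for name in params.keys() & FORWARDING_PARAMS for a in recipients(params[name])]
    if not targets:
        return None                      # the rule does not forward, redirect or copy anything
    actor = record["UserId"].lower()
    owner = (record.get("MailboxOwnerUPN") or "").lower()   # empty for tenant-wide transport rules
    reasons = []
    if any(is_external(t) for t in targets):
        reasons.append("sends copies of your mail outside the organisation")
    if owner and actor != owner:
        reasons.append(f"was set up by {actor}, not by you")
    if not reasons:
        return None                      # owner-created and internal-only: nothing to ask about
    return {"notify": owner or "security-team@example.com",  # assumption: fallback for transport rules
            "targets": targets, "message": f"Rule '{params.get('Name', '?')}' changed on "
            f"{record['CreationTime']} forwards to {', '.join(targets)}; it " + " and ".join(reasons) +
            ". If you did not set this up, report it now."}

def scan(records):
    return [alert for alert in map(analyse, records) if alert]

# Constructed sample records, loosely modelled on Exchange Online audit-log entries.
SAMPLE_RECORDS = [
    {"CreationTime": "2018-12-03T08:15:00", "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "MailboxOwnerUPN": "alice@example.com", "Parameters": [{"Name": "Name", "Value": "Team updates"},
     {"Name": "ForwardTo", "Value": "team@example.com"}]},
    {"CreationTime": "2018-12-03T23:41:00", "Operation": "New-TransportRule", "UserId": "helpdesk-admin@example.com",
     "Parameters": [{"Name": "Name", "Value": "Exec backup"}, {"Name": "SentTo", "Value": "ceo@example.com;cfo@example.com"},
     {"Name": "BlindCopyTo", "Value": "archive@mail-drop.example.net"}]},
    {"CreationTime": "2018-12-04T02:05:00", "Operation": "Set-InboxRule", "UserId": "helpdesk-admin@example.com",
     "MailboxOwnerUPN": "ceo@example.com", "Parameters": [{"Name": "Name", "Value": "Keep"},
     {"Name": "RedirectTo", "Value": "ceo@example.com; exec.mail@example.org"}]},
]
```

Running `scan(SAMPLE_RECORDS)` leaves Alice's own internal forward alone, routes the tenant-wide BCC rule to the security team, and tells the CEO that a rule redirecting their mail to an external address was created by the helpdesk account.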
We have a member firm that delivers just this service. Please contact us if you would like to find out more about them and how they do this.
Email innovation@clustre.net
[1] https://info.digitalshadows.com/BECResearchReport_Reg-Homepage.html