It was 2010 and the monthly ISSA meeting featured speaker was Major Gen. Dale Meyerrose, VP of Harris information assurance at the time. Dale asked if we should teach being a responsible cyber citizen in our schools. Back then I had just started working in a large Public School District that had never before had an information security analyst. I had lots to share about information Security and lots more to learn about educating users in the business of Education!
I think this is a very appropriate term. So how long have you been a responsible cyber citizen? Where did you learn to become one? We all learned how to drive a car and hopefully we are responsible drivers, at least there is training and a test for drivers of automobiles. What about being a responsible cyber citizen? There is no official curriculum in our schools for it? Can you actually cause your country and yourself significant monetary losses or worse, just by not being aware of the dangers that lurk on the internet? The point is, over time malware has become quite sophisticated, what started as a prank in the 1980s is now a multi-billion dollar cyber-crime industry.
Well that was back in 2010. So what's changed since then? Unfortunately not much! Yes we have new and better technology that keeps getting exploited. Microsoft, Adobe, Apple and now Android are slinging out patch after patch. Attacks still include hacktivism, cyber espionage, cyber-crime, and cyber warfare. Oh, now we have more ransomware; it surged in Q2 of 2013. Contrasting more of the 2010 Verizon data breach report to the latest, you will see that over 80% of attacks were not highly difficult. Verizon also states in the 2012 report, regarding Human Sensors: "once again, end users represent the most effective means of detecting a breach internally."
On compliance, the 2010 Verizon data breach investigations report stated that 79% of victims subject to PCI DSS compliance had not achieved compliance, in the new Verizon 2014 PCI compliance report it was noted that only 11% of companies passed all 12 PCI compliance requirements. This only adds to our need for human sensors!
A real world example of how a user, human sensor caught what our technology missed. It was just another day when I got a call from a user that said they had a suspicious email that somehow made it past one of our many malware detection systems. Here is the email:
Kindly check the attached TT deposit copy of your invoice and arrange to dispatch the materials as soon as possible.
:20A SENDER'S REFERENCE
:23B BANK OPERATION CODE
:32A CURRENCY/INTERBANK SETTLEMENT
:33B CURRENCY/INSTRUCTED AMOUNT
:50K ORDERING CUSTOMER
Please check with your bank and confirm asap.
Part one: Spam Email Sent to Corporate Accounting
As you can see, it was quite easy for our human sensor to pick up on this as being worthless and just delete it. But our intelligent systems are looking at domain reputation and actual file contents. But what if it's a Zero day exploit? And what if the attacker is switching out bad domains faster than we can blacklist them? It had an attachment that was analyzed by a forensics expert.
Here is the response from our INTEL Team.
I looked at the email and the attached Word document that you provided. Unfortunately there's not much we can tell based on the information given.
For the email itself, the content appears to be a standard financial-type phish message. We have not previously seen email address [REMOVED]@gmail.com. Without a copy of the email headers, I can't really tell much more. (Headers may contain information such as the email client used to send the message, the originating IP address, etc. Note that if the email was actually sent from a Gmail account [if the sending address was not faked or spoofed], then Gmail masks sending IPs, so Gmail headers are of limited use in any case.)
As for the Word file itself, the file is fairly small (12KB) so at first I did not think it contained any malicious content — that it was simply a social engineering attempt to get the recipient to contact the sender and provide bank routing or other sensitive information. However, a screen shot from our proprietary tool shows what appears to be an embedded executable file, payment.exe.
However, when attempting to extract the embedded file using our proprietary tool, it says there is no embedded file. So, I believe that either the docx file is malformed or damaged in some way; or else it is simply failing to execute properly in our sandbox for some reason. (The document attempts to do a certificate revocation check in the sandbox, but since it never receives a valid CRL response, it doesn't do anything more.)
My gut feeling is that this is "routine spam" — it's likely malicious (either as a social engineering scam, or else the document is designed to do something nasty — perhaps download an exe from an external site, if opened on a Vulnerable system), but given the form / format is more likely related to financial crime (botnets, financial theft, identity theft, etc.).
I believe [COMPANY NAME], given the nature of their business, is likely square in the crosshairs of multiple targeted threat groups, but this does not look or feel like an APT attack. Please let me know if you have additional questions.
Part two: Forensic report
So there you have it, a normal every day user, our trusted human sensor knew that it was not good, but our complex systems tied to global threat intelligence have a long way to go to catch every unsolicited email like this one. The real question is how many curious users, not fully educated Human Sensors would have opened the attachment just to see what it was?
The Pentagon recently confirmed that Chinese hackers have stolen data from almost every major US Defense Contractor. More recently, we have the Target data breach of 110 million credit cards that tracks back to the HVAC contractors receiving a Phishing email and Targets lack of network segmentation.
It's pretty easy to see that our users are at the end point in every case, either our users or an intruder are on all end points right? So why not reach out to all our intelligent endpoints, our users? We certainly can't do much about intruders except to detect them upon unauthorized entry, Gartner points this out in a paper titled "Prevention is Futile in 2020 protect information via Pervasive monitoring." A summary of that excellent report follows:
- Information security can no longer prevent advanced targeted attacks.
- IT will not own the majority of user devices or services that users consume.
- Too much information security spending has focused on the prevention of attacks and not enough has gone into security monitoring and response capabilities.
- Individual enterprises will not be able to defend themselves without the collective sharing of threat and attacker intelligence.
- Begin a project now to understand where sensitive information is created, moved, transformed, stored and archived in your enterprise. Use this to prioritize investments.
- Architect for pervasive monitoring. Budget for increased monitoring each year for the next five years, expanding the depth and breadth of monitoring technologies.
- Invest in your incident response capabilities. Define and staff a process to quickly understand the scope and impact of a detected breach.
- Favor security solution providers with a broad view across large numbers of enterprises to provide visibility of threats and attackers
Forget 2020, Prevention is futile applies right now! We must continue to work towards 100% compliance every day, not just when we expect an auditor to show up. Speaking of Compliance, I like how NIST defines due diligence in respect to compliance in the latest revision of NIST 800-53 Rev 4. Granted it's on page 11 of 457, so it's easy to miss, but it's rather important. "compliance is not about adhering to static checklist or generating unnecessary FISMA reporting paperwork, rather compliance necessitates organizations executing due diligence with regard to information security and risk management."
So back to our users; the new security perimeter. Reach out to them in a monthly newsletter, cover topics in a web based format with interactive videos and one single topic like phishing, mobile malware, or data privacy. US-CERT has an excellent area for cyber security tips. Remember that your company likely has a cross section of employees from boomers to Millennials and they all learn in different ways. The millennial group will really appreciate any type of interactive learning and videos and yes even games. OnGuardOnline.Gov and YouTube have some great videos and games that cover cyber security. Be creative and show passion for cyber security, it will get users excited about learning. Make it personal, tell them this is not just applicable to work, its applicable to you and your family's daily life.
One size does not fit all. Make sure to review the latest cyber news regarding our current threat landscape from CSO and other great online resources. And share them weekly with your IT department. How about our executives? Yes, carefully include them in select cyber issues that you know should matter to them and your business. Finally, make sure you are covering security awareness for all new hires. I work for a fast growing company and have weekly opportunities to present to our new hires. This is your chance to practice and refine your presentations and market information security. Remember, it's not just IT Security anymore, It's information assurance that impacts the business and the bottom line. Compliance helps win contracts and keep them, but it's not the same thing as being secure; being secure is all about proactive security measures and pervasive monitoring and involvement of every user.
Our most important asset is always our people; I just hope they don't mind being called Human Sensors, the new security perimeter. Finally, here is my security motto: Users need to know that no matter what physical and technological devices are in place. Ultimately, it is user knowledge and action that will achieve the utmost security for you.
George Grachis, CISA, CISSP is the ISSM, Information Systems Security Manager for Satcom Direct, a Global leader in satellite communications for air, land and sea. He is also Board member of ISSA, ISACA, InfraGard and the Space Coast Technology Council's Cyber Committee. He can be contacted at GGrachis@hotmail.com.