On Course: by Jay Lasner
It can look legit: an email, apparently from a management company and from someone we know and work with, asking that an invoice be reviewed and authorized so a real vendor we are familiar with can get paid.
It seems harmless enough to open the attachment, sign off on the invoice and move on.
But four months later, a menacing skull and crossbones could splash across the screen, demanding $1,000 in an anonymous online currency to unlock the files on a computer that has now been encrypted by the ransomware that attachment delivered.
Remember that innocent-looking email a few months ago that looked legit?
This scenario is playing out more and more, and not a day goes by when the media doesn’t trumpet a new cyber attack. The most recent “big” one was WannaCry, which made the news because it disrupted hospitals and clinics across the U.K.’s National Health Service.
But many more malware variants, exploits and ransomware (malware that holds our data hostage until we pay) continue to pour out of the computers of cybercriminals intent on ruining more than just our day.
The AV-TEST Institute recently registered about 390,000 new malicious programs per day, roughly 12 million new malware variants per month.
There is a distinction between malicious and non-malicious cyber risks, and the key is intent. Events may be the result of deliberate malicious acts, or they may be unintentional. The cybercriminal who sends the malware in an email acts deliberately; the employee who unknowingly opens it and infects the office network, or the network aboard ship, does not.
The cyber theft “industry” has matured enough to offer MaaS, Malware as a Service (ransomware kits sold this way are often called RaaS, Ransomware as a Service). Much as we all use legitimate cloud services such as Outlook.com, QuickBooks Online, Adobe Creative Cloud and other web-based email and office providers, all forms of SaaS, or Software as a Service, those with malice can run their own ransomware campaigns with no technical knowledge by simply subscribing to malware services advertised on the Dark Web.
That innocent-looking email I got a few months ago was really a spear phish, a highly targeted, carefully crafted phishing message designed just for me. It was likely built through social engineering and reconnaissance: select information about me from social media, details possibly gathered from co-workers who innocently answered a few questions in a phone call to the office, and other publicly available information about me.
Ever tried searching your own name in Google or Bing? Try it sometime.
I was fortunate enough not to open the email attachment, as legitimate as that email appeared. I was suspicious, analyzed the email’s metadata, made a quick verification phone call and confirmed that my hunch was right.
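What analyzing an email’s metadata amounts to in practice, as an added example that is not from the column: a short Python script that parses a raw message with the standard library and lists the red flags a practitioner checks first, namely a display name that names a different domain than the real sender, Reply-To or Return-Path pointing elsewhere, failed SPF/DKIM/DMARC verdicts recorded by the receiving server, attachment types that commonly carry a first-stage payload, and wording that pairs urgency with a payment request. The two messages, and every name and domain in them, are constructed for illustration.

```python
"""Triage a raw email for common spear-phishing red flags (added example).

The sample messages, names and domains below are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Attachment types that commonly carry a first-stage payload when unexpected.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk",
                    ".docm", ".xlsm", ".zip", ".rar", ".7z"}


def domain_of(addr: str) -> str:
    """Lowercase domain part of a single address header value, or ''."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> list[str]:
    """Return human-readable red flags found in the message (empty if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []

    from_hdr = msg["From"]
    sender = from_hdr.addresses[0] if from_hdr and from_hdr.addresses else None
    from_dom = sender.domain.lower() if sender else ""
    display = sender.display_name if sender else ""

    # 1. Display name shows an address at one domain; the real sender is at another.
    m = re.search(r"[\w.+-]+@([\w-]+\.[\w.-]+)", display)
    if m and m.group(1).lower() != from_dom:
        flags.append(f"display name shows @{m.group(1)} but sender is @{from_dom}")

    # 2. Replies or bounces would go to a domain other than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(str(msg[hdr] or ""))
        if dom and dom != from_dom:
            flags.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 3. The receiving server's own SPF/DKIM/DMARC verdicts, when it recorded them.
    auth = str(msg["Authentication-Results"] or "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.IGNORECASE)
        if m and m.group(1).lower() != "pass":
            flags.append(f"{mech} result: {m.group(1).lower()}")

    # 4. Attachment types that commonly carry a first-stage payload.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rpartition(".")[2].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            flags.append(f"risky attachment type: {name}")

    # 5. Wording that pairs urgency with a request to move money.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    if (re.search(r"\b(urgent|immediately|today|asap)\b", text, re.I)
            and re.search(r"\b(invoice|payment|wire|approve|authori[sz]e)\b", text, re.I)):
        flags.append("body pairs urgency with a payment request")

    return flags


# Constructed phish: lookalike sender domain, foreign bounce address, failed SPF,
# an archive attachment and an urgent payment request.
SAMPLE_PHISH = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Dana Reyes (dana@yachtmgmt.example)" <dana.reyes@yachtmgmt-example.co>
Reply-To: accounts@yachtmgmt-example.co
To: captain@example.com
Subject: Invoice approval needed today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hi, please approve the attached invoice so the vendor can be paid today.

--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed legitimate message from the real management company.
SAMPLE_CLEAN = b"""\
Return-Path: <dana@yachtmgmt.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=yachtmgmt.example; dkim=pass; dmarc=pass
From: Dana Reyes <dana@yachtmgmt.example>
To: captain@example.com
Subject: Monthly statement

Here is the April statement; no action is needed on your side.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, triage(raw) or "no red flags")
```

None of these checks proves a message is malicious, and a clean result does not prove it is safe: a compromised real account passes SPF and DKIM. The flags are prompts for the verification phone call, made to a number you already have, not one taken from the email.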
There are three foundations of any security process: people, policy and equipment. How these three elements interact determines the security outcome.
We can protect our computers with firewalls and antivirus software. We can set rules and regulations, things we must and must not do. But people remain the weak link in the cybersecurity chain.
The Department of Homeland Security states: “End users of all descriptions are the weakest link and need to be made aware of phishing, password protections, identity theft and the like. They also need to be able to detect, diagnose and speak up when something doesn’t seem ‘quite right.’”
Security, including cyber security, begins with awareness.
Cybersecurity and risk management experts agree that education and training are a critical element of managing cyber risk. The risk can’t be eliminated, but it can be managed; a common rule of thumb is that roughly 80 percent of it can be mitigated by appropriate management of people, policy and equipment.
Start by having a high degree of suspicion: don’t open attachments or click links in emails you weren’t expecting, and if you think a message is legit but aren’t quite sure, confirm that it is before acting, using a phone number or address you already have rather than one supplied in the email. It will help keep “Your Career On Course.”
Jay E. Lasner is chief executive officer of Bluewater Crew Training USA in Fort Lauderdale.