They typically land in no more than 25 inboxes in an organization — on a weekday first thing in the morning, posing as an urgent or time-sensitive email from a co-worker or executive. Business email compromise (BEC) scams represent just a small fraction of spear-phishing attacks overall, but these lucrative campaigns contain a few telltale traits.

Barracuda Networks analyzed the characteristics and trends of 1.5 million spear-phishing emails — of which just BEC made up just 7% — to determine the key methods scammers are using in their BEC campaigns. Don’t let the tiny percentage fool you: BEC scams caused $26 billion in losses to businesses in the past four years, according to the FBI.

Some 91% of BEC attacks occur on weekdays, a tactic to blend in with the workday and appear more legitimate, the Barracuda study found. Attackers, on average, target up to six employees, and some 94.5% of all BEC attacks target less than 25 people in an organization. They do their homework on their targets, too, using real names of human resources, finance, and other executives as well as of the targeted employees.

The BEC emails often are written with a sense of urgency in order to rush the recipient into doing the attacker’s bidding, with 85% marked as urgent, 59% requesting help, and 26% inquiring about availability, according to Barracuda’s findings. And while users click on one in 10 spear-phishing emails, BEC emails are three times more likely to be opened. That doesn’t necessarily mean the target fell for the message or followed the scammer’s request, though, notes Asaf Cidon, a Barracuda adviser and professor of electrical engineering and computer science at Columbia University.

“We can’t tell whether they went into a website and gave up their credentials,” he says, or took other actions. The bottom line is when attackers impersonate someone in a position of authority or who appears legitimate, they get three times the click rate on the email, he says. 

Cidon says some attackers are making an extra effort to create very personalized messages, unlike mass phishing email campaigns. “BECs are probably going after larger amounts of money, not just trying to compromise single credentials. They are trying to extract a wire transfer out of an organization, [for example], so they are willing to do more research and spend more time” on their targets, he says.

Barracuda’s study jibes with what other researchers have found in their BEC studies. “Successful BEC attacks are usually quite simple and mimic requests that could be reasonably expected to come from an employee’s executive or supervisor,” notes Crane Hassold, head of Agari’s cyber intelligence division.

He says wire transfer or payroll attacks usually target just one or two employees, typically in the finance or human resources department. But gift card BEC scams, where the attacker poses as a supervisor requesting the victim purchase and send him or her gift cards, often are sent to dozens of employees in an organization, he notes.

Barracuda saw the most BECs on Mondays, and Agari saw the most on Tuesdays (one out of four), with scams dwindling for the rest of the week. The emails most often arrive in the morning, with 9 a.m. as the bewitching hour since that’s when most employees are first getting to their desks. Some 47% of BEC attacks are sent from Gmail accounts, and just 3% of BEC attacks come with a rigged URL or attachment. About 8% of BEC scams involve payroll requests, according to the security firm’s report.

While most of the attacks originate from Nigeria, they now also come out of Ghana, Malaysia, and the United Arab Emirates, notes Agari’s Hassold. 

The best way to beat back BECs: multifactor authentication to protect user credentials that get stolen and the usual mantra of educating users about the scams and how to spot one, including confirming an email address. Barracuda also recommends setting specific policies for financial transactions, banning email requests for any financial transactions, and adopting DMARC authentication, as well as machine learning technology, to protect the organization’s domain from being spoofed.

But even with all of the best practices, there’s no way to guarantee a user won’t get duped by a BEC email. “There’s no single silver bullet,” Cidon says.

Related Content:

• Business Email Compromise Attacks Spike 269%
• The Minefield of Corporate Email
• New, Improved BEC Campaigns Target HR and Finance
• 6 Ways to Beat Back BEC Attacks

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What’s in a WAF?“

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/anatomy-of-a-bec-scam/d/d-id/1336425?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Most of us are likely to agree that if we want to continue to evolve to be our best selves, we need some form of conflict or challenge. If we want to be stronger, we lift more weights or add more repetitions. If we want improved brain function, we solve puzzles or learn new skills. We may restructure our diets or diversify our exercise regimes, but, in any event, such activity almost always requires a change in behavior, a commitment to discipline, and a flexibility of approach to achieve optimal results.

And yet as security practitioners, many of us discard this type of training when we walk through the doors at work. We stay in a known, comfortable place. We ignore the independence and creativity of our own thinking and — almost as if by default — we transform into yes men and women, agreeing with our management teams and our boards about the right ways to handle risk and cyber threats.

Ironically, to much of the rest of the organization, we transform into what I call the Department of No, a group of well-intentioned but risk-averse executives who develop complex policies that restrict employee behaviors in a misguided attempt to reduce risk levels. Our go-along-to-get-along approaches, whether positive or negative and whether we realize it or not, reveal inherent biases and predisposed behaviors that may seem benign in themselves but that carry new vulnerabilities (and therefore new risks) into the workplace.

The truth is, a CISO’s job inherently has conflict. We strive to strike a balance between things like cost and quality or security and usability knowing that we’re basically making trade-offs, reducing one part of the equation to give the other more weight, and those trade-offs typically show us where our bias lies. Bias resulting from our backgrounds, training, or whatever makes us inclined toward certain assumptions and contributes to our potential misperception of risk and unintentional increased vulnerability. It’s hardly a path that enables us to do our best work.

Fragmented organizational responsibility is another inherent conflict. One department may be responsible for FedRAMP certification, another for SOC standards, and still others for privacy, information security, and compliance. Risk and control responsibilities may therefore be siloed in both decision-making and outcomes. When each department requires its own audits, controls, policies, and priorities, separating bias and working toward a common framework becomes increasingly challenging, making it easier for us to stay within our respective teams and again, perhaps unintentionally, weaken our organizations by working at cross-purposes.

We all view risk in our own way, like light shining through a prism. Depending on the angles we use, we see different refractions and reflections of light. The color and intensity of light changes as it traverses the prism into a spectrum of dispersed or mixed colors. Our evaluation of risk and the controls we use to mitigate vulnerabilities are just as diverse — diversity that is healthy if it is recognized and managed, but divisive and unnecessarily conflicting if not. The end result leaves wedges between organizations that should be working together to optimize the spectrum of information risk.

Disagreement Is Not Disloyalty
To get there requires the same commitment to discipline and flexibility of approach we bring to other areas of our lives. It requires us to pose high-contrast questions that foster constructive conversations and ensure we are open to exploring all available possibilities. Too often, especially as we rise through the ranks of an organization, we censor ourselves and agree with our CEOs and our boards because we don’t want to be perceived as disloyal.

But loyalty is often simply another form of bias. Despite what we have been taught to believe, disagreement does not equal disloyalty. In fact, I believe the reverse is true: Disagreement can be the highest form of loyalty, although that loyalty may be toward our customers or shareholders or even society at large if not to our management teams.

We cannot be so flexible that we lose sight of our duty to protect the right things at the right times in the right order. Nor can we be so rigid that our attempts to challenge a harmful status quo create equally ossified and restrictive ways of thinking. In other words, too much “yes” is dangerous, too much “no” is dangerous, but constructive conflict is essential to ensure contrasting opinions thrive and the truly serious issues at hand are met with the best approaches to solving them successfully.

We know we cannot eliminate risk entirely, but we can make good choices and strive continually toward optimization by:

1. Ensuring the cyber safety of people first — whether employees, customers, contractors, partners, or shareholders

2. Understanding and safeguarding the data relevant and necessary to keep people safe

3. Implementing a holistic framework of overarching governance that protects the long-term health of the business by putting controls in place that solve for the whole and not the sum of its parts

Independence and objectivity are key to our success and credibility. As CISOs and risk professionals, we need to cultivate the mettle necessary to do the right thing rather than allowing bad decisions to occur on our watch because we want to appear loyal.

Conflict is OK. Tension is OK. Seen through the right lens and managed toward positive outcomes, tension and conflict allow opposing ideas to flourish and be discussed, evaluated, and discarded in turn, increasing the chance that the decisions we ultimately make will provide the best overall protection to our organizations.

It might be trite in this day and age to say “if you see something, say something,” but in fact that’s precisely what we should be doing. If we can’t go to our management teams, we must go to our boards. But we can’t be afraid to stand our ground, even if it means putting our own jobs at risk to save our organizations. We owe it to the larger constituencies that depend on us — customers, shareholders, communities — to remain objective and foster dialogue that frees us from the tyranny of “yes” or “no” and allows us to keep asking “how.”

Related Content:

• 13 Security Pros Share Their Most Valuable Experiences
• Help Wanted: Security Heroes Heroines Only Need Apply
• 5 Cybersecurity CISO Priorities for the Future

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “8 Backup Recovery Questions to Ask Yourself.”

Malcolm Harkins is the chief security and trust officer for Cymatic. He is responsible for enabling business growth through trusted infrastructure, systems, and business processes, including all aspects of information risk and security, as well as security and privacy policy. … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/the-department-of-no-why-cisos-need-to-cultivate-a-middle-way/a/d-id/1336391?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

The gap between trained cybersecurity professionals and need is on the order of 4 million people worldwide, and yet not nearly enough students are in computer science and cybersecurity university programs around the world to bridge that gap. One solution, some say, is to look beyond the traditional computer science/cybersecurity academic pipeline for entry-level professionals. 

In fact, “About 58% of cybersecurity professionals come from fields outside technology,” says Wesley Simpson, COO of ISC(2). “Cast a big net. We need people from all different backgrounds and degrees.”

The big question is: Which degree programs are worthy of consideration?

For practical reasons, Simpson points to the liberal arts. The frequent stories of cybersecurity teams not getting management support for the tools and personnel they need comes down to not effectively telling the cybersecurity story, he says. That’s where liberal arts grads can help.

“The liberal arts people are better at telling the story, crafting the story, and talking to all the people they need to talk with to build the story,” Simpson says. “We need people from all over the spectrum to tell the story.”

Beyond the budget story, individuals from different academic and personal backgrounds can bring critical new perspectives to cybersecurity, which is “key to forming a concrete and inclusive analysis,” says Harrison Van Riper, strategy and research analyst at Digital Shadows. “Whether you’re conducting an investigation of a threat actor or performing incident response, it’s important to understand all of the different views and perspectives that may be impacted.” 

Dan Basile, executive director of the security operations center at Texas AM University, agrees. “We all need a greater diversity of thought and background, in addition to traditional diversity concerns, in order to attack the complex problems we face,” he explains. “All nontechnical majors have something that is of value to the cybersecurity field.” 

So with general agreement that a wider net is part of the solution, which nontechnical degrees should cybersecurity managers look to for their future staffing needs? We asked a number of cybersecurity professionals for their thoughts, and we received a variety of responses. The six degrees on this list were at the top of the collective heap.

We’re also curious: Is your academic background something other than computer science? Let us know where you came from — and what you think about the idea that cybersecurity teams should look beyond computer science and security programs for their future hires.

(Image: StockSnap via Pixabay)

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/careers-and-people/6-top-nontechnical-degrees-for-cybersecurity/d/d-id/1336419?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

An expansion of Google’s Android Security Rewards (ASR) program includes a new top prize of $1 million, a massive increase from the previous top prize of $200,000, Google reported today. Researchers could earn even more for exploits found in Android developer preview versions.

The ASR program launched in 2015 to reward researchers who find and report vulnerabilities in the Android ecosystem. Over four years, it has awarded more than $4 million for 1,800 reports. Payouts exceeded $1.5 million in the past year alone; the top reward in 2019 was $161,337.

Now, the program is expanding and increasing the earning potential for white-hat hackers. Google is promising a top prize of $1 million for a “full chain remote code execution exploit with persistence, which compromises the Titan M secure element on Pixel devices,” Jessica Lin of the Android Security Team explains in a blog post. Titan M stores credentials on Pixel phones.

While the $1 million prize is for the Titan exploit alone, Google is adding more categories of exploits to its awards program, including those involving data exfiltration and lock-screen bypass. Depending on the exploit category, a researcher could earn up to $500,000.

Read more details here.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What’s in a WAF?“

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/google-increases-top-android-hacking-prize-to-$1m/d/d-id/1336431?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

As 2019 draws to a close, we’ll see plenty of discussion of the year’s major security incidents, but few will focus on the foundational missteps that plague most organizations. These disruptions aren’t a mystery; in many cases, organizations still make the mistake of implementing new tool after new tool without understanding the nature of their hardware and software assets, where they sit, and what applications and systems are running on them. Throwing more tools at problems of visibility and control will leave any security and IT management strategy inherently flawed.

Let’s cut through the clutter. Here are what organizations can do now, and throughout the coming year, to ensure that strong security and IT operations fundamentals are locked in.

1. Address Gaps in Visibility
IT teams simply can’t protect what they can’t see. Good IT hygiene begins with an accurate, up-to-date, and contextual inventory of an organization’s endpoints, including servers, laptops, virtual machines, and cloud instances on the network. But that’s just the beginning, and a mass of tools — from asset discovery solutions and security information and event management systems to configuration management databases and beyond — still leads to visibility gaps.

The reason is that a collection of point tools doesn’t help organizations see the bigger picture — in other words, to have full visibility. Each product and tool has its own view of the IT environment. Individual tools may offer data that is relatively timely, contextual, or complete. But when IT teams look at this data in aggregate, visibility gaps begin to form.

Here’s an example. IT teams might have a tool that gets endpoint detection and response (EDR) telemetry up to the cloud every five minutes from all of their systems — but not their unmanaged hosts. They may get vulnerability scan results back once a week for peripheral component interconnect (PCI) systems, but only once a month for workstations. Their asset discovery solution might scan for unmanaged and managed assets, but only in the data center and only once a day. And if they need a new set of data that they didn’t anticipate and is outside the scope of their existing tooling’s hard-coded capabilities, there’s no easy way to get it. Consequently, stitching all this asynchronous data together to garner usable insights becomes so difficult as to be almost impossible.

If this lack of visibility isn’t rectified, IT teams will continue to suffer the consequences. They may continue to think they are more protected than they are, exposing themselves to vulnerabilities that should — and could — have been prevented.

One way for IT teams to address this lack of visibility is by using a unified endpoint management platform. [Editor’s note: The author’s company, Tanium, is one of a number of companies that provide such a service.] With a single source of endpoint data, those glaring visibility gaps start to close.

2. Declutter and Consolidate the IT Environment
Collections of point tools aren’t just a challenge for visibility; they’re also adding needless complexity. A Forrester survey found that, on average, organizations today use 20 or more tools from more than 10 different vendors to secure and operate their environments. And many large enterprises have 40 to 50 point solutions — a staggering number.

This cluttered environment makes it a big challenge to implement good IT hygiene habits, because each tool offers different data and different degrees of visibility. In addition, tools individually are expensive to learn, deploy, and upgrade. They often have short shelf lives because they were built for their time, usually for a specific use case, and not exactly future-proofed.

The good news is that it isn’t difficult to pare down the volume of tools. IT teams need to first identify the capabilities and deliverables their organizations need to implement, regardless of their technology and tools. Then they should go through each tool individually and catalog its capabilities. And finally, they should create a Venn diagram to see where overlap exists between these tools. Auditing your estate like this can be cumbersome, but the overlaps are the opportunities for consolidation so that IT teams can operate with fewer tools and more visibility moving forward.

3. Remove IT Operations and Security Team Silos
You can’t enforce IT hygiene and cybersecurity best practices if your teams aren’t working together. Existing point tools reinforce the silos we see crop up between IT operations and security teams instead of enabling the collaboration that isn’t just a nice-to-have, but crucial for better business outcomes. As organizations look to build and strengthen their security fundamentals, IT operations and security teams should unite around a common set of actionable data for true visibility and control over all of their computing devices. This will enable them to prevent, adapt, and respond in real time to any technical disruption or cyber threat.

Without security fundamentals firmly in place, IT teams will start the new year behind. Heading into 2020, they should be able to address visibility gaps, strategically reduce the amount of IT tools that are used, and bring together IT operations and security teams.

Make 2020 a fresh start. If teams can focus on nailing their basic security fundamentals, they will be well-positioned to succeed not just this coming year, but in the years to come.

Related Content:

• 13 Security Pros Share Their Most Valuable Experiences
• DevSecOps: The Answer to the Cloud Security Skills Gap
• BSIMM10 Shows Industry Vertical Maturity
• How Does Your Cyber Resilience Measure Up?

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “What’s in a WAF?“

Chris Hallenbeck is a security professional with years of experience as a technical lead and cybersecurity expert. In his current role as CISO for the Americas at Tanium, he focuses largely on helping Tanium’s customers ensure that the technology powering their business can … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/3-fundamentals-for-better-security-and-it-management-/a/d-id/1336389?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple