In this interview, Matt Cooke, cybersecurity strategist, EMEA at Proofpoint, discusses the cybersecurity challenges for retail organizations and the main areas CISOs need to focus on.
Generally, are retailers paying enough attention to security hygiene?
Our research has shown that the vast majority of retailers in the UK and Europe-wide simply aren’t doing enough to protect their customers from fraudulent and malicious emails – only 11% of UK retailers have implemented the recommended and strictest level of DMARC protection, which protects them from cybercriminals spoofing their identity and decreases the risk of email fraud for customers.
Despite this low and worrying statistic, it’s promising to see that a small majority of UK retailers have at least started their DMARC journey – with 53% publishing a DMARC record in general. When we look at the top European-wide online retailers, 60% of them have published a DMARC record.
If we compare this to the largest organisations in the world (the Global 2000), only 51% of these brands have published a DMARC record. This illustrates the retail industry is slightly ahead of the curve – therefore certainly is paying attention to security hygiene – but there’s still a long way to go.
Unfortunately, starting your DMARC journey isn’t quite enough – without having the ‘reject’ policy in place cyber criminals can still pretend to be you and trick your customers.
What areas should a CISO of a retail organization be particularly worried about?
Business Email Compromise (BEC) and Email Account Compromise (EAC) attacks are on the rise, targeting organisations in all industries globally. Dubbed cyber-security’s priciest problem, social engineering-driven cyber threats such as BEC and EAC are purpose-built to impersonate someone users trust and trick them into sending money or sensitive information.
These email-based threats are a growing problem. Recent Proofpoint research has shown that since March 2020, over 7,000 CEOs or other executives have been impersonated. Overall, more money is lost to this type of attack than any other cybercriminal activity. In fact, according to the FBI, these attacks have cost organisations worldwide more than $26 billion between June 2016 and July 2019.
The retail industry has a very complex supply chain. When targeting an organisation in this sector, cyber criminals don’t only see success from tricking consumers/customers, they can also target suppliers, with attacks such as BEC, impersonating a trusted person from within the business.
We have seen cases within the retail sector where cyber criminals are compromising suppliers’ email accounts in order to hijack seemingly legitimate conversations with someone within the retail business. The aim here is to trick the retailer into paying an outstanding invoice into the wrong account – the cybercriminals’ account, as opposed to the actual supplier.
In addition, due to the pandemic, global workforces have been thrust into remote working – and those in the retail sector are not exempt. As physical stores have closed worldwide, customer service and interaction have shifted to digital communication more so than ever. Those employees that were used to talking directly to customers are now using online platforms and have new cloud accounts – expanding the attack surface for cybercriminals.
The retail industry – along with all other industries – needs to ensure employees are adequately trained around identifying the risks that might be delivered by these different communication channels and how to securely handle customer data.
Domain spoofing and phishing continue to rise, what’s the impact for retail organizations?
Threat actors are constantly tailoring their tactics, yet email remains the cybercriminals’ attack vector of choice, both at scale and in targeted attacks, simply because it works.
Cybercriminals use phishing because it’s easy, cheap and effective. Email addresses are easy to obtain, and emails are virtually free to send. With little effort and little cost, attackers can quickly gain access to valuable data. As seen in recent breaches, emails sent from official addresses that use the domains of known international companies seem trustworthy both to the receiver and spam filters, increasing the number of potential victims. However, this has a detrimental effect on both the brands’ finances and reputation.
Organisations have a duty to deploy authentication protocols, such as DMARC to protect employees, customers, and partners from cybercriminals looking to impersonate their trusted brand and damage their reputation.
Opportunistic cyber criminals will tailor their emails to adapt to whatever is topical or newsworthy at that moment in time. For example, Black Friday-themed phishing emails often take advantage of recipients’ desire to cash in on increasingly attractive deals, creating tempting clickbait for users.
These messages may use stolen branding and tantalising subject lines to convince users to click through, at which point they are often delivered to pages filled with advertising, potential phishing sites, malicious content, or offers for counterfeit goods. As with most things, if offers appear too good to be true or cannot be verified as legitimate email marketing from known brands, recipients should avoid following links.
Do you expect technologies like AI and ML to help retailers eliminate most security risks in the near future?
Today, AI is a vital line of defence against a wide range of threats, including people-centric attacks such as phishing. Every phishing email leaves behind it a trail of data. This data can be collected and analysed by machine learning algorithms to calculate the risk of potentially harmful emails by checking for known malicious hallmarks.
While AI and ML certainly help organisations to reduce risks, they are not going to eliminate security risks on their own. Organisations need to build the right technologies and plug the right gaps from a security perspective, using AI and ML as just part of this overall solution.
Organisations should not outsource their risk management entirely to an AI engine, because AI doesn’t know your business.
There is no doubt that artificial intelligence is now a hugely important line of cyber defence. But it cannot and should not replace all previous techniques. Instead, we must add it to an increasingly sophisticated toolkit, designed to protect against rapidly evolving threats.
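The DMARC point made earlier in the interview (publishing a record is not enough without the ‘reject’ policy) can be checked mechanically. The following is an added example, not part of the interview and not Proofpoint tooling: it grades the TXT record(s) found at `_dmarc.<domain>`. The level names and the sample records are constructed for illustration, and the DNS lookup itself is left out so the code runs offline.

```python
# Added example: grade the DMARC TXT record(s) found at _dmarc.<domain>.
# The level names ("enforced", "partial", ...) are this example's own labels.

STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}  # p= / sp= values, weakest first


def parse_dmarc(txt):
    """Return {tag: value} for a DMARC record, or None if txt is not one."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for index, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if index == 0 and (not sep or name != "v" or value != "DMARC1"):
            return None  # the version tag must come first
        if sep:
            tags.setdefault(name, value)
    return tags or None


def assess(txt_records):
    """Grade all TXT strings published at _dmarc.<domain>."""
    records = [r for r in (parse_dmarc(t) for t in txt_records) if r is not None]
    if not records:
        return {"level": "no-record", "findings": ["no DMARC record published"]}
    if len(records) > 1:
        return {"level": "invalid",
                "findings": ["more than one DMARC record; receivers apply none"]}
    rec = records[0]
    policy = rec.get("p", "").lower()
    if policy not in STRENGTH:
        return {"level": "invalid",
                "findings": [f"missing or unknown p= value: {policy!r}"]}

    findings = []
    pct = 100  # share of failing mail the policy applies to (default 100)
    if "pct" in rec:
        if rec["pct"].isdigit() and int(rec["pct"]) <= 100:
            pct = int(rec["pct"])
        else:
            findings.append("pct= is not 0-100; this example assumes 100")
    sub = rec.get("sp", policy).lower()  # subdomain policy defaults to p=
    if sub not in STRENGTH:
        findings.append("unknown sp= value; this example falls back to p=")
        sub = policy

    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
        level = "monitor-only"
    elif policy == "quarantine":
        findings.append("p=quarantine sends failing mail to spam, not rejection")
        level = "partial"
    else:
        level = "enforced"
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy covers only part of failing mail")
        level = "partial"
    if STRENGTH[sub] < STRENGTH[policy]:
        findings.append(f"sp={sub} leaves subdomains weaker than the main domain")
        level = "partial"
    return {"level": level, "findings": findings}


if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    samples = {
        "shop-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@shop-a.example"],
        "shop-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@shop-b.example"],
        "shop-c.example": ["v=DMARC1; p=reject; pct=25; sp=none"],
        "shop-d.example": ["v=spf1 -all"],
    }
    for domain, txt in samples.items():
        result = assess(txt)
        print(domain, result["level"], "; ".join(result["findings"]))
```

Only the `enforced` level corresponds to the ‘reject’ policy the interview describes; a domain graded `monitor-only` has published a record but can still be impersonated.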
Cybersecurity threats are growing every day, be they aimed at consumers, businesses or governments. The pandemic has shown us just how critical cybersecurity is to the successful operation of our respective economies and our individual lifestyles.
The rapid digital transformation it has forced upon us has seen us rely almost totally on the internet, ecommerce and digital communications to do everything from shopping to working and learning. It has brought into stark focus the threats we all face and the importance of cybersecurity skills at every level of society.
European Cybersecurity Month is a timely reminder that we must not become complacent and must redouble our efforts to stay safe online and bolster the cybersecurity skills base in society. This is imperative not only to manage the challenges we face today, but to ensure we can rise to the next wave of unknown, sophisticated cybersecurity threats that await us tomorrow.
Developing cybersecurity education at all levels, encouraging more of our students to embrace STEM subjects at an early age, educating consumers and the elderly on how to spot and avoid scams are critical to managing the challenge we face. The urgency and need to build our professional cybersecurity workforce is paramount to a safe and secure cyber world.
With a global skills gap of over four million, the cybersecurity professional base must grow substantially now in the UK and across mainland Europe to meet the challenge facing organisations, at the same time as we lay the groundwork to welcome the next generation into cybersecurity careers. That means a stronger focus on adult education, professional workplace training and industry-recognised certification.
At this key moment in the evolution of digital business and the changes in the way society functions day-to-day, certification plays an essential role in providing trust and confidence on knowledge and skills. Employers, government, law enforcement – whatever the function, these organisations need assurance that cybersecurity professionals have the skills, expertise and situational fluency needed to deal with current and future needs.
Certifications provide cybersecurity professionals with this important verification and validation of their training and education, ensuring organisations can be confident that current and future employees holding a given certification have an assured and consistent skillset wherever in the world they are.
The digital skills focus of European Cybersecurity Month is a reminder that there is a myriad of evolving issues that cybersecurity professionals need to be proficient in including data protection, privacy and cyber hygiene to name just a few.
However, certifications are much more than a recognised and trusted mark of achievement. They are a gateway to ensuring continuous learning and development. Maintaining a cybersecurity certification, combined with professional membership is evidence that professionals are constantly improving and developing new skills to add value to the profession and taking ownership for their careers. This new knowledge and understanding can be shared throughout an organisation to support security best practice, as well as ensuring cyber safety in our homes and communities.
Ultimately, we must remember that cybersecurity skills, education and best practice are not just a European issue, and neither are they a political issue. Rather, this is a global challenge that impacts every corner of society. Cybersecurity mindfulness needs to be woven into the DNA of everything we do, and it starts with everything we learn.
Microsoft has released a new report outlining enterprise cyberattack trends in the past year (July 2019 – June 2020) and offering advice on how organizations can protect themselves.
Based on over 8 trillion daily security signals and observations from the company’s security and threat intelligence experts, the Microsoft Digital Defense Report 2020 draws a distinction between attacks mounted by cybercriminals and those by nation-state attackers.
The cybercrime threat
In the past year, cybercriminals:
- Were quick to exploit the fear and uncertainty associated with COVID-19 as a lure in phishing emails, and the popularity of some SaaS offerings and other services
- Exploited the lack of basic security hygiene and well-known vulnerabilities to gain access to enterprise systems and networks
- Exploited supply chain (in)security by hitting vulnerable third-party services, open source software and IoT devices and using them as a way into the target organization
More often than not, phishing emails impersonate a well-known service such as Office 365 (Microsoft), Zoom, Amazon or Apple, in an attempt to harvest login credentials.
“While credential phishing and BEC continue to be the dominant variations, we also see attacks on a user’s identity and credential being attempted via password reuse and password spray attacks using legacy email protocols such as IMAP and SMTP,” Microsoft noted.
The attackers’ reason for exploiting these legacy authentication protocols is simple: they don’t support multi-factor authentication (MFA). Microsoft advises enabling MFA and disabling legacy authentication.
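Until legacy authentication is disabled, sign-in logs can be searched for the pattern described above: one source failing against many different accounts over IMAP or SMTP. The following is an added detection example, not code from Microsoft or from the report; the CSV log layout, the thresholds and the sample lines are constructed assumptions, and POP3 is included as a further legacy protocol.

```python
# Added example: flag password-spray behaviour over legacy mail protocols.
# Log layout (assumed): timestamp,source_ip,account,protocol,result
import csv
from collections import defaultdict
from datetime import datetime, timedelta

LEGACY = {"IMAP", "POP3", "SMTP"}  # basic-auth protocols with no MFA step

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2020-09-01T08:00:03Z,198.51.100.7,alice@example.com,IMAP,failure
2020-09-01T08:00:41Z,198.51.100.7,bob@example.com,IMAP,failure
2020-09-01T08:01:17Z,198.51.100.7,carol@example.com,SMTP,failure
2020-09-01T08:02:02Z,198.51.100.7,dave@example.com,IMAP,failure
2020-09-01T08:02:50Z,198.51.100.7,erin@example.com,IMAP,failure
2020-09-01T08:03:30Z,198.51.100.7,frank@example.com,SMTP,failure
2020-09-01T08:40:12Z,198.51.100.7,erin@example.com,IMAP,success
2020-09-01T09:10:00Z,203.0.113.20,gina@example.com,IMAP,failure
2020-09-01T09:10:20Z,203.0.113.20,gina@example.com,IMAP,failure
2020-09-01T09:11:05Z,203.0.113.20,gina@example.com,IMAP,success
2020-09-01T09:15:00Z,192.0.2.44,alice@example.com,OAUTH2,success
"""


def parse_events(text):
    """Turn CSV log text into (time, ip, account, protocol, result) tuples."""
    events = []
    for ts, ip, account, proto, result in csv.reader(text.strip().splitlines()):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, ip, account.lower(), proto.upper(), result.lower()))
    return events


def detect_legacy_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Report sources that fail against >= min_accounts accounts within window.

    A spray tries few passwords against many accounts, so the signal is the
    number of distinct accounts per source, not the number of failures per
    account (which lockout policies already watch).
    """
    by_ip = defaultdict(list)
    for event in events:
        if event[3] in LEGACY:  # modern-auth sign-ins are out of scope here
            by_ip[event[1]].append(event)

    alerts = []
    for ip, ip_events in by_ip.items():
        ip_events.sort(key=lambda e: e[0])
        failures = [e for e in ip_events if e[4] == "failure"]
        widest = set()
        start = 0
        for end in range(len(failures)):  # sliding time window over failures
            while failures[end][0] - failures[start][0] > window:
                start += 1
            accounts = {e[2] for e in failures[start:end + 1]}
            if len(accounts) > len(widest):
                widest = accounts
        if len(widest) >= min_accounts:
            # Any legacy success from a spraying source needs a password reset.
            hits = sorted({e[2] for e in ip_events if e[4] == "success"})
            alerts.append({"source_ip": ip,
                           "accounts_targeted": len(widest),
                           "successful_logins": hits})
    return sorted(alerts, key=lambda a: a["source_ip"])


if __name__ == "__main__":
    for alert in detect_legacy_spray(parse_events(SAMPLE_LOG)):
        print(alert)
```

The single user who mistypes a password twice (203.0.113.20 in the sample) is not flagged, because only one account is involved.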
Cybercriminals are also:
- Increasingly using cloud services and compromised email and web hosting infrastructures to orchestrate phishing campaigns
- Rapidly changing campaigns (sending domains, email addresses, content templates, and URL domains)
- Constantly changing and evolving payload delivery mechanisms (poisoned search results, custom 404 pages hosting phishing payloads, etc.)
One of the biggest and most disruptive cybercrime threats in the past year was ransomware – particularly “human-operated” ransomware wielded by gangs that target organizations they believe will part with big sums if affected.
These gangs sweep the internet for easy entry points or use commodity malware to gain access to company networks and change ransomware payloads and attack tools depending on the “terrain” they landed in (and to avoid attribution).
“Ransomware criminals are intimately familiar with systems management concepts and the struggles IT departments face. Attack patterns demonstrate that cybercriminals know when there will be change freezes, such as holidays, that will impact an organization’s ability to make changes (such as patching) to harden their networks,” Microsoft explained.
“They’re aware of when there are business needs that will make businesses more willing to pay ransoms than take downtime, such as during billing cycles in the health, finance, and legal industries. Targeting networks where critical work was needed during the COVID-19 pandemic, and also specifically attacking remote access devices during a time when unprecedented numbers of people were working remotely, are examples of this level of knowledge.”
Some of them have even shortened their in-network dwell time before deploying the ransomware, going from initial entry to ransoming the entire network in less than 45 minutes.
Gerrit Lansing, Field CTO, Stealthbits, commented that the speed at which a targeted ransomware attack can happen is really determined by one thing: how quickly an adversary can compromise administrative privileges in Microsoft Active Directory.
“Going from initial infiltration to total ownership of Active Directory can be a matter of seconds. Once these privileges are compromised, an adversary’s ability to deploy ransomware to all machines joined to Active Directory is unfettered, which explains how an adversary can go from initial infiltration to total ransomware infection in such a short period of time,” he noted.
Finally, to counter the threat of supply chain insecurity, Microsoft advises companies to:
- Vet their service providers thoroughly
- Use systems to automatically identify open source software components and vulnerabilities in them
- Map IoT assets, apply security policies to reduce the attack surface, use a different network for IoT devices, and be familiar with all exposed interfaces
The company has been following and mapping the activities of a number of nation-state actors and has found that – based on the nation state notifications they deliver to their customers – the attackers’ primary targets are not in the critical infrastructure sectors.
Instead, the top targeted industry sectors are non-governmental organizations (advocacy groups, human rights organizations, nonprofit organizations, etc.) and professional services (consulting firms and contractors).
Microsoft found the most common attack techniques used by nation-state actors in the past year are reconnaissance, credential harvesting, malware, and VPN exploits. Web shell-based attacks are also on the rise.
The report delineates steps organizations can take to counter each of these threats as well as to improve their security and the security of their remote workforce.
“Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace; that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies, and, especially, enabling MFA. Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks,” the Microsoft Security Team concluded.
Entrust Datacard released the findings of its survey which highlights the critical need to address data security challenges for employees working from home as a result of the pandemic based on responses from 1,000 US full-time professionals.
As social distancing mandates took effect in March 2020, employers found themselves in a massive remote work experiment, testing their cybersecurity readiness. Home workplaces introduce new risks as many employees find themselves distracted and are using personal devices to connect to corporate resources.
Bad actors have taken advantage – there was a 350 percent increase in phishing attacks in March, according to Google data.
Home workplaces and password hygiene
When it comes to home workplaces, password hygiene is of the utmost importance. Despite this, the survey found that an astounding 42 percent of employees surveyed still physically write passwords down, 34 percent digitally capture them on their smartphones and 27 percent digitally capture them on their computers.
Additionally, nearly 20 percent of the employees are using the same password across multiple work systems, multiplying the risk of sensitive data if a password is compromised or stolen.
“While many employees are set up to work securely by their employers, they continue to seek simplicity, even if that means insecure password practices and higher risk. As organizations continue to support employees working from home, it’s clear that they need to ramp up cybersecurity training and technology,” said James LaPalme, Vice President & General Manager of Authentication Solutions at Entrust Datacard.
“Encryption combined with advanced authentication, including passwordless solutions that leverage smartphone biometrics, can deliver the frictionless experience employees seek and the confidence organizations require. These solutions will one day make World Password Day obsolete and I don’t think employees or employers will miss it.”
In addition to password practices, the survey revealed several insights into employee sentiment toward remote work and cybersecurity.
Nearly half of workers are receiving COVID-related phishing emails
Employees surveyed are well aware both of phishing scams in general (82 percent) and of phishing scams specifically related to COVID-19 (81 percent) – in fact, 45 percent say they have received a COVID-19-related email from an unknown sender.
Despite this high awareness, roughly one-quarter (24 percent) of employees say they’ve clicked on a link from an unknown sender before determining their legitimacy, while just 36 percent deleted the email and only 12 percent reported the email.
Workers not set up properly for good cyber-hygiene while remote
The majority of employees surveyed (63 percent) are connecting to their company’s VPN during this time, yet they are using unique passwords to access different company resources (64 percent), rather than a more secure solution like single sign on with multifactor authentication.
Anxiety and inadequate technology as key remote work challenges
Most employees (59 percent) surveyed find it more difficult to get their work done while working remotely during the pandemic. Of those who said it’s more difficult, 26 percent are finding it much more difficult.
External distractions, COVID-19 related anxiety and inadequate amenities (i.e. slow internet) are the top three-cited reasons for this heightened difficulty. Additionally, remote workers in education, government, healthcare and manufacturing cite the challenge of work duties that do not always translate to remote work.
Remote workers are sharing devices with family members
While working from home under stay-at-home orders, 36 percent of employees surveyed are using one or more personal devices to access company files — these create opportunities for employees to make use of shadow IT, creating risks (i.e., phishing, malware, DDoS).
Moreover, 29 percent of those using one or more personal devices to work share that device with other members of their household, creating further risk.
Consumers are skeptical their personal data is safe
Survey respondents feel less confident about their security when handling personal business. Sixty-eight percent of respondents are doing more personal business online during the pandemic, including shopping, banking and social media, and more than half (58 percent) are skeptical of the level of security provided by these online vendors and service providers.
Employees — particularly Gen Z — don’t expect a return to the office as usual
Social distancing mandates have forced employers to embrace remote work, and employees to rethink their expectations. Forty-four percent of all respondents expect to work from home either more frequently (33 percent) or permanently (11 percent).
These percentages are markedly higher among Gen Z (ages 18-23) employees, fully half of whom (50 percent) do not anticipate a return to work as usual.
Human beings are poor judges of risk. For example, we perceive the risk of air travel to be higher than it actually is after a fatal aviation-related accident happens.
We also tend to dismiss risks just because we don’t see a tangible negative impact right away. This is, for example, what prevents many from making dental hygiene a priority: we all know dental hygiene is critical to our health and a relatively easy “investment”, but when nothing bad happens immediately after skipping teeth brushing once, many stop being regular about it.
“It is hard or impossible to predict just how many times of skipping a good brushing it takes to get you in trouble with tooth pain, so we tend to take on more risk until we end up getting toothache and regret not investing enough on proactive maintenance,” Ehsan Foroughi, Vice President of Products at Security Compass, told Help Net Security.
“For security, in many cases it starts with skipping it and taking risky shortcuts when the product is not yet widely adopted or the company is small and young. But as it grows and the risk grows, we tend to overlook that until something bad ends up happening.”
Obstacles to surmount on the path to better security
Another thing that makes companies brush aside security is competition.
“Software is becoming the core of every industry’s competitive advantage and there is a lot of pressure from the market and competition to release new software or improvements to existing software faster and at a lower cost (so that a limited investment can yield more results),” he noted.
“Proper security hygiene, when done in the traditional way, gets in the way of agility and creates the dilemma: should we take on risk to move fast in the business, or should we slow down and do the right thing? Unfortunately, human nature pushes many to choose the fast and risky approach which leaves them with a ticking time-bomb of a security incident waiting to happen.”
Barriers to pragmatic security decisions
Other roadblocks to sensible security decision-making include:
- Engineers not being well versed in security understanding and practices, as well as having a hard time communicating complex issues to business stakeholders
- Executives and decision-makers at the business level lacking education and awareness around the topic, most specifically around the foundations of software security
- Security teams being perceived as the only owner of the organization’s security.
What can CISOs do to make things better?
Like quality, security should be everybody’s job and responsibility, not just the QA/security team’s.
One of CISOs’ goals should be to improve security culture across the organization, by raising awareness, educating, consulting, promoting and providing processes and tools.
“When it comes to education, many think of hard skills such as security testing and coding skills. However, educating staff on how security affects the bigger business, how it can reduce revenue if not done right, and how it can affect them directly, is critical,” Foroughi noted.
He also advises CISOs not to wait for disaster. “The worst time to fix things is when an audit fails. Also, it costs a lot more to wrestle with malware clean ups and deal with ransomware than to enforce policies to protect data – so shift left and invest in proactive measures.”
But, at the same time, they should take care not to go overboard: enforcing extreme policies without regard for the value of assets being protected or the impact to productivity and usability often results in people bypassing the policies, and that would be even more harmful.
Preparing for the future
Foroughi expects the compliance and technology landscapes to get more complex and demanding.
When it comes to introducing new technologies and the need for employees to have the skills to wrangle them, he advises organizations not to focus on a specific skill set when hiring, but to look for foundational understanding in individuals.
“If you have the right people on board and the culture enables them to take initiative, they will bring the latest technology into the organization and will have the capability to quickly learn and adapt to deal with new problems,” he explained.
The problem of balancing security vs. time to market will also get harder to address, he says.
First and foremost, CISOs should be pragmatic and focus on getting 80% secure and 80% fast instead of choosing one over another.
They should also know that they will have an easier time getting buy-in from the rest of the organization if they learn how decisions in the CISO’s domain affect the larger business and how to present proposals for future investment using that perspective.
In general, CISOs have to educate executives on how security and risk management affect business goals and on the importance of finding the balance.
“Invest in automating the balanced approach to development and prioritize this investment,” he concluded. “When asking the developers to cooperate with you to roll out this automation, start by explaining why you are doing this – you will face much less resistance.”
In anticipation of his keynote at HITB Security Conference 2020 in Amsterdam, we talked to Jon Callas, a world-renowned cryptographer, software engineer, UX designer, and entrepreneur.
Before joining the ACLU as senior technology fellow, he was at Apple, where he helped design the encryption system to protect data stored on a Mac. Jon also worked on security, UX, and crypto for Kroll-O’Gara, Counterpane, and Entrust. He has launched or worked on the launches of many tools designed to encrypt and secure personal data, including PGP, Silent Circle, Blackphone, DKIM, ZRTP, Skein, and Threefish.
You’ve been in the cybersecurity industry for a long time, taking on a variety of roles. What advice would you give to those just entering this industry? What pitfalls can they expect?
There are things that have been true for technical people for decades and will continue to be true.
Expertise gets common, gets automated, and then the people pushing buttons on the automated tool think they are experts; they might be. About half the things you know will be obsolete after five years, so you’ll have to learn new things and maybe pivot your career.
The best thing to work on is always something that excites you. Everyone does a good job on what they like and bad on things that bore us. When (not if) you need to make a change, it might take a couple of years. A once-in-a-lifetime opportunity will come to you every year or two. If you miss this one, there will be another. And yet, the right opportunity never comes at the perfect time.
Technology changes, people are the same. People will always be lazy. They’ll always forget things and lose things. Assume stupidity over malice. Build your systems so they take advantage of people’s flaws when you can, or at least won’t be destroyed when they don’t know and don’t care.
Year after year, data breach losses continue to rise. What is the cybersecurity industry doing wrong? There’s plenty of innovation, yet most organizations fail at basic security hygiene.
I think you’re hitting on the exact thing. It’s closely related to what we were talking about before — people are lazy, stupid, and don’t want to spend money. They will want to know why they need to buy a lock if no one has broken in.
A cybersecurity company will have a brilliant idea, and that brilliant idea will be a solution to some problem, and often prevention would have worked better. Meanwhile, it’s really hard to sell prevention both as a company and as a cybersecurity group. It’s hard to show metrics about what was prevented.
Thus we have a kind of evolutionary process here. The companies we see being successful are the ones selling things people want to buy. There are a lot of companies selling things people need but they don’t want to buy and those companies struggle.
That’s why what we see of the cybersecurity industry is not addressing these basic issues. And yet, the organizations that are failing are failing because they don’t want to do those basic things.
I snark that CISO stands for Chief Intrusion Scapegoat Officer. The CISO is the person that you fire because the bad thing they said was going to happen unless measures were improved really happened. It’s their fault that measures weren’t improved, right? I know security officers who have left their job because they weren’t being listened to and knew that the inevitable breach would be blamed on them.
What’s your take on the global privacy erosion brought on by large social networks?
I’m really glad to see policy reactions coming from that. I like GDPR. I like CCPA (the new California privacy act). No, they’re not perfect. As time goes on, likely we need to tweak or come up with interpretations of the gray areas in each, but they’re good. We need both policy and technology to protect us, along with privacy norms. We technical people tend to scoff, but norms work.
Today, most web sites are using TLS and that’s a norm; we expect that a site will use TLS and that expectation is a norm. The technical backing for that new norm is that we changed from presenting a lock for TLS to saying that the lack of it is not secure.
How do you expect encryption technologies to evolve in the next decade? What would you like to see implemented/created?
I expect that we’ll see a number of things sorted out in choices for post-quantum public key crypto, but still talking about the eventuality of quantum computers. I expect we’ll still be waiting for homomorphic encryption to be efficient enough for the uses we’d like, as well as waiting for multiparty computation to speed up more. I expect we’re still going to have law enforcement wanting to get into encryption, as well.
In related fronts, I’m hoping we’ll have more verification like certificate and key transparency, formally verified implementations of important algorithms, and a number of interesting new protocols.
I think that the important thing for us all to remember is that encryption is a technology that implicitly rearranges power. It is implicitly political as well as personal. I think that this is why everyone finds it alluring.