Cybersecurity Insights: Moriah Hara

July 18, 2019



When VMware approached me, they mentioned the theme of today was intrinsic security, and I absolutely fell in love with the term. But the first thing that came to my mind was: how do I get intrinsic security into the brainwaves of employees of organizations in our country? Because that is the layer that I am most concerned about. Over the last five years, about 70% of the breaches that I've experienced as a CISO, the ones that had the most impact from a financial perspective, were the result of penetrating people. We know that because people are wired to trust, and that's really what the attackers know and what they take advantage of. 91% of attacks, like the ones on the Democratic National Committee and the one at Yahoo, all started with a phishing email.

So why are people wired to trust? Well, in order to develop friendships, meet new colleagues in the workplace, hand over our children to daycare centers or to schools, we have to trust. We do it every day. There's actually some research that says that a feel-good hormone called oxytocin gets released when you trust and build new relationships. If you look at this slide, this is someone with a blindfold on, about to jump out of an airplane, and many people who are dedicated to the mission, if someone who they think is their boss asks them to jump out of a plane, they would.

So I have some very real examples that I've seen, and many of my colleagues have seen. It hits all of us, sometimes at the same time, where we see both junior folks and very senior folks get affected at the same layer. We had one where a traveling CEO sent her an email saying, "Listen, I'm in an airport, I just changed banks, I really need you to change my bank account." She responded, "Of course, company policy means that you have to sign in to our portal and do it on your own." She sent that back, and the imposter CEO doubled down and said, "No, really, this has to be done this afternoon, and please CC your manager." So she did it; she didn't want to get fired. I'm sure this happens in real life with real CEOs that need things like this; these ad hoc requests happen, and she did it.

The other situation, which was a little more impactful, was something called a woman- or man-in-the-middle browser attack, where one of our CFOs, all they did was click on a link in one of the many phishing emails that you get. They clicked the link, they didn't enter their credentials, he thought that was all there was to it, but it did download an invisible malware, a banking Trojan called Emotet. So when he typed in the URL of his legitimate banking site, the malware basically gave him a prompt that the malware created on his machine. When he put in his username, password, and one-time text token, the hacker then captured that, logged in, and moved the money.

The other one, which is probably the most sophisticated, was where we had a hacker actually sitting inside the email account of a payroll clerk, and the attacker was watching for about a month how the analyst was processing payments, what sort of invoices were coming across the desk. The hacker finally found a $1.8 million payment that had to go out to a vendor. She then decided this was the one, so she created a false second-line approval email that was sent to the back office for processing, saying, "Please reroute the payment to this bank account number." So this goes to process. A lot of companies are now revamping, not relying on email, because fundamentally email is not a secure medium to process money in these amounts. So the payment, which was over a million dollars, actually did go outbound and was not able to be recovered.

All right, so people, process, technology. We've all heard about it at the beginning of our career. It really does come true to life as you move through your career and you see how the combination of the three is the most effective way to mitigate most security problems. So, solutions. The first one is understanding which user groups are most affected. LinkedIn is where attackers are going; they're looking for people in payroll, HR, or finance. As I mentioned, I've seen CEOs and CFOs making millions of dollars clicking as often as very junior folks. So my recommendation is getting everyone in the finance team, everyone in the HR teams, as well as the administrative assistants of your business management, who often have full access to your CEO's or CFO's email box, and having in-person training. With most web-based training, when I ask folks to be transparent, they usually say they try to click through it. So with any anti-phishing security training you're doing, people really want to do something else, and they click through it. I recommend going there in person, answering their questions authentically; it'll also show them how important it is to you. Also, giving one-hour training once a year is just not the way we as CISOs are seeing it to be effective. People learn much better with rapid, short bursts of training using gamification and interactive techniques.

We're also inserting warning messages, either in the header and/or the body of an email, so the first time you receive an email from an external sender, there's going to be a warning in red saying, "Are you sure you know this person? Act with caution." We also are recommending adding phishing buttons, "report me" buttons, in your taskbar. It makes it easier for users to just click a button; it gets routed to the right teams that can analyze whether those are bad mails.

Lastly, technology: implementing best-of-breed email security gateways, creating VIP lists of those that are most targeted, and creating enhanced monitoring. Ultimately, two-factor authentication for any type of web-based mail, personal or corporate, as well as two-factor for privileged accounts, is absolutely essential.

I will also say, in terms of getting or hacking into the brains of the employees in your organization, use them. Use them to figure out what resonates with them. In fact, one of the portfolio companies that I worked with was a marketing and advertising company, and they knew their culture: they were creatives, they were very, very skeptical. So they really used that mindset to turn around the topic, and it worked very effectively.

So, you know, we talked about reducing the attack surface, we talked about building in security. The CEO of VMware at the recent RSA conference talked about how 80% of security products today and 80 percent of capital that's going into new security startups are on the reactive front. We need to shift that to the proactive front, and making sure that security is intrinsic, both in your infrastructure and your applications, as discussed earlier, as well as inside your people, is absolutely essential to the success of your security story.
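One way to implement the first-contact external-sender warning the talk recommends, as an added example that is not the speaker's or VMware's code: the internal domain, the addresses and the sample messages are all constructed for the demo, and it handles only text/plain bodies.

```python
"""Mail-flow hook: mark mail from outside the organization and, on the first
message from a given outside address, put the warning into a header and the
body. INTERNAL_DOMAINS, the addresses and SAMPLES are constructed for the demo."""
import email
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.test"}  # assumed: the organization's own domain
WARNING = ("[EXTERNAL SENDER - FIRST CONTACT] Are you sure you know this person? "
           "Act with caution.")

def classify_sender(from_header, seen):
    """Return (address, is_external, is_first_contact) and record the sender."""
    addr = parseaddr(from_header)[1].lower()
    domain = addr.rpartition("@")[2]
    external = domain not in INTERNAL_DOMAINS
    first = external and addr not in seen
    if external:
        seen.add(addr)
    return addr, external, first

def tag_message(raw, seen):
    """Parse one RFC 5322 message and add the warning header/body when needed."""
    msg = email.message_from_string(raw)
    addr, external, first = classify_sender(msg.get("From", ""), seen)
    if external:
        msg["X-External-Sender"] = "yes"
    if first:
        msg["X-First-Contact-Warning"] = WARNING
        if not msg.is_multipart():  # demo keeps to single-part text bodies
            msg.set_payload(WARNING + "\n\n" + msg.get_payload())
    return msg, first

# Constructed samples: one internal mail, then two from the same outside address
# that imitates the "traveling CEO" request from the talk.
SAMPLES = [
    "From: Alice <alice@example-corp.test>\nSubject: lunch\n\nSee you at noon.\n",
    "From: CEO <ceo@example-c0rp.test>\nSubject: urgent\n\nI changed banks, update my account today.\n",
    "From: CEO <ceo@example-c0rp.test>\nSubject: re: urgent\n\nPlease CC your manager.\n",
]

def run_demo():
    """Return the first-contact flag for each sample, in order."""
    seen = set()
    return [tag_message(raw, seen)[1] for raw in SAMPLES]

if __name__ == "__main__":
    seen = set()
    for raw in SAMPLES:
        msg, first = tag_message(raw, seen)
        print(msg["From"], "| external:", msg["X-External-Sender"], "| first contact:", first)
        print("  " + msg.get_payload().splitlines()[0])
```

In a real gateway the `seen` set would be a per-mailbox store rather than an in-memory set, so the warning appears once per sender and recipient pair.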
