Expert Perspectives

On the Front Lines of Incident Response, It’s a Little Like “Groundhog Day”

Many of the same e-mail-related mistakes continue to crop up. Here are some common-sense measures to escape this endless loop

If you want a sense of what it’s like to work in incident response nowadays, watch Groundhog Day, the classic comedy film where Bill Murray plays a weatherman who finds himself reliving the same day in an endless loop.

The folks working the security barricades know the feeling. No matter how much we preach the gospel of best practices, employee lapses still repeat with predictable regularity - leading to costly cyber mistakes that make it all too easy for attackers to steal company data. This is particularly true when it comes to e-mail compromises and phishing outbreaks.

At first blush, all this might sound like bad news, what with incident response teams forced to put out the same fires over and over again. Just as frustrating is the fact that most of the resulting breaches are easily avoidable.

However, the encouraging news is that this fate isn’t etched in stone. In fact, organizations can dramatically reduce their security risk by adopting common-sense measures. I’ll get to that shortly but let’s first look at some of the common problem areas.

Cloud E-Mail Accounts: Easy Access is often Easy Prey

E-mail has always been an attack surface with its own assortment of challenges, but the exposure is especially acute now that so many organizations are migrating data to cloud-based applications. A single mistake by one user can put the entirety of a company's data in jeopardy.

At the same time, attackers are getting increasingly savvy and are sending out phishing e-mails designed to look as if they come from inside the organization. The e-mails typically prompt users to change their password or to enter it into a new web window that is really the attacker's harvesting page. Once they've captured the user's credentials, phishers have complete access to that user's e-mail account (and, in the absence of good network segmentation and access controls, potentially the ability to roam at leisure through the rest of the network). Most users won't fall for a phish like this, but even with a good training program in place a large enough fraction will that it is a serious security concern.
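The two tells in the phish described above are a sender that claims the organization's own domain without having been sent by it, and a password lure pointing at an outside host. The following is an added example (not code from the original post or from Symantec) of a mail-gateway style check for both, written against constructed sample messages. It assumes a hypothetical internal domain `example.com` and a gateway `mx.example.com` that stamps Authentication-Results (RFC 8601) on inbound mail; only headers carrying that gateway's own authserv-id are trusted, because an attacker can inject a forged Authentication-Results header before the message reaches you.

```python
"""Flag inbound mail that claims an internal sender but fails DMARC, or that carries
a credential lure pointing at an external host. Added example; names are assumptions."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"   # assumption: the organization's own mail domain
GATEWAY_ID = "mx.example.com"     # assumption: authserv-id of the gateway we trust
LURE_WORDS = ("password", "verify your account", "re-enter", "expire")

# Constructed sample: the phish from the text. From: claims the internal domain, but the
# gateway saw SPF fail for an outside relay, no DKIM signature, and therefore DMARC fail.
SPOOFED_INTERNAL = b"""\
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Action required: your password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bounce.mailer-relay.net; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain; charset=utf-8

Your password expires today. Re-enter your password at
https://login-example-com.mailer-relay.net/reset to keep access.
"""

# Constructed sample: ordinary internal mail that authenticates cleanly.
LEGIT_INTERNAL = b"""\
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Cafeteria at noon? Menu is at https://intranet.example.com/menu
"""


def auth_results(msg) -> dict:
    """Collapse the trusted gateway's Authentication-Results into {method: result}."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id = hdr.split(";", 1)[0].strip()
        if authserv_id != GATEWAY_ID:
            continue  # header not added by our gateway: could be attacker-supplied
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.IGNORECASE):
            results[method.lower()] = result.lower()
    return results


def external_links(msg):
    """Return (set of non-internal link hosts, body text) for the preferred text part."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = set()
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = (urlparse(url).hostname or "").lower()
        if host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN):
            hosts.add(host)
    return hosts, text


def assess(raw: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = auth_results(msg)
    if from_domain == INTERNAL_DOMAIN and auth.get("dmarc") != "pass":
        findings.append(f"claims internal sender {addr} but DMARC result is "
                        f"{auth.get('dmarc', 'missing')}")
    hosts, text = external_links(msg)
    if hosts and any(word in text.lower() for word in LURE_WORDS):
        findings.append("credential lure with external link(s): " + ", ".join(sorted(hosts)))
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_INTERNAL), ("legit", LEGIT_INTERNAL)):
        print(label, assess(sample) or "clean")
```

Note what the first check cannot do: mail sent from a genuinely compromised internal account passes SPF, DKIM and DMARC, because it really did come from your tenant. For that case only the second check (a password lure pointing off-domain) and the user's own suspicion remain, which is the reason the post keeps coming back to a second authentication factor rather than to filtering alone.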

A further observation about the structural shift now underway: as enterprises move from the on-prem to the cloud world, the best practices they deployed to protect data stored within their own four walls no longer suffice. Putting up a static perimeter firewall and adding anti-virus software to the network simply isn't enough in a world where data is in transit and accessible from any number of endpoints.

Also, there's lingering confusion about the role that cloud suppliers play in protecting customer information. In general, the underlying systems run by the likes of Microsoft or Amazon are quite secure. Still, under the shared-responsibility model the customer has to take the lead in ensuring that access to its data stored on those systems is secure. That involves more work to make sure that employees use effective passwords (length matters far more than forced complexity rules), change a password promptly when there is any sign it has been exposed (current guidance such as NIST SP 800-63B no longer recommends forced periodic rotation, which mostly yields predictable variations of the old password), and don't reuse the same password for other online accounts, since a breach at some unrelated site is a very common way in which corporate credentials are harvested by bad guys. Companies also need to ensure there are adequate additional authentication methods to keep interlopers out.

Locking it down – Two-Factor/Multi-Factor Authentication

One easy way to add an extra layer of protection for remote access is to deploy two-factor authentication (2FA), the most common form of multi-factor authentication (MFA). All you need is some other factor in conjunction with the username and password: a hardware token, an authenticator app, or, as a weaker fallback, a code sent by text message to a phone (SMS codes can be intercepted or captured through SIM swapping, so prefer the first two where you can). What matters is that another solid form of authentication is part of the credentialing process. The great benefit of a good 2FA/MFA solution is that compromise of a username and password becomes a relatively trivial inconvenience from a practical standpoint, because those credentials are of little or no use to an attacker without the additional factor(s).

Now, 2FA isn't a 100% guarantee. Attackers do find ways to work around it, for example real-time phishing proxies that relay the user's one-time code to the real login page, or push-notification "fatigue" attacks that badger a user into approving a sign-in they didn't start; only phishing-resistant factors such as FIDO2/WebAuthn security keys, which bind the login to the genuine site's origin, close that gap. Even ordinary 2FA, though, makes the probability of an account compromise much lower. It is also a relatively unobtrusive measure that won't get in the way of users doing their work: one additional step that takes all of a few extra seconds.
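To make concrete what the "authenticator app" factor actually is, here is an added example (not code from the original post or from Symantec) of the time-based one-time password scheme those apps implement, HOTP from RFC 4226 and TOTP from RFC 6238, together with a server-side verifier. The demo secret is the reference vector key from those RFCs, so the codes it produces are checkable against the published test vectors; the step size, digit count and the one-step clock-skew window are the usual defaults and are assumptions of this example.

```python
"""HOTP/TOTP second factor (RFC 4226 / RFC 6238) with a replay-resistant verifier.
Added example; the demo secret is the RFCs' reference vector key, not a real credential."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

DEMO_SECRET = b"12345678901234567890"   # RFC 4226/6238 reference key (constructed demo value)
STEP_SECONDS = 30                       # assumption: standard 30-second time step
DIGITS = 6                              # assumption: standard 6-digit code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter derived from Unix time: C = floor(T / step)."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side: accept codes within +/-window steps, never accept a step twice."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1   # highest time-step counter already consumed

    def verify(self, code: str, at: int) -> bool:
        now_counter = at // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_counter:
                continue   # replay: a code for this step (or earlier) was already accepted
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind authenticator apps scan from a QR code (base32 secret)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    now = int(time.time())
    print("code valid right now:", totp(DEMO_SECRET, now))
    print(provisioning_uri(DEMO_SECRET, "alice@example.com", "ExampleCorp"))
```

Two design points matter in the verifier. The skew window lets a phone whose clock is a few seconds off still log in, but each accepted step is recorded so the same code cannot be replayed inside that window. Note also what the scheme does not do: the code is just six digits typed into whatever page asks for them, so a phishing proxy that forwards the code to the real site within the same 30 seconds gets in; that is the gap the phishing-resistant factors mentioned above close.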

In practice, however, we still find resistance in certain sectors where some view 2FA as a needless burden. Given the myriad of threats that now target corporate email systems, don't assume that your email system is secure, or that it isn't of considerable value to an attacker. Regardless of an organization's policies to the contrary, many employees still store sensitive information in e-mail. That's just human nature. And beyond reading all of that user's e-mail correspondence, an attacker can impersonate that person to send e-mails that compromise additional users' accounts, gain additional sensitive data, and in some cases steal money by ordering payments or funds transfers (Business Email Compromise). So even if an outsider only gains access to an individual e-mail account, the organization can find itself at significant risk.

Additionally, a compromised e-mail account is often used by attackers to send out (frequently legitimate-looking) phishing e-mails to other users within the same organization, and sometimes to customers and partners. This, in turn, can result in a string of additional compromises and the spread of the phishing campaign to other organizations. Once a compromise happens, and with many organizations it's only a matter of when, not if, you're going to wind up playing "whack-a-mole" indefinitely until you get 2FA and other security measures in place. Until then, you're going to keep doing password and account resets and responding to additional compromised accounts, wasting valuable time that could be better invested in other pursuits.

I know some of you are likely reading this thinking, “We know this already… there’s nothing really new here.” That’s precisely my point. As long as 2FA/MFA has been available, and as often as I’ve heard it suggested – and suggested it myself - as a best practice, I’m amazed that we still run into this as often as we do in the wild. But it remains a significant problem, and phishing outbreaks and compromises are something we still respond to on a regular basis.

If your organization is like most, you allow some form of remote access so employees can reach e-mail and other data to do their work from home or on the go. If you don't have and enforce common-sense password policies and a 2FA/MFA scheme for access to that data, you're putting your organization at risk, and will almost certainly be dealing with successful phishing outbreaks at some point.

By following these fairly simple security measures, you can significantly increase your organizational security, focus on other more pressing security issues, and save playing whack-a-mole for the arcade.

About the Author

Shawn Dorsey

Director, Americas Incident Response, Symantec Cyber Security Services

Shawn Dorsey runs the Incident Response service for the Americas. In this role, he and his team of investigators help customers prepare for, respond to, contain, and investigate cyber threats.