Disobey 2019


The Nordic Security Event

11.– 12. 1. 2019 Kaapelitehdas, Helsinki

Disobey is a Nordic security event where like-minded individuals gather to share information and to train the skills our adversaries use against us.

SMEs might not have the resources or know-how to shield themselves against cyberattacks. But it is an important part of defense for any enterprise, as today you do not exist unless you have online presence. At least the company must have an email address, most probably an email address for each employee and perhaps some general-purpose addresses.

The weakest link in the information security chain is always the people. Usually the security level of systems and programs is good, at least when you remember to install all security updates. No system is invulnerable to attacks, but it takes a lot of time and effort to break in. It is much easier to try to get in by making the people do something they are not supposed to do. That does not mean that secure programs and systems are not important, but that it is always in the end a human error.

There are several methods the attackers use when trying to get access to sensitive data. The one thing in common to those is that they try to get you to react with your lizard brain rather than with your intelligence. People are still just animals and when faced with a quick decision they use the lizard brain if they do not take the time to pause and think about it. These frauds always try to make you do quick decisions and make you react with feeling rather than reason. Intelligent people sometimes think they are immune to this kind of attacks and that can backfire. Research shows that intelligent people might even be more vulnerable to this kind of attacks, especially men.

One method is posing as an authority. Anyone can introduce themselves as a police officer on the phone, but you have no way of really knowing if the person is who he says he is. The speaker was a former police officer and he said that most people would just tell him everything he wanted to know on the phone even though he could not show his badge to them. The attackers can also use different kinds of authority.

Another method is to make you think you got lucky and won or got something cheap. The advice is to pause for a moment to think on how lucky you usually are. Alarm bells should sound every time something is too good to be true, as it usually is. IPhones are not sold for 1 €, you cannot win in several lotteries every day, that prince in Nigeria will not give you money.  Some of those just take away your money; some sites contain malware that infects your computer.

You might get an email from your email provider saying that you must reset your password because of some suspicious activity. If you click the link in the email you are being told to click you will probably end up in a website that looks exactly like the website of your email provider. The only way to tell them apart is that the address in the address bar of the browser is slightly off. There will even be the green padlock you have been taught to look for in a secure site, as nowadays it is possible to get free certificates from Let’s Encrypt. The padlock only tells you if the site has a certificate, you must click on it to see who has issued it and to whom. This is beyond what can be expected of an average internet user.

The rule of thumb given that never click on email links is not a very good one, as several sites will send a confirmation link in an email that you have to click in order to be able to use the service. A better rule of thumb could be that never give any credentials on any website after clicking on an email link. Many enterprises use the Office 365 email system, which has been targeted with phishing emails that have been targeted at the members of the companies’ executive boards.

Social media is being used to look for possible targets.  Employees should be warned that not everything should be posted to social media. In the presentation there was an example of a tweet that said that all the employee’s coworkers are sick around a very busy time of the year and that the employee’s boss would be on sick leave this week and on holiday the next two. Even though no names were mentioned, it would not be too hard to figure out who the boss is. And if this person is the only one present on a busy week, it means that a bogus invoice could slip through unnoticed. Social media can be a source for a lot of information for the attacker. Even if the information is not in a one tweet like in the example above, it is not hard to piece valuable information together from different sources. People are sharing much more than they should on social media without even thinking twice.

What can be done? It is imperative that the employee that reports a suspicious email or other activity does not feel like he is just wasting the IT-department’s time. Gamification is an effective way to improve people’s ability to spot phishing emails and there are games like this commercially available from companies like HoxHunt. Seminars about cybersecurity can teach the basic skills on how to spot fraudulent emails and keep you and the company safe. Training people is important as the attacks are real and are not targeted just at larger companies. Many times, small and medium enterprises are better targets, as the security measures may not be as good as those of larger enterprises. The most fundamental rule is that you must always be suspicious. That one rule will get you quite far in the world of cybersecurity. The task is to convince the leaders of the company to acknowledge the threats and have them take steps to make the necessary changes.