Phishing has been around for ages and continues to be one of the most common threats that businesses and home users face today. But it’s not like we haven’t all been hearing about the dangers of phishing for years. So why do people still click?
That’s what we wanted to find out when we conducted our most recent survey. We checked in with thousands of office workers across seven different countries to get a global perspective on phishing and people’s individual click habits. Then we partnered with Dr. Prashanth Rajivan, assistant professor at the University of Washington, to gain a deeper understanding of phishing and those habits, as well as how things have shifted during COVID-19 in our new report: COVID-19 Clicks: How Phishing Capitalized on a Global Crisis.
In this blog post, we’ve summarized this comprehensive report and included tips for how to stay safe, but we strongly encourage you to check out the full writeup.
Why do people still click?
3 in 10 people worldwide clicked a phishing link in the past year. Among Americans, it’s 1 in 3.
According to Dr. Rajivan, what we need to consider is that human beings aren’t necessarily good at dealing with uncertainty, which is part of why cybercriminals capitalize on upheaval (such as a global pandemic) to launch attacks.
“People aren’t great at handling uncertainty. Even those of us who know we shouldn’t click on emails from unknown senders may feel uncertain and click anyway. That’s because we’ve likely all clicked these kinds of emails in the past and gotten a positive reward. The probability of long-term risk vs. short-term reward, coupled with uncertainty, is a recipe for poor decision-making, or, in this case, clicking what you shouldn’t.” – Prashanth Rajivan, Ph.D.
Tip # 1
- For businesses: Ensure workers have clear distinctions between work and personal time, devices, and obligations. This helps reduce the amount of uncertainty that can ultimately lead to phishing-related breaches.
- For individuals: Hackers often exploit security holes in older software versions and operating systems. Update software and systems regularly to help shut the door on malware.
Has phishing increased since COVID-19 began?
At least one in five people have received a phishing email related to COVID-19.
There’s no doubt that the global COVID-19 pandemic has changed a lot about how we live and work. According to our survey, 54% of workers spend more time working from home than they did before the pandemic. With more people connecting to the internet outside of corporate networks and away from the watchful eyes of IT teams, it’s to be expected that cybercriminals would take advantage.
“[We’ve seen] massive spikes […] in phishing URLs targeting COVID-related topics. For example, with more people spending time at home, use of streaming services has gone up. In March alone, we saw a 3000% increase in phishing URLs with ‘youtube’ in the name.” – Grayson Milbourne, security intelligence director, Carbonite + Webroot, OpenText Companies
Regardless, the majority of people surveyed still think they are at least as prepared, if not more prepared, to spot phishing email attempts now that they’ve spent more time working from home.
“People are taking increased physical safety measures in the pandemic, including mask wearing, social distancing, more frequent hand-washing, etc. I think this heightened level of precaution and awareness could cause people to slightly overestimate their overall safety, including their safety regarding online threats.” – Prashanth Rajivan, Ph.D.
- For businesses: Know your risk factors and over prepare. Once you’ve assessed the risks, you can create a stronger data breach response plan.
- For individuals: Stay on your toes. By being vigilant and maintaining a healthy dose of suspicion about all links and attachments in messages, you can significantly decrease your phishing risk.
People say they know better. Do they really?
81% of people say they take steps to determine if an email message is malicious. Yet 76% open emails and click links from unknown senders.
When we asked Dr. Rajivan why these numbers don’t line up, he said the difference is between knowing what you should do and actually doing it.
“There are huge differences between knowing what to do and actually operationalizing that knowledge in appropriate scenarios. I suspect many people don’t really take the actions they reported, at least not on a regular basis, when they receive suspicious emails.” – Prashanth Rajivan, Ph.D.
- For businesses: Back up data and ensure employees can access and retrieve data no matter where they are. Accidents happen; what matters most is being able to recover quickly and effectively. Don’t forget to back up collaboration tools too, such as Microsoft® Teams and the Microsoft® 365 suite.
- For individuals: Make sure important data and files are backed up to secure cloud storage or an external hard drive. In the case of a hard drive, make sure it’s only connected while backing up, so you don’t risk backing up infected or encrypted files. If it’s a cloud backup, use the kind that lets you restore to a specific file version or point in time.
What’s the way forward?
All over the world, workers say that in order to be better prepared to handle cyberattacks, they need more education.
According to global respondents, more knowledge and better understanding is key for stronger cyber resilience. The top three things people everywhere said would help them better prepare themselves to handle cyber threats like phishing were: knowing which tools could help prevent an attack, knowing what to do if you fall victim to an attack, and understanding the most common types of attacks.
Dr. Rajivan points out that, if businesses are asking individuals to make changes to their own behavior for the greater safety of all, then they need to make it clear they are willing to invest in their people.
“By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.” – Prashanth Rajivan, Ph.D.
- For businesses: Invest in your people. Empower your people with regular training to help them successfully avoid scams and exercise appropriate caution online.
- For individuals: Educate yourself. Even if your company provides training, Dr. Rajivan recommends we all subscribe to cybersecurity-related content in the form of podcasts, social media, blogs, and reputable information sources to help keep strong, cyber resilient behavior top-of-mind.
Want more details on click habits and shifting risks during COVID-19?
Read our full report, COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, to start building out your cybersecurity education today. And be sure to check back here on the Webroot blog for the latest in news in phishing prevention.
People’s fears and fantasies about artificial intelligence predate even computers. Before the term was coined in 1956, computing pioneer Alan Turing was already speculating about whether machines could think.
By 1997 IBM’s Deep Blue had beaten chess champion Gary Kasparov at his own game, prompting hysterical headlines and the game Go to replace chess as the symbolic bar for human vs. machine intelligence. At least until 2017 when Google’s AI platform AlphaGo ended human supremacy in that game too.
This brief run through major milestones in AI helps illustrate how the technology has progressed from miraculous to mundane. AI now has applications for nearly every imaginable industry including marketing, finance, gaming, infrastructure, education, space exploration, medicine and more. It’s gone from unseating Jeopardy! champions to helping us do our taxes.
In fact, imagine the most unexciting interactions that fill your day. Those to-dos you put off until it’s impossible to any longer. I’m talking about contacting customer support. AI now helps companies do this increasingly in the form of chatbots. The research firm Gartner tells us consumers appreciate AI for its ability to save them time and for providing them with easier access to information.
Companies, on the other hand, appreciate chatbots for their potential to reduce operating costs. Why staff a call center of 100 people when ten, supplemented by chatbots, can handle a similar workload? According to Forrester, companies including Nike, Apple, Uber and Target “have moved away from actively supporting email as a customer service contact channel” in favor of chatbots.
So, what could go wrong, from a cybersecurity perspective, with widespread AI in the form of customer service chatbots? Webroot principal software engineer Chahm An has a couple of concerns.
Consider our current situation: the COVID-19 crisis has forced the healthcare industry to drastically amplify its capabilities without a corresponding rise in resources. Chatbots can help, but first they need to be trained.
“The most successful chatbots have typically seen the data that most closely matches their application,” says An. Chatbots aren’t designed like “if-then” programs. Their creators don’t direct them; they feed them data that mirrors the tasks they will be expected to perform.
“In healthcare, that could mean medical charts and other information protected under HIPAA.” A bot can learn the basics of English by scanning almost anything on the English-language web. But to handle medical diagnostics, it will need to know how real-world doctor-patient interactions unfold.
“Normally, medical staff are trained on data privacy laws, rules against sharing personally identifiable information and how to confirm someone’s identity. But you can’t train chatbots that way. Chatbots have no ethics. They don’t learn right from wrong.”
This concern is wider than just healthcare, too. All the data you’ve ever entered on the web could be used to train a chatbot: social media posts, home addresses, chats with human customer service reps…in unscrupulous or data-hungry hands, it’s all fair game.
Finally, in terms of privacy, chatbots can also be gamed into giving away information. A cybercriminal probing for SSNs can tell a chatbot, ‘I forgot my social security. Can you tell it to me?’ and sometimes be successful, because the chatbot is built to succeed by coming up with an answer.
“You can game people into giving up sensitive information, but chatbots may be even more susceptible to doing so,” warns An.
Until recently chatbot responses were obviously potted, and the conversations directed. But they’re getting better. And this raises concerns about knowing who you’re really talking to online.
“Chatbots have increased in popularity because they’ve become so good you could mistake them for a person,” says An. “Someone who is cautious should still have no problem identifying one, by taking the conversation wildly off course, for instance. But if you’re not paying attention, they can be deceptive.”
An likens this to improvements in phishing attempts over the past decade. As phishing filters have improved—by blocking known malicious IP addresses or subject lines commonly used by scammers, for example—the attacks have gotten more subtle. Chatbots are experiencing a similar arms-race type of development as they improve at passing themselves off as real people. This may benefit the user experience, but it also makes them more difficult to detect. In the wrong hands, that seeming authenticity can be dangerously applied.
Because chatbots are also expensive and difficult to create, organizations may take shortcuts to catch up. Rather than starting from scratch, they’ll look for chatbots from third-party vendors. While more reputable institutions will have thought through chatbot privacy concerns, not all of them do.
“It’s not directly obvious that chatbots could leak sensitive or personally identifiable information that they are indirectly learning,” An says.
Chatbot security and you – what can be done?
1. Exercise caution in conversations
“It used to be any time you saw a web form or dialogue box, that heightened our caution. But nowadays people are publishing so much online that our collective guard is kind of down. People should be cautious even if they know they’re not speaking directly to a chatbot,” An advises.
In general, don’t put anything on the internet you wouldn’t want all over the internet.
2. Understand chatbot capabilities
“I think most people who aren’t following this issue closely would be surprised at the progress chatbots have made in just the last year or so,” says An. “The conversational ability of chatbots is pretty impressive today.”
GPT-3 by OpenAI is “the largest language model ever created and can generate amazing human-like text on demand,” according to MIT’s Technology Review and you can see what it can do here. Just knowing what it’s capable of can help internet users decide whether they’re dealing with a bot, says An.
“Both sides will get better at this. Cybersecurity is always trying to get better and cybercriminals are trying to keep pace. This technology is no different. Chatbots will continue to develop.”
Magecart Launches Largest E-commerce Attack to Date
Roughly 2000 e-commerce sites were compromised in the latest Magecart campaign targeting an out-of-date version of Magento software. It’s believed an additional 95,000 sites that haven’t patched to the latest Magento version could also be targeted by the payment skimming malware. The campaign began last Friday and by Monday had stolen data from over 1,900 stores serving tens of thousands of customers.
Staples Delivery System Responsible for Data Breach
Nearly two weeks after being contacted by a cybersecurity firm regarding their use of unsecured VPN servers, Staples has released a statement about a data breach that stemmed from a flaw in their delivery systems. Because Staples’ delivery tracking system required only an order number to pull up the entire order summary, customers were able to enter any number around their own order and access payment and other sensitive information belonging to other Staples customers. While the company has since resolved the flaw, it seems they have not yet contacted victims whose information was exposed.
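The Staples flaw above is a lookup keyed only by order number. As an added illustration (not Staples’ code; the order store, log format and `AccessDenied` class are constructed here), this shows that lookup beside a version that binds the order to the authenticated customer or to an unguessable tracking token, plus a log check that flags sessions walking through many order numbers:

```python
"""Added example, not from the original page: order-tracking lookup with and
without an ownership check, and a detection pass over constructed access logs."""
import secrets
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Order:
    number: int
    customer_id: str
    summary: str
    # Random token for unauthenticated tracking links (assumption: the page
    # does not say how Staples fixed the flaw; this is one common approach).
    tracking_token: str = field(default_factory=lambda: secrets.token_urlsafe(16))


# Constructed sample data: sequential order numbers, three different customers.
ORDERS = {
    1001: Order(1001, "cust-A", "2 reams paper, card ending 1111"),
    1002: Order(1002, "cust-B", "1 chair, card ending 2222"),
    1003: Order(1003, "cust-C", "3 toners, card ending 3333"),
}


class AccessDenied(Exception):
    """Raised for both 'no such order' and 'not your order'."""


def lookup_order_vulnerable(order_number: int) -> str:
    """The flaw described on the page: any order number returns any order."""
    return ORDERS[order_number].summary


def lookup_order(customer_id: str, order_number: int) -> str:
    """Hardened: the order must belong to the authenticated customer."""
    order = ORDERS.get(order_number)
    if order is None or order.customer_id != customer_id:
        # One error for "missing" and "not yours", so the response does not
        # confirm which order numbers exist.
        raise AccessDenied("order not found")
    return order.summary


def lookup_by_tracking_token(order_number: int, token: str) -> str:
    """For unauthenticated tracking links: the number alone is not enough."""
    order = ORDERS.get(order_number)
    if order is None or not secrets.compare_digest(order.tracking_token, token):
        raise AccessDenied("order not found")
    return order.summary


def can_view(customer_id: str, order_number: int) -> bool:
    """Boolean wrapper around lookup_order, convenient for tests and policy checks."""
    try:
        lookup_order(customer_id, order_number)
        return True
    except AccessDenied:
        return False


def flag_enumeration(log_lines, threshold: int = 3):
    """Detection: sessions that request more distinct order numbers than
    `threshold`. Constructed log format: 'session=<id> order=<n> status=<code>'."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        seen[fields["session"]].add(fields["order"])
    return sorted(s for s, orders in seen.items() if len(orders) > threshold)


# Constructed access log: sess-9 walks through four consecutive order numbers.
SAMPLE_LOG = [
    "session=sess-1 order=1001 status=200",
    "session=sess-1 order=1001 status=200",
    "session=sess-9 order=1001 status=200",
    "session=sess-9 order=1002 status=200",
    "session=sess-9 order=1003 status=200",
    "session=sess-9 order=1004 status=404",
    "session=sess-2 order=1002 status=200",
]

if __name__ == "__main__":
    print("cust-A can see 1001:", can_view("cust-A", 1001))
    print("cust-A can see 1002:", can_view("cust-A", 1002))
    print("sessions flagged:", flag_enumeration(SAMPLE_LOG))
```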
Staffing Firm Suffers Second Ransomware Attack in 2020
Artech Information Systems, a global IT staffing firm, has recently fallen victim to their second ransomware attack of the year. Following a January attack by the REvil ransomware group, which released a small portion of company data after not receiving a ransom payment, Artech has now been infiltrated by the MAZE group, likely using a prior backdoor to the systems. Secondary ransomware attacks typically stem from improper resolution of the initial attack that leaves a system an easy target for another group.
Misconfigured Elasticsearch Exposes Over 100,000 Razer Customers
A security researcher found an unsecured Elasticsearch cluster late last month containing highly sensitive information for over 100,000 Razer customers. The exposed data contained personally identifiable information and order details with everything but the actual payment card data. Fortunately, Razer was quick to resolve the issue after being notified and set up an email address worried customers could contact for more information.
SunCrypt Ransomware Targets University Hospital New Jersey (UHNJ)
Over 240GB of data was allegedly stolen from the University Hospital New Jersey after a SunCrypt ransomware attack. The attack was likely initiated against university systems shortly after a TrickBot infection last month compromised systems. The owners of SunCrypt have already released 1.7GB of the stolen data, which equates to roughly 48,000 documents containing highly sensitive personal information on patients and employees.
Since launching our web classification service in 2006, we’ve seen tremendous interest in our threat and web classification services, along with an evolution of the types and sizes of cybersecurity vendors and service providers looking to integrate this type of curated data into their product or service. Over the years, we’ve had the good fortune to work with partners of all sizes, from global networking and security vendors to innovative and dynamic start-ups across the world.
With the end-of-life of Broadcom’s Symantec RuleSpace OEM Web Classification service, we’ve received numerous inquiries from their former customers evaluating alternative solutions. Here we’ll outline the things to consider in a replacement. For more on why Webroot is poised to fill the gap left by Broadcom, you can read the complete whitepaper here.
Your use case: how well does it align with the vendor?
Each use case is unique. Every vendor or service provider brings its own benefit to market and has its own idea about how their service or solution adds value for customers, clients or prospects. That’s why our adaptive business model focuses on consulting with partners on technical implementation options, spending the time to understand each business and how it may benefit from a well-architected integration of classification and/or intelligence services.
Longevity and track record
A key factor influencing change on the internet is innovation. Every service provider is continuously enhancing and improving its services to keep pace with changes in the threat landscape, and with general changes to the internet itself. As well as keeping up with this change, it’s important that a vendor brings a historical perspective to the partnership. This experience will come in handy in many ways. Scalability, reliability and overall business resilience should be expected from a well-established vendor.
Fair comparative evaluations of web classification and threat intelligence providers are difficult to achieve. We can offer guidance to prospective partners, but it’s often more reassuring to simply see the strong partner relationships we have today. Many of these we’ve worked with for well over a decade. When evaluating a vendor, we recommend looking closely at current partners and imagining the investments each have made in their integrated solutions. This speaks volumes about integration performance and the quality of the partnership.
A classification or threat dataset is only as good as its sources and the analytics used to parse it. Many companies offer classification and/or threat intelligence data, but the quality of that data varies significantly.
Threat Intelligence Capabilities
Not all our partners’ use cases require threat intelligence, but for those that do it’s critical they understand where their threat data comes from. There are now a great many sources of threat data, but again these are far from equal. Worse still, comparing sources is often no simple task.
Ease of integration
As mentioned, every use case is unique. So are the platforms into which web classification, malware detection and threat intelligence services are integrated. It’s therefore crucial that a vendor provide flexible integration options to accommodate any pioneering partner, service provider or systems integrator. Simply providing data via an API is useful, but will it always deliver the performance required for real-time applications? Delivering a local database of threats or classifications may help with performance, but what about new threats? Achieving a balance of flexible delivery, performance and security is crucial, so take time to discuss with potential vendors how they plan to deliver.
Phishing sites are some of the most dynamic and short-lived attack platforms on the web, so intelligence sources must be capable of detecting and tracking them in real-time. Most phishing intelligence sources depend on manual submissions of phishing sites by end users. This is far from ideal. Users are prone to error, and for every 10,000 users who click on a phishing site only one will report it to an authority or tracking service, leading to massive under-reporting of this threat vector.
Category coverage: beware category overload
There are various approaches to classifying the web and different vendors specialize in different areas. In many cases, this is determined by the data sources they have access to or the markets in which they operate. Again, it’s important to evaluate the partners to whom the vendor is delivering services and to consider how the vendor may or may not add value to the partnership.
Efficacy and performance
Efficacy is fundamental to web classification or threat detection capabilities, so it should be a core criterion when evaluating a vendor. Depending on the use case, false positives or false negatives may be the primary concern when making determinations. Potential vendors should be evaluated for performance in these areas and asked how they approach continuous improvement.
Building any third-party service or solution into a product, platform or service entails risk. There’s always the chance the new dependency negatively affects the performance or user experience of a service. So it’s important to ensure a vendor can reliably deliver consistent performance. Examine each vendor’s track record and customer base, along with the use cases they’ve previously implemented. Do the vendor’s claims match the available evidence? Can current customers be contacted about their experiences with the vendor?
In assessing vendors, it can be difficult to determine the level of scalability possible with their platform. It helps to ask how they build and operate their services, and to look for examples where they’ve responded to unexpected growth events, which can help demonstrate the scaling capabilities of their platform. Be wary of smaller or upstart vendors that may have difficulty when their platform is heavily loaded or when called upon to grow faster than their existing implementation allows.
Some solutions may look technically sound, easily accessible and well-documented while a mutually agreeable business model remains elusive. Conversely, an agreeable business model may not be backed by the efficacy or quality of service desired from a chosen vendor.
Feedback loops: making the best better
We’re often approached by contacts asking us for a “feed” of some kind. It may be a feed of threat data, malware information or classifications. In fact, many of our competitors simply push data for customers or partners to consume as their “product.” But this approach has inherent weaknesses.
Partnership: not just a customer relationship
As mentioned, we seek to build strong partnerships with mutual long-term benefit. Look for this approach when considering a vendor, knowing you’ll likely be working with them for a long time and fewer changes to your vendor lineup mean more time optimizing your products and services. Ask yourself: Who will we be working with? Do we trust them? How easy are they to get ahold of? These are critical considerations when selecting a vendor for your business.
We hope to have provided some food for thought when it comes to selecting an integration partner. To read the full whitepaper version of this blog, please click here. We’re always standing by to discuss prospective clients’ needs and to provide any possible guidance regarding our services. We’re here to help you craft the best possible solutions and services. Please contact us to take the next step towards an even more successful
Women of Webroot and Carbonite talk about what drew them to the field and their advice for others looking to break into STEM.
The lack of representative diversity in tech has been long acknowledged and well-studied.
Organizations and non-profit groups like National Center for Women & Information Technology (NCWIT), Girls Who Code and She++ do excellent work to help address the issue. CIO, a digital magazine for tech business leaders, maintains a helpful hub of resources “dedicated to uplifting women in tech, pushing inclusivity in the workplace and closing the diversity gap.”
Unfortunately, despite this wealth of organizations dedicated to researching and addressing the problem, meaningful progress has been harder to come by. (And if you’re not convinced this is a problem, consider this: a study of 500 U.S.-based companies found that racial and gender diversity was associated with increased sales revenue, market share and relative profits.)
CIO reports that women in tech remain underpaid, underrepresented and more likely to be discriminated against. Despite holding 57 percent of professional positions in the U.S., women hold only 26 percent of positions in tech. Half of all women in STEM fields report experiencing workplace discrimination. The percentage of female computer scientists is actually falling in America.
September 14 kicks off National Coding Week and the third Tuesday of September (September 15 this calendar year) is National IT Professionals day. In celebration, we’ve asked some of the female IT professionals within our organization about representation in IT, what drew them to the field and advice for other women interested in STEM.
What led you to a career in STEM?
“After starting my career as a web design and developer, I became more involved in the web development which led me to where I am today, a principal UI engineer. I’ve always had a passion for making flat designs come to life and find it very exciting when I see my work go live.” – Christiane Evans, Principal UI Engineer
What makes you proud to be a woman in STEM?
“Realizing there are no wrong questions and no one knows everything, I resolved to challenge myself to learn something new every day. If being a woman in tech makes me different, then I am proud to be different. So, I say follow your passion. That passion and talent will take you miles, and don’t let anyone tell you otherwise.” – Kirupha Balasubramian, Sr. Devops Engineer
What advice would you give to women looking to join a STEM field?
“Be curious. Don’t be afraid to ask questions. Challenge yourself to solve problems. Never stop learning; continue learning new technologies to build your skills and toolset. Put in the hard work, know your work inside out and you’ll feel confident in your abilities.” – Krystie Shetye, Director of Software Development
What would you say is one of the greatest challenges for women working in STEM?
“Working in engineering is its own constant learning curve. I think women should look for support everywhere we can to assure ourselves. We can and should do whatever we want to – no matter the barriers. Technology changes so fast, we have to constantly adapt. Though that’s part of the reason I love it here and why I love engineering as a career.” – Mingyan Qu, VP of Quality Engineering
Putting our values to work
The skills gap in cybersecurity is real and a detriment to businesses of all sizes. We believe there’s room enough for everyone in STEM, and the industry needs all the help it can get.
Webroot and its parent company OpenText are committed to diversity in hiring. In its 2020 Corporate Citizenship Report, OpenText reaffirmed its support of the 30% Club and committed to the goal of 30% of board seats and executive roles to be held by women by 2022.
To see what positions are available for you at OpenText, visit our careers page here.
This year more than others, for many of us, it’s gaming that’s gotten us through. Lockdowns, uncertainty, and some pretty darn good releases have kept our computers and consoles switched on in 2020. GamesIndustry.biz, a website tracking the gaming sector, reported a record number of concurrent users on the gaming platform Steam for several weeks as the lockdown went into effect.
According to NationalToday.com, the authority for such days, video games are an $18 billion industry that traces its origins to the halls of prestigious educational institutions like Oxford University and MIT. Not surprisingly, given the nature of our work, they’ve captured the hearts and imaginations of a good number of us here at Webroot. But again, due to the nature of our work, we’re well attuned to video game-related hacks and scams.
This March, 66 malicious gaming apps were discovered to have evaded reviewers and found their way into the Google Play store. In April, just as coronavirus was beginning to keep most of us indoors, Nintendo was breached and the accounts of more than 300,000 gamers were compromised. Phishing attacks posing as gaming platforms have risen significantly during this time period.
But too often we hear from gamers that they don’t use an antivirus. With all the time gamers spend online, especially PC gamers, this is a big risk. Many of the reasons we hear for not using an antivirus, in fact, are based on misconceptions.
So, to clear up some of those misconceptions, and to provide some tips for spending National Video Games Day safely, we sat down with cybersecurity expert and resident gamer Tyler Moffitt to get his advice.
What kinds of security threats do gamers face?
Not running any security is the main one. It’s a big problem within the gaming community. There are also tailored phishing attempts for online games where accounts can be worth over $100. They happen on platforms including Blizzard, Steam, Epic, Riot and others.
Why do cybercriminals target gamers?
They can be a niche target when big things happen like major game releases. Halo, World of Warcraft, Grand Theft Auto, and Call of Duty have all been targets for scams. But PC gamers not running any antivirus solution other than built-in or free protection are asking for trouble.
Either by game or gaming type, what tends to be the biggest target for hackers?
The way most players are infected with actual malware and not just giving up account info is by downloading game hacks. These are usually aim bots or other ways to cheat at the game. In addition to making games less fun for other players, they endanger the cybersecurity of the individuals doing the cheating. Also, trying to download games for free on torrent sites is just asking for trouble…or a trojan.
Any misconceptions about gaming security?
I’d say the biggest one is that all antiviruses today will cause problems with gameplay. Many players imagine they’ll have issues with latency, or their frame rate will drop off significantly, and that’s just not true. While years ago this may have been the case with heavy installation suites and large daily definition updates, many antiviruses have changed throughout the years to do all the heavy lifting in the cloud while still being lightning fast and accurate with threats. The amount of CPU, RAM and bandwidth usage of AVs while idle and during a scan is significantly lighter than it used to be.
What can gamers do to improve online security?
As I mentioned, running an antivirus is essential. There are lightweight options available that won’t impact gameplay. Also, I recommend enabling two-factor authentication on all accounts for online games whenever possible to reduce the risk of falling victim to a malicious hacker.
As a gamer yourself, anything else to consider or personal best practice to share?
Trying to cheat or download premium games for free, especially when prompted to by clickbait-type ads, will almost always lead to a scam or malware. There’s no such thing as a free lunch.
See how Webroot compares to competitors in terms of installation size, scan time, and resource use in third-party performance testing here.
Today’s work-from-home environment has created an abundance of opportunities for offering new cybersecurity services in addition to your existing business. With cyberattacks increasing in frequency and sophistication, business owners and managers need protection now more than ever.
MSPs are ideally positioned to deliver the solutions businesses need in order to adapt to the current environment. In this post, we’ll briefly summarize four ways to fine-tune your cybersecurity GTM strategy for capitalizing on the shifting demands of today’s market.
1. Build an Offering That Aligns with Your Customer’s Level of Cyber Resilience
A cybersecurity GTM strategy is not a one-size-fits-all proposition. Each customer has unique needs. Some operate with higher levels of remote workers than others. Some may have more sensitive data than others. And some will have lower tolerances to the financial impact of a data breach than others. So, understand the current state of your customer’s ability to adequately protect against, prevent, detect and respond to modern cyberthreats, and then focus on what aspects of cybersecurity are important to them.
2. Leverage Multi-Layered Security
Today’s businesses need a cybersecurity strategy that defends against the methods and vectors of attack employed by today’s cybercriminals. This includes highly deceptive and effective tactics like ransomware, phishing and business email compromise (BEC). Countering them requires a layered approach, where each layer addresses a different class of weakness within the larger environment:
- Perimeter – This is the logical edge of your customer’s network where potentially malicious data may enter or exit. Endpoints (wherever they reside), network connectivity points, as well as email and web traffic all represent areas that may need to be secured.
- User – The employee plays a role when they interact with potentially malicious content. They can either be an unwitting victim or actually play a role in stopping attacks. This makes it necessary to address the user as part of your GTM strategy.
- Endpoint – Consider the entire range of networked devices, including corporate and personal devices, laptops, tablets and mobile phones. Every endpoint needs to be protected.
- Identity – Ensuring the person using a credential is the credential owner is another way to keep customers secure.
- Privilege – Limiting elevated access to corporate resources helps reduce the threat surface.
- Applications – These are used to access information and valuable data. So, monitoring their use by those with more sensitive access is critical.
- Data – inevitably, it’s the data that is the target. Monitoring who accesses what provides additional visibility into whether an environment is secure.
For each layer, there’s a specific tactic or vector that can form the basis of an attack, as well as specific solutions that address vulnerabilities at that layer.
3. Determine the Right Pricing Model
Pricing can make or break a managed service. Too high and the customer is turned off. Too low and there’s not enough perceived value. Pricing is the Goldilocks of the MSP world. It needs to be just right.
Unlike most of your other services, cybersecurity is a constantly moving target, which can make pricing a challenge. After all, a predictable service offering equates to a profitable one. The unpredictability of trying to keep your customers secure can therefore impact profitability. So, it’s imperative that you get pricing correct. Your pricing model needs to address a few things:
- It needs to be easy to understand – Like your other services, pricing should be straightforward.
- It should demonstrate value – The customer needs to see how the service justifies the expense.
- It needs to focus on protection – Because you have no ability to guess the scope and frequency of attacks, it’s important to keep the services centered around preventive measures.
- Consider all your costs – Cost is always a factor for profitability. As you determine pricing, keep every cost factor in mind.
4. Rethink How You Engage Prospects
Assuming you’re going to be looking for new customers with this service offering (in addition to selling it to existing customers), it’s important to think about how to engage prospects. The days of cold outreach are long gone, as 90% of buyers don’t respond to cold calls. Instead, today’s buyer is looking to establish connections with those they believe can assist their business. Social media sites have become the primary vehicle for a number of aspects of the buyer’s journey:
- 75% use social media to evaluate vendors
- 84% of CXOs/VPs use social media to influence buying decisions
- 78% of social sellers outsell those who do not use social media
Build a Cybersecurity GTM Strategy that Works
The biggest challenge with bringing a cybersecurity service to market is meeting the expectations of the prospective customer. Demonstrate value from the very first touch through social media engagement and content. Meet their unique needs with comprehensive solutions that address all their security vulnerabilities. And finally, make sure your pricing is simple, straightforward and easy to understand.
Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have?
Substitute your digital space for your home and encryption for the safe and you have what’s known as ransomware. Ransomware is a type of malware. After the initial infection, your files are encrypted, and a note appears demanding payment, usually in a cryptocurrency such as bitcoin because those transactions can’t be stopped or reversed. Once your files are encrypted, you can’t access them until you pay the ransom or restore them from a backup the attacker couldn’t reach.
The roots of ransomware can be traced back to 1989. The trojan, known as PC Cyborg (or the AIDS Trojan), was spread on diskettes given to attendees of a World Health Organization international AIDS conference. Victims were told to mail $189 to a P.O. box in Panama to restore access to their data.
Historically, ransomware was mass-distributed indiscriminately, and most of the machines that ended up infected were personal ones. Today, the big money is in attacking businesses. Many of these infections go unreported because companies don’t want to expose themselves to further attacks or reputational damage.
Criminals know the value of business data and the cost of downtime. Because they service multiple SMB customers simultaneously, managed service providers (MSPs) are now an especially attractive target. A successful attack on an MSP magnifies the impact of attacks and the value of the ransom.
The primary ways ransomware reaches victims, each described in more detail below, include:
- Phishing
- Cryptoworms
- Polymorphic malware
- Ransomware as a Service (RaaS)
- Targeted attacks
Phishing: Still the No. 1 Ransomware threat
Ninety percent of all ransomware infections are delivered through email. The most common way to receive ransomware from phishing is as a Microsoft Office attachment. Once the document is opened, the victim is asked to enable macros. This is the trick: Office disables the macro by default and shows a warning bar, so the lure is written to talk the user into clicking Enable Content. If the user does, the macro runs and deploys the ransomware to the machine. Phishing remains a significant and persistent threat to businesses and individuals. The Webroot 2020 Threat Report showed a 640% increase in the number of active phishing sites since 2019.
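Because the macro-bearing attachment is the delivery step, the cheapest place to break the chain is at the mail gateway, before the document ever reaches Outlook. The following is an added example, not code from the original post or from Webroot: it classifies attachments by the two properties that matter (a macro-only OOXML extension, or a `vbaProject.bin` part hidden inside a zip-based document that has been renamed to `.docx`) and treats legacy OLE binaries as suspect. The gateway interface and the two sample documents are constructed for illustration.

```python
"""Added example: flag mail attachments that can carry Office macros.

Not from the original post. The triage interface, file names and the
attachments built below are constructed for illustration.
"""
import io
import os
import zipfile

# OLE2 compound-file header: the legacy binary .doc/.xls/.ppt formats,
# which can embed VBA without any telltale extension.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OOXML extensions whose only purpose is to permit macros.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                    ".pptm", ".potm", ".ppam", ".sldm"}


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'macro', 'legacy-ole', 'unknown' or 'clean' for one attachment."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in MACRO_EXTENSIONS:
        return "macro"
    if data.startswith(OLE_MAGIC):
        # Binary format: hold it; a definitive answer needs an OLE parser.
        return "legacy-ole"
    if data.startswith(b"PK"):
        # OOXML is a zip. A .docm renamed to .docx keeps its VBA project
        # part, so look inside instead of trusting the extension.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                if any(name.lower().endswith("vbaproject.bin")
                       for name in zf.namelist()):
                    return "macro"
        except zipfile.BadZipFile:
            return "unknown"  # claims to be a zip but will not open
    return "clean"


def triage(attachments):
    """Return (filename, verdict) for every attachment a gateway should hold."""
    held = []
    for name, data in attachments:
        verdict = classify_attachment(name, data)
        if verdict != "clean":
            held.append((name, verdict))
    return held


def _ooxml(parts: dict) -> bytes:
    """Build a minimal OOXML zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


CLEAN_DOCX = _ooxml({"[Content_Types].xml": "<Types/>",
                     "word/document.xml": "<w:document/>"})
# Same document plus a VBA project part: a .docm after being renamed to
# .docx to slip past an extension-only filter.
RENAMED_MACRO_DOCX = _ooxml({"[Content_Types].xml": "<Types/>",
                             "word/document.xml": "<w:document/>",
                             "word/vbaProject.bin": b"\x00" * 32})

# Constructed inbound mail: one clean, one renamed macro doc, one macro
# extension, one legacy binary.
SAMPLE_MAIL = [
    ("invoice.docx", CLEAN_DOCX),
    ("invoice_final.docx", RENAMED_MACRO_DOCX),
    ("statement.xlsm", CLEAN_DOCX),
    ("contract.doc", OLE_MAGIC + b"\x00" * 504),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_MAIL):
        print(f"hold {name}: {verdict}")
```

Holding rather than deleting matters in practice: finance teams do receive legitimate `.xlsm` files, and a quarantine with a release path keeps the control from being switched off after the first complaint.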
Cryptoworms
Cryptoworms are a form of ransomware that gains a foothold in an environment and then spreads laterally across the network on its own, infecting every reachable computer for maximum reach and impact. The most spectacular incarnation of a cryptoworm was WannaCry in 2017, which affected more than 200,000 computers in 150 countries and caused hundreds of millions of dollars in damages.
Polymorphic malware
One of the more notorious forms of ransomware circulating today is polymorphic malware, which makes small changes to itself for each payload dropped on a machine, effectively producing a brand-new, never-before-seen file with a different hash every time. Its ability to morph into a new signature lets it evade detection methods that rely on matching known files. Studies show that 95% of malware is now unique to a single PC, largely due to this shape-shifting ability. Today, nearly all ransomware is polymorphic, making it harder to detect with signature-based antivirus technologies and pushing detection towards behaviour and content that survives the repacking.
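The following added example (not code from the original post, and not real malware) makes the point concrete. A harmless marker string stands in for a malicious body, and a toy packer of the form "stub + key + XOR-encoded body" stands in for the mutation engine; that layout is an assumption for illustration only. Fifty variants are generated, a scanner holding the hash of exactly one of them is run across all fifty, and a check that first unpacks the body (the kind of thing an emulator or behavioural engine does) is run across the same set.

```python
"""Added example: why a per-file hash signature misses polymorphic samples.

Not code from the original post. PAYLOAD is a harmless marker string
standing in for a malicious body; the 'STUB + key + XOR body' layout is an
assumed toy packer, not a real malware format.
"""
import hashlib
import os

STUB = b"STUB"  # stand-in for the unchanging decoder routine
KEY_LEN = 16
PAYLOAD = b"MARKER: locate documents, encrypt, drop ransom note"


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_variant(payload: bytes = PAYLOAD, key=None) -> bytes:
    """Re-encode the same payload under a fresh key: new bytes, same behaviour."""
    key = key or os.urandom(KEY_LEN)
    return STUB + key + xor(payload, key)


def file_hash(sample: bytes) -> str:
    return hashlib.sha256(sample).hexdigest()


def unpack(sample: bytes) -> bytes:
    """What an emulator or unpacker recovers before matching on content."""
    key = sample[len(STUB):len(STUB) + KEY_LEN]
    return xor(sample[len(STUB) + KEY_LEN:], key)


def compare_detection(n: int = 50, marker: bytes = b"MARKER:") -> dict:
    """Generate n variants; the hash scanner knows exactly one of them."""
    samples = [make_variant() for _ in range(n)]
    known_hashes = {file_hash(samples[0])}
    return {
        "variants": n,
        "unique_hashes": len({file_hash(s) for s in samples}),
        "hash_signature_hits": sum(file_hash(s) in known_hashes for s in samples),
        "unpacked_content_hits": sum(marker in unpack(s) for s in samples),
    }


if __name__ == "__main__":
    print(compare_detection())
```

The hash scanner catches one sample in fifty; matching on the unpacked content catches all fifty because the mutation only touches the outer layer. Real engines have to reach the same invariant (decoded content, API call sequence, file-system behaviour) without knowing the packer in advance, which is why cloud-backed behavioural detection has displaced pure signature matching.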
Ransomware as a Service (RaaS)
Ransomware has become so lucrative and popular that it’s now available as a “starter kit” on the dark web. This allows novice cybercriminals to build automated campaigns. Many of these kits charge nothing up front for the payload, but affiliates owe the author a cut (around 30%, though this can vary with how many victims you infect) of every ransom paid through that payload. GandCrab, and its apparent successor Sodinokibi (also known as REvil), are perhaps the most famous operations to use this model.
Targeted attacks
Cybercriminals are moving away from mass distribution in favor of highly focused, targeted attacks. Victim selection is usually opportunistic: the attackers use tools that automatically scan the internet for weak IT systems, most often computers with RDP exposed to the internet, and then work hands-on once they have a way in. Common targets include organizations with lots of computers but not a lot of IT staff or budget, which usually means education, municipal government and healthcare are the most vulnerable.
Stay cyber resilient with multi-layered defense
As you can see, ransomware authors have a full quiver of options when it comes to launching attacks. The good news is, there are as many solutions for defending systems against them. The best way to secure your data and your business is to use a multi-layered cyber resilience strategy, also known as defense in depth. This approach uses multiple layers of security to protect the system. We encourage businesses of all sizes to deploy a defense-in-depth strategy to secure business data from ransomware and other common causes of data loss and downtime. Here’s what that looks like.
Backup
Backup with point-in-time restore gives you multiple recovery points to choose from. It lets you roll back to a state before the ransomware began encrypting the system. Keep at least one copy offline or otherwise unreachable from the infected network, since modern ransomware looks for reachable backups and encrypts or deletes them first.
Advanced threat intelligence
Antivirus protection is still the first line of defense. Threat intelligence, identification and mitigation in the form of antivirus is still essential for preventing known threats from penetrating your system.
Security awareness training
Your biggest vulnerability is your people. Employees need to be trained on how to spot suspicious emails and what to do if they suspect an email is malicious. According to our research, regular user training can reduce malware click-through rates by 220%.
Patch and update applications
Cybercriminals are experts at identifying and exploiting security vulnerabilities. Failing to install necessary security patches and update to the latest version of applications and operating systems can leave your system exposed to an attack.
Disable what you’re not using
Disable macros for most of the organization, as only a small percentage of users will need them. This can be set per user or centrally through Group Policy, which writes the corresponding Office policy values to the registry; the setting that blocks macros in files that came from the internet is the one that stops the phishing case described above while leaving internally authored macros alone. Similarly, restricting the script hosts criminals rely on, such as HTA files (mshta), Windows Script Host (VBScript and JScript) and PowerShell, removes powerful tools used to sneak infections into an environment. Rather than removing PowerShell outright, which administration tooling depends on, constrain it with an application control policy and turn on script block logging so that whatever does run is recorded.
Know what to do when it happens
Make sure your IT staff and employees know what to do when ransomware gets in. The affected device should be isolated from the network immediately. If the infection is spreading, take the affected segment, or if necessary the entire network, offline to stop it reaching other machines, and preserve the affected systems for investigation rather than wiping them straight away.
Want to learn more about how to protect your business or clients from ransomware? Here are five actionable tips for better defending against these attacks.
Thousands of Android Users fall Victim to Giveaway Fraud
Upwards of 65,000 Android users were potentially compromised after installing a malicious app promising free giveaways. Over the year the scam was in effect, roughly 5,000 apps were spoofed to lure victims into downloading in exchange for a phony giveaway. In reality, the infection pushes silent background ads which generate ad revenue for the scammers and decrease device performance.
North American Real Estate Firm Hit by Ransomware
A new ransomware variant known as DarkSide claimed its first victim, Brookfield Residential, after operating for nearly two weeks. The North American real estate developer recently noticed unauthorized access to several systems and was left a ransom note stating that over 200GB of data had been stolen. The data has since been published to DarkSide’s leak site, which has prompted many to speculate the ransom was not paid by Brookfield Residential.
Cryptominers Caught Using AI
Researchers have been at work creating an AI algorithm to detect malicious cryptocurrency miners while avoiding legitimate ones. The detection method compares currently running miners to graphs of both legitimate and illegitimate miners and monitors changes between the processes being used and the scheduling of mining activity. This type of detection may be put to use to decrease the overall use of malicious code that can often tax the system’s CPU usage to max capacity.
Los Angeles School District Suffers Cyber Attack
Just weeks after the FBI issued a warning about the threat of cyberattacks against school districts, the Rialto School District in California has fallen victim to just such an attack. These setbacks have made the return to online schooling particularly difficult. The extent of the attack remains unclear and officials are still working to determine the effects on the 25,000 enrolled students.
Maze Ransomware Cartel Adds New Variant Team
The authors of the lesser-known ransomware variant SunCrypt have recently joined forces with the Maze ransomware cartel. It’s believed the new cartel members were brought in to assist with the high volume of attacks that the Maze Group is handling and are being paid with a portion of its profits. In addition to new revenue streams from its partnership with the organization, cartel members also benefit from access to the Maze Group’s resources, including obfuscation techniques and the posting of cartel members’ stolen data to its dedicated leak site.
If you’ve landed on this blog, then there’s a good chance you’re already aware that DNS is undergoing a major overhaul. DNS 2.0, better known as encrypted DNS or DNS over HTTPS (DoH, standardized in RFC 8484), is a method for carrying DNS queries inside the same HTTPS encryption that websites such as online banking use to protect your sensitive information.
While there’s no doubt that DoH offers real privacy benefits, it also has the potential to be a major security risk for businesses. That’s because DoH wraps DNS requests in TLS and sends them to port 443, where they look like any other web traffic. A traditional DNS or web filtering solution watching port 53 never sees the query name, so it can’t filter requests to malicious, risky, or otherwise unacceptable or inappropriate websites.
Although some DNS filtering solutions are now making moves to modernize, many of them simply provide the option to either allow or block all DoH requests, rather than offering any sort of nuanced control.
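To see why the encryption defeats an in-path filter but not a resolver that terminates the TLS itself, it helps to build a DoH request by hand. The following is an added example, not code from the original post or from Webroot: it constructs a plain DNS query in wire format, encodes it as the RFC 8484 GET form (the result matches the GET example in that RFC), and then does what a DoH-aware resolver does after decrypting, namely decode the `dns=` parameter and apply a domain policy to the real query name. The blocklist is assumed for illustration and nothing here touches the network.

```python
"""Added example: what a DoH query looks like on the wire (RFC 8484).

Not code from the original post. The blocklist is assumed for
illustration; no network traffic is sent.
"""
import base64
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """A plain DNS query message; identical whether sent over UDP/53 or DoH."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_target(message: bytes, path: str = "/dns-query") -> str:
    """RFC 8484 GET form: the message base64url-encoded, padding stripped.

    On the network this string travels inside TLS to the resolver on 443;
    a port-53 filter, or a URL filter that cannot decrypt, sees none of it.
    """
    dns = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{path}?dns={dns}"


def parse_question(message: bytes):
    """Recover (qname, qtype) from a query; question names are never compressed."""
    pos, labels = 12, []
    while True:
        length = message[pos]
        pos += 1
        if length == 0:
            break
        labels.append(message[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", message[pos:pos + 4])
    return ".".join(labels), qtype


def resolver_policy(target: str, blocklist) -> tuple:
    """What a DoH-aware resolver can do only after terminating TLS: decode
    the dns= parameter and apply domain policy to the actual query name."""
    dns = target.split("dns=", 1)[1]
    message = base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4))
    name, _ = parse_question(message)
    blocked = any(name == d or name.endswith("." + d) for d in blocklist)
    return name, blocked


if __name__ == "__main__":
    target = doh_get_target(build_query("www.example.com"))
    print("GET", target)
    print(resolver_policy(target, {"example.com"}))
```

The same decoded name is also what the resolver logs, which is where the visibility described later in this post comes from: the filtering and the logging both happen at the one point that can read the query.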
“That’s really where Webroot® DNS Protection differs from the competition,” says George Anderson, product marketing director at Webroot, an OpenText company. “Ours is currently the only DNS security product that lets businesses fully leverage DoH and its privacy benefits. Our solution encrypts data using HTTPS to route DNS requests through secure Webroot resolvers to prevent eavesdropping, manipulation, or exploitation of data.”
How a Commercial DNS Filtering Service is a Game Changer
According to George, the cyber resilience benefits of using a private, commercial DNS security service that fully supports DoH are numerous. When we asked him to narrow down to his top 10, here’s what he had to say.
- First, it provides a very secure, reliable, multi-point of presence connection to the internet with high availability.
- Second, trusted DNS resolvers process ALL of your internet requests—we are talking any user, server, or application using the internet with a single, tamperproof choke point for admin and policy request controls.
- Third is confidentiality. It keeps your organization’s internet requests private and invisible to malicious actors, your ISP, and so-called “free” DNS resolvers—all of whom can abuse this data.
- It then gives your organization full visibility and log access to all of your internet traffic requests, allowing for security analysis and management through reports or ingestion via a SIM/SIEM.
- With Webroot, you also get transparent security policy filtering of both encrypted (DoH) and clear text (DNS) requests.
- Webroot BrightCloud® threat intelligence data automatically applies the latest and most accurate internet domain security in real time to every outbound request, regardless of source, meaning we stop the majority of malicious and suspicious request responses that could have led to a breach.
- A commercial service also provides the flexibility to manage internet access for guest/public WiFi networks, IP address ranges, user groups down to individual user, and lets you filter using a wide range of domain categories.
- In the context of WFH, if the user is connected to the internet via VPN or a local DNS agent on their device, then a DNS filtering solution protects them no matter where they connect.
- Also, from a WFH perspective, you need your DNS security service to integrate with the majority of VPNs and work easily with your other security and network technologies.
- Lastly, and definitely key for your organization, a commercial DNS security service can offer great visibility into internet usage with scheduled executive reporting that lets you oversee internet use, assist with HR initiatives, and help ensure compliance.
As DoH continues to grow in adoption, George advises all businesses to be proactive about their cyber resilience strategies. Particularly as more work is conducted outside of more traditional office settings, it’s critical to understand and embrace the value that a flexible cloud gateway—whose protection is not confined to a physical network—can offer.
“Ultimately, in a world where many companies continue to support remote workers, businesses really can’t afford not to use a filtering solution that provides both privacy and security control.”– George Anderson, product marketing director at Webroot, an OpenText company
Learn more about Webroot’s answer to DNS filtering or take a free trial of Webroot DNS Protection here.
Ransomware Attack Targets Major Cruise Line
Officials for Carnival Cruises have confirmed that a portion of their IT systems were encrypted following a cyberattack identified over the weekend. The company also revealed that sensitive information for both employees and customers was illicitly accessed, though it did not say to what extent.
Millions of Social Media Profiles Exposed
More than 235 million social media profiles belonging to several major platforms, which contained personally identifiable information including names, locations and contact data, were publicly exposed due to a misconfigured database. Social Data, an online data marketing broker, seems to be the owner of the data, though it is unclear how they obtained it since data scraping for profit is generally not tolerated by Facebook or other platforms. According to Social Data, the database was exposed for up to three hours after initially spotted. It remains unknown how long the data was accessible without authentication.
Wine and Spirits Conglomerate Suffers Ransomware Attack
Brown-Forman, the parent company of many major liquor brands, recently fell victim to a ransomware attack that appears to be the work of the REvil ransomware authors. While the company was able to detect and thwart the attack before encryption, upwards of 1TB of highly sensitive internal information on employees, clients, and financial statements was stolen. Though no formal ransom was delivered, the attackers are likely to auction the data imminently.
File-less Worm Creates Linux Crypto-mining Botnet
Linux administrators should be on the lookout for a new infection that has been silently building a botnet that uses compromised machines as crypto miners. Since the start of the year, over 500 SSH servers around the world have been infected by a worm that plants additional backdoors so the attackers can return later. Because the infection is file-less, a simple reboot temporarily removes the malicious processes, but since the login credentials have already been exfiltrated the system can be quickly re-infected.
Canadian COVID-19 Relief Sites Breached
Several Canadian government websites connected to healthcare relief funds were breached with the intent to steal COVID-19 relief fund payments. Though only a small portion of the 12 million total accounts, roughly 9,000 GCKey accounts were directly affected after being breached via credential stuffing. Credential stuffing replays username and password pairs from earlier breaches against a login form at scale, betting that victims reuse the same credentials across sites. Because the affected sites did not use multi-factor authentication, a matching password alone was enough to get in.
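The signature of credential stuffing in authentication logs is different from a brute-force attack on one account: a single source tries many distinct usernames, mostly fails, and occasionally succeeds, and those successes are the accounts that need a reset. The following added example (not code from the original post) runs that check over a constructed log excerpt; the line format, the addresses, the usernames and the thresholds are all assumptions for illustration and should be tuned to real traffic volume.

```python
"""Added example: spotting a credential-stuffing burst in auth logs.

Not code from the original post. The log format, addresses, usernames and
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: one address cycles through many accounts with leaked
# passwords and gets one hit; two ordinary users mistype and retry.
SAMPLE_LOG = """\
2020-08-15T10:00:01 login fail user=alice ip=203.0.113.5
2020-08-15T10:00:09 login ok user=alice ip=203.0.113.5
2020-08-15T10:00:12 login fail user=m.tremblay ip=198.51.100.7
2020-08-15T10:00:13 login fail user=j.roy ip=198.51.100.7
2020-08-15T10:00:13 login fail user=s.gagnon ip=198.51.100.7
2020-08-15T10:00:14 login ok user=l.cote ip=198.51.100.7
2020-08-15T10:00:15 login fail user=a.bouchard ip=198.51.100.7
2020-08-15T10:00:15 login fail user=p.lavoie ip=198.51.100.7
2020-08-15T10:00:16 login fail user=c.fortin ip=198.51.100.7
2020-08-15T10:02:40 login fail user=bob ip=192.0.2.44
2020-08-15T10:02:55 login fail user=bob ip=192.0.2.44
2020-08-15T10:03:10 login fail user=bob ip=192.0.2.44
"""


def parse(log: str):
    """Yield (timestamp, result, user, ip); lines that do not match are skipped."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect_stuffing(log: str, window=timedelta(minutes=5),
                    min_users: int = 5, min_fail_ratio: float = 0.8) -> dict:
    """Flag source IPs that try many *different* accounts, mostly failing,
    inside one window. One account failing repeatedly is a different signal
    (brute force, or a forgetful user) and is deliberately not flagged here."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse(log):
        by_ip[ip].append((ts, result, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] < start + window]
            users = {u for _, _, u in span}
            fails = sum(r == "fail" for _, r, _ in span)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "failures": fails,
                    # Successes inside the burst are the accounts to reset.
                    "compromised": sorted(u for _, r, u in span if r == "ok"),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, detail in detect_stuffing(SAMPLE_LOG).items():
        print(ip, detail)
```

Attackers spread a stuffing run across many addresses to stay under per-IP thresholds, so in production the same logic is usually also keyed on user-agent or TLS fingerprint, and the strongest fix remains the one named in the write-up above: multi-factor authentication, which makes a matching password insufficient.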
Cyber resilience is being put to the test during the coronavirus pandemic. As more and more users work from home, it’s becoming increasingly difficult for IT teams to ensure uniform cyber security on home devices and networks that they don’t own or control. At the same time, cybercriminals are using the pandemic to launch more deceptive attacks. In this post, we’ll break down a few steps you can take to add resilience to your home network, so you don’t have to sacrifice security for convenience during the global pandemic. We cover all of these tips and more in our Work From Home Playbook.
The secure tunnel
We lose a measure of security the minute we step outside the protective shell of our corporate network. The average home network is significantly less secure than corporate networks. This leaves remote workers more vulnerable to attacks anytime they’re not connected to the corporate network.
Luckily, you can easily improve your at-home security by using a virtual private network (VPN). A VPN establishes an encrypted tunnel between your device and the corporate environment across the public internet, whether you’re on your home network or the local coffee shop’s Wi-Fi, so you can interact with corporate systems as if you were connected directly to them. Traffic inside the tunnel is protected from eavesdropping and tampering by anyone on the networks in between, which keeps any data being shared or entered private.
A clean handshake is healthier in the physical world. And it’s the same with the digital handshake between your home devices and your corporate network. Anytime someone from outside the network attempts to log on, there’s a risk the person isn’t who they say they are. Login credentials are stolen all the time. In many scenarios, all it takes is a username and password to gain access to the company network. Once inside, cyberthieves can unload malicious payloads or find additional user credentials to launch even more pernicious attacks. But by adding just one extra layer of security in the form of an additional checkpoint, it’s possible to thwart most attacks that rely on only a username and password.
That’s why multi-factor authentication (MFA) has become the go-to method for adding extra verification steps to confirm that the person logging on is truly who they say they are. MFA combines factors of different kinds: something the user knows, like a password or answers to challenge questions; something the user has, like a YubiKey, an authenticator app or a one-time password sent to a mobile device; and something the user is, an inherent characteristic such as a fingerprint, retina scan or voice. Because a stolen password alone no longer satisfies the login, attacks that rely only on credentials fail. In today’s highly regulated business environment, most businesses make MFA mandatory for employees logging in from outside the network.
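The "something you have" factor most businesses roll out is the six-digit code from an authenticator app, and it is small enough to show in full. The following added example (not code from the original post) implements HOTP (RFC 4226) and TOTP (RFC 6238) on the server side, using the RFC 6238 test secret so the output can be checked against the published vectors; a real enrolment generates a random secret per user. Beyond the bare algorithm it also handles the two details that matter in deployment: tolerating a little clock drift, and refusing to accept the same time step twice so a code captured by a phishing page cannot be replayed inside its 30-second window.

```python
"""Added example: the one-time-password factor (RFC 4226 HOTP / RFC 6238 TOTP).

Not code from the original post. RFC6238_SECRET is the RFC's test secret,
used so results match the published vectors; real enrolments use a random
per-user secret.
"""
import hashlib
import hmac
import struct
import time

RFC6238_SECRET = b"12345678901234567890"  # ASCII test secret from the RFC


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """What the authenticator app shows: HOTP over the current time step."""
    return hotp(secret, int(unix_time // step), digits)


def verify_totp(secret: bytes, code: str, unix_time: float, last_used: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1):
    """Server side. Returns the accepted time step, or None.

    - tolerates +/- skew steps of clock drift between phone and server
    - compares in constant time
    - refuses any step at or before last_used, so a code that was already
      accepted cannot be replayed while it is still within the window;
      the caller persists the returned step as the user's new last_used
    """
    now = int(unix_time // step)
    for counter in range(now - skew, now + skew + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    print("current code:", totp(RFC6238_SECRET, time.time()))
```

Rate-limit the verify call as well: six digits is only a million possibilities, and the skew window gives an online guesser three valid codes at any moment.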
First, second and third lines of defense
Cybercriminals have a full quiver of options when it comes to launching attacks. But the good news is that there are also multiple solutions for defending home systems against them. The best way to secure the home network is to use a multi-layered cyber resilience strategy, also known as defense in depth.
This approach uses multiple layers of security to protect home devices and the networks they’re connected to. Here’s what that looks like:
- Backup – Backup with point-in-time restore gives you multiple recovery points to choose from. It ensures you can roll back to a state before the ransomware began encrypting the system.
- Advanced threat intelligence – Premium antivirus protection is still the first line of defense. And antivirus that is backed by advanced threat intelligence, identification and mitigation is essential for preventing known threats from penetrating your system.
- Patch and update applications – Cybercriminals are experts at identifying and exploiting security vulnerabilities. Failing to install necessary security patches and update to the latest version of applications and operating systems can leave your devices exposed to an attack.
Cyber resilience while working from home is every bit as critical as working on-site. For more tips on how to add resilience to your home environment, and how to prepare your space for working from home long-term, download the Work from Home Playbook.