The FBI issued an alert on April 4th that CEO Fraud (a form of spear-phishing) is on the rise, and companies have already reported losses of 2.3 billion dollars. Mattel made headlines for falling prey to CEO Fraud when an employee sent a wire transfer of 2 million dollars to a bank in China.
Other forms of spear-phishing attacks are also on the rise, spreading ransomware variants like CryptoWall. Surveys have shown that 30% of employees will open these types of emails. Ransoms paid in 2015 amounted to a 500 billion dollar industry for cyber criminals.
A recent report from Trend Micro revealed that 81% of data breaches originated from phishing attacks. Therefore, email security should be a top priority for companies to protect themselves from these threats.
Here are my top 10 tips for protecting your company from these threats.
- Have employees participate in Security Awareness Training
- Phish your employees and train the ones who click on the fake links
- Maintain regular backups offline. This may be your last line of defense if an employee or server becomes infected with ransomware.
Note: Cloud-based backups may be targeted, so traditional off-site rotation may need to be brought back for many companies who have switched to disk-to-disk only solutions. Consider writing to WORM (write once, read many) drives so that the original backup cannot be overwritten by CryptoLocker-type variants.
- Keep systems patched regularly. This reduces the attack surface available for advanced persistent threats (APT) to spread into your network.
- Block executables at the mail filter. This can prevent some forms of ransomware from coming into your environment.
- Implement DMARC to prevent spear-phishing attacks that pose as trusted executives. My how-to guide for implementing DMARC is here.
- Implement zero-day email security protection solutions like MSFT ATP
- Implement application white-listing solutions like Carbon Black (formerly known as Bit9) or Cylance
- Hide file shares, e.g. \\server\share$. This prevents ransomware from scanning for and finding file servers on the network.
- Replace mapped network drives with desktop shortcuts to the shared drives. This too can prevent ransomware from spreading. Implement the principle of least privilege so that what ransomware can write to is limited.
Cryptolocker Prevention Kit: “The kit includes an article on cleaning up after infection but more importantly provides materials and instruction for deploying a preventative block using software restriction policies. The articles provide instruction for installing them via GPO on domain computers and terminal servers, and non-domain joined machines too. We have also provided GPO settings that you can import into your environment.”
Individual Windows users should check out CryptoPrevent, a tiny utility from John Nicholas Shaw.
You may have noticed that removing users from the local administrators group is not listed in the top 10. This is because CryptoLocker variants can execute without local admin privileges.