If you’ve read or listened to reports about hacks – whether it’s a phishing attack, brute force attack, or malware – you’ve likely seen or heard the phrase “zero-day vulnerability”. But, what is it?

For hackers – who are always studying software – these are like unlocked doors. When they find one, they can use malware or hacking techniques to take advantage of it with a zero-day exploit.

Once the software developer knows about a zero-day vulnerability, they must develop an update  — known as a “patch” — to fix the problem. For example, Microsoft releases a list of patches once a week. They call it “Patch Tuesday”.  But, as we’ll see, patches often come too late. Why Are Zero-Day Vulnerabilities Such a Big Problem?  By definition, a zero-day vulnerability is a security flaw that the developer doesn’t know about. That means that, until a patch is distributed, everyone using the software is vulnerable.  Zero-day vulnerabilities pose a big problem because there is no obvious way to prevent them from being exploited. And, even once a zero-day vulnerability is reported to the developer, users could be waiting for weeks, months, or even years for a security fix. Meanwhile, hackers are crafting sophisticated attacks – again, known as zero-day exploits – to take advantage of the vulnerability. Zero-day exploits can circumvent anti-malware software that relies on lists of known security issues. Even though most modern anti-malware products use more sophisticated detection techniques, some zero-day exploits can get around these, too.  Three Examples of Zero-Day Vulnerabilities We’re going to look at some high-profile zero-day vulnerabilities that have caused serious trouble in the past — and see what you can learn from them.  Cybercriminals Unleash NSA Zero-Day Exploit EternalBlue was a powerful zero-day exploit developed by the US National Security Agency (NSA) sometime around 2011. EternalBlue exploits a vulnerability in Windows’ Server Message Block (SMB) protocol and allows attackers to run code on target computers. The NSA knew about this Windows vulnerability for around five years, and allegedly only warned Microsoft about the exploit once EternalBlue had fallen into the wrong hands. Microsoft released a patch for the vulnerability, but many users have failed to update their systems. Since escaping the NSA, the EternalBlue exploit has been used in many high-profile cyberattacks, starting when hackers used it to spread the notorious WannaCry ransomware in 2016. In 2017, an attack known as “NotPetya” used EternalBlue to target Ukraine’s banks, public services, and power suppliers. The NotPetya attack is widely considered the most devastating cyberattack of all time, causing an estimated $10 billion in damage. The lesson from EternalBlue is clear — always keep your devices patched and up-to-date. Windows and Flash Zero-Day Vulnerabilities Expose DNC Data In 2016, the US Democratic National Convention (DNC) fell victim to a spear phishing campaign, carried out by a Russian hacking syndicate known as Strontium. Strontium’s spear phishing emails contained a zero-day exploit that targeted vulnerabilities in Microsoft Windows and Adobe Flash.  Google first revealed the vulnerabilities on October 31, 2016, when they were still being “actively exploited.”According to Microsoft, these security flaws allowed hackers to control a device’s browser, escape its security “sandbox,” and install a backdoor into the device. Strontium allegedly intended to use data stolen from Democratic Party officials to influence the 2016 US election campaign. You can read more  about the importance of information security in political campaigns on our blog. While the software vulnerabilities allowed Strontium to exfiltrate data from its targets, the exploit was made possible by spear phishing emails. It’s crucial to ensure that all your organization’s devices are protected by email security software that can detect advanced impersonation attacks. Windows Vulnerability Goes Unpatched for 20 Months On January 15, 2019, Google’s virus-hunting team, VirusTotal, announced its discovery of a zero-day vulnerability within Windows, later named CVE-2020-1464. The vulnerability allowed attackers to exploit how Windows authenticates file signatures. File signatures are created when a developer “code signs” a file, to prove a third party has not edited it. Using this vulnerability, attackers could sneak a malicious file past Windows’ security by appending it to a file that had been code-signed by a trusted developer such as Google or Microsoft. Despite reportedly being aware of the CVE-2020-1464 vulnerability, Microsoft did not release a patch for it until August 11, 2020 — nearly 20 months later. Throughout this period, Windows users were vulnerable to phishing attacks designed to spread vulnerability exploits. This is yet another reminder that it’s better to defend employees’ email accounts than to rely on patches and fixes. How to Defend Against Zero-Day Exploits Cybercriminals use different methods to exploit zero-day vulnerabilities, which means organizations need a comprehensive cybersecurity program to defend against these threats. Email security. Cybercriminals commonly use social engineering attacks, such as spear phishing, to get malware onto people’s devices. A crucial way to defend against zero-day exploits is to ensure your employees are protected from phishing.  Network security. Hackers can use “brute force attacks” to gain access to a network and exploit zero-day vulnerabilities. Implementing network security measures such as a firewall or virtual private network (VPN) can prevent this. Anti-malware software. Certain anti-malware software products notice unusual activity in files and processes and can detect some zero-day exploits before they are made public.  Security patches. You should always keep all devices patched and up-to-date. While developers can’t always patch vulnerabilities on time, out-of-date software enables many exploits. How Tessian Helps Defend Against Zero-Day Exploits Unlike spam filters and Secure Email Gateways (SEGs) which can stop bulk phishing attacks, Tessian Defender can detect and prevent the most advanced threats.  How? Tessian’s machine learning algorithms learn from historical email data to understand specific user relationships and the context behind each email. When an email lands in your inbox, Tessian Defender automatically analyzes millions of data points, including the email address, Display Name, subject line, and body copy.  If anything seems “off”, it’ll be flagged – keeping zero-day exploits out.  To learn more about how tools like Tessian Defender can prevent spear phishing attacks, read our customer stories or speak to one of our experts and request a demo today.

As the year comes to a close (and, for many of us, 2020 is a year we want to close the book on…fast) it’s a good time to reflect back on the lessons learned and set a plan to improve in the future. Let’s look at cybersecurity specifically. What should we look out for in 2021 after all that has happened?  We answered the following two questions in our latest webinar, which you can view on-demand here. What do industry experts think the biggest learning of the year has been?  What do they think should be top-of-mind for security leaders next year?  Tessian’s VP of Information Security, Trevor Luker, led a fireside chat with two industry experts, Jesse Starks, CTO at Breckinridge Capital Advisors, and Lena Smart, CISO at MongoDB, to capture their thoughts on the matter. Curious on what insights they shared? Read our notes below for key takeaways and quotes from the panelists.  Or, if you want to learn more about our guest speakers and their companies, skip down to the bottom of the page. And, if you want to be the first to know about future virtual events, subscribe to your newsletter.  3 takeaways from 2020 1. Hackers take advantage of key calendar moments and times of general uncertainty. We saw this happen throughout 2020, with phishing scams around COVID-19, the 2020 census, stimulus checks, and even the US presidential election.  Next up: retail scams in time for the holidays.  2. Hope for the best, prepare for the worst. Both panelists pivoted quickly and easily during the transition from office to home because they already had well-thought-out contingency plans in place. When was the last time you updated your emergency action plan? To learn  more about Jesse and Lena’s contingency plans and what you should consider when making one, watch the full webinar. 

3. Hackers have power in numbers. Today, organizations are being hit by increasingly advanced threats. That’s because an entire industry has been created out of phishing and social engineering, and adversaries operate in groups. They’re experts at their craft. That means security leaders have to level-up their inbound protection.  3 insights for 2021 1. Every employee should be a security champion. Why? Because your cybersecurity is only as strong as your most vulnerable or at-risk employee. After all, it’s people who control your most sensitive systems and data. But, employees can actually be your biggest defense against threats. That’s why education, policies, and security tools are all important. 

2. Expect more data protection regulations in the future. The cost of a breach (including fines for non-compliance) is definitely a concern for security and business leaders. But it’s actually the lost customer trust and damaged reputation that’s top-of-mind. Our panelists tips? Put security controls in place to ensure compliance and make sure you have a process in place for reporting incidents if they do happen.  If you want to learn more about compliance standards like GDPR, CCPA, and HIPPA why good cybersecurity is good for business, download our CEO’s Guide to Data Protection and Compliance. 3. Email security is a long-game strategy. Email is open by default, which means it’s the attack vector of choice for hackers. Looking forward to 2021, security leaders have to have a plan for inbound, advanced impersonation attacks.  

Bonus Insight from Jesse: “You can use technology to close all your gaps, but once you have that, then how can people outside manipulate your organization? Your people – the highest success rate for an attacker. People are always joining organizations, changing teams, changing roles, and learning. The technology changes, but it’s often fixed. The Human Layer is always moving so it makes it very challenging to secure and that’s why it’s so important.” For more tips and personal anecdotes, watch the full video now.  About Jesse Jesse Starks, CISSP, is the Chief Technology Officer at Breckinridge Capital Advisors. Jesse is Breckinridge’s Chief Technology Officer, and is also a member of the firm’s Risk Committee, Information Security Committee, and Business Continuity Committee. In his role, Jesse directs the strategic integration of technology across the firm.  He has over 17 years of experience designing and managing large-scale distributed systems. About Lena Lena Smart is the Chief Information Security Officer at MongoDB. Lena joined MongoDB with more than 20 years of cybersecurity experience. Before joining, she led cybersecurity at large organizations like Tradeweb, New York Power Authority, and InfraGard. She is also a  founding partner of Cybersecurity at MIT Sloan – formerly the Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity – which helps security leaders in academia and the private sector collaborate and tackle the most challenging security issues. About Breckinridge Capital Advisors Breckinridge Capital Advisors is a Boston-based, independently owned investment advisor specializing in investment grade fixed income portfolio management. Working through a network of investment consultants and advisors, they serve a wide variety of clients ranging from high net worth individuals to large institutions. Breckinridge’s assets under management totaled more than #42 billion as of September 30, 2020 Reflecting their commitment to ESG and sustainability, Breckinridge is a Massachusetts Benefit Corporation and a certified B Corp. They believe these designations help them in their goals to create positive, long-term impact for their clients, employees and the communities in which they live, work and invest. About MongoDB MongoDB is the leading modern, general purpose database platform, designed to unleash the power of software and data for developers and the applications they build.  Headquartered in New York, MongoDB has more than 20,200 customers in over 100 countries. The MongoDB database platform has been downloaded over 125 million times and there have been more than one million MongoDB University registrations.

Think about all of your different online accounts.  Email, social media, banking, eCommerce platforms, news sites….And that’s just in your personal life. What about at work?  For all of these different accounts, you’ll have a username, a password, a pin, or some combination of the three. We call these credentials and they’re the type of data that’s most frequently compromised in phishing attacks.  In fact, businesses (and individuals!) lose millions every year to the direct and indirect costs of credential phishing attacks.

Keep reading to find out what credential phishing is, what a credential phishing email looks like, and how to avoid falling victim to a credential phishing attack. What is phishing? First things first. Before we can dive into credential phishing specifically, we have to explain what phishing is broadly.  Phishing is a type of social engineering attack where the attacker uses “impersonation” to trick the target into giving up information, transferring money, or downloading malware.  Phishing attacks can take many different forms, including: Spear phishing: A targeted phishing attack against a known individual. Whaling: A phishing attack targeting a c-level executive. Senior employees make good targets, as they have easier access to a larger amount of money. Smishing: A phishing attack conducted via text message. Vishing: A phishing attack conducted via voice (phone or VoIP). Any of these types of phishing could be used to gain access to credentials. Attackers also use these methods to target other types of information, like credit card details or social security numbers, and to steal money from the target (“wire transfer phishing”). If you want to learn more about phishing and other social engineering attacks, check out these articles: How to Identify and Prevent Phishing Attacks Phishing vs. Spear Phishing: Differences and Defense Strategies 6 Real-World Examples of Social Engineering Attacks How does credential phishing work? Credential phishing almost always starts with an email. In fact, 96% of phishing attacks do. So how can you spot one? Let’s take a look at the elements of a credential phishing email. Subject line The cybercriminal’s first challenge is to get their target to open the phishing email. This requires an intriguing and attention-grabbing subject line. Research reveals some of the most commonly-used words and phrases in the subject lines of phishing emails, including: Request Follow up Urgent/Important Are you available?/Are you at your desk? Payment Status Hello Purchase Invoice Due You’ll notice that some of these subject lines elicit feelings of urgency, while others aim for familiarity.  According to another report,  25% of phishing emails get read. Ask any marketer, this is a high “open rate”. So, while these tactics might seem crude…they work. Main body of email The main content of a credential phishing email is designed to do two jobs: evade spam filters and persuade the target to click a malicious link. With that in mind, there are some hallmarks of a persuasive phishing email: It is addressed to you by name. It appears to be from a trusted sender with whom you regularly communicate. It uses the supposed sender’s proper branding, email signature, and communication style. The goal – of course – is to make the target believe it’s real.  That’s why successful phishing operations are highly targeted and backed by meticulous research about the target. The days of “spray and pray” bulk phishing emails are long gone. Cybercriminals are using increasingly advanced tactics, such as open source intelligence (OSINT) and hijacking an ongoing email conversation. Malicious link Unlike other types of phishing attacks, a credential phishing attack will always contain a link to a fake login page. But, like the main body of the email, the URL should look legitimate. Again, the goal is to trick the target, not raise their suspicions.  How? Piggyback off another brand’s reputation.  Research suggests that 52% of malicious links contain a brand name. This is known as a “spoof” domain. For example, a spoof of the URL “https://www.tessian.com” might be “http://www.tessian.nh”  Other techniques used for disguising URLs include using a link-shortening service like Bitly or using a hyperlinked image (for example, a “log in” button) Clickthrough rates on credential phishing links are estimated to fall anywhere from 3.4% (Verizon) to 10% (Proofpoint). This represents a very high success rate: remember that just one person clicking that link can cost a company millions of dollars. Phishing website Once you’ve clicked on the link, you’re directed to the phishing website designed to steal your credentials. We call these malicious websites.  The landing page must be just as convincing as the email itself. That means a good phishing login page will be meticulously crafted, using authentic images and fonts to perfectly recreate a brand’s genuine site. Did you know: Cybercriminals are increasingly securing their sites using HTTPS or SSL certification. Research from APWG suggests that 78% of phishing sites use SSL certificates. This security makes the user feel more secure, but it doesn’t mean the site owner can’t steal their data.  As well as looking convincing, the phishing site must also evade security controls that filter out non-whitelisted sites based on keywords such as “enter password.” But hackers have found a shortcut. Instead of using text on their login pages, they use images. That way, rule-based security controls and spam filters can’t spot the fakes.

What happens to phished credentials? Cybercriminals steal credentials for a variety of reasons. Once your username and password have been phished, they might be: Used for Business Email Compromise (BEC) or Vendor Email Compromise (VEC) attacks. Used to log into your email account and steal personal or company data. Used for identity fraud. Used for conducting fraudulent transactions. Sold on the dark web: Research from Digital Shadows shows there are over 15 billion sets of credentials available to buy online. Credential phishing can be especially damaging for anyone who reuses passwords. Why? If one password is compromised, several accounts could be exposed.   Researchers at Virginia Tech observed attackers using phished PayPal, LinkedIn, and Microsoft credentials to log into email accounts — even though the email accounts were not the attackers’ primary targets. What you need to know about credential phishing Now you know how credential phishing works, let’s clear up some myths and misconceptions about this particularly dangerous form of cyberattack. Credential phishing is effective Because phishing is such a common and well-established type of cyberattack, you might think people have become wise to these scams. Surely phishing for people’s credentials is an outdated tactic? Unfortunately not. Phishing attacks are becoming more sophisticated — and because many people naturally tend to trust others — we’re still clicking those phishing links.  According to Verizon, phishing was the most common cause of data breaches in 2019, with 22% of 2019 data breaches involving phishing. Phishing was also the leading issue in complaints to the FBI’s Internet Crime Complaint Centre (IC3) in 2019, costing victims over $58 million in direct losses. Not all of these phishing attacks targeted credentials. Other types of phishing involve fake invoices or target credit card details. But credentials are the most common target, with over 60% of phishing attacks aiming to steal usernames and/or passwords. Looking for more phishing statistics? Check out this article: Must-Know Phishing Statistics: Updated 2020. 

Multifactor authentication won’t prevent credential phishing Multifactor authentication (MFA) is an essential extra layer of login security. But MFA isn’t a solution to credential phishing. This is a misconception that can leave people and organizations vulnerable. Here’s why.  Logging into an account protected by MFA requires you to enter your login credentials and take one or more additional steps to verify your identity — such as clicking on a link in an email, entering a verification code sent via SMS, or using an authenticator app.  Yes, this makes things a lot harder for hackers, who must steal a user’s account credentials and access the additional authenticator. But cracking MFA is far from impossible. Authentication tokens can be phished or hacked, just like usernames and passwords. That means MFA is an essential layer of protection that you should apply across all user accounts, but it’s not a failsafe against credential phishing. Credential phishing attacks increasingly target corporate email accounts Some organizations might focus their cybersecurity efforts on preventing attacks involving ransomware or wire transfer phishing, believing that consumers are more likely to be the target of credential phishing. Credential phishing attacks against consumers are very common, but research shows that credential phishing scammers now have their sights set on corporate targets. What makes corporate email accounts a particularly good target for credential phishing? Hackers can use one account as a foothold to conduct further phishing operations both within the organization and across their supply chain.  How to prevent credential phishing attacks Investment in cybersecurity is increasing year on year (up 44% in the UK since GDPR was rolled out) and preventing inbound attacks like credential phishing is a high priority for many companies.  Here are some solutions to consider.  Email security software You’ve seen the sophisticated techniques that cybercriminals use to fool their targets. Even the most tech-savvy of your team members can’t be expected to detect advanced credential phishing emails.  Instead of leaving people as the first and last line of defense against these targeted attacks, consider email security software like Tessian Defender that automatically protects your employees’ email accounts against credential phishing and other inbound threats.  Here’s how: Tessian scans your employees’ inboxes to learn their regular email style and map their trusted relationships. This way, it automatically knows when an employee receives correspondence from an unexpected sender. Tessian inspects inbound emails for signs that they might be phishing emails. Signs might include barely noticeable irregularities in the sender’s email address, potentially malicious links, or suspicious changes to the sender’s communication patterns. Tessian warns employees before they fall victim to a phishing attack and alerts security teams, who can quickly and easily investigate the attack and – to prevent future attacks – can add the sender’s domain to a denylist in a single click.  Security training Staff training in data protection and phishing awareness are both essential (and can even be a requirement under some privacy laws and regulatory standards). Why? Your staff should know what phishing emails and other cyberattacks look like and know what to do if they fall victim to one. But the average person isn’t a security expert. Like we said, even the most tech-savvy person can fall for sophisticated attacks. It’s no wonder, then, that most data breaches start with human error.  To learn more about the pros and cons of phishing awareness training, click here.  Password management In a world where passwords protect our most valuable and sensitive data, it’s incredible how many people still use the same password across multiple accounts. Re-using passwords increases your vulnerability across multiple accounts. Your organization should insist that employees use unique, complex passwords for each of their accounts. Employees should also be changing their passwords regularly. One way to ensure better password management is to use a password manager, ideally designed for enterprise, with centralized user account controls. You should also be implementing multi-factor authentication wherever possible. If you want to learn more about email security best practices, we recommend these articles: Email Security Best Practice 2020 Email Mistakes at Work and How to Fix Them The Psychology of Human Error How to Catch a Phish: a Closer Look at Email Impersonation Or, if you want to learn more about how Tessian helps enterprises around the world prevent credential phishing and other inbound and outbound threats, read our customer stories. 

What messaging channel has more users than Facebook and WeChat put together, has been around since 1971, and today is one of the biggest communications channels worldwide. You guessed it: email.  Today, there are around 3.9 billion email users around the world and, with steady annual growth of 3% expected, we should have 4.3 billion email users by 2022. But, email wasn’t designed to be secure which means that the data sent back and forth every day is at risk of being compromised.  The bottom line: It’s a serious security risk for businesses, which are now by-and-large bound to strict compliance standards. In fact, it’s the threat vector IT leaders are most concerned about protecting. Keep reading to find out what email security is, how data can be lost or breached on email, and what employees can do to prevent data loss on email.  If you’re looking for information about cybersecurity best practice while working remotely, check out our ultimate guide here.

But, why do organizations need to secure email? Because it’s “open” by nature. An unlocked door. That’s how it was designed! It actually started as an intra-organization chat tool.  

But an open network is an at-risk network. Anything can come in or go out.  Bad-intentioned hackers can send malicious attachments and malware-ridden into any organization, so long as they have the email address of just one employee.  Likewise, bad-intentioned employees can send sensitive data outside of an organization, simply by hitting “send”.  That’s why we have two categories of email security. Inbound email security: Inbound email security protects against threats like spam, phishing, spear phishing, and other advanced impersonation attacks.  Outbound email security: Outbound email security prevents data exfiltration and prevents accidental data loss via misdirected emails.  To really understand how email security works, you have to understand how email works, which we’ll cover next.  Not interested in the nitty gritty of email? Skip down the page to learn more about: The different types of email security solutions Best practice for email security How Tessian detects and prevents both inbound and outbound threats on email

Email 101: How does email work? Put simply, email operates by way of servers speaking with each other.  The framework that governs these communications is called Simple Mail Transfer Protocol (SMTP). SMTP is the protocol, which governs how servers send and receive packets of email data. The server sending an email will “push” the email to a receiving server. There are three key component parts of each email, all of which are to some extent based on traditional, physical mail. The envelope The envelope is the initial information pushed by the server sending an email to the receiving server. It simply indicates the email’s sender and recipient, as well as some validating commands exchanged between the sending and receiving servers. Email users can’t see the envelope, since it is part of the internal routing process for emails.  The header The email header, which is transmitted alongside the body of the email, contains metadata such as the time the email was sent, which servers sent and received the data, and so on. Email clients (such as Outlook, Gmail etc) hide header information from recipients. The body The body of an email is simply the content that a recipient sees and interacts with.  The envelope, the header and the body are all potential weak spots in organizations’ security perimeters. It is not difficult for an attacker in control of their own email server to spoof details of an email’s header, for instance, or to target an employee with a convincing impersonation of a trusted colleague or partner. (See other Tessian blogs for examples of display name and domain impersonation, which are regularly used to target enterprises and their employees in spear phishing campaigns.) So, what solutions exist to prevent inbound and outbound email threats?

Different types of email security solutions Secure Email Gateways Secure Email Gateways – also known as SEGs or Email Security Gateways – have been deployed by organizations for decades. SEGs offer an all-in-one solution that blocks spam, phishing, and some malware from reaching employees’ inboxes. They might use email encryption to make communications harder to intercept. As with DLP tools (see below), SEGs operate by way of extensive lists of rules that only defend against threats the system or organization has seen before.  SEGs use various methods to detect threats in emails. Generally, they inspect links and attachments, and apply rules to the email to raise suspicious characteristics (like if the email originates from a blacklisted IP address). Importantly, though, they can’t stop more advanced attacks like spear phishing. This is especially problematic because today, cybercriminals are using increasingly sophisticated social engineering tactics to bypass SEGs and trick end-users.  DLP Essentially, Data Loss Prevention (DLP) software ensures that organizations don’t leak sensitive data.  DLP software monitors different entry and exit points within a corporate network, such as user devices, email clients, servers and/or gateways within the network. Like SEGs, DLP tools are invariably rule-based, limiting the range of new and evolving threats DLP products can defend against. Interested in learning more? Check out these articles:  What is Data Loss Prevention? A Complete Overview of DLP on Email The State of Data Loss Prevention 2020 The Drawbacks of Traditional DLP on Email SPF / DKIM / DMARC SPF, DKIM and DMARC are email authentication records that, in short, help protect organizations against attackers spoofing their domains. Although they can help stop spoofing attempts, the effectiveness of these protocols is limited by their lack of adoption. The vast majority of organizations around the world have not yet implemented DMARC, which means attackers can easily target vulnerable companies and spoof their domains. (For more information, head to Tessian’s blog on DMARC.) Given the shortcomings of these traditional solutions, security leaders must educate their employees on best practice so that they’re well-equipped to defend against email attacks and prevent data loss (both accidental and malicious).

Best practices for email security

Here are a few key strategies virtually all organizations can employ to help them defend against cyber threats on email. Password protection Even when organizations and attackers are in a cybersecurity arms race, the basics of good security still apply. Email accounts need strong passwords: a good guideline is that if you can remember your password, it isn’t strong enough. If your organization uses a password management tool like Lastpass or 1Password, make sure all passwords are stored on that system. Top tip: You should also consider implementing 2Fa. Manage sensitive information carefully Organizations control all kinds of sensitive data, and the popularity (and necessity) of newly flexible working habits means that security leaders need to be especially vigilant as to how data moves inside and outside organizations’ networks. To control the flow of data, organizations implement policies and procedures, including access controls.  But, these controls and human policies can impede productivity. In fact, 51% say security tools and software impede their productivity. Another 54% of employees say they’ll find a workaround if security software or policies prevent them from doing their job. Leverage technology to train employees Training and awareness is regularly talked up among cybersecurity practitioners.  The problem is, taking employees away from their day-to-day duties and delivering context-free workshops on cybersecurity will rarely result in better vigilance and lasting threat protection. It’s important to invest in technology that can deliver in-situ, contextual training, allowing employees to learn from activity taking place in their own inboxes. You can read more about the Pros and Cons of Security Awareness Training here. While password protection, access controls, policies, and training can all help improve an organization’s email security, they alone aren’t enough. After all, to err is human! That’s why we can’t leave people as the last line of defense. And, since traditional email security solutions like SEGs and rule-based DLP can’t stop more advanced threats, security teams need to look at next-generation technology like Tessian. 

How does Tessian detect and prevent inbound and outbound threats on email? Tessian’s approach to email security is different. We call it Human Layer Security and, across three solutions, we prevent data exfiltration, accidental data loss, and spear phishing attacks. Powered by machine learning, Tessian maps employee email activity and builds unique security identities for every individual. Our algorithms can then predict when inbound and outbound email activity is normal or abnormal and detect potential security incidents before they become breaches. No rules required. We secure hundreds of thousands of employees at some of the world’s leading enterprises. But, don’t take our word for it. Take it from them! We have dozens of customer stories. Or, if you’re interested in learning more about how Tessian can help your organization level-up its email security, speak to one of our experts today.

The California Consumer Privacy Act (CCPA) is now in force, and those that fail to comply are open to civil penalties and private lawsuits.  But, many business, security, and compliance leaders are still scratching their heads, wondering how the CCPA will affect them, how to stay compliant, and what consequences they face in the event of a data breach. We’re here to help. We’ve answered some of the key questions businesses are asking about, from the scope of the CCPA to violations under this strict data privacy law.  Important Note: The California Privacy Rights Act (CPRA) – also known as Proposition 24 – passed on November 3, 2020. The CPRA amends the CCPA, taking away some of the ambiguity and pushing the state statute closer to the GDPR. The CPRA: Gives consumers the right to opt out of sharing their data. That means publishers will be required to display “prominently and conspicuously” on their homepages a “Do Not Sell or Share My Personal Information” link. Enforces a general purpose limitation on personal information use, limiting a business’s use and sharing of personal information to the purposes for which it was collected. Remember, consumers must be informed about how their data will be use before it is collected. Creates an agency to enforce compliance and dish out fines. The new regulatory body – California Privacy Protection Agency – has dedicated resources and the power to determine whether or not a violation was intentional or not. While – yes- the CCPA already contains similar notice requirements with respect to the purposes for which personal information will be processed, the CPRA offers California regulators additional enforcement options. What does this mean for you? Organizations must ensure compliance with the CPPA,  integrating the demands of the CPRA. The CPRA is set to take effect on January 1, 2023, but will apply to data collected from January 1, 2022.

Scope of the CCPA Who is covered by the CCPA? The CCPA covers several types of entities, primarily “businesses.” If your company qualifies as a business, it needs to comply with the CCPA. A business can be any legal entity that operates for profit in California and meets one or more of the CCPA’s three thresholds: It has annual gross revenues in excess of $25 million It annually buys, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers, households, or devices  It earns 50 percent or more of its annual revenues from selling consumers’ personal information Does the CCPA only apply to big businesses? At first glance, the thresholds above may appear to only apply to large corporations, social media companies, and “data brokers.”  But the truth is, many companies with targeted advertising campaigns may meet the requirements of threshold “B.” This is because using third-party cookies is likely to constitute “selling personal information. (More information below. Click here to jump ahead.)  Therefore, a company is likely to be covered by the CCPA if its website or mobile app: Uses third-party advertising or analytics cookies (or similar technologies), and Generates at least 50,000 unique hits originating in California per year.

Does the CCPA cover non-Californian companies? It doesn’t matter if your business is based in Los Angeles, London, or Lahore. The determining factors are whether you collect the personal information of California residents (“consumers”), and whether you meet one or more of the three thresholds above. Does your business collect the personal information of California residents? It does if they:  Visit your website (assuming you use web analytics or cookies to measure engagement or track visitors) Sign up to your newsletter Make an enquiry about your services That means that if you have a website that attracts visitors from around the world, chances are you’re obligated to satisfy the CCPA.  What is “Personal Information” under the CCPA? The CCPA defines “personal information” as: “…information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It’s worth mentioning that this is arguably the broadest definition of “personal information” under any privacy law in the world. Nonetheless, the CCPA provides examples of the types of data that might qualify as personal information.  While this list is not exhaustive, it includes: Name Email address IP address Cookie data Device ID Biometric data Geolocation data It’s very common for a business to collect these types of information every time a person visits its website or uses its app. And, it’s also impossible to do business with a consumer without collecting at least some of this information.  Think about it. When you buy something on an e-commerce website, what information do you provide? What is a “Service Provider” under the CCPA? A service provider is a legal entity that processes personal information on behalf of a business.  For example, a marketing company receives a list of email addresses from a business and sends out its newsletter. The marketing company doesn’t have a direct interest in the end result of this activity — it simply obeys the instructions of the business. A service provider must also operate under a contract with the business from whom it receives personal information. This contract must prohibit the service provider from retaining, using, or disclosing the personal information for any purpose outside of the contract. In layman’s terms: Service providers are not directly liable for most CCPA obligations. But, if a service provider’s negligence or wrongdoing leads to a data breach, it can be sued by the client.  Service providers can also receive civil penalties (more on that here) in certain circumstances. Unfortunately, it’s not clear yet what these “certain circumstances” are. As and when we have more context, we’ll update this blog! Violating the CCPA What is the CCPA’s Private Right of Action? Under the CCPA’s private right of action, a consumer — or group of consumers — can bring a legal claim against a business that fails to secure certain types of their personal information and suffers a data breach. (You can read more about what types of PI in this blog.) But, what happens if a consumer does pursue this private right of action? It can lead to: Statutory damages — an amount of money paid to each consumer, determined by the court, depending on the seriousness of the breach (among other factors). Statutory damages fall between $100 and $750 per consumer, per incident. Actual damages —  an amount of money paid to each consumer, based on what they have actually lost as the result of a breach. In the event of large-scale data breaches involving millions of consumers, damages could add up to billions of dollars. We’ve yet to see any legal claims completed under the CCPA. However, what if the CCPA had been in force throughout Facebook’s “Cambridge Analytica” scandal? Privacy lawyer Nicholas Schmidt estimates that the damage could have been between $61.6 billion and $184.7 billion. What are the CCPA’s civil penalties? The California Attorney General can issue civil penalties to businesses or service providers that violate any part of the CCPA. The CCPA’s civil penalties can be for an amount of: Up to $7,500 per intentional violation, such as knowingly selling personal information where a consumer has opted out. Up to $2,500 per unintentional violation, such as failing to impose reasonable security measures leading to a data breach.  Note: This is why it’s so important organization’s have strong security policies, procedures, and solutions in place. Reducing risk by improving your security posture is key. Tessian helps prevent data exfiltration and accidental data loss. Our solutions also help security leaders proactively protect their systems and data through automated intelligence and robust investigation and remediation tools. Learn more. The California Attorney-General must give a business 30 days’ notice of its alleged CCPA violation. If the business can “cure” the violation within this period, it can escape a penalty. While it’s not clear how a business can “cure” a CCPA violation, examples may include imposing security measures to “stem” a data breach or successfully retrieving personal information that has been exfiltrated. Privacy regulators are increasingly imposing harsh penalties on big tech companies. The CCPA takes clear inspiration from the EU General Data Protection Regulation (GDPR), which has seen the following large fines: €50 million (Google, France) €27.8 million (TIM telecommunications company, Italy) €204.6 million (British Airways, UK — not yet enforced)

CCPA Data Security Requirements What counts as a data breach under the CCPA? The CCPA defines a data breach as: “…unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information” Here are the key elements of this definition: Unauthorized access Exfiltration Theft Disclosure A failure to “maintain reasonable security procedures and practices” Remember that a data breach can be intentional or unintentional and it can originate from a person inside or outside of your business. Read more about Insider Threats on our blog. According to the most recent California Data Breach Report, misdirected emails (emails sent to the wrong recipient) were the leading cause of data breaches. !function(e,t,s,i){var n="InfogramEmbeds",o=e.getElementsByTagName("script"),d=o[0],r=/^http:/.test(e.location)?"http:":"https:";if(/^\/{2}/.test(i)&&(i=r+i),window[n]&&window[n].initialized)window[n].process&&window[n].process();else if(!e.getElementById(s)){var a=e.createElement("script");a.async=1,a.id=s,a.src=i,d.parentNode.insertBefore(a,d)}}(document,0,"infogram-async","//e.infogram.com/js/dist/embed-loader-min.js");

In the UK, misdirected emails were also the most common cause of data breach in quarter 4 of 2019-20, according to the UK Information Commissioner’s Office (ICO). As we’ve said, the CCPA requires a proactive approach to maintaining data security. Read about how Tessian can help CCPA compliance below or learn more about Tessian Guardian, which detects and prevents misdirected emails before they happen. What is “reasonable security” under the CCPA? The CCPA doesn’t define “reasonable security procedures and practices.”  However, in the most recent California Data Breach Report, the California Attorney-General clearly states that meeting the 20 Critical Security Controls from the Center for Internet Security (CIS) represents a minimum reasonable level of security.

The CIS Critical Security Controls include: Email and web browser protection Malware protection Application software security It’s worth noting that email is the threat vector most security leaders are worried about protecting. Find out why.  CCPA Consumer Rights What are the CCPA Consumer Rights? The CCPA’s consumer rights are: The right to know — consumers may request information about the types of information a business has collected, used, and shared about them over the past 12 months. They may also request copies of the specific pieces of information that the business holds about them. The right to delete — consumers may request that a business deletes the personal information it holds about them. The right to opt out — consumers may instruct a business not to sell their personal information The right to non-discrimination — businesses may not offer a lesser quality of goods or services or demand a higher price for goods or services if a consumer exercises their CCPA rights. The right to opt in (for minors) — businesses must obtain opt-in consent before selling the personal information of minors under the age of 16. They must obtain parental consent before selling the personal information of minors under the age of 13. In upholding these consumer rights, businesses have an obligation to provide individuals certain types of notice. More on that below.  What are the CCPA’s notice requirements? Under the CCPA, businesses must provide up to four types of notice to consumers: Privacy Policy — details which categories of personal information the business has collected, used, disclosed, and sold over the past 12 months. Every businesses must include a clear and prominent link to its Privacy Policy on its website and/or app. Notice at collection — provided at the point at which the business collects personal information from a consumer. This could appear, for example, as a disclaimer at the top of a sign-up form, informing consumers about what personal information the business is collecting and why. Notice of the right to opt-out — enables consumers to opt out of the sale of their personal information (where applicable). This must include a prominent link on a business’s homepage reading “Do Not Sell My Personal Information.” It might also take the form of a “cookie banner” enabling consumers to opt out of personalized advertising. Notice of financial incentives — informs consumers about any financial incentives offered for the processing of their personal information (where applicable). This can appear as a disclaimer when consumers are invited to sign up to certain types of “loyalty schemes.” What counts as “selling” Personal Information under the CCPA? The CCPA defines “selling” personal information as: “…selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” There is a lot of debate about what this means for businesses. Virtually any transfer of personal information that benefits your company could constitute a “sale.”  And, because of the very broad phrasing, this definition is likely to include the use of third-party cookies, which involve “transferring” “personal information” (such as IP addresses and device IDs) to “a third party” for “valuable consideration.” Don’t worry, there are several approaches to transferring Personal Information without “selling” it, including engaging a service provider when disclosing personal information for business purposes. How can Tessian help with CCPA compliance? While some parts of the CCPA are still open to debate, we know the following facts for certain: Data breaches will leave CCPA-covered businesses open to significant risks of private litigation and civil penalties. Failure to implement reasonable security procedures and practices will: Increase the likelihood of a data breach occurring, and Lead to more substantial fines and more serious legal claims. As one of the CIS Critical Security Controls, “email protection” is one of the minimum requirements for “reasonable security.” Tessian’s Human Layer Security solutions can fulfill a crucial element of your company’s duty to maintain reasonable security procedures and practices. Tessian Guardian — prevents your employees from emailing personal or sensitive company information to the wrong person. Tessian Enforcer — prevents the exfiltration of company data to unauthorized recipients. Tessian Defender — detects and prevents inbound “spear-phishing” attacks designed to trick your employees into divulging personal information. Learn more about Tessian’s solutions by booking a demo. 

At Tessian, we have many applications that interact with each other using REST APIs. We noticed in the logs that at random times, uncorrelated with traffic, and seemingly unrelated to any code we had actually written, we were getting a lot of HTTP 502 “Bad Gateway” errors. Now that the issue is fixed, I wanted to explain what this error means, how you get it and how to solve it. My hope is that if you’re having to solve this same issue, this article will explain why and what to do.  First, let’s talk about load balancing

In a development system, you usually run one instance of a server and you communicate directly with it. You send HTTP requests to it, it returns responses, everything is golden.  For a production system running at any non-trivial scale, this doesn’t work. Why? Because the amount of traffic going to the server is much greater, and you need it to not fall over even if there are tens of thousands of users.  Typically, servers have a maximum number of connections they can support. If it goes over this number, new people can’t connect, and you have to wait until a new connection is freed up. In the old days, the solution might have been to have a bigger machine, with more resources, and more available connections. Now we use a load balancer to manage connections from the client to multiple instances of the server. The load balancer sits in the middle and routes client requests to any available server that can handle them in a pool.  If one server goes down, traffic is automatically routed to one of the others in the pool. If a new server is added, traffic is automatically routed to that, too. This all happens to reduce load on the others.

What are 502 errors? On the web, there are a variety of HTTP status codes that are sent in response to requests to let the user know what happened. Some might be pretty familiar: 200 OK – Everything is fine. 301 Moved Permanently – I don’t have what you’re looking for, try here instead.  403 Forbidden – I understand what you’re looking for, but you’re not allowed here. 404 Not Found – I can’t find whatever you’re looking for. 503 Service Unavailable – I can’t handle the request right now, probably too busy. 4xx and 5xx both deal with errors.  4xx are for client errors, where the user has done something wrong. 5xx, on the other hand, are server errors, where something is wrong on the server and it’s not your fault.  All of these are specified by a standard called RFC7231. For 502 it says: The 502 (Bad Gateway) status code indicates that the server, while acting as a gateway or proxy, received an invalid response from an inbound server it accessed while attempting to fulfill the request. The load balancer sits in the middle, between the client and the actual service you want to talk to. Usually it acts as a dutiful messenger passing requests and responses back and forth. But, if the service returns an invalid or malformed response, instead of returning that nonsensical information to the client, it sends back a 502 error instead.  This lets the client know that the response the load balancer received was invalid.

The actual issue Adam Crowder has done a full analysis of this problem by tracking it all the way down to TCP packet capture to assess what’s going wrong. That’s a bit out of scope for this post, but here’s a brief summary of what’s happening: At Tessian, we have lots of interconnected services. Some of them have Application Load Balancers (ALBs) managing the connections to them.  In order to make an HTTP request, we must open a TCP socket from the client to the server. Opening a socket involves performing a three-way handshake with the server before either side can send any data.  Once we’ve finished sending data, the socket is closed with a 4 step process. These 3 and 4 step processes can be a large overhead when not much actual data is sent. Instead of opening and then closing one socket per HTTP request, we can keep a socket open for longer and reuse it for multiple HTTP requests. This is called HTTP Keep-Alive. Either the client or the server can then initiate a close of the socket with a FIN segment (either for fun or due to timeout).

The 502 Bad Gateway error is caused when the ALB sends a request to a service at the same time that the service closes the connection by sending the FIN segment to the ALB socket. The ALB socket receives FIN, acknowledges, and starts a new handshake procedure. Meanwhile, the socket on the service side has just received a data request referencing the previous (now closed) connection. Because it can’t handle it, it sends an RST segment back to the ALB, and then the ALB returns a 502 to the user. The diagram and table below show what happens between sockets of the ALB and the Server.

The fix … is fairly simple.  Just make sure that the service doesn’t send the FIN segment before the ALB sends a FIN segment to the service. In other words, make sure the service doesn’t close the HTTP Keep-Alive connection before the ALB.  The default timeout for the AWS Application Load Balancer is 60 seconds, so we changed the service timeouts to 65 seconds. Barring two hiccoughs shortly after deploying, this has totally fixed it. The actual configuration change I have included the configuration for common Python and Node server frameworks below. If you are using any of those, you can just copy and paste. If not, these should at least point you in the right direction.  uWSGI (Python) As a config file: # app.ini [uwsgi] ... harakiri = 65 add-header = Connection: Keep-Alive http-keepalive = 1 ... Or as command line arguments: --add-header "Connection: Keep-Alive" --http-keepalive --harakiri 65 Gunicorn (Python) As command line arguments: --keep-alive 65 Express (Node) In Express, specify the time in milliseconds on the server object. const express = require('express'); const app = express(); const server = app.listen(80); server.keepAliveTimeout = 65000

Looking for more tips from engineers and other cybersecurity news? Keep up with our blog and follow us on LinkedIn.

In case you missed it, Chris Kovel, Chief Technology Officer at PJT Partners, recently joined Robyn Savage, Customer Success Manager at Tessian, for a Q&A about what threats are top of mind and how Tessian helps PJT Partners keep data secure. While you can watch the full video on-demand, we’ve compiled our notes for a high-level overview of their 30-minute discussion. Want to learn more about Chris or PJT Partners? Skip down to the bottom of the page. And, if you want to be the first to know about future virtual events, subscribe to our newsletter.  4 things we learned from Chris  There are three “types” of threat actors. The outsider with intent, the insider with intent, and the well-intentioned employee. In terms of what keeps Chris up at night, it’s often the well-intentioned employee who sends misdirected emails.  While most of us have fired off an email to the wrong person, that doesn’t mean there aren’t serious consequences. There are. If data is leaked (especially in highly regulated industries like Financial Services, Healthcare, and Legal) organizations could face hefty fines for non-compliance, lose customer trust, and suffer a damaged reputation. But… 90% of emails don’t contain sensitive information. That’s why it’s so important that security and compliance leaders develop a process for classifying data as a part of their larger data loss prevention strategy.  PJT Partners uses Tessian for both inbound and outbound email security to detect and prevent misdirected emails, insider threats, and advanced impersonation attacks.  To find out a bit more about what’s top of mind for Chris and how Tessian fits into his overall security strategy, Robyn asked Chris several questions. We’ve summarized them below. Don’t forget, you can watch the full interview here. Q. Are there certain employees who you view as particularly risky or at-risk? “There are absolutely higher value targets that we have to pay more close attention to… But the controls we put in place are for the firm, right? They’re put in place to help everybody.  The leak can happen at any level. It could be a low-level junior banker, it can be someone in the technology department, it can be a partner of the firm.” Q. How has COVID affected your organization and your approach to cybersecurity? “Bankers and everyone else are using technology more than they’ve ever used it before. That means devices are a key for doing business now, whether it’s pulling up a quick video or sending documents. But email still actually accounts for the lion’s share of their communication. Fortunately, Tessian has some really great tools in place to protect users on devices in the same way they’re protected on desktop.” Want to learn more about how to keep your devices secure? Check out our Remote Worker’s Guide to BYOD Policies. Q. Shifting to inbound, what features make Tessian an especially appealing and effective solution at PJT? “Frankly, Tessian is extraordinarily clever in how it detects advanced impersonation. The amount of suspicious emails that Defender flags for us is quite staggering.” “You can spoof an email address in any way, shape, or form so having a product that basically says, “this one email doesn’t look like the others” or “this email likely isn’t actually coming from this person” is really helpful to the larger firm and individual users. In-the-moment warnings are helping our employees get better at actually recognizing which emails are legit and which aren’t and our administrators can help them work through it.”

For more insights and personal anecdotes, watch the full video now.  About Chris Chris Kovel is the Chief Technology officer at  PJT Partners. Prior to joining PJT Partners, Chris spent the previous 25 years at Morgan Stanley in the technology department. In Chris’ last role at Morgan Stanley, he was primarily focused on Artificial Intelligence, Analytics and Data for the Wealth Management division.  Over the course of the 25 years at Morgan Stanley, Chris developed significant technologies for Investment Banking, Capital Markets, Wealth Management, Research & Sales Distribution. Chris holds two patents for banking and trading technologies. Chris led the project and team that won the 2018 Banking Technology Award for Artificial Intelligence for the Next Best Action implementation. Prior to joining Morgan Stanley, Chris worked for Lotus Development Corporation. Chris received his BA from Skidmore College About PJT Partners PJT Partners is a premier global advisory-focused investment bank headquartered in New York City. Their team of senior professionals deliver a range of services to corporations, financial sponsors, institutional investors, alternative investment managers, and governments around the world. 

According to new research into the future of hybrid working, 85% of IT leaders believe their security teams will be under higher pressure, feel more stretched, and need extra resources in 2021.  Could automation shoulder some of the burden?  In case you missed it, Tessian hosted Karl Knowles, Head of Cyber at HFW, and Timor Ahmad, Head of Data Governance & Privacy at Lloyd’s, for a session that took a deep dive into how organizations can utilize automation to reduce risk on email. You can watch the full video on-demand, but we’ve summarized the highlights from the session along with some actionable advice you can use to give your security posture a boost.  1. Use this shift to remote working to create a more positive security culture  Can employees work remotely? Can they maintain the same quality of work?  These are both questions security and business leaders have asked for years but have been too hesitant to actually test. But now – as we’ve all been forced to make the transition from office to home – we’ve seen how people have adapted and we now have new ways of working. These changes naturally affect your organization’s culture.

So what does this mean for security leaders? It means you have the ability to mold and shape a more positive security culture. Take time to understand how your employees are working, what their new behaviors are, and how you can support them in a safe and compliant way.  Now is the time to integrate security awareness into the foundation of your organization and prioritize privacy for employees, clients, and customers wherever and however they work.  2. Be human-first in your approach to security  Working remotely, people may feel isolated, unmotivated, and unsupported. That’s why you have to prioritize employee wellbeing and help everyone adapt.  So, to help make security more human (and yes, fun) Karl and Timor suggested using cartoons, magazines, or digital games to help get employees involved and bring them along on your journey to security maturity.  But it’s not all about fun. It’s also about meaningful connections.  Security is a team sport and employees need to feel comfortable asking questions about security, sharing feedback about new solutions or policies, and reporting incidents and near-misses. You have to foster that environment. How?  Drop into team meetings on occasion, encourage people to open up to you, and always ask questions and provide ways for employees to give feedback.  Building this connective tissue with employees across the organization will help people feel more supported in their new way of working.  3. Share your security wins  According to Karl and Timor, it can be a challenge to help employees feel like they’re actually contributing to the success of the security program. But, they had a tip. Use data.  They explained how they use Tessian’s dashboard to display key charts and statistics around the organization’s security posture both at the board and employee level. The numbers include: How many phishing attacks are reaching employees How many of those were flagged to their security team  What the outcome would have been if the attack was successful.  Everyone contributes to a safe working environment, and these dashboards can help security leaders communicate that message with both technical and non-technical audiences.

4. Make your solutions work for you  Are you spending a lot of time configuring solutions and updating rules? Most security leaders are.  That’s because rules are static, meaning they don’t change over time. But – as we all know – over the last year, organizations have undergone a lot of change. People are working on different devices, in different locations, and are using different methods to share information. Hackers have changed their attack methods accordingly.   It’s unrealistic to expect security teams to be able to update rules at pace with all of the above. At Tessian, we think solutions should work for you.  How? Automation. Across three solutions, Tessian uses machine learning to understand employee behavior and communication patterns. And, it gets smarter over time. That means it can detect and prevent threats in real-time – without any manual investigation or rules – and keeps pace with the evolving threat landscape. 

5. Understand why your employees circumvent policies  According to Tessian research, over half of employees say they’ll find a workaround for security software or policies that make their job difficult or impossible to do. It’s essential, then, that security leaders understand why. The key is visibility into employee behavior.  Both customers explained how they use Tessian to get a more granular look at how employees handle data.   In one example, Karl looked at the data provided by Tessian Enforcer to understand why employees send emails to personal devices. In this case, Karl realized a key tool used by HFW was slowing employees down and making it hard to do their jobs on their work devices. That’s why people were sending work documents to their personal accounts  — so that they could work faster on their personal devices. With this understanding, HFW was able to create new policies that empowered people to work safely without security getting in the way.  6. Leverage in-the-moment warnings to reinforce existing policies  Whether it’s data exfiltration, misdirected emails, or spear phishing attacks, humans make mistakes. But, as Karl and Timor detailed, contextual, in-the-moment notifications can help raise awareness and train employees in real-time. According to Karl, data exfiltration has always been a problem in the Legal Industry. But HFW has revolutionized the way they tackle it by implementing real-time alerts that remind employees that sending data externally is a major security risk. Tessian Enforcer warnings look something like this:

Over time, these warnings have nudged employees towards safer behavior to help HFW downtrend risk and reduce the number of emails being sent externally.  Karl explained this in more detail by showing his Tessian dashboard. “In the graph, you can see exactly where we implemented the warning and our employees’ response to that new system. So we can see data exfiltration has decreased massively,” he said. 

Now that they’ve tackled this problem, their next focus is around bad leavers and how to reduce the risk of data exfiltration after someone exits the company. Here’s their plan: Once someone has handed in their notice, HR and compliance teams will monitor the employee’s behavior and see if it deviates from the norm. Are they sending more emails to personal accounts than usual? Do those emails contain sensitive information? Are they emailing new contacts? Tessian will instantly flag any anomalous behavior to help HFW stop the exfiltration attempts.  Want to learn more about how Tessian has helped HFW and Lloyds level-up their security without burdening security teams? Watch the full interview now.

October 2020 has been another remarkable month in cybersecurity. And, since COVID-19 sent the world indoors and made us ever-more reliant on the internet, the importance of information security and data protection has never been more apparent. October saw numerous high-profile data breaches, cyberattacks, and online scams — but also brought us one of the biggest GDPR fines yet, an innovative solution to deepfake technology, and even more jostling between the US government and Chinese big tech. Let’s take a look at the biggest cybersecurity headlines of October 2020. Paying Cyberattack Ransoms Could Breach International Sanctions Rules New guidance from the US Treasury has big implications for companies hit by ransomware attacks from certain countries. (Companies affected by ransomware find their files encrypted — replaced by useless strings of seemingly random characters — with cybercriminals promising to return the data if the company pays a ransom.) Paying up might be the least-worst option where a company’s critical data is at stake…ut according to an October 1 US Treasury advisory note, paying cyberattack ransoms could violate legal rules on international sanctions. Businesses suffering a ransomware attack by hackers from a sanctioned country — like Iran, China, or Russia (where many such attacks do originate) — now face the threat of huge fines and legal action if they choose to buy back their files.  The Treasury’s advice reiterates what cybersecurity leaders have been saying for many years: in cybersecurity, prevention is far better than cure. Amazon Prime Day Sees Huge Spike in Phishing Scams With millions of consumers confined to their homes, this year’s Amazon Prime Day was a chance for millions of shoppers to grab a bargain — and an unmissable opportunity for cybercriminals to steal their personal information. October 8 research from Bolster detected over 800 “spoof” Amazon webpages in September (up from 50 in January), as fraudsters ramped up their phishing efforts in anticipation of the two-day Amazon Prime Day event, hosted October 13-14. Some sites looked near-identical to Amazon’s genuine web properties, with perfectly duplicated branding and convincing domain names. Unwary shoppers were asked for details such as their CVV2 code and social security number. See what advice Tessian co-founder and CEO, Tim Sadler, offered consumers in Tech Radar. FBI Warns of Ransomware Attacks Targeting Healthcare Providers On October 29, the FBI and other agencies issued a warning regarding an “increased and imminent cybercrime threat to US hospitals and healthcare providers.” The threats include a new tool named anchor_dns, a backdoor that can reportedly “evade typical network defense products,” and the Ryuk Ransomware. Among other measures, the FBI is advising healthcare providers to create business continuity plans, patch networked systems, and implement multi-factor authentication in preparation for an attack. According to Associated Press, 59 US healthcare systems have been attacked via ransomware so far this year. Looking for more information on why the healthcare industry is especially vulnerable? We talk more about The State of Data Loss Prevention in Healthcare in this article. UK Public Body Unable to Provide Services Follow “Serious Cyberattack” On October 14, Hackney London Borough Council, a UK local government body, announced that it had fallen victim to a “serious cyberattack.”  In an update two days later, the council revealed the extent of the damage. Among other things, the council was unable to accept rent payments, process planning applications, or pay some social security benefits. The council said it was “working hard to restore services, protect data, and investigate the attack,” but that services could remain unavailable for “some time.” UK Data Regulator Issues $26 Million Fine to Airline UK airline British Airways received a £20 million ($26 million) fine on October 17 for “failing to protect the personal and financial details of more than 400,000 of its customers.” The fine relates to a cyberattack suffered by the company in 2018. The Information Commissioner’s Office — the UK’s data protection authority — found that the airline had failed to limit access to data, had not undertaken sufficiently rigorous testing, and should have implemented multi-factor authentication on its employee and third-party accounts. The British Airways fine amounts to the fourth-largest GDPR fine of all time — but the airline actually got off relatively lightly, considering that the fine was initially touted as £183 million ($238 million).  To learn more about compliance standards like the GDPR (including the largest breaches and fines to-date) check out The CEO’s Guide to Data Protection and Compliance. Adobe Launches Content Authenticity Initiative Tool to Fight Deepfakes As video and audio manipulation techniques become more accessible, cybersecurity and intelligence experts have been warning about a potential onslaught of deepfakes that could have an unprecedented impact on security, politics, and society. Not sure what a deepfake is? Read this article. Cybercriminals can use deepfake technology to create video or audio clips of high-profile and trusted individuals. Deepfakes have already been used in phishing attacks and could also be used for blackmail and disinformation campaigns. On October 20, Adobe’s Content Authenticity Initiative announced a new tool that will add “a secure layer of tamper-evident attribution data to photos, including the author’s name, location, and edit history” to help creatives authenticate their content. Once deepfakes are sufficiently convincing, there might be no way to distinguish them from genuine material. Adobe’s project marks a promising first step in this emerging security front. Hackers Discover 55 Vulnerabilities Across Apple’s Systems A group of hackers earned $300,000 via Apple’s bug bounty scheme after identifying 55 vulnerabilities across Apple’s infrastructure. The security issues included vulnerabilities that would have allowed an attacker to “(take) over a victim’s iCloud account,” “fully compromise an industrial control warehouse software used by Apple,” and “access management tools and sensitive resources.” The group said Apple had fully addressed the majority of vulnerabilities reported. Around 3 Million Credit Cards Compromised After Breach at US Restaurant Franchise On Oct 12, details of around 3 million credit cards were posted on the dark web following a huge data breach at US restaurant franchise Dickey’s Barbeque Pit. According to an investigation by Gemini Advisory, 156 of 469 Dickey’s outlets were involved in the breach, with the highest levels of exposure present in California. The details appear to have been stolen between July 2018 and August 2020. Given California’s strict data breach rules, including a private right of action under the California Consumer Privacy Act, Dickey’s could be liable for some eye-watering sums if the breach is found to have resulted from lax cybersecurity practices. Questions about the CCPA? We answer 13 of them in this article: CCPA FAQs: Your Guide to California’s New Privacy Law. Russia Planned to Launch 2020 Olympics Cyberattack The GRU, Russia’s military intelligence agency, “conducted cyber reconnaissance against officials and organizations” involved in the Tokyo 2020 Olympic and Paralympic Games, according to a UK government announcement on October 19. Russian cybercrime groups are alleged to have targeted “organizers, logistics services, and sponsors.” The Games were originally due to tale place this summer but were postponed due to COVID-19.  The UK government also revealed the full extent of Russia’s hacking campaign against the 2018 Winter Games, during which Russian hackers are alleged to have disguised themselves as Chinese and North Korean attackers to target the opening ceremony in Seoul, South Korea. ENISA 2020 Threat Landscape Report Shows Increase in Cyberattacks  The European Union Agency for Cybersecurity (ENISA) released its 2020 Threat Landscape Report on October 20, and cybersecurity leaders (unfortunately) won’t be surprised at its conclusion: cybercrime is on the increase. The report cites “a new norm,” triggered by the COVID-19 pandemic, in which the world is even more dependent on “a secure and reliable cyberspace.” ENISA found that the number of phishing victims “continues to grow,” that Business Email Compromise (BEC) resulted in “the loss of millions of euros,” and that state-sponsored actors are propagating “finely targeted and persistent attacks on high-value data.” If you’re a security leader looking for solutions to these problems, click here to learn more about how Tessian Defender detects advanced impersonation attacks that slip past SEGs, native features, and legacy tools. Researcher Breaches US President’s Twitter Account By Guessing Password Dutch “ethical hacker” Victor Gevers found himself in control of Donald Trump’s Twitter account on October 16 after guessing the US president’s password. Trump’s Twitter account has over 87 million followers and is frequently used to deliver messages of international importance. Gevers said he correctly guessed the password, “maga2020!”, after seven attempts. The incident reveals that the president was using a simple, easy-to-guess password, and that he had multi-factor authentication disabled. Rectifying either of these two basic security errors would have prevented unauthorized access to the account. Overruling of WeChat Ban Denied by California Judge Another month, another development in the long-running battle between the US government and Chinese tech firms. On October 23, California struck a blow to the Trump administration’s efforts to restrict WeChat — a Chinese app used for currency transfers, social networking, and instant messaging. In September, the US Department of Commerce ordered Apple and Google to stop distributing WeChat via their app stores, citing security issues. The order was blocked in California following a legal challenge by WeChat. The US Justice Department brought further evidence and asked the court to reverse its WeChat ruling. The court declined to change its decision, meaning that the Commerce Department’s banning order will remain unenforced in California — despite the federal government’s allegations regarding WeChat’s security issues.  Finnish Therapy Center Hacked, Exposing Patient Data One of the most shocking data breaches of 2020 was brought to light on October 24, when Finnish psychotherapy center Vastaamo revealed a hack that compromised hundreds of patient records. The highly sensitive nature of the breach means that it is being taken extremely seriously. Finland’s interior minister summoned a cabinet meeting to determine how best to respond to the breach, promising “speedy crisis help” to the affected individuals. The hackers are demanding a ransom in exchange for the return of the files, which were reportedly accessed between November 2018 and March 2019. The ransomware attack further suggests that businesses worldwide lack proper cybersecurity infrastructure — even when handling highly sensitive and valuable data. That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post.