What is a Malicious Payload and How is it Delivered?
12 January 2021
The term “payload” traditionally refers to the load carried by a vehicle — for example, the passengers in an aircraft or the cargo in a truck. But, in computing, “payload” refers to the content of a message.  When you send an email, you’re transmitting several pieces of data, including a header, some metadata, and the message itself. In this scenario, the message is the payload — it’s whatever content you want the recipient to receive. The term “malicious payload” comes into play when we talk about cybersecurity specifically.
We talk more about malicious websites in this article: How to Identify a Malicious Website.

How is a malicious payload delivered?

Malicious payloads first need to find their way onto a target’s device. How? There are a couple of methods hackers use to do this:
- Social engineering attacks
- DNS hijacking

The most common way to deliver a malicious payload is via social engineering attacks like phishing, spear phishing, CEO Fraud, and other types of advanced impersonation attacks. If you’re not sure what social engineering is – or if you want real-world examples of attacks – you can check out this article: 6 Real-World Examples of Social Engineering Attacks.

Here’s how a typical phishing attack starts. Suppose your office has ordered some printer ink. You get an email from someone claiming to be “FedEx” that says: “click here to track your order.” Since you are – in fact – expecting a delivery, you click the link. The link appears to lead to FedEx’s order-tracking page, but the page causes a file to download onto your computer. This file is the malicious payload.

While email is the most common delivery vector for malicious payloads, they can also appear via vishing (via phone or VoIP) and smishing (via SMS) attacks. Another way to deliver a malicious payload is via DNS hijacking. Here, the attacker forces the target’s browser to redirect to a website where it will download the payload in the form of a malware file.

Types of malicious payloads

Malicious payloads can take a number of forms. The examples below are all types of “malware” (malicious software).
- Virus: A type of malware that can replicate itself and insert its code into other programs.
- Ransomware: Encrypts data on the target computer, rendering it unusable, and then demands a ransom to restore access.
- Spyware: A program that tracks user activity on a device — including which websites the user visits, which applications they use, and which keys they press (and, therefore, the user’s passwords).
- Trojan: Any file which appears to be innocent but performs malicious actions when executed.
- Adware: Hijacks the target computer and displays annoying pop-up ads, affecting performance.

But a payload doesn’t need to come in the form of a file. “Fileless malware” uses your computer’s memory and existing system tools to carry out malicious actions — without the need for you to download any files. Fileless malware is notoriously hard to detect.

Malicious payload vs. zero payload

Not all phishing attacks rely on a malicious payload. Some attacks simply persuade the victim to action a request. Keep reading for examples. Suppose someone claiming to be a regular supplier sends you an email. The email claims that there’s been a problem with your recent payment. With a malicious payload attack, the email might contain an attachment disguised as your latest invoice. With a zero payload attack, the email may encourage you to simply initiate a wire transfer or manually update account details to divert the payment from the genuine supplier to the hacker. Zero payload attacks can be just as devastating as malicious payload attacks, and traditional antivirus and anti-phishing software struggles to detect them.

Case study: KONNI Malware, August 2020

Let’s look at a real-world example of a malicious payload attack. This example demonstrates how easy it can be to fall victim to a malicious payload. On August 14, 2020, the United States Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that: “cyber actors using emails containing a Microsoft Word document with a malicious Visual Basic Application (VBA) macro code to deploy KONNI malware”

So, in this example, the malicious payload is a .doc file, delivered via a spear phishing email. The .doc file contains the “KONNI” malware. When the target opens the malicious payload, the KONNI malware is activated. It uses a “macro” (simple computer code used to automate tasks in Microsoft Office) to contact a server and download further files onto the target computer. The KONNI malware can perform different attacks, including:
- Logging the user’s keystrokes
- Taking screenshots
- Stealing credentials from web browsers
- Deleting files

These actions would allow cybercriminals to steal crucial information — such as passwords and payment card details — and to cause critical damage to your device.

How to stop malicious payloads

You should take every reasonable step to ensure malicious payloads do not make their way onto your devices. Email security is a crucial means of achieving this. Why? Because email is the threat vector security and IT leaders are most concerned about. It’s also the most common medium for phishing attacks and a key entry-point for malicious payloads. If you want to learn more about preventing phishing, spear phishing, and other types of inbound attacks that carry malicious payloads, check out these resources:
- Must-Know Phishing Statistics: Updated 2021
- How to Identify and Prevent Phishing Attacks
- What is Spear Phishing?
- How to Identify a Malicious Website
- What Does a Spear Phishing Email Look Like?

And, if you want to stay up-to-date with cybersecurity news, trends, and get the latest insights (and invites to events!) before anyone else, subscribe to our newsletter.
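The KONNI case above turns on a Word document carrying a VBA macro. The following Python triage routine is an added example, not part of this article and not Tessian's product code; it shows one check a mail gateway can run over Office attachments before delivery. It distinguishes macro-free Office Open XML packages from macro-enabled ones by looking for the vbaProject.bin part, blocks a macro part hiding behind a macro-free extension such as .docx, and routes legacy binary (OLE2) .doc files, which this routine does not parse, to a sandbox for deeper inspection. The sample attachments are constructed in memory and the verdict names (allow, review, block) are this example's own.

```python
import io
import zipfile

# Magic bytes of the two container formats Microsoft Office uses.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy binary .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # Office Open XML (.docx/.docm/...)

# OOXML keeps VBA code in one binary part; its path is fixed by the file format.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}


def inspect_office_attachment(filename, data):
    """Return (verdict, reason) for one attachment: 'allow', 'review' or 'block'."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if data.startswith(OLE2_MAGIC):
        # Macros in the legacy format live inside the compound file, which this
        # example does not parse, so hand it to a sandbox instead of guessing.
        return "review", "legacy OLE2 document; macros cannot be ruled out here"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as package:
                parts = set(package.namelist())
        except zipfile.BadZipFile:
            return "block", "zip header but not a readable OOXML package"
        vba = sorted(VBA_PARTS & parts)
        if not vba:
            return "allow", "OOXML package without a VBA part"
        if ext in MACRO_FREE_EXTENSIONS:
            # A .docx should never carry macros: the extension is lying.
            return "block", f"{vba[0]} found behind macro-free extension .{ext}"
        return "review", f"macro-enabled document ({vba[0]} present)"
    return "review", "unrecognised container for an Office attachment"


def build_ooxml(parts):
    """Build a minimal OOXML-style zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        for name, body in parts.items():
            package.writestr(name, body)
    return buf.getvalue()


MINIMAL_DOC = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}

# Constructed sample attachments; none is a real document.
SAMPLES = {
    "invoice.docx": build_ooxml(MINIMAL_DOC),
    "invoice.docm": build_ooxml({**MINIMAL_DOC, "word/vbaProject.bin": b"\x00" * 16}),
    "renamed.docx": build_ooxml({**MINIMAL_DOC, "word/vbaProject.bin": b"\x00" * 16}),
    "legacy.doc": OLE2_MAGIC + b"\x00" * 504,
}


def triage_samples():
    """Run the check over every constructed sample; returns {filename: verdict}."""
    return {name: inspect_office_attachment(name, body)[0] for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict, reason = inspect_office_attachment(name, body)
        print(f"{name:14} {verdict:7} {reason}")
```

The deliberately conservative branch is the OLE2 one: a macro check that only understands the zip-based format would wave a legacy .doc through, which is exactly the container in the KONNI example, so anything it cannot inspect goes to review rather than to the user.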
Worst Email Mistakes at Work and How to Fix Them
By Maddie Rosenthal
05 January 2021
Everyone makes mistakes at work. It could be double-booking a meeting, attaching the wrong document to an email, or misinterpreting directions from your boss. While these snafus may cause red-faced embarrassment, they generally won’t have any long-term consequences. But what about mistakes that compromise cybersecurity? This happens more often than you might think. In fact, nearly half of employees say they’ve done it, and employees under 40 are among the most likely.

In this article, we’ll focus on email mistakes. You’ll learn:
- The top five email mistakes that compromise cybersecurity
- How frequently these incidents happen
- What to do if you make a mistake on email
I sent an email to the wrong person

At Tessian, we call this a misdirected email. If you’ve sent one, you’re not alone. 58% of people say they’ve done it and, according to Tessian platform data, at least 800 are fired off every year in organizations with over 1,000 people. It’s also the number one security incident reported to the Information Commissioner’s Office (ICO) under the GDPR. (More on the consequences related to data privacy below.)

Why does it happen so often? Well, because it’s incredibly easy to do. It could be a simple typo (for example, sending an email to [email protected] instead of [email protected]) or it could be an incorrect suggestion from autocomplete.

What are the consequences of sending a misdirected email?

While we’ve written about the consequences of sending an email to the wrong person in this article, here’s a high-level overview:
- Embarrassment
- Fines under compliance standards like GDPR and CCPA
- Lost customer trust and increased churn
- Job loss
- Revenue loss
- Damaged reputation
Real-world example of a misdirected email

In 2019, the names of 47 claimants who were the victims of sexual abuse were leaked in an email from the program administrator after her email client auto-populated the wrong email address. While the program administrator is maintaining that this doesn’t qualify as a data leak or breach, the recipient of the email – who worked in healthcare and understands data privacy requirements under HIPAA – continues to insist that the 47 individuals must be notified. As of September 2020, they still haven’t been.

I attached the wrong file to an email

Employees can do more than just send an email to the wrong person. They can also send the wrong file(s) to the right person. We call this a misattached file and, like fat-fingering an email address, it’s easy to do. Two files could have similar names, you may not attach the latest version of a document, or you might click on the wrong file entirely.

What are the consequences of sending a misattached file?

As you may have guessed, the consequences are the same as the consequences of sending a misdirected email. Of course, the consequences depend entirely on what information was contained in the attachment. If it’s a presentation containing financial projections for the wrong client or a spreadsheet containing the PII of customers, you have a problem.

Real-world example of sending the wrong attachment

A customer relations advisor at Caesars Entertainment UK – a part of Caesars Entertainment – was sending emails to the casino’s VIPs. In the emails, the employee was meant to attach a customized invitation to an event. But, in one email, the employee accidentally attached the wrong document, which was a spreadsheet containing personal information related to some of their top 100 customers. Luckily, they also spelled the email address incorrectly, so it was never actually sent.
Charles Rayer, Group IT Director, details the incident – and explains why this prompted him to invest in Tessian Guardian – in a Q&A. You can watch the interview here.

I accidentally hit “reply all” or cc’ed someone instead of bcc’ing them

Like sending a misdirected email, accidentally hitting “reply all” or cc instead of bcc are both easy mistakes to make.

What are the consequences of hitting “reply all” or cc instead of bcc?

As you may have guessed, the consequences are the same as the consequences of sending a misdirected email. And, importantly, the consequences depend entirely on what information was contained in, or attached to, the email. For example, if you drafted a snarky response to a company-wide email and intended to send it to a single co-worker but ended up firing it off to everyone, you’ll be embarrassed and may worry about your professional credibility. But, if you replace that snarky response with a spreadsheet containing medical information about employees, you’ll have to report the data loss incident, which could have long-term consequences.

Real-world example of hitting “reply all”

In 2018, an employee at the Utah Department of Corrections accidentally sent out a calendar invite for her division’s annual potluck. Harmless, right? Wrong. Instead of sending the invite to 80 people, it went to 22,000: nearly every employee in Utah government. While there were no long-term consequences (i.e., it wasn’t considered a data loss incident or breach), it does go to show how easily data can travel and land in the wrong hands.

Real-world example of cc’ing someone instead of bcc’ing them

On January 21, 2020, 450 customer email addresses were inadvertently exposed after they were copied, rather than blind copied, into an email. The email was sent by an employee at speaker-maker Sonos and, while it was an accident, under GDPR the mistake is considered a potential breach.
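Two of the mistakes described above, a typo in a recipient's domain and a long list of external addresses placed in Cc rather than Bcc, can both be caught by a pre-send check on the draft. The Python below is an added example written for this page; it is not Tessian's algorithm and not code from the article. It flags a recipient whose domain is one edit away from a domain the sender normally mails, and a draft whose To/Cc lines expose more than a configurable number of external addresses to each other. The domains, addresses and drafts are constructed for the example.

```python
# Pre-send checks for two common email mistakes: a lookalike (typo) recipient
# domain and a mass visible Cc. Illustrative only; not Tessian's algorithm.


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def check_outbound(message, own_domain, trusted_domains, max_visible_external=10):
    """Return a list of (warning_kind, detail) for a draft before it is sent."""
    warnings = []
    visible = message["to"] + message["cc"]
    external_visible = [r for r in visible if domain_of(r) != own_domain]
    # Many external addresses in To/Cc means every recipient sees every other one;
    # that is the Cc-instead-of-Bcc mistake.
    if len(external_visible) > max_visible_external:
        warnings.append(("mass_visible_cc",
                         f"{len(external_visible)} external addresses visible to each other"))
    known = sorted(set(trusted_domains) | {own_domain})
    for rcpt in visible + message["bcc"]:
        d = domain_of(rcpt)
        if d in known:
            continue
        # One edit away from a domain you normally mail is the classic typo.
        near = [k for k in known if levenshtein(d, k) <= 1]
        if near:
            warnings.append(("lookalike_domain", f"{rcpt} is one edit away from {near[0]}"))
    return warnings


# Constructed organisation and drafts; every address here is invented.
OWN_DOMAIN = "example.com"
TRUSTED = {"partner-corp.com"}

DRAFTS = {
    "risky": {
        "to": ["syed@partner-corp.co"],            # typo: .co instead of .com
        "cc": [f"customer{i}@mail.example" for i in range(12)],
        "bcc": [],
    },
    "clean": {
        "to": ["alice@partner-corp.com"],
        "cc": ["bob@example.com"],
        "bcc": [f"customer{i}@mail.example" for i in range(12)],
    },
}


def audit(name):
    """Run the checks over one constructed draft."""
    return check_outbound(DRAFTS[name], OWN_DOMAIN, TRUSTED)


if __name__ == "__main__":
    for name in DRAFTS:
        print(name, audit(name))
```

The "clean" draft carries the same twelve customers but in Bcc, so nothing is flagged; the trusted-domain list would in practice be derived from the sender's own mail history rather than typed in by hand.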
I fell for a phishing scam

According to Tessian research, 1 in 4 employees has clicked on a phishing email. But the odds aren’t exactly in our favor. In 2019, 22% of breaches involved phishing, and 96% of phishing attacks start on email. (You can find more Phishing Statistics here.) Like sending an email to the wrong person, it’s easy to do, especially when we’re distracted, stressed, or tired. But it doesn’t just come down to psychology. Phishing scams are getting harder and harder to detect as hackers use increasingly sophisticated techniques to dupe us.

What are the consequences of falling for a phishing scam?

Given the top five “types” of data that are compromised in phishing attacks (see below), the consequences of a phishing attack are virtually limitless. Identity theft. Revenue loss. Customer churn. A wiped hard drive. But the top five “types” of data that are compromised in a phishing attack are:
- Credentials (passwords, usernames, PIN numbers)
- Personal data (name, address, email address)
- Internal data (sales projections, product roadmaps)
- Medical (treatment information, insurance claims)
- Bank (account numbers, credit card information)

Real-world example of a successful phishing attack

In August 2020, the SANS Institute – a global cybersecurity training and certifications organization – revealed that nearly 30,000 accounts of PII were compromised in a phishing attack that convinced an end-user to install a self-hiding and malicious Office 365 add-on.
While no passwords or financial information were compromised and all the affected individuals have been notified, the breach goes to show that anyone – even cybersecurity experts – can fall for phishing scams. But most phishing attacks have serious consequences. According to one report, 60% of organizations lose data, 50% have credentials or accounts compromised, another 50% are infected with ransomware, and 35% experience financial losses.

I sent an unauthorized email

As a part of a larger cybersecurity strategy, most organizations will have policies in place that outline what data can be moved outside the network and how it can be moved outside the network. Generally speaking, sending data to personal email accounts or third parties is a big no-no. At Tessian, we call these emails “unauthorized” and they’re sent 38x more than IT leaders estimate. Tessian platform data shows that nearly 28,000 unauthorized emails are sent in organizations with 1,000 employees every year.

So, why do people send them? It could be well-intentioned. For example, sending a spreadsheet to your personal email address to work over the weekend. Or it could be malicious. For example, sending trade secrets to a third party in exchange for a job opportunity.

What are the consequences of sending an unauthorized email?

Whether well-intentioned or malicious, the consequences are the same: if the email contains data, it could be considered a data loss incident or even a breach. In that case, the consequences include:
- Lost data
- Lost intellectual property
- Revenue loss
- Losing customers and/or their trust
- Regulatory fines
- Damaged reputation

No sensitive data involved? The consequences will depend on the organization and existing policies. But you should (at the very least) expect a warning.

Real-world example of an unauthorized email

In 2017, an employee at Boeing shared a spreadsheet with his wife in hopes that she could help solve formatting issues. While this sounds harmless, it wasn’t.
The personal information of 36,000 employees was exposed, including employee ID data, places of birth, and accounting department codes. You can find more real-world examples of “Insider Threats” in this article: Insider Threats: Types And Real-World Examples

How can I avoid making mistakes on email?

The easiest answer is: be vigilant. Double-check who you’re sending emails to and what you’re sending. Make sure you understand your company’s policies when it comes to data. Be cautious when responding to requests for information or money. But vigilance alone isn’t enough. To err is human and, as we said at the beginning of this article, everyone makes mistakes.

That’s why, to prevent email mistakes, data loss, and successful targeted attacks, organizations need to implement email security solutions that prevent human error. That’s exactly what Tessian does. Powered by machine learning, our Human Layer Security technology understands human behavior and relationships.
- Tessian Guardian automatically detects and prevents misdirected emails
- Tessian Enforcer automatically detects and prevents data exfiltration attempts
- Tessian Defender automatically detects and prevents spear phishing attacks

Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. That means it gets smarter over time to keep you protected, always. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
December Cybersecurity News Roundup
30 December 2020
December 2020 might have been the most significant month in cybersecurity history. Private companies continued to be used as attack vectors in the ongoing international cyberwar. The plague of COVID-19-related phishing scams showed no signs of stopping. And yet another big tech company faced a fine following a data breach.

This month, we’ve split our cybersecurity roundup into two parts. Part 1 deals with the SolarWinds hack and the subsequent fallout, affecting tens of thousands of companies worldwide. Part 2 looks at some of December’s other major cybersecurity headlines.

Part 1: SolarWinds Hack

The cybersecurity headlines this month have been dominated by the discovery that US software company SolarWinds had been hacked by state-sponsored Russian hackers. The SolarWinds story will continue to develop throughout 2021. Part 1 of our December cybersecurity news roundup sets out the major developments so far, to help you understand how this major cybersecurity incident is unfolding.

FireEye’s “red team” tools compromised in cyberattack

December’s cybersecurity saga begins with an announcement from security firm FireEye, made via a December 8 blog post. FireEye reported that a “highly sophisticated state-sponsored adversary” had stolen “red team” tools, used to mimic the sorts of attacks and exploits carried out by malicious actors. When such tools fall into the wrong hands, they can be used to carry out real-life attacks. FireEye sought to reassure its clients in a further blog post on the same day, noting that none of the compromised tools contained zero-day exploits. We explored the danger of zero-day vulnerabilities in our article: What is a Zero-Day Vulnerability?

Blame for the attack fell on the Russian cybercrime group known as “Cozy Bear.” FireEye’s revelations were newsworthy in themselves, but the full implications of the company’s announcement remained unclear until a few days later.
SolarWinds discloses “highly-sophisticated, targeted and manual” attack

On December 13, Texas-based IT company SolarWinds said that some of the software it released between March and June had been subject to a “highly-sophisticated, targeted and manual supply chain attack by a nation state.” SolarWinds’ announcement was the first clear indication that one of the biggest cyberattacks of all time might be underway. But why was SolarWinds’ announcement so significant? SolarWinds software is used by thousands of organizations — including many US government organizations. The company’s announcement revealed that many of SolarWinds’ clients had had malware embedded in their systems for up to nine months.

US government reveals massive data breach

The next chapter in 2020’s biggest cybersecurity story came on December 13, when Reuters reported that internal email traffic had been compromised at the US Treasury and Department of Commerce. Just like FireEye, which had reported its breach five days earlier, these US government departments used the IT-monitoring software platform Orion. Orion is created by — you guessed it — SolarWinds. When the organizations updated their Orion software back in March, they unwittingly installed malware. The blame for the hack continued to fall on Russia, which denied involvement via a statement on Facebook.

Emergency directive urges US agencies to disconnect Orion products

Shortly after the SolarWinds hack was announced, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01.
The directive’s full name is “Mitigate SolarWinds Orion Code Compromise,” and it instructs federal agencies to “immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.” Agencies were also told to “block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.” The severity of CISA’s directive stood in stark contrast to SolarWinds’ reassuring press releases.

SolarWinds attack thought to impact over 18,000 customers

The full extent of the SolarWinds hack became clearer on December 14, when the company filed a report with the US Securities and Exchange Commission revealing that around 18,000 organizations may have installed the malicious Orion update. To put this in context, SolarWinds has roughly 300,000 customers in total. Around 33,000 of these use Orion, and more than half of these Orion users are believed to have been compromised by the hack. But these aren’t just any customers. According to SolarWinds’ website, Orion users include US public bodies such as the Department of Defense, Secret Service, and Air Force — not to mention private firms like Symantec, AT&T, and — crucially — Microsoft.

CISA announces APT compromise of public institutions and infrastructure

The SolarWinds saga continued on December 17, when US cybersecurity agency CISA announced an “advanced persistent threat compromise of government agencies, critical infrastructure, and private sector organizations.” CISA described the attacker as a “patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks” that, among other activities, was “targeting email accounts belonging to key personnel, including IT and incident response personnel.” Once a hacker gains control of a target email account, it can use it to carry out advanced phishing operations.
Read our articles on Business Email Compromise (BEC) and Account Takeover (ATO) attacks to learn how to avoid falling victim to these sorts of scams.

US National Nuclear Security Administration confirms breach

One of the more shocking threads of the SolarWinds story was revealed by Politico on December 17, when the US National Nuclear Security Administration (NNSA) and Department of Energy (DoE) revealed they had been affected by the hack. For many, this took an already deeply concerning event into “borderline terrifying” territory, as the NNSA maintains the world’s most powerful stockpile of nuclear weapons. However, a DoE spokesperson said that only business networks had been affected. The revelations came shortly after reports that CISA had been “overwhelmed” by the attacks, owing in part to staff shortages. CISA director Chris Krebs was fired by President Trump last month after Krebs defended the integrity of the 2020 election.

Microsoft customers in at least seven countries affected by cyberattack

In a December 17 blog post, Microsoft President Brad Smith claimed that the SolarWinds attack had impacted more than 40 Microsoft customers located across seven countries. While 80 percent of Microsoft’s affected customers were in the US, others were located in Canada, Mexico, Belgium, Spain, the UK, Israel, and the UAE. Smith also said it was “certain” that more locations and victims would emerge. Smith’s blog post also called for “a more effective national and global strategy to protect against cyberattacks,” underpinned by better information sharing, stricter cybersecurity rules, and stronger accountability of nation-state cyber actors.
NSA Cybersecurity Advisory warns of Microsoft exploits

December 17 saw yet another newsworthy cybersecurity event when the US National Security Agency (NSA) issued a rare Cybersecurity Advisory, warning that “malicious cyber actors are abusing trust in federated authentication environments to access protected data.” The issue originated in Microsoft’s Active Directory Federation Services (ADFS) software, which provides single sign-on access across organizations, including via multi-factor authentication. The NSA’s Microsoft advisory followed a December 14 report by Volexity, revealing that an attacker had bypassed Duo’s multi-factor authentication service to gain access to a Microsoft Outlook Web App (OWA) inbox. These incidents serve as a stark reminder that while multi-factor authentication might be a crucial component of your cybersecurity ecosystem, you cannot rely on it to keep your email accounts safe.

Part 2: Other Important Cybersecurity News

While the SolarWinds hack generated the most headlines, December saw many other important, unrelated cybersecurity news stories. Part 2 of our December cybersecurity news roundup presents some of the month’s other big cybersecurity events.

FBI warns of threats against ransomware victims

The US Federal Bureau of Investigation (FBI) published a Private Industry Notification (PIN) on December 10, advising businesses to take steps to improve cybersecurity safeguards against ransomware attacks. Perhaps most interestingly, the PIN warns that cybercriminals have been following up ransomware attacks with phone calls attempting to “extort payments through intimidation” and “threatening to release exfiltrated data.” The FBI does not advocate paying a ransom after falling victim to a ransomware attack. It suggests taking steps to mitigate or prevent attacks, including creating secure backups, monitoring network traffic, and enabling multi-factor authentication.
Since many ransomware attacks occur via email, it’s essential to protect your business using email security software. Read our article on How to Choose the Right Email Security Software for more information.

Research reveals COVID-19 phishing remains a serious problem

Research reported by Health IT Security on December 11 showed that cyberattackers continue to exploit the COVID-19 pandemic through phishing scams. The report cites research by KnowBe4, which reveals a new batch of spear phishing emails relating to vaccinations. Armorblox also reports emails impersonating the US Internal Revenue Service (IRS) and purporting to offer COVID-19 financial relief. The majority of COVID-19 phishing attacks target credentials — a common strategy which we discuss in our article What is Credential Phishing? You can also check out four real-world examples of other COVID-19 phishing attacks in this article. These phishing scams are a new variant on the COVID-19 phishing theme that started hitting inboxes in March — and, like all social engineering attacks, they seek to exploit people’s trust in authority. Want to learn how to avoid falling victim to these sorts of scams? See our article: How to Identify and Prevent Phishing Attacks.

Irish regulator fines Twitter over data breach

Ireland’s data protection authority, the Data Protection Commission (DPC), issued a €450,000 fine against Twitter on December 15 over the company’s handling of a 2018 data breach affecting Android users. Twitter’s violations of the EU’s General Data Protection Regulation (GDPR) included failing to notify the DPC about a data breach within the required 72-hour period, and failing to document the breach properly. While nearly half a million euro is a lot of money, it’s fairly small beer for a company as large as Twitter. The GDPR allows fines of up to 2% of global turnover for this type of violation, which could have led to a maximum fine of around €60 million in Twitter’s case.
We outline the biggest GDPR fines of 2020 in this article.

But the DPC originally proposed an even smaller fine of between €135,000 and €275,000. This proposal was seen as excessively lenient by other EU data protection authorities, who disputed it under the first ever use of the GDPR’s Article 65 procedure. Other DPAs, such as Germany’s BfDI, argued that a higher fine of up to €22 million would be more appropriate. These arguments were put forward in a binding decision of the European Data Protection Board (EDPB) which required the DPC to reconsider its proposed fine. The regulator’s response — raising the fine to just 0.1% of Twitter’s 2019 turnover — will lead many to suggest that the social media giant got off lightly.

Contact details of 270,000 cryptocurrency users leaked

On December 22, BleepingComputer reported that the contact details of over 270,000 users of cryptocurrency wallet Ledger were being offered for sale on the dark web, following a data breach that occurred in July. Two text files were reportedly for sale, one containing 1,075,382 people’s email addresses, and the other containing 272,853 people’s names, mailing addresses, and phone numbers. Although this type of personal data is not considered sensitive, it is highly valuable to hackers as it can be used to launch phishing attacks against the users. Earlier this month, Ledger users reported receiving phishing emails from an actor impersonating Ledger’s security team.

That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup.
What Is Account Takeover (ATO)?
21 December 2020
Today, security leaders aren’t just worried about securing their own networks, email environments, and users. They’re also concerned about how secure the email accounts of their partners, suppliers, vendors, and customers are. Why? Because more and more often, hackers are compromising and impersonating these trusted contacts to gain access to an organization’s systems and data. This is called account takeover.

What is account takeover?
That means ATO involves two companies:
- A third party (i.e. vendor, partner, or customer)
- The target company
How does ATO work?

Imagine you work in an accounts department. You get an email invoice from Syed at ComputerCo, a vendor that supplies your company with computer parts. Syed is polite and friendly (as always!) and tells you that ComputerCo’s account details have changed. You’re a careful person, so you double-check the invoice with your IT team. They confirm that they made the order. You compare the invoice to ComputerCo’s previous invoices, and it looks identical. The new bank account is located in Boston, where ComputerCo is based. Due diligence conducted, you go ahead and pay the invoice.

You just fell victim to ATO, and unwittingly paid money to cybercriminals. In this case, because the attack was carried out via email, it can also be referred to as Vendor Email Compromise (VEC).

Think you would never fall for a scam like this? Remember, everything looks totally normal:
- The attackers are using the vendor’s regular email address
- The invoice looks authentic
- There’s no perceptible difference in the vendor employee’s email signature or communication style
- Perhaps most importantly — the payment they are requesting is actually due

The only difference is that the vendor’s bank details have changed.

So, how do hackers gain access to the networks of trusted third parties? Credential theft, which normally involves one of the following:
- A non-targeted phishing attack
- A targeted spear phishing email
- Brute force attack
- Password compromise
- Leaked credentials

We cover credential phishing in more detail in this article: What is Credential Phishing and How Does it Work?

Why is ATO so effective?

When it comes to solving the problem of ATO, organizations face several challenges. To start – and as we saw in our example above – they’re incredibly difficult to detect and can evade detection entirely. Why? Because the emails originate from trusted sources and are 100% “real” in terms of sender credentials and metadata.
This means legacy email security tools, which rely on previously known attack signatures to stop threats, cannot detect them. As these emails originate from a legitimate, trusted email account, they will also pass email authentication (DMARC, DKIM and SPF).

The second challenge organizations face is that protecting their own email applications and users just isn’t enough. Security leaders have to address threats from their extended networks too. The problem is, no organization can control the security of its extended network, and it has no visibility of the breaches that happen across that trusted network.

That’s why strong cybersecurity and having the right email security tool can actually be a competitive differentiator, help businesses win more clients and customers, and retain the ones they already have. But, if strong email security helps build trust, a breach will certainly destroy it. When asked what the number one consequence of a data breach is, 21% of IT leaders said lost customer trust.

Examples of ATO

In an interview by NPR, one victim of ATO said he was emailing back-and-forth with a vendor about a $50,000 transfer. What he didn’t know was that the vendor’s email was compromised part-way through the conversation. Take a look at this excerpt from the interview:

“The cadence and the timing and the email was so normal that it wasn’t suspicious at all. It was just like we were continuing to have a conversation, but I just wasn’t having it with the person I thought I was.”

This small business owner only found out that he’d been scammed when the vendor told him he hadn’t received the transfer, by which time the $50,000 was long gone. But the stakes can be much higher than this. For example, between 2013 and 2015, a team of cybercriminals scammed Facebook and Google out of around $121 million by impersonating a trusted vendor.
The scammers in the Facebook and Google attacks used spoof accounts, rather than compromising the vendor’s email account. Nonetheless, this colossal social engineering attack shows that even the world’s largest companies can fail to spot fraudulent vendor emails. You can read more about email spoofing here.

How to prevent ATO

Although ATO scams can be highly convincing and evade detection from legacy solutions, there are steps your organization can take to protect itself from being targeted by ATO. Remember that it’s equally important for vendors and other third parties to reduce risks with email security solutions, policies, and procedures.

Email security

Ensuring that you have the right email security tool is a crucial measure all companies should take against ATO and VEC. Tessian Defender, for example, is an email security solution that uses machine learning (ML) to protect accounts against inbound threats. Here’s how:
- Tessian’s machine learning algorithms analyze your company’s email data, learn every employee’s normal communication patterns, and map their trusted email relationships — both inside and outside your organization.
- Tessian inspects both the content and metadata of inbound emails for any suspicious or unusual signals pointing to a potential ATO threat. For example, payloads, anomalous geographic locations, IP addresses, email clients, or sending patterns.
- Once it detects a threat, Tessian alerts employees that an email might be unsafe, explaining the threat in easy-to-understand language.

ATO is rarely perceptible to humans. But Tessian’s Human Layer Security technology spots these irregularities automatically and instantly to keep your team, your resources, and your reputation safe.

Payment validation

You should implement internal procedures so employees can validate invoices and payment requests. For example, if a vendor asks you to make a payment to a new account, you may wish to insist upon telephone verification of this request.
Again, these procedures are important, but they aren’t enough on their own. No security policy should rely on human intervention — even the smartest, most diligent employees can be tricked. If you’re looking for insights into how other security leaders are preventing ATO and other advanced impersonation attacks, check out Tessian’s recent webinar: Spear phishing evolution. How to stay ahead of hackers in 2021. You can also read our customer’s stories or book a demo to learn more about how Tessian Defender can help protect your organization’s reputation.
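The behavioural signals listed under Email security (sending location, IP, email client, sending patterns) together with the bank-detail check from Payment validation, as an added illustration of a “learn what is normal, hold the anomaly for verification” check. This is example code written for this page, not Tessian’s; the Message fields, the sender history, the vendor master record and the sample invoices are all constructed assumptions.

```python
"""Behavioural checks on a vendor invoice e-mail that passes SPF/DKIM/DMARC.

Added illustration, not Tessian's code. The Message fields, the sender history
and the vendor master record below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Message:
    sender: str                  # From: address; in an ATO this is the vendor's real mailbox
    ip_country: str              # country of the submitting client IP, taken from Received: headers
    mailer: str                  # X-Mailer / User-Agent header value
    hour_utc: int                # hour of day the message was submitted
    bank_account: Optional[str] = None  # account number quoted in the invoice, if any
    auth_pass: bool = True       # combined SPF/DKIM/DMARC result


@dataclass
class SenderProfile:
    """What 'normal' looks like for one sender, learned from past messages."""
    countries: Counter = field(default_factory=Counter)
    mailers: Counter = field(default_factory=Counter)
    hours: Counter = field(default_factory=Counter)


def build_profile(history: List[Message]) -> SenderProfile:
    """Count where, with what client, and at what hour a sender usually submits mail."""
    profile = SenderProfile()
    for m in history:
        profile.countries[m.ip_country] += 1
        profile.mailers[m.mailer] += 1
        profile.hours[m.hour_utc] += 1
    return profile


def _hour_distance(a: int, b: int) -> int:
    """Circular distance between two hours of the day (23:00 and 01:00 are 2 apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def check_message(msg: Message, profile: SenderProfile,
                  vendor_accounts: Dict[str, str]) -> List[str]:
    """Return the reasons a message should be held for out-of-band verification.

    An empty list means nothing unusual was seen. A passing authentication result is
    deliberately NOT treated as evidence of safety: in an ATO the sending account is real.
    """
    reasons = []
    if not msg.auth_pass:
        reasons.append("SPF/DKIM/DMARC failed")
    if msg.ip_country not in profile.countries:
        reasons.append(f"sender has never been seen submitting mail from {msg.ip_country}")
    if msg.mailer not in profile.mailers:
        reasons.append(f"new mail client for this sender: {msg.mailer}")
    if not any(_hour_distance(msg.hour_utc, h) <= 2 for h in profile.hours):
        reasons.append(f"unusual submission time {msg.hour_utc:02d}:00 UTC")
    vendor_domain = msg.sender.rsplit("@", 1)[-1].lower()
    on_file = vendor_accounts.get(vendor_domain)
    if msg.bank_account and on_file and msg.bank_account != on_file:
        reasons.append("bank account differs from the vendor master record; "
                       "confirm by telephone on a number already on file before paying")
    return reasons


# Constructed history: six routine invoices from Syed at ComputerCo, all submitted from
# the US with the same desktop client during US office hours.
HISTORY = [
    Message("syed@computerco.example", "US", "Microsoft Outlook 16.0", hour)
    for hour in (14, 15, 16, 15, 14, 16)
]
# Constructed vendor master record: vendor domain -> account agreed at onboarding.
VENDOR_ACCOUNTS = {"computerco.example": "ACCT-0001"}

# Constructed ATO invoice: the real address and passing authentication, but submitted
# from a new country, with a new client, at 03:00 UTC, and quoting a new account.
ATO_INVOICE = Message("syed@computerco.example", "CA", "Webmail/1.0 (constructed)", 3,
                      bank_account="ACCT-9999")
# Constructed legitimate invoice for comparison.
NORMAL_INVOICE = Message("syed@computerco.example", "US", "Microsoft Outlook 16.0", 15,
                         bank_account="ACCT-0001")

if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for label, msg in (("normal", NORMAL_INVOICE), ("ATO", ATO_INVOICE)):
        print(label, check_message(msg, profile, VENDOR_ACCOUNTS) or ["no anomalies"])
```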
Spear Phishing
Spam vs. Phishing: The Difference Between Spam and Phishing
02 December 2020
While email does make it easier for all of us to communicate both in our work and personal lives, there are two major issues with email communication: spam and phishing.  That means the average person needs to know how to spot these illegitimate emails and businesses need to know not just how to protect their employees, but how to avoid inadvertently sending spam.  In this article, you’ll learn the difference between spam and phishing, how common they are, and how to avoid each of them.
What is spam?

You may know spam as junk mail. But what does that actually mean? Spam is unsolicited bulk email: the recipient didn’t ask for it (unsolicited) and many people were sent the email at once (bulk). These two elements are essential to the definition of “spam.”
- Unsolicited emails can be legitimate, e.g., job inquiries, customer service inquiries, any first-contact correspondence.
- Bulk emails can be legitimate, e.g., newsletters, marketing to existing customers, transactional emails.
- But emails that are both unsolicited and bulk are almost always spam.

As well as being sent via email, spam can also be sent via SMS or instant messaging. Unsolicited sales and marketing calls (also known as nuisance calls) can also be considered spam.
Spam is generally commercial (meaning from businesses) but it can also serve more nefarious purposes, such as fraud. However, when a spam email uses social engineering techniques to trick the recipient, we call it a “phishing” email. Not sure what social engineering is? Examples will help. We’ve rounded up 6 recent, real-world examples of social engineering attacks here.

What is phishing?

Phishing is essentially a more targeted version of spam. A hacker impersonates a trusted brand or person and sends a fraudulent message in an attempt to steal information or money, commit fraud, or install malware on a target’s device. But, there are many types of phishing. Here are a few examples:
- Spear phishing: A phishing attack on a specific individual
- Whaling: A phishing attack targeting a company executive
- Business Email Compromise (BEC): A phishing attack originating from a hacked or spoofed corporate email account
- Vendor Email Compromise (VEC): A phishing attack targeting a business using one of its vendors’ email accounts

It’s important to note that a phishing attack can be delivered via several different communications channels:
- Email: The big one — 96 percent of phishing attacks take place via email. When people say “phishing,” they’re generally referring to email-based social engineering attacks
- Smishing: Phishing via SMS
- Vishing: Voice-phishing, via phone or Voice over Internet Protocol (VoIP) software

Phishing attacks can also have different aims, for example:
- Stealing credentials, e.g., social media, email, or internet banking login details
- Installing malware, e.g., keylogger software, ransomware, or viruses
- Stealing money, e.g., by sending fraudulent invoices (known as “wire transfer phishing”)

Now, let’s take a closer look at spam and phishing.
How common is spam?

According to 2019 research from PreciseSecurity:
- Spam accounts for around 55 percent of global email activity.
- Around 295 billion spam emails are sent and received every day.
- China generates the most spam (20.43 percent), followed by the U.S. (13.37 percent) and then Russia (5.6 percent).

However, bear in mind that — despite these statistics — people’s experience of using email is generally improving. This is because:
- Rates of spam are lower now than they have been previously — in 2014, data from M3AAWG estimated that spam accounted for 90 percent of email traffic.
- Email providers are getting better at detecting spam, which means that more spam is being blocked or sent to junk folders.

How common is phishing?

Phishing is the most prevalent example of cybercrime. Let’s look at some of the best data we have covering the past few years:
- Verizon’s 2020 Data Breach Investigations Report cites phishing as the most common cause of data breaches in 2019 — 22% of all data breaches involved phishing.
- The FBI’s Internet Crime Complaint Centre (IC3) 2020 Internet Crime Report cites phishing as the leading cause of cybercrime complaints. Phishing complaints more than doubled between 2019 and 2020.
- The U.K.’s National Cyber Security Centre (NCSC) Annual Review 2020 reported that 85% of U.K. businesses experienced one or more phishing attacks in 2020 (up from 72% in 2017).

For up-to-date data on phishing, see our Must-Know Phishing Statistics: Updated 2020.

Risks associated with spam

While – yes – there certainly are some risks associated with receiving spam, most email providers like Gmail and Outlook have gotten pretty good at filtering these emails out. Don’t believe us? Check your spam folder! A bigger risk – specifically to businesses – is accidentally (or negligently) sending “spam” as part of a direct-marketing campaign.
Businesses sending spam (including those who are perceived to be sending spam) run the following risks:
- They could alienate their customers — which, ultimately, could damage their reputation and lose them business.
- Their legitimate email correspondence could end up in people’s junk folders.
- They could be fined or prosecuted under the various national laws regulating spam.

Consequences of phishing attacks

Phishing is one of the most damaging forms of cybercrime. But, as we’ve discussed, there are a lot of different types of phishing.
- Wire transfer phishing causes direct, quantifiable losses when businesses pay fake invoices sent to them by fraudsters. The FBI’s data shows that U.S. businesses lost $1.8 billion in 2020 to wire transfer phishing via email.
- Ransomware attacks are frequently delivered by email. Clicking the link in a phishing email can lead to your documents, databases, and other files becoming encrypted. Emsisoft estimates that ransomware cost organizations $7.5 billion in 2019.

But what about the impact caused to individual companies? A single phishing attack can be devastating for a business. The biggest known phishing scam of all time targeted tech giants Facebook and Google. This example of wire transfer phishing cost the companies around $121 million over two years.

But the indirect losses caused by phishing can be even greater. When Australian hedge fund Levitas Capital was defrauded for nearly $8.7 million in November 2020, the firm recovered 90% of the money. But the fund was forced to close after losing its biggest client as a result of the attack. Unfortunately, Levitas Capital isn’t the only organization to have lost customers after a breach. After a breach, companies see an average of 3.9% customer churn. It makes sense, then, that “losing a customer/their trust” is the biggest consequence of a data breach according to security leaders.

So, how can businesses reduce the risk of being successfully targeted by a phishing attack?
How to avoid phishing attacks

Staff training

Much of the traditional guidance on phishing focuses on staff training — helping your employees to identify phishing emails and manually delete them. The classic “telltale” signs of a phishing email are often said to be:
- Spelling mistakes
- A sense of urgency
- An unprofessional tone

This might have been good advice when phishing emails were sent out in “spray and pray” bulk attacks. But now, it’s unfair and unrealistic for organizations to expect their employees to be able to spot phishing attacks, especially those using advanced impersonation techniques. Today, effective phishing emails look like any other email. They don’t carry these “telltale signs.” They carry the branding and tone of voice you’re used to seeing from trusted senders. They can arrive from a colleague or friend’s email address. They might even look like part of an ongoing conversation (“email thread hijacking”). That means staff training — while important — must not be your primary defense against phishing. As the National Cyber Security Centre (NCSC) says:
Want to learn more about why phishing training alone just isn’t enough? Read our blog: Pros and Cons of Phishing Awareness Training.

Email security software

The only truly reliable way to root out phishing emails is by implementing an email security solution like Tessian Defender. Here’s how Tessian protects your people and prevents inbound threats like phishing:
- Tessian ingests historical email data from employees’ inboxes to learn what “normal” looks like and map their trusted relationships with other employees and third parties outside the organization. This way, it automatically knows when an employee receives an email from an unexpected sender.
- Inbound emails are also analyzed in real-time for anomalies. Anomalies might include barely noticeable irregularities in the sender’s email address and IP address, potentially malicious links, or suspicious changes to the sender’s communication patterns.
- If an email is suspicious, Tessian alerts employees with contextual warnings that explain why the email has been flagged.
- Tessian also alerts security teams, who can quickly and easily investigate the attack and – to prevent future attacks – can add the sender’s domain to a denylist in a single click.

Importantly, solutions like Tessian Defender prevent the most advanced attacks. Specifically, those that slip past legacy solutions, Secure Email Gateways, and spam filters.
Spear Phishing
What is a Zero-Day Vulnerability? 3 Real-World Examples
24 November 2020
If you’ve read or listened to reports about hacks – whether it’s a phishing attack, brute force attack, or malware – you’ve likely seen or heard the phrase “zero-day vulnerability”. But, what is it?
For hackers – who are always studying software – zero-day vulnerabilities are like unlocked doors. When they find one, they can use malware or hacking techniques to take advantage of it with a zero-day exploit.
Once the software developer knows about a zero-day vulnerability, they must develop an update — known as a “patch” — to fix the problem. For example, Microsoft releases a list of patches once a week. They call it “Patch Tuesday”. But, as we’ll see, patches often come too late.

Why Are Zero-Day Vulnerabilities Such a Big Problem?

By definition, a zero-day vulnerability is a security flaw that the developer doesn’t know about. That means that, until a patch is distributed, everyone using the software is vulnerable. Zero-day vulnerabilities pose a big problem because there is no obvious way to prevent them from being exploited. And, even once a zero-day vulnerability is reported to the developer, users could be waiting for weeks, months, or even years for a security fix. Meanwhile, hackers are crafting sophisticated attacks – again, known as zero-day exploits – to take advantage of the vulnerability. Zero-day exploits can circumvent anti-malware software that relies on lists of known security issues. Even though most modern anti-malware products use more sophisticated detection techniques, some zero-day exploits can get around these, too.

Three Examples of Zero-Day Vulnerabilities

We’re going to look at some high-profile zero-day vulnerabilities that have caused serious trouble in the past — and see what you can learn from them.

Cybercriminals Unleash NSA Zero-Day Exploit

EternalBlue was a powerful zero-day exploit developed by the US National Security Agency (NSA) sometime around 2011. EternalBlue exploits a vulnerability in Windows’ Server Message Block (SMB) protocol and allows attackers to run code on target computers. The NSA knew about this Windows vulnerability for around five years, and allegedly only warned Microsoft about the exploit once EternalBlue had fallen into the wrong hands. Microsoft released a patch for the vulnerability, but many users have failed to update their systems.
Since escaping the NSA, the EternalBlue exploit has been used in many high-profile cyberattacks, starting when hackers used it to spread the notorious WannaCry ransomware in 2016. In 2017, an attack known as “NotPetya” used EternalBlue to target Ukraine’s banks, public services, and power suppliers. The NotPetya attack is widely considered the most devastating cyberattack of all time, causing an estimated $10 billion in damage. The lesson from EternalBlue is clear — always keep your devices patched and up-to-date.

Windows and Flash Zero-Day Vulnerabilities Expose DNC Data

In 2016, the US Democratic National Convention (DNC) fell victim to a spear phishing campaign, carried out by a Russian hacking syndicate known as Strontium. Strontium’s spear phishing emails contained a zero-day exploit that targeted vulnerabilities in Microsoft Windows and Adobe Flash. Google first revealed the vulnerabilities on October 31, 2016, when they were still being “actively exploited.” According to Microsoft, these security flaws allowed hackers to control a device’s browser, escape its security “sandbox,” and install a backdoor into the device. Strontium allegedly intended to use data stolen from Democratic Party officials to influence the 2016 US election campaign. You can read more about the importance of information security in political campaigns on our blog.

While the software vulnerabilities allowed Strontium to exfiltrate data from its targets, the exploit was made possible by spear phishing emails. It’s crucial to ensure that all your organization’s devices are protected by email security software that can detect advanced impersonation attacks.

Windows Vulnerability Goes Unpatched for 20 Months

On January 15, 2019, Google’s virus-hunting team, VirusTotal, announced its discovery of a zero-day vulnerability within Windows, later named CVE-2020-1464. The vulnerability allowed attackers to exploit how Windows authenticates file signatures.
File signatures are created when a developer “code signs” a file, to prove a third party has not edited it. Using this vulnerability, attackers could sneak a malicious file past Windows’ security by appending it to a file that had been code-signed by a trusted developer such as Google or Microsoft. Despite reportedly being aware of the CVE-2020-1464 vulnerability, Microsoft did not release a patch for it until August 11, 2020 — nearly 20 months later. Throughout this period, Windows users were vulnerable to phishing attacks designed to spread vulnerability exploits. This is yet another reminder that it’s better to defend employees’ email accounts than to rely on patches and fixes.

How to Defend Against Zero-Day Exploits

Cybercriminals use different methods to exploit zero-day vulnerabilities, which means organizations need a comprehensive cybersecurity program to defend against these threats.
- Email security. Cybercriminals commonly use social engineering attacks, such as spear phishing, to get malware onto people’s devices. A crucial way to defend against zero-day exploits is to ensure your employees are protected from phishing.
- Network security. Hackers can use “brute force attacks” to gain access to a network and exploit zero-day vulnerabilities. Implementing network security measures such as a firewall or virtual private network (VPN) can prevent this.
- Anti-malware software. Certain anti-malware software products notice unusual activity in files and processes and can detect some zero-day exploits before they are made public.
- Security patches. You should always keep all devices patched and up-to-date. While developers can’t always patch vulnerabilities on time, out-of-date software enables many exploits.

How Tessian Helps Defend Against Zero-Day Exploits

Unlike spam filters and Secure Email Gateways (SEGs) which can stop bulk phishing attacks, Tessian Defender can detect and prevent the most advanced threats. How?
Tessian’s machine learning algorithms learn from historical email data to understand specific user relationships and the context behind each email. When an email lands in your inbox, Tessian Defender automatically analyzes millions of data points, including the email address, Display Name, subject line, and body copy.  If anything seems “off”, it’ll be flagged – keeping zero-day exploits out.  To learn more about how tools like Tessian Defender can prevent spear phishing attacks, read our customer stories or speak to one of our experts and request a demo today.
Spear Phishing
What Is Credential Phishing and How Does it Work?
18 November 2020
Think about all of your different online accounts. Email, social media, banking, eCommerce platforms, news sites… And that’s just in your personal life. What about at work? For all of these different accounts, you’ll have a username, a password, a PIN, or some combination of the three. We call these credentials and they’re the type of data that’s most frequently compromised in phishing attacks. In fact, businesses (and individuals!) lose millions every year to the direct and indirect costs of credential phishing attacks.
Keep reading to find out what credential phishing is, what a credential phishing email looks like, and how to avoid falling victim to a credential phishing attack.

What is phishing?

First things first. Before we can dive into credential phishing specifically, we have to explain what phishing is broadly. Phishing is a type of social engineering attack where the attacker uses “impersonation” to trick the target into giving up information, transferring money, or downloading malware. Phishing attacks can take many different forms, including:
- Spear phishing: A targeted phishing attack against a known individual.
- Whaling: A phishing attack targeting a C-level executive. Senior employees make good targets, as they have easier access to a larger amount of money.
- Smishing: A phishing attack conducted via text message.
- Vishing: A phishing attack conducted via voice (phone or VoIP).

Any of these types of phishing could be used to gain access to credentials. Attackers also use these methods to target other types of information, like credit card details or social security numbers, and to steal money from the target (“wire transfer phishing”).

If you want to learn more about phishing and other social engineering attacks, check out these articles:
- How to Identify and Prevent Phishing Attacks
- Phishing vs. Spear Phishing: Differences and Defense Strategies
- 6 Real-World Examples of Social Engineering Attacks

How does credential phishing work?

Credential phishing almost always starts with an email. In fact, 96% of phishing attacks do. So how can you spot one? Let’s take a look at the elements of a credential phishing email.

Subject line

The cybercriminal’s first challenge is to get their target to open the phishing email. This requires an intriguing and attention-grabbing subject line. Research reveals some of the most commonly-used words and phrases in the subject lines of phishing emails, including:
- Request
- Follow up
- Urgent/Important
- Are you available?/Are you at your desk?
- Payment Status
- Hello
- Purchase
- Invoice Due

You’ll notice that some of these subject lines elicit feelings of urgency, while others aim for familiarity. According to another report, 25% of phishing emails get read. Ask any marketer, this is a high “open rate”. So, while these tactics might seem crude…they work.

Main body of email

The main content of a credential phishing email is designed to do two jobs: evade spam filters and persuade the target to click a malicious link. With that in mind, there are some hallmarks of a persuasive phishing email:
- It is addressed to you by name.
- It appears to be from a trusted sender with whom you regularly communicate.
- It uses the supposed sender’s proper branding, email signature, and communication style.

The goal – of course – is to make the target believe it’s real. That’s why successful phishing operations are highly targeted and backed by meticulous research about the target. The days of “spray and pray” bulk phishing emails are long gone. Cybercriminals are using increasingly advanced tactics, such as open source intelligence (OSINT) and hijacking an ongoing email conversation.

Malicious link

Unlike other types of phishing attacks, a credential phishing attack will always contain a link to a fake login page. But, like the main body of the email, the URL should look legitimate. Again, the goal is to trick the target, not raise their suspicions. How? Piggyback off another brand’s reputation. Research suggests that 52% of malicious links contain a brand name. This is known as a “spoof” domain. For example, a spoof of the URL “https://www.tessian.com” might be “http://www.tessian.nh”. Other techniques used for disguising URLs include using a link-shortening service like Bitly or using a hyperlinked image (for example, a “log in” button). Clickthrough rates on credential phishing links are estimated to fall anywhere from 3.4% (Verizon) to 10% (Proofpoint).
This represents a very high success rate: remember that just one person clicking that link can cost a company millions of dollars. Phishing website Once you’ve clicked on the link, you’re directed to the phishing website designed to steal your credentials. We call these malicious websites.  The landing page must be just as convincing as the email itself. That means a good phishing login page will be meticulously crafted, using authentic images and fonts to perfectly recreate a brand’s genuine site. Did you know: Cybercriminals are increasingly securing their sites using HTTPS or SSL certification. Research from APWG suggests that 78% of phishing sites use SSL certificates. This security makes the user feel more secure, but it doesn’t mean the site owner can’t steal their data.  As well as looking convincing, the phishing site must also evade security controls that filter out non-whitelisted sites based on keywords such as “enter password.” But hackers have found a shortcut. Instead of using text on their login pages, they use images. That way, rule-based security controls and spam filters can’t spot the fakes.
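The link-level signals discussed under Malicious link (a brand name inside a spoof domain such as tessian.nh, link shorteners, image-only “log in” buttons, and visible text that disagrees with the real destination), as an added example of how a mail filter can score the links in an HTML message. This is example code written for this page, not Tessian’s; the sample HTML, the BRAND_DOMAINS allowlist and the SHORTENERS list are constructed assumptions, and registered_domain() uses a two-label simplification rather than the public suffix list.

```python
"""Score the links in an HTML e-mail body for credential-phishing lures.

Added illustration, not Tessian's code. The allowlist, shortener list and
sample message are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Assumed allowlist: brand token -> registered domains the brand legitimately uses.
BRAND_DOMAINS = {"tessian": {"tessian.com"}}
# Assumed list of link-shortening services (the page names Bitly as one example).
SHORTENERS = {"bit.ly", "bitly.com", "tinyurl.com", "t.co"}
# Visible anchor text that reads like a URL or a bare domain name.
DISPLAY_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text, image_only) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str, bool]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []
        self._has_img = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text, self._has_img = [], False
        elif tag == "img" and self._href is not None:
            self._has_img = True          # an image inside the anchor (e.g. a button)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            self.links.append((self._href, text, self._has_img and not text))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: a production check needs the
    public suffix list, otherwise e.g. 'example.co.uk' collapses to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_link(href: str, text: str, image_only: bool) -> List[str]:
    """Return the reasons one link looks like a credential-phishing lure."""
    host = (urlparse(href).hostname or "").lower()
    reg = registered_domain(host)
    findings = []
    if reg in SHORTENERS:
        findings.append("link shortener hides the real destination")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and reg not in legit:
            findings.append(f"'{brand}' appears in {host}, which is not a {brand} domain")
    if image_only:
        findings.append("image-only link (e.g. a 'log in' button) shows the reader no URL")
    if DISPLAY_URL.match(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registered_domain(shown) != reg:
            findings.append(f"visible text shows {shown} but the link goes to {host}")
    return findings


def assess_email(html: str) -> Dict[str, List[str]]:
    """Map each suspicious href in an HTML e-mail body to its findings."""
    parser = LinkExtractor()
    parser.feed(html)
    report: Dict[str, List[str]] = {}
    for href, text, image_only in parser.links:
        findings = assess_link(href, text, image_only)
        if findings:
            report[href] = findings
    return report


# Constructed HTML body modelled on the tessian.nh example above: a spoof-domain link
# whose visible text is the real URL, a shortened image-only button, and a genuine link.
SAMPLE_EMAIL = """
<p>Your Tessian password expires today. Please sign in to keep your account.</p>
<p><a href="http://www.tessian.nh/login">https://www.tessian.com/login</a></p>
<p><a href="https://bit.ly/3xmplLnk"><img src="cid:login-button.png" alt=""></a></p>
<p><a href="https://www.tessian.com/support">Contact support</a></p>
"""

if __name__ == "__main__":
    for href, why in assess_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in why:
            print("  -", reason)
```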
What happens to phished credentials?

Cybercriminals steal credentials for a variety of reasons. Once your username and password have been phished, they might be:
- Used for Business Email Compromise (BEC) or Vendor Email Compromise (VEC) attacks.
- Used to log into your email account and steal personal or company data.
- Used for identity fraud.
- Used for conducting fraudulent transactions.
- Sold on the dark web: Research from Digital Shadows shows there are over 15 billion sets of credentials available to buy online.

Credential phishing can be especially damaging for anyone who reuses passwords. Why? If one password is compromised, several accounts could be exposed. Researchers at Virginia Tech observed attackers using phished PayPal, LinkedIn, and Microsoft credentials to log into email accounts — even though the email accounts were not the attackers’ primary targets.

What you need to know about credential phishing

Now you know how credential phishing works, let’s clear up some myths and misconceptions about this particularly dangerous form of cyberattack.

Credential phishing is effective

Because phishing is such a common and well-established type of cyberattack, you might think people have become wise to these scams. Surely phishing for people’s credentials is an outdated tactic? Unfortunately not. Phishing attacks are becoming more sophisticated — and because many people naturally tend to trust others — we’re still clicking those phishing links. According to Verizon, phishing was the most common cause of data breaches in 2019, with 22% of 2019 data breaches involving phishing. Phishing was also the leading issue in complaints to the FBI’s Internet Crime Complaint Centre (IC3) in 2020. Phishing incidents more than doubled compared to the previous year, and cost victims over $54 million in direct losses. Not all of these phishing attacks targeted credentials. Other types of phishing involve fake invoices or target credit card details.
But credentials are the most common target, with over 60% of phishing attacks aiming to steal usernames and/or passwords. Looking for more phishing statistics? Check out this article: Must-Know Phishing Statistics: Updated 2020. 
Multifactor authentication won’t prevent credential phishing

Multifactor authentication (MFA) is an essential extra layer of login security. But MFA isn’t a solution to credential phishing. This is a misconception that can leave people and organizations vulnerable. Here’s why. Logging into an account protected by MFA requires you to enter your login credentials and take one or more additional steps to verify your identity — such as clicking on a link in an email, entering a verification code sent via SMS, or using an authenticator app. Yes, this makes things a lot harder for hackers, who must steal a user’s account credentials and access the additional authenticator. But cracking MFA is far from impossible. Authentication tokens can be phished or hacked, just like usernames and passwords. That means MFA is an essential layer of protection that you should apply across all user accounts, but it’s not a failsafe against credential phishing.

Credential phishing attacks increasingly target corporate email accounts

Some organizations might focus their cybersecurity efforts on preventing attacks involving ransomware or wire transfer phishing, believing that consumers are more likely to be the target of credential phishing. Credential phishing attacks against consumers are very common, but research shows that credential phishing scammers now have their sights set on corporate targets. What makes corporate email accounts a particularly good target for credential phishing? Hackers can use one account as a foothold to conduct further phishing operations both within the organization and across their supply chain.

How to prevent credential phishing attacks

Investment in cybersecurity is increasing year on year (up 44% in the UK since GDPR was rolled out) and preventing inbound attacks like credential phishing is a high priority for many companies. Here are some solutions to consider.
Email security software

You’ve seen the sophisticated techniques that cybercriminals use to fool their targets. Even the most tech-savvy of your team members can’t be expected to detect advanced credential phishing emails. Instead of leaving people as the first and last line of defense against these targeted attacks, consider email security software like Tessian Defender that automatically protects your employees’ email accounts against credential phishing and other inbound threats. Here’s how:
- Tessian scans your employees’ inboxes to learn their regular email style and map their trusted relationships. This way, it automatically knows when an employee receives correspondence from an unexpected sender.
- Tessian inspects inbound emails for signs that they might be phishing emails. Signs might include barely noticeable irregularities in the sender’s email address, potentially malicious links, or suspicious changes to the sender’s communication patterns.
- Tessian warns employees before they fall victim to a phishing attack and alerts security teams, who can quickly and easily investigate the attack and – to prevent future attacks – can add the sender’s domain to a denylist in a single click.

Security training

Staff training in data protection and in phishing awareness are both essential (and can even be a requirement under some privacy laws and regulatory standards). Why? Your staff should know what phishing emails and other cyberattacks look like and know what to do if they fall victim to one. But the average person isn’t a security expert. Like we said, even the most tech-savvy person can fall for sophisticated attacks. It’s no wonder, then, that most data breaches start with human error. To learn more about the pros and cons of phishing awareness training, click here.

Password management

In a world where passwords protect our most valuable and sensitive data, it’s incredible how many people still use the same password across multiple accounts.
Re-using passwords increases your vulnerability across multiple accounts. Your organization should insist that employees use unique, complex passwords for each of their accounts. Employees should also be changing their passwords regularly. One way to ensure better password management is to use a password manager, ideally designed for enterprise, with centralized user account controls. You should also be implementing multi-factor authentication wherever possible. If you want to learn more about email security best practices, we recommend these articles: Email Security Best Practice 2020 Email Mistakes at Work and How to Fix Them The Psychology of Human Error How to Catch a Phish: a Closer Look at Email Impersonation Or, if you want to learn more about how Tessian helps enterprises around the world prevent credential phishing and other inbound and outbound threats, read our customer stories. 
How to Spot Retail Scams (2020)
By Laura Brooks
16 November 2020
Bargain hunters beware. The popular shopping period leading up to the holidays – along with mega online shopping days like Amazon Prime Day, Singles Day, Black Friday and Cyber Monday – creates the optimal environment for hackers’ phishing attempts. And with more people staying home and shopping online due to the COVID-19 pandemic, there are even more opportunities for cybercriminals this year. In fact, 51% of UK consumers and 47% of US consumers told us they have done more online shopping in 2020 than in 2019.

Why do hackers prey on targets during peak shopping times?

Consumers expect to receive more marketing and advertising emails from retailers during this time, touting their deals, along with updates about their orders and notifications about deliveries. Inboxes are noisier than usual, and this makes it easier for cybercriminals to ‘hide’ their malicious messages and prey on individuals who are not security savvy.

What’s more, attackers can leverage the ‘too-good-to-be-true’ deals people are expecting to receive, using them as lures to successfully deceive their victims. When the email looks like it has come from a legitimate brand and email address, people are more likely to click on malicious links that lead to fake websites or download harmful attachments.

Impersonating a trusted brand or organization is a tried and tested method that cybercriminals use to successfully hack humans. It’s so effective that 68% of IT decision makers at UK retailers and 53% at US retailers told us, in a report we published last year, that they were worried about their brand being impersonated during the holiday shopping season.

Despite these concerns, though, our researchers this year found that 75% of the top 100 retailers in the US are not using Domain-based Message Authentication, Reporting & Conformance (DMARC) records – meaning that an overwhelming number of retailers are potentially at risk of having their brand’s domain impersonated by scammers in phishing emails. Only 16% of the top 100 US retailers were found to have DMARC policies set at the strictest setting. To learn more about phishing emails – including what they look like and how to prevent them – click here.

How do hackers impersonate brands and people?

Without DMARC records in place, or without DMARC policies set at the strictest setting, hackers can easily impersonate a company’s email domain in phishing campaigns, convincing consumers that they are opening an email from a legitimate sender. From that phishing email, hackers could lure their targets to a fake website that has been set up to steal account credentials or personal and financial information. Against the backdrop of holiday shopping deals, it wouldn’t seem out of the ordinary for someone to receive a ‘too good to be true’ deal that encourages them to click a link to ‘find out more’.

But it’s not just consumers that need to be wary. Employees, customers, suppliers and vendors of these retailers also need to be aware of the threats that could be present in their inboxes during this time. By spoofing the domain, a hacker could convincingly impersonate a senior executive asking an employee to share customer information, or even pretend to be the CFO of an organization, requesting that the account details for invoicing be changed.

Vendor impersonation (also called vendor email compromise) is a persistent threat that many businesses are facing right now – one that has increased since the shift to remote working. In fact, Tessian research revealed that over a third (34%) of the phishing attacks organizations received between March and July 2020 purportedly came from an external supplier, while 26% supposedly came from a customer.

Hackers prey on the people-heavy nature of the retail industry. Using sophisticated social engineering techniques and clever impersonation tactics, they’re counting on people making a mistake and falling for their scams. Looking for real-world examples of social engineering attacks? Read this article: 6 Examples of Social Engineering Attacks.

How can you protect yourself from phishing scams?

Retailers need to do everything they can to protect people from phishing scams. Configuring email authentication records like DMARC and setting strict policies are both necessary first steps for preventing attackers from directly impersonating the business’s email domain. Education on the threats is incredibly important, too. So if you suspect that you have received a phishing scam this shopping season, here’s what you can do about it:

Always check the sender and verify that it’s a legitimate email address. Scammers will often take advantage of the fact that mobile email clients only show a display name, as opposed to the full email address. This means that a bad actor could send a message from an unknown email address but change the display name to “Amazon” to make it appear legitimate.
Visit the retailer’s website and official social media channels to cross-check that the deal in question has been mentioned elsewhere.
If you receive an email or text that has an associated action or a sense of urgency or deadline, it’s most likely a scam. Ask yourself, does this request make sense?
Check for spelling or grammar mistakes. Legitimate messages from large companies will rarely have errors.
Look for the padlock in the URL bar. The padlock symbol means the connection to the website you are visiting is encrypted (HTTPS). If the page you’ve been led to doesn’t have this, then it could be a scam.
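The article's "no DMARC record" versus "strictest setting" distinction can be checked mechanically. The following is an added example (not Tessian's code, and not the retailer data behind the article's figures) that parses DMARC TXT records and classifies each domain's posture; the .example domains and their records are constructed samples, and a real audit would fetch the TXT record at _dmarc.<domain> over DNS instead.

```python
"""Classify DMARC records by policy strictness.

Added example (not Tessian's code): the records below are constructed
samples on .example domains. A real audit would fetch the TXT record at
_dmarc.<domain> over DNS; here the records are embedded so it runs offline.
"""
from typing import Dict, Optional

# Ordering of the DMARC "p"/"sp" policy values, weakest to strongest.
# p=none means "deliver as normal, just send me reports", so it does
# nothing to stop a spoofed message reaching the inbox.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tag=value pairs (keys lowercased).

    Returns {} for anything that is not a DMARC record, e.g. an SPF record
    published by mistake at _dmarc.<domain>, or a record without v=DMARC1.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def classify(record: Optional[str]) -> str:
    """Return the posture a domain's DMARC record gives it.

    missing     no record at all: the domain can be spoofed freely
    invalid     record present but not usable as DMARC
    monitor     p=none: reporting only, spoofed mail is still delivered
    partial     quarantine/reject, but only for a share of mail (pct<100)
                or with a weaker subdomain policy (sp) than the main one
    quarantine  p=quarantine applied to all mail
    strict      p=reject applied to all mail and all subdomains
    """
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        return "invalid"
    # sp defaults to p; an unrecognised sp value is treated as invalid here
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy not in POLICY_RANK:
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if policy == "none":
        return "monitor"
    if pct < 100 or POLICY_RANK[subdomain_policy] < POLICY_RANK[policy]:
        return "partial"
    return "strict" if policy == "reject" else "quarantine"


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per posture (the shape of the article's 75% / 16% figures)."""
    counts: Dict[str, int] = {}
    for record in records.values():
        posture = classify(record)
        counts[posture] = counts.get(posture, 0) + 1
    return counts


# Constructed sample records on hypothetical .example domains, not real data.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "retailer-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@retailer-a.example",
    "retailer-b.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@retailer-b.example",
    "retailer-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@retailer-c.example",
    "retailer-d.example": None,  # no _dmarc TXT record published at all
    "retailer-e.example": "v=DMARC1; p=reject; sp=none",  # subdomains left open
    "retailer-f.example": "v=spf1 include:_spf.retailer-f.example -all",  # SPF, not DMARC
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:22} {classify(record)}")
    print(summarize(SAMPLE_RECORDS))
```

Note that even a strict record only blocks direct use of the domain; lookalike domains and display-name tricks like the "Amazon" example above are outside DMARC's scope, which is why the checks in the list still matter.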
October Cybersecurity News Roundup
30 October 2020
October 2020 has been another remarkable month in cybersecurity. And, since COVID-19 sent the world indoors and made us ever more reliant on the internet, the importance of information security and data protection has never been more apparent. October saw numerous high-profile data breaches, cyberattacks, and online scams — but also brought us one of the biggest GDPR fines yet, an innovative solution to deepfake technology, and even more jostling between the US government and Chinese big tech. Let’s take a look at the biggest cybersecurity headlines of October 2020.

Paying Cyberattack Ransoms Could Breach International Sanctions Rules

New guidance from the US Treasury has big implications for companies hit by ransomware attacks from certain countries. (Companies affected by ransomware find their files encrypted — replaced by useless strings of seemingly random characters — with cybercriminals promising to return the data if the company pays a ransom.) Paying up might be the least-worst option where a company’s critical data is at stake. But according to an October 1 US Treasury advisory note, paying cyberattack ransoms could violate legal rules on international sanctions. Businesses suffering a ransomware attack by hackers from a sanctioned country — like Iran, China, or Russia (where many such attacks do originate) — now face the threat of huge fines and legal action if they choose to buy back their files. The Treasury’s advice reiterates what cybersecurity leaders have been saying for many years: in cybersecurity, prevention is far better than cure.

Amazon Prime Day Sees Huge Spike in Phishing Scams

With millions of consumers confined to their homes, this year’s Amazon Prime Day was a chance for millions of shoppers to grab a bargain — and an unmissable opportunity for cybercriminals to steal their personal information. October 8 research from Bolster detected over 800 “spoof” Amazon webpages in September (up from 50 in January), as fraudsters ramped up their phishing efforts in anticipation of the two-day Amazon Prime Day event, hosted October 13-14. Some sites looked near-identical to Amazon’s genuine web properties, with perfectly duplicated branding and convincing domain names. Unwary shoppers were asked for details such as their CVV2 code and social security number. See what advice Tessian co-founder and CEO, Tim Sadler, offered consumers in Tech Radar.

FBI Warns of Ransomware Attacks Targeting Healthcare Providers

On October 29, the FBI and other agencies issued a warning regarding an “increased and imminent cybercrime threat to US hospitals and healthcare providers.” The threats include a new tool named anchor_dns, a backdoor that can reportedly “evade typical network defense products,” and the Ryuk ransomware. Among other measures, the FBI is advising healthcare providers to create business continuity plans, patch networked systems, and implement multi-factor authentication in preparation for an attack. According to the Associated Press, 59 US healthcare systems have been attacked via ransomware so far this year. Looking for more information on why the healthcare industry is especially vulnerable? We talk more about The State of Data Loss Prevention in Healthcare in this article.

UK Public Body Unable to Provide Services Following “Serious Cyberattack”

On October 14, Hackney London Borough Council, a UK local government body, announced that it had fallen victim to a “serious cyberattack.” In an update two days later, the council revealed the extent of the damage. Among other things, the council was unable to accept rent payments, process planning applications, or pay some social security benefits. The council said it was “working hard to restore services, protect data, and investigate the attack,” but that services could remain unavailable for “some time.”

UK Data Regulator Issues $26 Million Fine to Airline

UK airline British Airways received a £20 million ($26 million) fine on October 17 for “failing to protect the personal and financial details of more than 400,000 of its customers.” The fine relates to a cyberattack suffered by the company in 2018. The Information Commissioner’s Office — the UK’s data protection authority — found that the airline had failed to limit access to data, had not undertaken sufficiently rigorous testing, and should have implemented multi-factor authentication on its employee and third-party accounts. The British Airways fine amounts to the fourth-largest GDPR fine of all time — but the airline actually got off relatively lightly, considering that the fine was initially touted as £183 million ($238 million). To learn more about compliance standards like the GDPR (including the largest breaches and fines to date), check out The CEO’s Guide to Data Protection and Compliance.

Adobe Launches Content Authenticity Initiative Tool to Fight Deepfakes

As video and audio manipulation techniques become more accessible, cybersecurity and intelligence experts have been warning about a potential onslaught of deepfakes that could have an unprecedented impact on security, politics, and society. Not sure what a deepfake is? Read this article. Cybercriminals can use deepfake technology to create video or audio clips of high-profile and trusted individuals. Deepfakes have already been used in phishing attacks and could also be used for blackmail and disinformation campaigns. On October 20, Adobe’s Content Authenticity Initiative announced a new tool that will add “a secure layer of tamper-evident attribution data to photos, including the author’s name, location, and edit history” to help creatives authenticate their content. Once deepfakes are sufficiently convincing, there might be no way to distinguish them from genuine material. Adobe’s project marks a promising first step on this emerging security front.

Hackers Discover 55 Vulnerabilities Across Apple’s Systems

A group of hackers earned $300,000 via Apple’s bug bounty scheme after identifying 55 vulnerabilities across Apple’s infrastructure. The security issues included vulnerabilities that would have allowed an attacker to “(take) over a victim’s iCloud account,” “fully compromise an industrial control warehouse software used by Apple,” and “access management tools and sensitive resources.” The group said Apple had fully addressed the majority of the vulnerabilities reported.

Around 3 Million Credit Cards Compromised After Breach at US Restaurant Franchise

On October 12, details of around 3 million credit cards were posted on the dark web following a huge data breach at US restaurant franchise Dickey’s Barbeque Pit. According to an investigation by Gemini Advisory, 156 of 469 Dickey’s outlets were involved in the breach, with the highest levels of exposure present in California. The details appear to have been stolen between July 2018 and August 2020. Given California’s strict data breach rules, including a private right of action under the California Consumer Privacy Act, Dickey’s could be liable for some eye-watering sums if the breach is found to have resulted from lax cybersecurity practices. Questions about the CCPA? We answer 13 of them in this article: CCPA FAQs: Your Guide to California’s New Privacy Law.

Russia Planned to Launch 2020 Olympics Cyberattack

The GRU, Russia’s military intelligence agency, “conducted cyber reconnaissance against officials and organizations” involved in the Tokyo 2020 Olympic and Paralympic Games, according to a UK government announcement on October 19. Russian cybercrime groups are alleged to have targeted “organizers, logistics services, and sponsors.” The Games were originally due to take place this summer but were postponed due to COVID-19. The UK government also revealed the full extent of Russia’s hacking campaign against the 2018 Winter Games, during which Russian hackers are alleged to have disguised themselves as Chinese and North Korean attackers to target the opening ceremony in Seoul, South Korea.

ENISA 2020 Threat Landscape Report Shows Increase in Cyberattacks

The European Union Agency for Cybersecurity (ENISA) released its 2020 Threat Landscape Report on October 20, and cybersecurity leaders (unfortunately) won’t be surprised at its conclusion: cybercrime is on the increase. The report cites “a new norm,” triggered by the COVID-19 pandemic, in which the world is even more dependent on “a secure and reliable cyberspace.” ENISA found that the number of phishing victims “continues to grow,” that Business Email Compromise (BEC) resulted in “the loss of millions of euros,” and that state-sponsored actors are propagating “finely targeted and persistent attacks on high-value data.” If you’re a security leader looking for solutions to these problems, click here to learn more about how Tessian Defender detects advanced impersonation attacks that slip past SEGs, native features, and legacy tools.

Researcher Breaches US President’s Twitter Account By Guessing Password

Dutch “ethical hacker” Victor Gevers found himself in control of Donald Trump’s Twitter account on October 16 after guessing the US president’s password. Trump’s Twitter account has over 87 million followers and is frequently used to deliver messages of international importance. Gevers said he correctly guessed the password, “maga2020!”, after seven attempts. The incident reveals that the president was using a simple, easy-to-guess password, and that he had multi-factor authentication disabled. Rectifying either of these two basic security errors would have prevented unauthorized access to the account.

Overruling of WeChat Ban Denied by California Judge

Another month, another development in the long-running battle between the US government and Chinese tech firms. On October 23, California struck a blow to the Trump administration’s efforts to restrict WeChat — a Chinese app used for currency transfers, social networking, and instant messaging. In September, the US Department of Commerce ordered Apple and Google to stop distributing WeChat via their app stores, citing security issues. The order was blocked in California following a legal challenge by WeChat. The US Justice Department brought further evidence and asked the court to reverse its WeChat ruling. The court declined to change its decision, meaning that the Commerce Department’s banning order will remain unenforced in California — despite the federal government’s allegations regarding WeChat’s security issues.

Finnish Therapy Center Hacked, Exposing Patient Data

One of the most shocking data breaches of 2020 was brought to light on October 24, when Finnish psychotherapy center Vastaamo revealed a hack that compromised hundreds of patient records. The highly sensitive nature of the breach means that it is being taken extremely seriously. Finland’s interior minister summoned a cabinet meeting to determine how best to respond to the breach, promising “speedy crisis help” to the affected individuals. The hackers are demanding a ransom in exchange for the return of the files, which were reportedly accessed between November 2018 and March 2019. The attack further suggests that businesses worldwide lack proper cybersecurity infrastructure — even when handling highly sensitive and valuable data.

That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup.
How Tessian Is Preventing Breaches and Influencing Safer Behavior in Healthcare
By Maddie Rosenthal
28 October 2020
Company: Cordaan
Industry: Healthcare
Seats: 6,300
Solutions: Guardian, Enforcer, Defender

About Cordaan

Cordaan – one of the largest healthcare providers in Amsterdam – provides care to over 20,000 people from 120 locations across Amsterdam. They do this with the help of 6,000 employees and more than 2,500 volunteers. Cordaan also works in association with research institutes and social organizations. To help protect the organization’s people, sensitive data, and networks, Cordaan has deployed Tessian Guardian, Enforcer, and Defender to protect over 6,300 employees on email.

Tessian solves three key problems for Cordaan, which we explore in detail in the video below. Keep reading for a summary of the discussion.

Problem: Healthcare employees are especially vulnerable to inbound attacks

When it comes to inbound attacks like spear phishing and business email compromise, the healthcare industry is among the most targeted. It also has the highest costs associated with data breaches. Why? According to Cas de Bie, the Dutch healthcare provider’s Chief Information Officer, it’s not just because organizations operating in this industry handle highly sensitive data. It also has a lot to do with the very nature of the work: helping people. Combine this empathetic approach with the stress of a global pandemic, and you’re left with an incredibly vulnerable workforce. Cas is now confident that Tessian will identify spear phishing emails before his employees respond to them, and that employees’ workflow won’t be disrupted in the process.

When talking about inbound attacks, Cas said “It’s all about awareness. While people probably do know what they’re supposed to do when it comes to email security, it’s different in real life. It’s hard to decide in the moment. Of course, they don’t do it on purpose. They want to make the right decision. Tessian helps them do that.”

Problem: Reactive and rule-based solutions weren’t preventing human error on email in the short or long term

To ensure GDPR compliance, Cordaan prioritized investment in privacy and security solutions. But, according to Cas, “standard” email security, spam filtering solutions, and encryption alone just weren’t enough. They weren’t keeping malicious emails out of inboxes, and they weren’t preventing data loss from insiders. They also weren’t doing anything to improve employee security reflexes in the long term.

So, to level up Cordaan’s email security, Cas was looking for a solution that was:
Technologically advanced
User-friendly
Proactive

With Tessian, he found all three. Powered by contextual machine learning and artificial intelligence, our solutions can detect and prevent threats and risky behavior before they become incidents or breaches. How? With in-the-moment warnings – triggered by anomalous email activity – that look something like this.

These warnings help nudge well-intentioned employees towards safer behavior and ensure data stays within Cordaan’s perimeter. And, because Tessian works silently in the background and analyzes inbound and outbound emails in milliseconds, it’s invisible to employees until they see a warning.

This was incredibly important to Cas, who said that “The added value of Tessian is that it influences behavior. That really resonated with the board and helped me make a strong business case. While I can’t show how cybersecurity creates revenue, I can show – via a risk management calculation – the potential fines we could avoid because of our investment in Tessian”.

Problem: Cordaan’s security team had limited visibility into – and control over – data loss incidents on email

While Cordaan had invested in other email security solutions, Cas and his team still lacked visibility into the frequency of data loss incidents on email. But, after deploying Tessian for a Proof of Value, the scope of the problem became crystal clear. The reality is that employees send unauthorized and misdirected emails more frequently than expected. (We explore this in detail in our report, The State of Data Loss Prevention 2020.) But the good news is that this behavior can be influenced and corrected, all without access restrictions that make it harder (or impossible) for employees to do their jobs.

Cas explained it well, saying that “Of course there are things that we have to police and prohibit. But, most of the time, people aren’t doing things maliciously. So it’s nice that – with Tessian – we can take a more nuanced approach. We can influence behavior and help our employees do the right thing.”

Learn more about how Tessian prevents human error on email

Powered by machine learning, Tessian’s Human Layer Security technology understands human behavior and relationships.
Tessian Guardian automatically detects and prevents misdirected emails
Tessian Enforcer automatically detects and prevents data exfiltration attempts
Tessian Defender automatically detects and prevents spear phishing attacks

Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of an organization’s email network. That means it gets smarter over time to keep you protected, wherever and however you work. Interested in learning more about how Tessian can help prevent email mistakes in your organization? You can read some of our customer stories here or book a demo.
Tessian Included as a Cloud Email Security Supplement Solution in Gartner’s 2020 Market Guide for Email Security
By Maddie Rosenthal
27 October 2020
Gartner recently released its Market Guide for Email Security, and Tessian is thrilled to have been included as a representative vendor for Cloud Email Security Supplement Solutions. So, what does that mean? According to the report, representative vendors offer “email security capabilities in ways that are unique, innovative, and/or demonstrate forward-looking product strategies.”

How has the threat landscape changed?

According to Gartner’s guide, there are a number of factors related to the market’s direction that security leaders need to consider, including the ways in which hackers are targeting organizations and how (and where) we work. Keep reading to learn more.

Email is the #1 threat vector

As noted in the report, “According to the 2020 Verizon Data Breach report, 22% of breaches involved social engineering, and 96% of those breaches came through email. In the same report, another 22% of breaches were a result of “human failure” errors, where sensitive data was accidentally sent to the wrong recipient.”

“Business email compromise (BEC), the takeover or fraudulent use of a legitimate account to divert funds, continues to grow, and simple payroll diversion scams accounted for $8 million in 2019.”

The bottom line: whether it’s protecting against inbound threats like ransomware attacks, business email compromise (BEC), or account takeover (ATO), or outbound threats like accidental and malicious data exfiltration, security leaders need to prioritize email security and reevaluate the effectiveness of current solutions. This is especially pertinent as many organizations have moved to the cloud.

Increased cloud office adoption

According to Gartner, “Enterprise adoption of cloud office systems, for which cloud email is a key capability, is continuing to grow, with 71% of companies using cloud or hybrid cloud email.” We can expect these numbers to rise, especially given the sudden shift to remote working set-ups in response to COVID-19 and the steep and steady rise in the use of mobile devices for work.

But there’s a problem. Despite G Suite and O365’s basic security controls, as well as their anti-spam, anti-phishing, and anti-malware services and advanced attachment- and URL-based threat defenses, “email threats have become sophisticated to evade detection by common email security technologies, particularly those that rely only on standard antivirus and reputation.”

What capabilities set vendors apart?

So, what capabilities set vendors apart? In other words, what capabilities should security leaders be looking for? Gartner recommends that security leaders “invest in anti-phishing technology that can accurately detect BEC and account takeover attacks. In particular, seek solutions that use AI to create a baseline for communication patterns and conversation style and detect anomalies in these patterns. For account take over attacks, seek solutions that use computer vision when reviewing suspect URLs. Adjacent technologies such as multifactor authentication are used to protect against account takeover attacks.”

Gartner also says “the following capabilities can be used as primary differentiators and selection criteria for email”. These include the ability to:
“Protect against attachment-based threats”
“Protect against URL-based advanced threats”
“Protect Against Impersonation and Social Engineering Tactics Used in URL-Based, Attachment-Based and Payloadless Advanced Threats”

And, to help security leaders narrow down their search, Gartner identified specific categories of vendors that provide some of the above email capabilities. Tessian is recognized as a representative vendor for CESSs. Keep reading to learn more about our products and technology.

Why Tessian?

Tessian Human Layer Security offers both inbound and outbound protection on email and satisfies criteria outlined in the report, including display name spoof detection, lookalike domain detection, anomaly detection, data protection, and post-delivery protection, and offers this protection for both web and mobile devices. Here’s how.

Powered by machine learning, our Human Layer Security platform understands normal email behavior by analyzing content, context, and communication patterns from historical email data to establish trusted relationship graphs. Tessian can then detect anomalies in real time using those employee relationship graphs alongside deep content analysis, natural language processing, and behavioral analysis.

Tessian Guardian automatically detects and prevents accidental data loss from misdirected emails
Tessian Enforcer automatically detects and prevents data exfiltration attempts and ensures compliant email activity
Tessian Defender automatically detects and prevents spear phishing, Business Email Compromise and other advanced targeted impersonation attacks

Tessian’s technology updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network, without hands-on maintenance from security teams. That means it gets smarter over time to keep you protected, wherever and however you work, whether that’s a desktop computer in the office or a mobile device, tablet, or laptop at home.

But Tessian doesn’t just detect and prevent threats. When a security threat is triggered, contextual warnings provide employees with in-the-moment training on why an email was flagged as unsafe (or as an impersonation attempt), or reinforce data security policies and procedures and improve their security reflexes. This nudges employees towards safer behavior in the long term.

And, with Human Layer Security Intelligence, security and compliance leaders can get greater visibility into the threats prevented, track trends, and benchmark their organization’s security posture against others. This way, they can continuously reduce Human Layer risks over time.

To learn more about how Tessian protects world-leading organizations across G Suite, O365, and Outlook, check out our customer stories or book a demo.
Gartner, Market Guide for Email Security, September 2020 Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
8 Book Recommendations for Security Professionals
By Maddie Rosenthal
22 October 2020
Most security professionals rely on recommendations from their peers when it comes to vendors, solutions, and strategies. So, why not books? We asked our own cybersecurity experts what they were reading and rounded up eight books to add to your reading list.

The Cuckoo’s Egg

In 1986, Clifford Stoll – a systems administrator at the Lawrence Berkeley National Laboratory – wrote this book. Based on his field notes, this is arguably one of the first documented cases of a computer hack and the subsequent investigation, which eventually led to the arrest of Markus Hess. It’s now considered an essential read for anyone interested in cybersecurity.

CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers

While this book covers all the fundamentals of IT security governance and risk management, it also digs deeper into people. After all, being a CISO isn’t just about technology. The insights in the book come directly from CISOs. In total, 75 security leaders contributed to the book, which means there’s plenty of actionable advice you can apply to your strategies. Looking for more insights from security leaders? Check out Tessian’s CISO Spotlight series.

Art of Deception

Written by someone pretty well-known in the security field – Kevin Mitnick – Art of Deception offers readers an insider’s view on what it takes to hack a system (and therefore what you can do to protect yourself).

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers

Politics play a big role in cybercrime. This book is focused on Sandworm, the group of Russian hackers who, over the last decade, has targeted American utility companies, NATO, and electric grids in Eastern Europe and paralyzed some of the world’s largest businesses with malware. But the author, Wired senior writer Andy Greenberg, also provides plenty of background on both the technology and the relationships between various countries.

Social Engineering: The Art of Human Hacking

If you want a breakdown of every aspect of social engineering – from elicitation and pretexting to influence and manipulation – this one’s for you. Written by Christopher Hadnagy – the lead developer of the world’s first social engineering framework – this book is a sort of intro to hacking humans that could help you level up your phishing awareness program and defenses. We take a deep dive into the psychology of human error in this report, with insights from Stanford Psychology and Communications professor Jeff Hancock.

The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats

In the same vein as Sandworm, this book explores cyberwar, nation-state hackers, and the future. While it doesn’t offer highly technical insights, there is plenty of practical advice on how organizations and individual people can avoid being hacked.

Cult of the Dead Cow

Cult of the Dead Cow explores some of the world’s most infamous hacking groups – particularly the cDc – and explains how technology, data, and – well – the world has changed because of them.

CISM Certified Information Security Manager All-in-One Exam Guide

Yes, this is an exam guide… and yes, you should add it to your reading list, if nothing else to have on hand as a reference. Why? It covers everything: security governance, risk management, security program development, and security incident management.

Curious as to whether or not other security professionals have their CISM certification? We interviewed 12 women about their journeys in cybersecurity. Read their profiles here and the full report, Opportunity in Cybersecurity Report 2020.