Spear Phishing
Coronavirus and Cybersecurity: How to Stay Safe From Phishing Attacks
Tuesday, March 17th, 2020
Hackers love emergencies and times of general uncertainty. Why? Because people are scared, distracted, potentially desperate, and are therefore vulnerable—making them ideal targets. As COVID-19 continues to spread and global concern about the pandemic rises, bad actors will be impersonating trusted institutions like healthcare organizations, insurance companies, banks, and airlines in order to steal money, harvest credentials, or install malware on your computer…and that’s just on the consumer side.

When it comes to business, trusted individuals and brands will be impersonated. For example, hackers will impersonate out-of-office CxOs and popular web conferencing applications, especially as organizations encourage and rely on remote working. Internally at Tessian, we’ve shared tips with our employees on how to spot this type of scam and what to do in case you’re targeted. We think it’s important to spread the message and raise awareness with everyone.

Consumers: What Should You Look For?

Hackers will be impersonating trusted brands. Carefully inspect all emails, but be especially wary of those coming from healthcare organizations, insurance companies, banks, and airlines, especially those that ask you to “Confirm you are safe”, “Confirm you haven’t traveled to recently affected COVID-19 countries”, or anything similar.

Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot.

The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.
While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors or branding inconsistencies either in the logo, email template, or a landing page.

Employees: What Should You Look For?

Hackers will be impersonating people within your organization and third parties like suppliers or vendors. You should be cautious when responding to any internal email that mentions the sender being out of office and any third-party email that comes from a source you don’t recognize or that requires urgent action.

Look beyond the Display Name and examine the full email address of every sender. While hackers can directly spoof an email address, they’ll often change, remove, or add one letter to the genuine email address, making the difference difficult to spot.

The goal of a phishing attack is to steal money, harvest credentials, or install malware. That means hackers will motivate you to act, either by encouraging you to download an attachment, follow a link, transfer money, or respond with personal details. These are all red flags.

While hackers can certainly craft perfectly believable correspondence, phishing emails may contain spelling errors, language or requests that are out of character, and branding inconsistencies. These red flags are all a bit easier to spot when you have a bit more context. Below are just a few examples of phishing emails that you may see over the next few weeks.

The Fraudulent Third-Party
What’s wrong with this email?

The sender’s email address contains irregular characters and doesn’t match the Display Name. Organizations should send internal communications to let their employees know they’ve implemented new tools or platforms; you shouldn’t be hearing about it from the third party first. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: a suspicious URL can still take you to a landing page that appears legitimate.

The Out-Of-Office Boss
What’s wrong with this email?

The sender’s email address is from a freemail domain (@yahoo.com) and not from within the organization. The attacker is giving the email a sense of urgency. The attacker is using remote working as a ploy to encourage the target to do something unusual. The attacker is impersonating a person in power; this is a common tactic in social engineering schemes.

The Concerned Counterparty
What’s wrong with this email?

The top-level domain (.net) is unusual and inconsistent with previous emails from this supplier. The attacker is using fear and urgency to motivate the target to act. Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: a suspicious URL can still take you to a landing page that appears legitimate.

The “Helpful” Government Organization
What’s wrong with this email?

All valid email correspondence from WHO will come from @who.int, not any other variation. The attacker is using the fear of COVID-19 to motivate the target to download the malicious attachment. Like many other organizations, WHO has stipulated they will never send unsolicited emails containing attachments.

The Proactive Health Insurance Provider
What’s wrong with this SMS?

The attacker is using fear to motivate the target to act. Because no health insurance provider is mentioned by name, you can assume this text has been sent to a large pool of targets. Legitimate organizations will never ask you to update your payment details via text. The text message contains a shortened link; the target can’t see the URL of the website they’re being led to.

Of course, knowing what these opportunistic phishing emails look like is just the first step. Actually knowing what to do if you’re targeted is what’s really important.

What to Do If You’re Targeted

If anything seems unusual, do not follow or click links or download attachments. Instead, visit the brand’s website via Google or your preferred search engine, find a support number, and ask them to confirm whether the communication is valid. If the email appears to come from someone you know and trust, like a colleague, reach out to the individual directly by phone, Slack, or a separate email thread. Rest assured, it’s better to confirm and proceed confidently than the alternative. If you’re an employee who’s been targeted, contact your line manager and/or IT team.

We’ve all heard the phrase “prevention is better than cure” and phishing attacks are no exception. While knowing what to do if and when you’re targeted is incredibly valuable, it’s also important that both individuals and organizations know how to avoid being impersonated in the first place.

How to Avoid Being Impersonated

For those of you who are working remotely or are otherwise Out of Office, don’t include any personally identifiable information (PII) in your automated emails or on social media. For example, don’t provide your personal mobile number or email address. Don’t tell people to email a colleague in your absence; this information helps bad actors map connections and relationships within an organization, which can be used to make future phishing emails seem more convincing.
Hackers can use this to their advantage to target your colleagues. Organizations should implement SPF, DKIM, and DMARC to help prevent hackers from directly spoofing their domain. Both brands and senior leadership should advise customers and employees what they will and will not ask for via email, phone, or text. People will then have a better sense of what requests are out of the ordinary and therefore suspicious.

As we continue sharing best practice tips with our employees to keep them secure while working remotely, we’ll share them with you, too. Check back on our blog for the latest updates.
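The red flags walked through above (a sender address one letter off a genuine domain, a freemail or wrong top-level domain behind a familiar display name, a shortened link, and fear or urgency language) can be turned into a triage check. The Python below is an added example, not Tessian’s code; its trusted-domain, freemail and URL-shortener lists are constructed placeholders that an organization would replace with its own directory and supplier list.

```python
import re
from email.utils import parseaddr

# Constructed reference data (assumption: an organization fills these from its
# own directory and supplier list; the domains here are placeholders).
INTERNAL_DOMAIN = "example-corp.com"
KNOWN_SENDER_DOMAINS = {"who.int", "acme-supplier.com", INTERNAL_DOMAIN}
FREEMAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com"}
URL_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
URGENCY_WORDS = ("urgent", "immediately", "confirm you are safe", "update your payment")
URL_RE = re.compile(r"https?://([^/\s?#]+)", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 is exactly 'change, remove, or add one letter'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Crude second-level label: 'acme-supplier' for acme-supplier.net."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def sender_domain(from_header):
    """Split a From header into (display name, address, lower-cased domain)."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    return display_name, address, domain


def red_flags(from_header, body, claims_internal=False):
    """Return the list of red-flag labels raised for one message.

    claims_internal=True means the message presents itself as coming from a
    colleague (the out-of-office boss case), so any off-domain sender is suspect.
    """
    flags = []
    display_name, address, domain = sender_domain(from_header)

    if not address.isascii():
        flags.append("irregular characters in sender address")
    if claims_internal and domain != INTERNAL_DOMAIN:
        flags.append("internal sender using external domain")
    if domain in FREEMAIL_DOMAINS:
        flags.append("freemail domain")
    if domain and domain not in KNOWN_SENDER_DOMAINS:
        for known in KNOWN_SENDER_DOMAINS:
            if edit_distance(domain, known) == 1:
                flags.append("lookalike of %s" % known)
            elif registrable_label(domain) == registrable_label(known):
                flags.append("unexpected TLD (expected %s)" % known)

    # A shortened link hides the real destination from the reader.
    for host in URL_RE.findall(body):
        if host.lower() in URL_SHORTENERS:
            flags.append("shortened link hides destination")
            break
    lowered = body.lower()
    if any(word in lowered for word in URGENCY_WORDS):
        flags.append("urgency or fear language")
    return flags
```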
Customer Stories, Human Layer Security
Cybersecurity Awareness Should Be People-Centric, Too
Friday, March 13th, 2020
The first speaker at Tessian Human Layer Security Summit on March 5 was Mark Lodgson, Head of Cyber Assurance and Oversight at Prudential. He started his presentation by citing three fundamental flaws in cybersecurity awareness training:
- It’s boring
- It’s often irrelevant
- It’s expensive
So, should we do away with it entirely? Not quite.

Cybersecurity training is a necessary evil

Cybersecurity professionals who implement training programs and employees who take part in these training programs can no doubt attest that the three flaws Mark mentioned are an unfortunate reality. But, what’s the solution? Training is, after all, a necessity. Without it, employees would rely entirely on often small and overworked IT and cybersecurity teams to prevent incidents and mitigate the consequences afterward. That’s not just a tall order; it’s completely unfeasible, especially when human error is the most prevalent cause of data breaches. That means every individual must be held accountable.

By educating employees about data privacy laws, password best practices, and how to spot phishing scams, cybersecurity becomes the collective responsibility of the organization, not just those who have a relevant title. With that said, Mark isn’t suggesting that organizations do away with cybersecurity awareness training. Instead, he’s saying that in order for it to be effective, it needs to be aligned to the individual business. To do that, you have to get to know the business, the people in it, and their attitudes towards security. And, according to Mark, the best indicator of future behavior is confidence.

The cybersecurity culture survey
Influenced by the work of Phillip Tetlock, Mark created a survey with predictive power. But, unlike your average survey that simply gauges knowledge, this survey gauges confidence. Importantly, the survey focused on five key competencies:
- Business focus
- Cyber risk assessment
- Policy and best practice
- Cybersecurity advocacy
- Personal practice

The thought process is simple: a survey respondent who answers a question incorrectly with 100% confidence is just as likely to make a mistake as a survey respondent who answers a question correctly with less than 100% confidence. Both responses signal the potential for equally risky behaviors. Beyond that, though, the responses – either correct or incorrect – represent an area that requires targeted training and intervention.

How can you apply this to your cybersecurity strategy?

While Mark shared the results of the survey he conducted (which you can see by watching the full presentation on our YouTube channel), his findings won’t help cybersecurity professionals fine-tune their own training. The key here is that awareness training needs to be customized. Without gauging not just the knowledge but the confidence of your employees, you’re essentially blind to the cybersecurity risks within your organization. And, of course, your efforts run the risk of being deemed “boring”, “irrelevant”, and “expensive” with no tangible upside. For more insights garnered from Tessian Human Layer Security Summit, click here. #HumanLayerSecuritySummit20
Human Layer Security
How to Create an Enduring and Flexible Cybersecurity Strategy
Wednesday, March 11th, 2020
At Tessian Human Layer Security Summit on March 5, four of Tessian’s customers engaged in an in-depth panel discussion about cybersecurity trends for 2020, the importance of creating a positive security culture in an organization, and the impact of human error. All of the panelists, including Timor Ahmad from Lloyd’s of London, Jamie Travis from Herbert Smith Freehills, Mark Parr from HFW, and Emily Fisher from Clifford Chance, offered incredible and diverse insights and, in pulling these insights together, we’ve created a mini-guide for other cybersecurity professionals. Here are five things to consider when creating and implementing a cybersecurity strategy, according to Tessian’s customers.
Cybersecurity strategies must constantly evolve

While cybersecurity strategies are long-term and take time to both implement and iterate, they must also be mutable. Why? Because in addition to the ever-evolving threat landscape, there are plenty of other internal and external factors to consider. For example, privacy laws, regulations, compliance standards, company size, board members, budgets, and individual employees all affect an organization’s security posture and should, therefore, influence strategies. Even a global health crisis like Coronavirus, which Mark Parr from HFW referenced, is something that impacts security strategies, especially with more and more organizations implementing remote working policies due to the outbreak. While, yes, it’s a minefield, organizations have to consider and reconsider these moving parts and, in doing so, constantly evaluate and re-evaluate their strategies and frameworks to keep data, networks, devices, and people secure.

Privacy laws and regulations are top-of-mind

With the two-year anniversary of GDPR just around the corner, other nations and even individual states in America are adopting their own data privacy laws. These, of course, are in addition to those already enforced by government agencies like the FCC and the ICO.
The growing number of regulations is especially pertinent for organizations that handle customer or client data. And, while the fines for a breach are hefty under these new compliance standards, organizations have a lot to gain by keeping internal and external data secure. Being transparent and secure about data protection bolsters credibility and trust.

Security can (and should) fuel overall business objectives

As data becomes more and more of an asset to protect, cybersecurity is becoming a less siloed department and more integrated into overall business functions. Again, this is especially the case for organizations that handle customer or client data. In fact, strong cybersecurity actually enables businesses and has become a unique selling point in and of itself.
For an industry that has historically struggled to communicate its value and the return on investment for strategies, this is huge.

Engaging with employees about security is tough, but not impossible

As the Human Element continues to be one of the biggest risk factors in data breaches, it’s absolutely essential that those in cybersecurity leadership positions make a pointed effort to engage with their employees to communicate risks and responsibilities.
Of course, anyone in a cybersecurity leadership position knows this is no easy task. According to our panelists, though, the key is to find new ways to tell the same story. Some use gamification and positive reinforcement while others rely on more interactive content like videos and podcasts. Whatever the method or medium, the most important thing is that risks and responsibility – which the entire organization bears the burden of – are translated so that everyone across departments and levels of seniority can understand.

Accountability is required company-wide

As we’ve said, cybersecurity is no longer siloed. That means that accountability is required company-wide in order to make policies, procedures, and tech solutions effective. But, according to our panelists, employees and even board members are becoming less passive in their roles as they relate to cybersecurity. This is a big relief for IT and security teams, especially when the threat of human error is one of the biggest challenges we’re up against.

Learn more

Keen to watch the full Human Layer Security Summit and see what our other guest speakers – including a hacker – had to say? Watch the video on our YouTube channel. You can also read key takeaways from the day here. #HumanLayerSecuritySummit20
Introducing Tessian’s Opportunity in Cybersecurity Report 2020
Wednesday, March 11th, 2020
Despite higher-than-average salaries, the opportunity to solve real-world problems, and unlimited growth potential, there’s a skills shortage in cybersecurity. In fact, the cybersecurity workforce needs to grow by 145% to meet the current global demand. That’s over four million unfilled jobs. But, there isn’t just a skills gap. There’s also a gender gap, with women making up less than a quarter of the workforce. The question is: Why? To find out, Tessian:
- Worked with the Centre for Economics and Business Research to analyze the economic impact if the number of women working in the industry equaled the number of men
- Surveyed hundreds of female cybersecurity professionals in the US and the UK with Opinion Matters
- Interviewed over a dozen practitioners from some of the world’s biggest and most innovative organizations – including Google, KPMG, and IBM – about their own experiences

To download the full report, click here.
An economic boost worth billions

Today, the cybersecurity industry contributes $107.7 billion in the US and £28.7 billion in the UK, and that’s in spite of four million job vacancies. So, what would happen if we minimized both the skills gap and the gender gap, and the number of women working in cybersecurity rose to equal that of men? Our research reveals that we’d see an economic boost of $30.4 billion in the US and of £12.6 billion in the UK, bringing the total contribution of the cybersecurity industry up to $150.8 billion and £45.7 billion in each respective country.

But, without a clear understanding of the challenges women currently working in the industry faced at the start of their career, organizations and governments will continue to struggle with recruitment. And the challenges aren’t necessarily what you’d expect…

Cybersecurity has an image problem

While it’s easy to cite the gender gap as a barrier to entry – especially with 66% of women in cybersecurity agreeing there is a gender bias problem in the industry – it actually isn’t one of the biggest challenges women currently working in the industry have faced.
Instead, women cite a lack of awareness or knowledge of the industry and a lack of clear career development paths as the biggest challenges, meaning a general demystification of the industry is required to encourage new entrants. What’s more, 51% of women believe more accurate perceptions of the industry in the media would encourage more women to explore cybersecurity roles. This came first, beating out a more gender-balanced workforce, equal pay, and cybersecurity-specific school curriculums. So, what is the industry actually like? Read the full report to find out the top 5 skills needed for a range of cybersecurity roles, including CISO, network engineer, data scientist, and risk & compliance. You can also read the profiles of each of our contributors, which prove there is no “stereotypical” cybersecurity professional.

The industry is future-proof

Demystifying the industry truly is essential, especially because the industry is one of the most important today, with over half of those surveyed saying that they joined for exactly that reason. But, it’s not just the opinion of cybersecurity professionals. In fact, the global cybersecurity market is booming, having grown 30x in the last 13 years. That’s because cybersecurity professionals are solving real-world problems and are making a positive impact doing so. After all, data has become valuable currency and ransomware attacks, phishing scams, and network breaches are costing businesses and governments billions every year.
Perhaps that’s why the vast majority of women surveyed feel so stable in their jobs, with 93% saying they feel secure or very secure working in this industry. Unfortunately, though, without encouraging more people to join the industry, professionals will struggle to keep pace with the ever-evolving threat landscape. The cybersecurity industry – like all other industries – requires diversity to thrive. And we don’t just mean gender diversity. The field is wide open for a range of educational and professional backgrounds, from psychology majors to business analysts and just about everything in between. Read the full report to learn more, including:
- How opinions of the industry differ based on age, company size, and region
- The economic impact the industry would have if the number of women working in cybersecurity equaled the number of men and the wage gap was eliminated
- The five most important developments in the cybersecurity industry today
- Resources – including cybersecurity groups, female empowerment groups, and industry-specific certifications – to help you make a start in the field

Challenge perceptions, make an impact. #TheFutureIsCyber
Opportunity in Cybersecurity: Q&A With Shamla Naidoo From IBM
By Maddie Rosenthal
Tuesday, March 10th, 2020
Shamla Naidoo – who has 37 years of industry experience in technology and security – is currently leading C-Suite strategy and integrating security with digital transformation at IBM, where she previously served as the Global Chief Information Officer. Having held Senior Officer roles at Starwood Hotels and Resorts, WellPoint, and Northern Trust, she’s a true veteran in the industry and has used her professional and personal experiences to help mentor and motivate teams and individuals across departments within all the organizations she’s served.  Earlier in her technology career, she earned degrees in Information Systems and Economics (her fail-safe!) and, afterwards, went on to receive her Juris Doctor degree.
Q. Describe your role as a CISO in 300 characters or less.

A CISO’s job is to protect an organization’s brand and reputation by managing cybersecurity threats. Protecting a corporation’s digital footprint supports business growth and enables the acceleration of innovation.

Q. How did you get started in cybersecurity?

This is my 38th year working in technology and initially, security wasn’t a separate function, role or organization; it was completely integrated. As a developer, my job was to write code that worked and that included working in a secure way. As a network engineer, I built networks, in a secure way. I never envisioned security would become a free-standing profession. But, after almost 20 years of integrating security into my technology roles, I realized Security was becoming important and that I was actually knowledgeable on the subject. Not because I had a security title at that stage, but simply because I had done it before.

Q. What does this integration of tech and security roles mean for the cybersecurity industry?

There’s now an entire ecosystem for security and because of that, you can participate without having technical skills or a hardcore technical background. You can now become a security expert without ever having written a line of code in your life; you can become a security expert without ever having built any kind of technology solution. It’s really expanded the opportunities for career paths in security.

Q. Do you think people are aware that technical skills aren’t necessarily required to succeed in cybersecurity?

There’s still a lot of mystery surrounding what exactly a profession in cybersecurity entails. The information isn’t that forthcoming. It’s not clear or simple to understand. This requires us to demystify the opportunities and talk about them not just in business terms, but in relatable terms. Perhaps we’re just missing the mark on how to market jobs in this industry…

Q. Do you think that the industry has an image problem?
To many people, cybersecurity equates to – and is limited to – someone in a hoodie bent over a keyboard in a dark room. That’s not the case at all. If we don’t expand beyond that, we’ll lose out on even more people in the industry.

Q. How did your role as a CISO enable you to champion the industry and the people in it?

I believe leaders take ordinary people and enable them to do extraordinary things. I have been able to do that; I’ve been able to mentor and coach people to be better versions of themselves, better professionals, better employees, more productive, more engaged, better community leaders… My goal is to help people connect hard work and aspiration. Sure, you could go out and read a book on cybersecurity, but if you don’t understand the vocabulary or the required outcomes, and you don’t understand what impact these types of roles can have, you miss the plot. If you can contextualize it, it becomes real quickly.

When I coach people, I ask them to pick a person who they aspire to be. I ask them to tell me their name. You learn best by observation! If you can pick a person and you can visualize the role you want, it’s more attainable. If it’s a role that you want to have rather than a person you want to be like, then find the role you want, seek out the person doing that role, and try to understand what led them to that position. What do they know? How did they prepare? What do they deliver? How are they recognized for it? That research will help you to create a roadmap of how to get there.

This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from KPMG, Nielsen, Funding Circle and more. #TheFutureIsCyber
Safely migrating millions of API requests
By Andy Smith
Tuesday, March 10th, 2020
In December we successfully flipped around half a billion monthly API requests from our Ruby on Rails application to some new Python 3 applications. Now that the dust has settled, and we’re comfortable that all has gone well, I wanted to write up the details of the project, give a bit of a history of Engineering at Tessian, and share some lessons learned in the hope that others may benefit from mistakes we’ve made.

In the beginning, there was Rails

Long before Tessian became what it is today, most of our code base for our backend infrastructure was written in Ruby on Rails. This was the right choice of technology at the time; it allowed us to produce a reliable product while iterating quickly. But as we grew it became apparent that being able to share production code with our data science team (who predominantly work in Python) would allow us to move much more quickly. That was when we decided to build out some core backend functionality using Python 3. This would allow our backend code to lean heavily on various open source tooling for data science and machine learning. That decision was made 3 years ago and today, in hindsight, it still looks like the right call. However, and you may be ahead of me already here, deciding to start using Python did not magically get rid of all the Ruby code we had already written. That was the situation one of our Engineering teams found themselves pondering in August last year.

Deciding to migrate

At Tessian our teams have themes to help define their place in the world. Themes are mini mission statements that ladder up to Tessian’s greater mission to secure the human layer. One team’s theme is “Tessian’s stellar security reputation aids growth”. Since the team’s inception, they had been focusing on building security features in our Python code, where a lot of backend development and data processing takes place. While debating the most important thing to work on next, we decided to dig into some data.
This showed that 500,000 API requests an hour were being handled by our Ruby on Rails application server. Looking at that number, coupled with the fact that we had grown the Engineering team 100% in the past year and hired 0 Ruby developers, it quickly became apparent that this part of our code base needed some attention. The following factors ultimately contributed to our decision:
- The proportion of Ruby experts in the company was depleting.
- Improvements to code linting and security frameworks were getting added to Python and not Ruby.
- Our Ruby app had not kept up with improvements we had made to monitoring and alerting.
- Ruby was the original code base and contained some of the oldest and least well understood code in the company.
- There were some tickets in our backlog around poor performance of some of the Ruby endpoints, meaning future development of them was likely.

So the decision was made: we would port the existing Ruby APIs to our Python code base, allowing them to make use of our latest frameworks and practices.

Path to migration

Given the high volume of traffic and the importance of the APIs, we wanted to ensure that we kept risk to a minimum when porting them. With this code came other challenges such as poorly defined interfaces and many different client versions. After a few whiteboard sessions, we settled on a phased approach that went as follows.

Phase 0 – Existing setup

The original setup – clients talking to our Ruby application.
Phase 1 – Transparent proxying

First we built a new Python application to transparently proxy traffic to our Ruby application. We slotted this into the API flow. Because it just proxied traffic, this was a relatively safe operation.
Phase 2 – Response generation and comparison

The next step (and we did this for each API that we migrated) was to implement the API and use live production data to compare “what we would have sent”, generated by the Python app (new_response), with “what we should have and did send” (old_response). By comparing the responses, we could catch errors in the implementation based on live production data and fix them. Note that this was not perfect; most of our APIs mutated state in a database in a way that was not idempotent. This meant that we never wanted both Ruby and Python to affect the database – it was either one or the other.
Phase 3 – Switchover

Once we had confidence that the response being returned was correct, it was time to stop using Ruby to affect the database and start using Python. Note that because we did not want conflicts between Ruby and Python both altering database state, as we switched over, we stopped calling Ruby. As mentioned above, the Python database writes had not been tested on production, so this step still carried some risk. So we did it in a staged approach, first routing 10% of traffic, then 50%, then 100%, focusing first on our internal dog food tenancy.
And that was it! Once we had done this for all APIs the amount of Ruby code in production was drastically reduced.

Retrospective

At Tessian we believe that we will build the best teams and product by being open about when things go wrong; we also believe in creating a blameless culture. We suffered one incident as a result of this migration. This had a very limited impact on customers. It caused a minor degradation to our web UI only – not our predictions. We were able to retroactively fix the symptoms, but this was something that we took seriously. The issue was that one of our new Python APIs did not update a database column that the Ruby APIs previously did. In hindsight we think that our comparison framework gave us a false sense of security in the code porting. Our key takeaway was that next time we will have to be more conscious of what it would catch (us breaking our APIs) and what it would not (incorrect database updates). If we were to do it again, we would do it mostly the same way, but with more thorough code review on these components. All in all we consider the project to be a success and believe that it will aid Tessian’s stellar security reputation thanks to the amazing hard work of all the engineers who worked on this project!
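The three phases above and the blind spot described in the retrospective, as an added Python example rather than Tessian’s own code: it assumes handlers shaped as handler(request, db), an in-memory dict standing in for the shared database, and deterministic per-tenant bucketing for the 10%/50%/100% rollout, and it adds a database-state diff that the page’s comparison framework did not have, which is what would have caught the missing column update.

```python
import copy
import hashlib
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set

# Assumed shapes (not Tessian's code): a request is a dict carrying a tenant_id,
# a handler takes (request, db) and returns a Response, and db is a plain dict
# standing in for the shared database that both implementations mutate.
Request = Dict[str, Any]
Db = Dict[str, Any]


@dataclass(frozen=True)
class Response:
    status: int
    body: Dict[str, Any]


Handler = Callable[[Request, Db], Response]


@dataclass
class MigrationRouter:
    ruby: Handler                     # original implementation (proxy target)
    python: Handler                   # ported implementation
    db: Db                            # the one live database
    compare: bool = False             # phase 2: shadow-compare each request
    python_share: int = 0             # phase 3: percentage of tenants on Python
    dogfood_tenants: Set[str] = field(default_factory=set)
    response_mismatches: List[Request] = field(default_factory=list)
    side_effect_mismatches: List[Request] = field(default_factory=list)

    def _python_serves(self, tenant_id: str) -> bool:
        """Deterministic per-tenant bucketing, so a tenant never flip-flops
        between implementations; the dogfood tenancy moves first."""
        if tenant_id in self.dogfood_tenants:
            return self.python_share > 0
        bucket = int(hashlib.sha256(tenant_id.encode()).hexdigest(), 16) % 100
        return bucket < self.python_share

    def handle(self, request: Request) -> Response:
        if self._python_serves(request["tenant_id"]):
            # Phase 3: Python owns the request and Ruby is not called, so only
            # one implementation ever writes to the database.
            return self.python(request, self.db)

        # Phases 0/1: transparently proxy to Ruby. Phase 2 adds a shadow run of
        # the port against a copy of the pre-request state, so live state is
        # still changed by exactly one implementation.
        scratch = copy.deepcopy(self.db) if self.compare else None
        old_response = self.ruby(request, self.db)
        if self.compare:
            new_response = self.python(request, scratch)
            if new_response != old_response:
                self.response_mismatches.append(request)
            # Added check the page's framework lacked: diffing the resulting
            # database state catches the retrospective's bug class (a column
            # the Ruby code updated and the Python port did not).
            if scratch != self.db:
                self.side_effect_mismatches.append(request)
        return old_response


def ruby_heartbeat(request: Request, db: Db) -> Response:
    """Constructed stand-in for an original endpoint: records status and last_seen."""
    db[request["tenant_id"]] = {"status": "active", "last_seen": request["ts"]}
    return Response(200, {"ok": True, "tenant": request["tenant_id"]})


def python_heartbeat(request: Request, db: Db) -> Response:
    """Port with the defect the retrospective describes: identical response,
    but the last_seen column is never written."""
    db[request["tenant_id"]] = {"status": "active"}
    return Response(200, {"ok": True, "tenant": request["tenant_id"]})


def run_phase2_comparison() -> Dict[str, int]:
    """Shadow-compare a few constructed requests; returns mismatch counts."""
    router = MigrationRouter(ruby_heartbeat, python_heartbeat, db={}, compare=True)
    for tenant in ("t-alpha", "t-beta", "t-gamma"):
        router.handle({"tenant_id": tenant, "ts": 1000})
    return {"responses": len(router.response_mismatches),
            "side_effects": len(router.side_effect_mismatches)}


def run_phase3_rollout(share: int, tenants: List[str]) -> Dict[str, str]:
    """Route each tenant at the given Python share; returns who served each."""
    router = MigrationRouter(ruby_heartbeat, python_heartbeat, db={},
                             python_share=share, dogfood_tenants={"t-dogfood"})
    served = {}
    for tenant in tenants:
        router.handle({"tenant_id": tenant, "ts": 1000})
        # Only the Ruby stand-in writes last_seen, which tells us who served it.
        served[tenant] = "ruby" if "last_seen" in router.db[tenant] else "python"
    return served


if __name__ == "__main__":
    print(run_phase2_comparison())  # {'responses': 0, 'side_effects': 3}
    print(run_phase3_rollout(100, ["t-dogfood", "t-alpha"]))
```

Against a real database the scratch copy would be a transaction that is rolled back rather than a dict copy; the point is that the response diff alone reports zero mismatches here while the state diff flags every request.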
Human Layer Security, Spear Phishing
Hacker’s Advice: 7 Tips for Avoiding Phishing Scams
Monday, March 9th, 2020
The final speaker at Tessian’s first Human Layer Security Summit was Glyn Wintle, the CTO and co-founder of Tradecraft (formerly DXW Cyber), a security consulting agency that uses social engineering tactics, technical work, open intelligence sources, and attacks on physical locations to breach clients’ systems. In other words, he’s an ethical hacker, although he prefers “friendly hacker”.  During his presentation, he explained how hackers combine psychology and technical know-how to create highly targeted and highly effective phishing attacks on people. Based on his insights, we’ve put together 7 tips to help you avoid social engineering schemes like phishing attacks.
1. Don't Underestimate Hackers or Overestimate Your Ability to Spot a Phish
Glyn started his presentation with one clear and concise statement: Breaking in is easier than defending. And he's right. Attacks like phishing emails rely on power in numbers, meaning that only one person has to follow a link, click an attachment, share personal information, or make a bank transfer for the hacker to be successful. Interestingly, though, employees tend to be incredibly confident in their ability to spot phishing emails; only 3% of people think it's difficult to spot a phish. The general consensus, especially amongst employees at organizations where security awareness training is required, is that "only idiots fall for scams". While that may be the case with the more blatantly obvious scams (for example, an email coming from a Nigerian Prince claiming they'd like to share their fortune with you if you share your bank account details), hackers have an arsenal of techniques to dupe even the most discerning eye. This is especially the case in spear phishing attacks, where hackers might spend days or even weeks researching their target to craft a perfectly believable email. With social platforms like LinkedIn, they can easily uncover not just a company's organizational structure, but more timely information about individuals, like when they're attending a conference. This is powerful ammunition for a spear phishing attack.
2. Look Out for Both Emotive and Enterprising Scams
People tend to be familiar with phishing and spear phishing attacks that rely on an emotional response (fear, urgency, stress), often triggered by an email that appears to be sent from a person in power. They work, really well. But enterprising scams are just as powerful.
Glyn cited an example in which a company made a public announcement that it had recently received VC funding. Based on the press release, a savvy hacker contacted the Venture Capital firm impersonating the company. The hacker was able to create a convincing email relationship with the Venture Capital firm, and this trust enabled the hacker to successfully get the VC to transfer the funds into their account. People sometimes mistakenly think the solution to this is to hide all information. But often there's a reason why information was and is made public. Making sure people know what information is public or not can help.
3. Relying on Hyper-Vigilance Isn't Enough
People, especially in work environments, tend to move and work quickly. Because of that, and despite training, they might not think twice about irregularities in email addresses, URLs, or landing pages in pursuit of being productive. What's more, expecting people to double-check everything will not work: they will not get any work done. Management must understand that people make mistakes; expecting them to be hyper-vigilant at all times cannot be the solution. There are technical measures that can be used to warn someone that something abnormal is happening. Showing users who do have the privileges to do harmful things what real targeted phishing emails look like can help. But you must also find ways to make their lives easier. Telling them "this is really hard" and then saying "best of luck" is not setting them up for success.
4. Don't Take the "Secret" Bait
If nothing else, hackers are inventive. Glyn cited one example where, instead of emailing a target pretending to be someone else, they'll simply CC individuals into a conversation that genuinely has nothing to do with them. The email message will allude to a secret or piece of sensitive information, potentially with a malicious link to the alleged source or a malicious attachment. It seems rudimentary, but it works.
More often than not, the target will follow the link or open the attachment, thinking they're gaining access to something highly confidential. In reality, they will have installed malware on their computer.
5. Beware of Urgent Requests and Reasonable Requests
While a lot of hackers will use urgency to incite action, that's not the only tactic they employ. In fact, a tried-and-tested technique according to Glyn is to request an action within two working days. "If you're impersonating a company and targeting employees, and you say something must be actioned within two working days, you will get much higher hit rates."
6. Take Extra Caution on Your Mobile
While mobile phones have no doubt made it easier for us to stay connected, they've also made it even easier for hackers to pull off successful phishing attacks, given the smaller screens and differences in functionality, especially after hours. "I love mobiles. But if you're targeting someone on mobile, the rules change. You probably want to do it on a Friday night, when alcohol might be involved, especially because the smaller web browser makes it hard to see who the sender is or tell what exactly the URL is." But it's not only smaller browsers that make mobiles risky. Smishing and vishing are also on the rise, meaning email isn't the only threat vector to be wary of.
7. Implement a Security Solution
While there are certainly steps individuals can take to prevent themselves from falling victim to a phishing scam, if organizations really want to protect their people, they have to implement security solutions.
#HumanLayerSecuritySummit20
Opportunity in Cybersecurity: Q&A With Hayley Bly From Nielsen
By Maddie Rosenthal
Monday, March 9th, 2020
Hayley Bly is a Cybersecurity Architect at Nielsen, where she’s worked since graduating from the University of Miami with a Bachelor’s Degree in Computer Science almost four years ago. Since starting her career, she’s championed the industry by going back to her alma mater for recruiting events to raise awareness about cybersecurity and has participated in events in collaboration with Women in Technology International (WITI). She’s also found time to further her education and is currently working towards her Master’s of Science in Cybersecurity.
Q. Describe your role as a Cybersecurity Architect in 300 characters or less
I build tools that our incident response team uses. This could be implementing a vendor tool or building something from scratch. We do both, and this includes designing how the tools are made, implemented and deployed throughout the larger company.
Q. Since your educational background seems so focused, have you always been motivated to pursue a career in cybersecurity?
My parents both worked in banking software so I've always been around it. They both really pushed me to explore a career in the field but – you know how it is – I fought it. I never wanted to pursue it just because they told me to do so; I wanted to decide my own path. That's why I actually applied to college as Pre-med. But, my senior year of high school, there were no other electives to pick so I chose the computer programming class and, of course, fell in love with it. Once I was accepted into the Pre-med program at the University of Miami, I threw them for a loop and asked if I could change my focus to Computer Science and never looked back.
Q. How did you transition from more general Computer Science to cybersecurity specifically?
I thought I was going to be a software developer up until I started at Nielsen straight out of college. Since then, I've really found my home in cybersecurity. The team I work with and my managers are absolutely incredible. They have had something to do with every single career decision I've made thus far, because the work others do really inspires me. Especially when I first started, their work opened my eyes to how much I didn't know and what really goes on behind the scenes in a company. When you're working in cybersecurity, you're not just writing code all day. You're actually dealing with real-world problems and it's up to you to prevent, detect, and respond to incidents by finding or creating solutions.
Q. What do you think would inspire more young women to enter into the field?
I think just bringing more awareness to the fact that you can really create your own success. I was let in the door without any real cybersecurity skills or experience and was given the opportunity to prove myself, and I have. It's a jump-in-and-figure-it-out-as-you-go type of field and people shouldn't be afraid to do that. Cybersecurity isn't about who you are or what degree you have. It's about what you can do, what problems you can solve, and how well you can work with other people to get the job done. You don't have to play politics because your work speaks for itself. I love that.
Q. Do you have any recommendations for resources or groups that might be a good first step for anyone interested?
Meetup.com is a great way to connect with local people who are interested in the same things you are and, speaking specifically about cybersecurity events, people can pique their interest and learn, but in no-pressure situations. And that's really important. I think sometimes when you're first starting out at something it's easy to feel self-conscious or nervous about really getting involved, and these events can give newcomers a chance to try something they haven't before without any fear of being wrong or feeling out of place.
This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber
Opportunity in Cybersecurity: Q&A With Hillary Benson From StackRox
By Maddie Rosenthal
Sunday, March 8th, 2020
Hillary Benson is the Director, Product at StackRox and has an incredible background in government and military intelligence. She holds two degrees, including a Bachelor’s Degree in Management Science with a focus in Finance from Massachusetts Institute of Technology and a Master’s Degree in Security Studies with a focus in Terrorism and Substate Violence from the Georgetown University Walsh School of Foreign Service. Additionally, she is a Master’s candidate in Computer Science at The Johns Hopkins University. But, her experience isn’t limited to her education. She started her cybersecurity career at the National Security Agency, where she spent almost six years as an intelligence analyst, technical collector, and product leader. She moved into the private sector as a red team operator and has shifted gears in the last three years to focus on building product at a leading container security company called StackRox.
Q. Describe your role as a Director, Product in 300 characters or less
My job is to distill business opportunity into a technical vision and development roadmap for our flagship security product, the StackRox Kubernetes Security Platform. We're building a product that enables security practitioners to rethink their approach to security by leveraging container technology.
Q. Your background – both educational and professional – seems very focused. Have you always aspired to have a career in this industry?
From a very young age I had an interest in technology, security, the military and intelligence. I can certainly tie all the threads from those interests to where I've ended up, but I wouldn't have been able to predict that my path would look the way it does. I generally attribute that to the fact that the most interesting opportunities are usually the most difficult to predict, and I am constantly searching for the next interesting problem to solve. My approach to life can lead me down very unexpected rabbit holes.
Q. What professional experiences have guided your career path the most?
Certainly NSA had a huge impact on my career direction. I landed there by luck, really, after shotgunning online job applications. I applied on the right day, they picked up my resume, and before I had even graduated I was in the clearance process. I joined as an Intelligence Analyst and participated in a program that allowed me to rotate through a number of offices within NSA to get experience in different disciplines. I gravitated toward technical analysis and collection. That track led me to Tailored Access Operations and stoked my interest in offensive security. The rest is history. Looking back on my career up to this point, many of the contributions I'm most proud of took place during my time with NSA. At certain times, I had an extreme sort of impact that you can't replicate in the commercial world.
From a business perspective, though, I've learned more in the last two years than I ever hoped for and am extremely proud of the product that my team has built at StackRox.
Q. Since you've sampled a lot of different disciplines within cybersecurity, do you think people tend to have a narrow view of the industry and the jobs available in it?
People hear "cybersecurity" and think of hackers in hoodies. That's a bit of a caricature, maybe with some legitimacy to it—and that was even part of my own experience—but that's not all there is. A lot of what you do as a security professional involves bridging gaps between security teams and the development and operations teams. So much of the job is convincing people that the security risks you find are worth fixing. You can't do that if you only have technical skills; you have to be able to talk to people and to influence them.
Q. Do you need certifications or a degree to get those skills?
Actually, of all the things to get into without formal education or training, there seem to be a lot of people who either cross-train from other fields or enter security without any formal education. Which is pretty awesome, I think. It's not uncommon to hear someone say something like "Oh, I studied psychology, then took a year off and painted, and now I'm a penetration tester". There are many people in security who gained the knowledge and landed a job without a formal degree. A lot of the folks I've worked with were independent and curious problem-solvers—I think not in small part because a lot of them fought their way into their role by proving their competence in the field. You don't necessarily have to take the traditional route and get a four-year degree. If that works for you, great. But if you're looking to switch careers or you're confident in your specific passion for the security industry, there are other ways to get the requisite technical skills.
The OSCP is a great training ground for aspiring penetration testers who want to nail down the basics. Joining a bug bounty platform like HackerOne or Bugcrowd is an excellent way to get hands-on experience with finding bugs in the real world. And almost nothing beats learning to code—what better way to understand how security issues materialize when building software than to try to build it for yourself?
This profile is a part of the larger Opportunity in Cybersecurity Report 2020. Click here to download the report and click here to read more profiles of women in cybersecurity, including professionals from IBM, Funding Circle, KPMG and more. #TheFutureIsCyber
Human Layer Security
Insights from Tessian Human Layer Security Summit | London 2020
Thursday, March 5th, 2020
On March 5, 2020, Tessian hosted the world's first Human Layer Security Summit, where we brought together speakers from Prudential, Lloyd's of London, Herbert Smith Freehills, Clifford Chance, HFW and Tradecraft to talk about security culture, the Human Element, and the evolving threat landscape. We had hundreds of people join us in person in London and from around the world via livestream. In case you missed it, you can watch a recording of the event here. While the focus of the Summit centered around Human Layer Security and why we need to protect people (not just networks and devices), the speakers and panelists offered a diverse range of insights into the challenges cybersecurity professionals are up against and, importantly, how they try to solve them.
It takes a village to secure an organization's data, devices, and networks
Accountability is required company-wide in order to make policies, procedures, and tech solutions effective. That's why those in cybersecurity leadership positions are laser-focused on finding new ways to engage with employees through gamification, interactive content, podcasts, and more.
According to Timor Ahmad from Lloyd's of London, Jamie Travis from Herbert Smith Freehills, Mark Parr from HFW, and Emily Fisher from Clifford Chance, employees are, fortunately, becoming less passive in their roles as they relate to cybersecurity. As the Human Element continues to be one of the biggest risk factors in data breaches, individuals have to do their part to supplement their cybersecurity stack. This is especially important because, by empowering your employees, you're taking the burden not only off them, but off your information security team. For smaller teams, this is vital. For more insights from the panel discussion, click here.
Cybersecurity frameworks and strategies can't be static
There's a lot that goes into creating an effective cybersecurity framework and strategy. They take months, even years, to create and implement. But they have to constantly evolve in tandem with both external and internal factors. Privacy laws, regulations, compliance standards, company size, board members, budgets, individual employees, even the Coronavirus: all of these affect and should, therefore, influence strategies. It's a minefield, but unless all these things are considered and constantly re-evaluated, organizations will put themselves at risk. It takes a cybersecurity strategy that's customized, and re-customized, to keep networks and devices secure and to empower and enable employees to make smart security-related decisions.
Breaking in is easier than defending
While spam, phishing scams, and more targeted attacks like spear phishing are relatively easy for attackers to pull off, spotting these nefarious emails is hard, even with training. Interestingly, though, according to Glyn Wintle, an ethical hacker and penetration tester, employees tend to be incredibly confident in their ability to spot phishing emails, with just 3% of people saying they have a low probability of falling for a phishing scam.
Unfortunately, confidence doesn't equate to actual ability, especially when hackers combine bulk email lists, technical acumen, and social engineering. By abusing trust, piquing curiosity, and/or creating a sense of urgency, hackers can get whatever it is they're after, from log-in credentials to a bank transfer, from at least one person out of the tens, hundreds, or thousands they've emailed. Interested in learning more about cybersecurity from a hacker's perspective? Click here.
There are some fundamental problems with cybersecurity awareness training
Mark Logdson sees three problems with cybersecurity awareness training: it's often irrelevant to the audience or user, it's generally quite boring, and it's expensive in terms of investment and lost productivity during the training itself. Mark said it best: "We knock out CBT (computer-based training) for 20 minutes, put a test at the end of it, and we expect 'Johnny' to be grateful for having spent that time in the training and to have been thoroughly entertained." You also hope he's learned something. This likely sounds familiar to both cybersecurity professionals who implement awareness training programs and the employees who take part in (or should we say endure) quarterly or annual training sessions. Of course, Mark isn't suggesting that organizations do away with cybersecurity awareness training; he's simply saying it needs to be more tailored to the risk areas in each individual organization in order to be most effective. You can read more about Mark's approach here.
Cybersecurity isn't just a support function, it's an enablement function
While cybersecurity has historically been a very siloed department within organizations, it's becoming not only more integrated into overall businesses, but also an enablement function. In short, board members and employees across departments see the value in information security. In fact, more and more, representatives from cybersecurity teams are being called on to promote a business's value proposition through its security. It makes sense, especially for organizations that handle large amounts of external data for clients or customers. In this case, security becomes a unique selling point in and of itself.
For an industry that has historically struggled to communicate its value and the return on investment for strategies, this is huge.  The insights offered at our first-ever Human Layer Security Summit were invaluable, not only for cybersecurity professionals, but also for employees and consumers. We’ll be announcing the next Human Layer Security Summit soon, so be sure to subscribe to our newsletter for the latest industry and company updates.   #HumanLayerSecuritySummit20
Human Layer Security
RSA Recap: The Human Element is More Than a Buzzword
By Erez Haimowicz
Wednesday, March 4th, 2020
Last week, Tessian was at RSA 2020 in San Francisco. While this was only my fourth month at Tessian, this was my ninth year at the annual cybersecurity conference, which I've previously attended on behalf of Mimecast, Proofpoint, and Cofense when I was part of their respective teams. Last year the agenda was very much focused on automation, machine learning (ML), and artificial intelligence (AI), but this year the theme was much more… human. More specifically, it was the Human Element.
What is The Human Element?
This theme, of course, resonates with all of us here at Tessian. After all, it's why we've created Human Layer Security. Humans and our propensity to break the rules, make mistakes, and get hacked are the foundation for everything we do at Tessian. We believe humans are an organization's biggest asset, so long as they are empowered to make smart security-related decisions. But how do you actually enable and empower people to make those smart security-related decisions? How do you actually protect the Human Element? While Tessian is clear and confident that stateful machine learning is the most effective way to protect the Human Layer, it seemed like a lot of other vendors relied on strong messaging alone to align with this year's RSA theme and didn't necessarily have the technology or functionality to back that messaging up.
The Human Element Applies to Both Inbound and Outbound Threats
If you look at cybersecurity historically, solutions have been focused on protecting networks, endpoints, and devices. You know, machines. But phishing isn't a machine or technology-related problem. It's a human problem. Sure, we can use spam filters or Secure Email Gateways (SEGs) to mitigate the risk, but it's inevitably people that are both behind the attacks and the last line of defense. What about awareness training and phishing simulations?
While this type of solution may have a positive effect in the short term, the immediate gains wane over time as people forget the training and revert back to old behaviors. Tessian even published a report examining this problem. Phishing is, and has been, a hot topic, and the inbound space is crowded with vendors that claim to protect organizations from this type of attack. But the Human Element isn't limited to inbound threats. It's just as, if not more, relevant to outbound threats. Misdirected emails, insider threats, accidental data loss… these are all human problems that not only rely on people being aware of security policies and best practice, but also rely on people doing the right thing 100% of the time. This is a tall order when they are in control of more sensitive data and systems than ever before. Unfortunately, to err is human. And that, in a nutshell, is the problem. Humans will make mistakes. Humans will break the rules. Humans will get tricked or hacked.
Visibility is Key
Fundamentally, CISOs and other IT decision-makers understand this, but they may not have always understood exactly how big a problem human error is. And, in my experience, visibility of the scope of the problem is the lifeblood of any cybersecurity strategy or framework. Vendors know this, which is why we see so much messaging focused on fear-mongering: messaging focused on the size and scale of the problem, with alarming stats that seem to only be trending upwards. We've been guilty of this in the past, too. But CISOs are tired. They want strong solutions, not strong messaging.
Strong Messaging Doesn't Solve Cybersecurity Challenges
It's safe to say, especially given this year's theme, that today the cybersecurity industry and the professionals within it have started to wise up to the problem of human error beyond phishing. In particular, they understand the challenges and consequences associated with accidental data loss and data exfiltration, and are beginning to have visibility of the scope of these problems, too. But they have very few solutions. While a lot of vendors shouted about the Human Element this year, their product offering hasn't changed since last year, when they were shouting about AI, ML, and automation. SEGs and other cybersecurity solutions don't suddenly empower employees to inspect and identify threats with 100% accuracy just because their messaging is now more people-focused than it has been historically. Actually solving problems related to the Human Element takes innovation and disruptive technology that challenge widely accepted, albeit ineffective, approaches that have previously been classed as best practice. A new tagline isn't enough.
The Future of People-Focused Cybersecurity Solutions
Cybersecurity is a broad, expansive industry that seeks to solve an incredible range of problems. There are firewalls, web applications, password managers, sandboxes, and simple spam filters, and new start-ups are cropping up nearly every single day claiming to solve one or more of these problems. Why? Because the industry is one of the most important today given the digital landscape, and is incredibly valuable because of that. In fact, the global cybersecurity market has grown 30x in the last 13 years and the industry received record venture capital investment in 2019. But growth is only good if we as an industry look at the problems we're solving holistically.
If we collectively recognize the Human Element is a challenge we’re up against, the next generation of cybersecurity solutions have to take a new approach to protecting human-digital interactions. Tessian is doing just that by creating Human Layer Security, a new category in the industry. We protect people on email from both inbound and outbound threats with stateful machine learning.  It’s not just messaging, it’s our genuine product offering.  Interested in how Tessian’s Human Layer Security platform can protect your data by protecting your Human Element? Book a demo now.
Human Layer Security
To protect people, we need a different type of machine learning
By Ed Bishop
Saturday, February 29th, 2020
Despite thousands of cybersecurity products, data breaches are at an all-time high. The reason? For decades, businesses have focused on securing the machine layer, layering defenses on top of their networks, devices, and finally cloud applications. But these measures haven't solved the biggest security problem: an organization's own people. Traditional machine learning methods that are used to detect threats at the machine layer aren't equipped to account for the complexities of human relationships and behaviors across businesses over time. There is no concept of "state", the additional variable that makes human-layer security problems so complex. This is why "stateful machine learning" models are critical to security stacks.
The people problem
The problem is that people make mistakes, break the rules, and are easily hacked. When faced with overwhelming workloads, constant distractions, and schedules that have us running from meeting to meeting, we rarely have cybersecurity top of mind. And the things we were taught in cybersecurity training go out the window in moments of stress. But one mistake could result in someone sharing sensitive data with the wrong person or falling victim to a phishing attack. Securing the human layer is particularly challenging because no two humans are the same. We all communicate differently, and with natural language, not static machine protocols. What's more, our relationships and behaviors change over time. We make new connections or take on projects. These complexities make solving human-layer security problems substantially more difficult than addressing those at the machine layer; we simply cannot codify human behavior with "if-this-then-that" logic.
The time factor
We can use machine learning to identify normal patterns and signals, allowing us to detect anomalies when they arise in real time. The technology has allowed businesses to detect attacks at the machine layer more quickly and accurately than ever before. One example of this is detecting when malware has been deployed by malicious actors to attack company networks and systems. By inputting a sequence of bytes from a computer program into a machine learning model, it is possible to predict whether there is enough commonality with previously seen malware attacks, while successfully ignoring any obfuscation techniques used by the attacker. Like many other threat detection problem areas at the machine layer, this application of machine learning is arguably "standard" because of the nature of malware: a malware program will always be malware. Human behavior, however, changes over time. So solving the threat of data breaches caused by human error requires stateful machine learning.
Consider the example of trying to detect and prevent data loss caused by an employee accidentally sending an email to the wrong person. That may seem like a harmless mistake, but misdirected emails were the leading cause of online data breaches reported to regulators in 2019. All it takes is a clumsy mistake, like adding the wrong person to an email chain, for data to be leaked. And it happens more often than you might think. In organizations with over 10,000 workers, employees collectively send around 130 emails a week to the wrong person. That’s over 7,000 data breaches a year. For example, an employee named Jane sends an email to her client Eva with the subject “Project Update.” To accurately predict whether this email is intended for Eva or is being sent by mistake, we need to understand — at that exact moment in time — the nature of Jane’s relationship with Eva. What do they typically discuss, and how do they normally communicate? We also need to understand Jane’s other email relationships to see if there is a more appropriate intended recipient for this email. We essentially need an understanding of all of Jane’s historical email relationships up until that moment. Now let’s say Jane and Eva were working on a project that concluded six months ago. Jane recently started working on another project with a different client, Evan. She’s just hit send on an email accidentally addressed to Eva, which will result in sharing confidential information with Eva instead of Evan. Six months ago, our stateful model might have predicted that a “Project Update” email to Eva looked normal. But now it would treat the email as anomalous and predict that the correct and intended recipient is Evan. Understanding “state,” or the exact moment in time, is absolutely critical.
Why stateful machine learning?
With a "standard" machine learning problem, you can input raw data directly into the model, like a sequence of bytes in the malware example, and it can generate its own features and make a prediction. As previously mentioned, this application of machine learning is invaluable in helping businesses quickly and accurately detect threats at the machine layer, like malicious programs or fraudulent activity. However, the most sophisticated and dangerous threats occur at the human layer, when people use digital interfaces like email. To predict whether an employee is about to leak sensitive data, or to determine whether they've received a message from a suspicious sender, we can't simply give that raw email data to the model. It wouldn't understand the state or context within the individual's email history.
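To make the "state" idea in the Jane/Eva/Evan example concrete, here is an added toy model (not Tessian's code or its actual model): each sender's outbound history is kept as state, a recipient's relationship strength is a recency-weighted count of past emails boosted by subject overlap, and the same email is judged differently depending on the point in time at which the state is evaluated. The 60-day half-life, the 3x anomaly ratio and the addresses are constructed assumptions for the illustration.

```python
"""Toy stateful recipient model for misdirected-email detection (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

HALF_LIFE_DAYS = 60.0  # assumption: a relationship's weight halves every 60 days


def _tokens(subject: str) -> set:
    """Crude subject tokenizer; real systems would use richer features."""
    return set(re.findall(r"[a-z0-9]+", subject.lower()))


@dataclass
class SentEmail:
    sent_at: datetime
    recipient: str
    subject: str


@dataclass
class SenderState:
    """Everything the model knows about one sender's outbound history."""
    history: list = field(default_factory=list)

    def record(self, email: SentEmail) -> None:
        self.history.append(email)

    def relationship_score(self, recipient: str, subject: str, now: datetime) -> float:
        """Recency-weighted number of past emails to `recipient`, boosted by subject overlap.

        Only emails sent at or before `now` count, so the score reflects the
        sender's state at that moment rather than everything ever seen."""
        want = _tokens(subject)
        score = 0.0
        for e in self.history:
            if e.recipient != recipient or e.sent_at > now:
                continue
            age_days = (now - e.sent_at).total_seconds() / 86400.0
            recency = 0.5 ** (age_days / HALF_LIFE_DAYS)
            overlap = len(want & _tokens(e.subject)) / max(1, len(want))
            score += recency * (1.0 + overlap)
        return score

    def assess(self, recipient: str, subject: str, now: datetime, ratio: float = 3.0):
        """Return (is_anomalous, suggested_recipient) for a draft email.

        The draft is flagged when some other contact is at least `ratio` times
        more strongly associated with this kind of email at time `now`."""
        candidates = {e.recipient for e in self.history if e.sent_at <= now}
        candidates.add(recipient)
        scores = {r: self.relationship_score(r, subject, now) for r in candidates}
        best = max(scores, key=scores.get)
        chosen = scores[recipient]
        if best != recipient and scores[best] >= ratio * max(chosen, 1e-9):
            return True, best
        return False, recipient


def jane_scenario() -> SenderState:
    """Constructed history: weekly 'Project Update' emails to Eva (Jan-Mar 2019),
    then, after the Eva project ended, weekly updates to Evan (Aug-Oct 2019)."""
    jane = SenderState()
    eva_start = datetime(2019, 1, 7)
    for week in range(12):
        jane.record(SentEmail(eva_start + timedelta(weeks=week),
                              "eva@client-a.example", "Project Update"))
    evan_start = datetime(2019, 8, 5)
    for week in range(10):
        jane.record(SentEmail(evan_start + timedelta(weeks=week),
                              "evan@client-b.example", "Project Update"))
    return jane


def check_then_and_now():
    """Same draft ('Project Update' to Eva) evaluated at two points in time."""
    jane = jane_scenario()
    during_eva_project = jane.assess("eva@client-a.example", "Project Update",
                                     datetime(2019, 3, 20))   # normal
    during_evan_project = jane.assess("eva@client-a.example", "Project Update",
                                      datetime(2019, 10, 20))  # flagged, suggest Evan
    never_seen = jane.assess("eve@client-a.example", "Project Update",
                             datetime(2019, 10, 20))          # unknown contact, flagged
    return during_eva_project, during_evan_project, never_seen


if __name__ == "__main__":
    for label, result in zip(("March", "October", "October/unknown"), check_then_and_now()):
        print(label, "->", result)
```

The October verdict depends entirely on what the model remembers about Jane at that moment; feeding the October email to a stateless model trained on the raw message alone would see nothing unusual about it.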
People are unpredictable and error prone, and training and policies won’t change that simple fact. As employees continue to control and share more sensitive company data, businesses need a more robust, people-centric approach to cybersecurity. They need advanced technologies that understand how individuals’ relationships and behaviors change over time in order to effectively detect and prevent threats caused by human error. *This article is part of a VentureBeat special issue. Read the full series here: AI and Security.