Rarely does a dull moment pass when you’re dealing with cyber security, mainly because it feels as though a new threat or data breach is just around the corner.
The messaging regarding cyber security and the threat of cyber-attacks has recently come in for some criticism, and while there certainly appears to be a growing fervour regarding the coverage of cyber security, the potential threat should not be dismissed as scaremongering.
The reality is that cyber-attacks happen constantly, and the vast majority are either never reported, not big enough to make the news, or simply go unnoticed by the victim.
The very real threat posed by cyber-attacks is highlighted in the latest Data Breach Digest (DBD) report from Verizon. The companion to the company’s annual Data Breach Investigations Report, the DBD contains different prevalent scenarios that occur at any given time.
The report looks at real world scenarios that have happened and looks at them from the investigative response point of view.
The DBD says: “Carrying forward from last year, we have come to realise that these data breach scenarios aren’t so much about threat actors, or even about the vulnerabilities they exploited, but are more about the situations in which the victim organisations and their IR stakeholders find themselves.”
CBR takes a look at the different scenarios so that you can learn from the experiences of others.
Down to the Wire
This situation is about fraudulent wire transfers – yes, these still happen, and they are more common than you think.
Typically threat actors use social engineering tactics in order to fool someone into processing a fraudulent wire transfer.
This particular victim, a CIO, was informed that the finance department was missing an international tax form for a wire transfer that had happened three weeks prior. That missing form prompted the finance director to request it from the accountant who had originally submitted the request.
Unfortunately the accountant could not recall the details of the transaction.
The company’s wire transfer process requires its accounting team to first email an invoice that contains various details about the bank account information, invoice amount, type of services and so on. That is then reviewed and, if approved, it is sent on to the wire transfers department that then reviews and processes it.
The RISK Team was deployed and found that the email domain used in the request differed from the corporate email domain by a single character.
What transpired was that a domain, which was very similar to the company’s, had been registered a few days before the wire transfer emails were sent.
Further investigations revealed that numerous external IP addresses had been successfully logging into the accountant’s email using email web access.
What can be learned from this?
- Require two-factor authentication for access to email from the internet.
- Prepend a marker (e.g., “[External]”) to the subject line denoting externally originated emails.
- Require secondary authorisation for wire transactions over a certain dollar amount.
- Require Virtual Private Network access for telecommuters accessing the corporate environment.
- Provide, at least annually, user security training.
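The lookalike-domain finding and the “[External]” subject marker above lend themselves to a simple mail-screening check. The following is an added example, not code from the Verizon report or from CBR: it assumes a placeholder corporate domain (`example-corp.com`), constructed sample headers, and goes slightly beyond the one-character case in the text by also normalising common glyph substitutions (such as “rn” for “m”) before comparing domains.

```python
"""Flag lookalike sender domains and tag externally originated mail."""
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"   # assumed corporate domain (placeholder)
EXTERNAL_TAG = "[External]"

# Constructed sample headers; not taken from the report.
SAMPLE_MESSAGES = [
    {"from": "Finance Director <fdirector@example-corp.com>",
     "subject": "Q3 vendor invoice"},
    {"from": "Finance Director <fdirector@exarnple-corp.com>",  # 'rn' mimics 'm'
     "subject": "URGENT: wire transfer for vendor invoice"},
    {"from": "Accounts <ap@example-corp.co>",                   # one character dropped
     "subject": "Updated bank details"},
    {"from": "Logistics <ops@partner-example.net>",
     "subject": "Shipping update"},
]

# Character sequences commonly used to imitate another glyph in a domain name
# (assumed list; extend to taste).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def sender_domain(from_header):
    """Return the lower-cased domain part of the address in a From: header."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def normalise(domain):
    """Collapse look-alike sequences so visually similar domains compare equal."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain, corporate=CORPORATE_DOMAIN):
    """'internal', 'lookalike' (within one edit or a glyph swap), or 'external'."""
    if domain == corporate:
        return "internal"
    if normalise(domain) == normalise(corporate) or levenshtein(domain, corporate) <= 1:
        return "lookalike"
    return "external"


def tag_subject(message, corporate=CORPORATE_DOMAIN):
    """Prepend the external marker unless the sender domain is the corporate one."""
    subject = message["subject"]
    if classify_sender(sender_domain(message["from"]), corporate) == "internal":
        return subject
    if subject.startswith(EXTERNAL_TAG):   # avoid double tagging on forwarded mail
        return subject
    return f"{EXTERNAL_TAG} {subject}"


def screen_messages(messages, corporate=CORPORATE_DOMAIN):
    """Return (verdict, tagged subject) for every message."""
    return [
        (classify_sender(sender_domain(m["from"]), corporate), tag_subject(m, corporate))
        for m in messages
    ]


if __name__ == "__main__":
    for verdict, subject in screen_messages(SAMPLE_MESSAGES):
        print(f"{verdict:9} {subject}")
```

A “lookalike” verdict is the one worth routing to a quarantine or a human review queue rather than merely tagging, since a registered-days-ago domain one character off the real one is exactly the pattern the investigation turned up.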
The response should follow these points:
- Maintain sufficient logging of access to email accounts from external sources.
- Collect volatile data, memory dumps, and forensic disk images prior to system shutdown.
- Encourage and recognise employees who report potential security issues.
- Engage bank fraud investigators for assistance, when applicable.
- Engage law enforcement for assistance, when applicable.
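The first response point, logging of external access to email accounts, only pays off if someone actually looks at the logs for the pattern the investigation found: one mailbox being reached over webmail from several outside addresses. The following is an added example, not from the report or from CBR; it assumes a made-up log line format, placeholder internal address ranges, and constructed sample entries in which the RFC 5737 documentation addresses stand in for public source IPs.

```python
"""Spot mailboxes reached over webmail from several external sources."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed corporate address space (placeholder ranges); anything else is external.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed webmail access log in a made-up format; RFC 5737 documentation
# addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) stand in for public IPs.
SAMPLE_LOG = """\
2017-02-01T08:12:03Z webmail user=accountant src=10.20.30.40 result=success
2017-02-01T22:47:19Z webmail user=accountant src=203.0.113.45 result=success
2017-02-02T03:05:51Z webmail user=accountant src=198.51.100.7 result=success
2017-02-02T03:06:10Z webmail user=accountant src=198.51.100.7 result=failure
2017-02-03T11:30:00Z webmail user=accountant src=192.0.2.88 result=success
2017-02-03T09:00:00Z webmail user=fdirector src=10.20.30.41 result=success
2017-02-03T09:05:00Z webmail user=fdirector src=203.0.113.9 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) webmail user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_external(src):
    """True when the source address lies outside the corporate ranges."""
    addr = ip_address(src)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def external_logins(log_text):
    """Map each user to {external_ip: timestamp of the first successful login seen}."""
    seen = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "success" or not is_external(rec["src"]):
            continue
        seen[rec["user"]].setdefault(rec["src"], rec["ts"])  # keep first sighting
    return dict(seen)


def flag_accounts(log_text, max_external_sources=1):
    """Users whose mailbox saw successful webmail logins from more distinct
    external addresses than the allowed maximum."""
    summary = external_logins(log_text)
    return sorted(u for u, ips in summary.items() if len(ips) > max_external_sources)


if __name__ == "__main__":
    for user, ips in external_logins(SAMPLE_LOG).items():
        print(user, "external sources:", ", ".join(f"{ip} (first {ts})" for ip, ts in ips.items()))
    print("flagged:", flag_accounts(SAMPLE_LOG))
```

The threshold is deliberately a parameter: a single external login may be a legitimate telecommuter, which is where the VPN requirement in the lessons list comes in, while three distinct outside addresses hitting one accountant's mailbox in two days is the kind of thing the investigators found after the fact and a defender would rather catch before the transfer clears.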