Feb 22, 2018 Ralph Perdomo
"The end-user is the most susceptible and exploitable part to any computer network."
This is the most valuable insight I gleaned from my recent interview with Andy Lester, Nvoicepay's Security Systems Engineer in Compliance. Andy talks about sophisticated social engineering hacks—where the users, you and I, are exploited to gain access to the computer network.
Andy is a retired Air Force non-commissioned officer with over 20 years of cybersecurity expertise. Although his primary responsibility is securing Nvoicepay's network—preventing social engineering attacks and other intrusions—his advice applies to anyone who deals with passwords and computers daily.
Andy, your job requires you to study and analyze network intrusion. What are some past attempts that you’ve detected and how?
I’ve seen a few. One that comes to mind was a CFO receiving an email that appeared to be directly from the company’s CEO. In this case, the email required a quick response—first red flag—and it came from a spoofed domain—a huge red flag.
In this example, the attacker registered a similar-looking domain name, swapping a few letters around so that it appeared to be the company’s name. Fortunately, that detail-oriented CFO recognized and reported it.
You mentioned the message requiring a quick response is a red flag. Why is this something we should be looking for?
A lot of attacks try to trick the user into bypassing their standard procedures, trying to get them to take shortcuts and hurry things along. This is what’s central to a social engineering attack—an attempt to rattle you or distract you into doing something you’d usually not do.
Any time you get an email or a phone call that's asking you to hurry some process along, you need to slow down and follow your process that much closer. This is usually the hallmark of a social engineering attack.
So a sense of urgency in the message should signal you into being extra diligent?
Yes. Or them telling you how to respond. As in ‘reply to me via email because I'm in a meeting,’ or ‘don't call me because I'm on the road.’ You should be thinking to yourself, ‘why is this so critical—why is it so important, all of a sudden, for me to follow these steps?’ These should all be red flags.
You touched on another red flag earlier—a huge red flag as you put it. Spoofing. What is spoofing and what does it look like?
Spoofing—or email spoofing, in this case—is the creation of an email address with forged information. This could be like our example, where letters were switched around in the domain to make it appear like a legitimate address at a glance, or something less crafty, such as opening an account with a free email provider—like ‘email@example.com’.
You can actually get a lot of information from the domain address.
Can you expand on that? What kind of information can you get from an email’s address?
For starters, who’s it from? Again, a company like Microsoft is not going to send it from a Yahoo! address.
Next, as you go down the email, look for the company's name in the signature block. Was it signed? Was it signed by the same domain or the same user? Look at all the links. Hover your mouse over a link and see what pops up. Does that link domain match the same domain as the sender? Is it from a foreign country? This is going to be another big red flag.
It sounds like we should be looking for consistency in email links along with the domain name and signature.
Yes. But also look at the consistency of the message—look for consistency in the words and characters.
For instance, if you receive an email and it's got an "O" in it with the umlauts—the German double dots over it—question that.
Keyboards in other countries are different and use different character sets. Sometimes, to get the English characters they don't use on a regular basis, they have to use what’s called alt-codes, or copy and paste them from other sources. When they do that, the font's different, the characters are different—it just doesn't look right.
I once saw an example of a reported phishing attack, where they spoofed a Dropbox email. It used about four different character sets. It still read Dropbox, but they were all different letters. It didn't match up.
So to sum it up, when you’re evaluating an email, look for consistent styling, consistency in link domains, be on the lookout for international email addresses, along with suspect email domains like Microsoft using a Yahoo! address. Is this right?
Yes. And that’s what it’s all about—identifying and spotting red flags.
Part of my role is to teach people in the organization how to identify these red flags. I want to emphasize that IT and security teams are here to help. There's nothing that's so pressing that I can’t take a couple of minutes to teach you these things.
In network security, it’s always best to build a good offense alongside a strong defense.
Let’s switch gears here. You talked about being on the offense by learning how to identify social engineering attacks and spot spoofed emails.
Let’s talk defensive strategies like passwords. What are some password best practices?
First and foremost, never give your password to anybody for any reason. Especially IT! As a systems administrator, I can gain access to your account by other means. I don't need your password.
So, if anyone ever asks you for your password...
That’s a red flag! No legitimate organization will ask for your password. If anybody asks for your password via email, phone, or any other way, it's a bad sign. End the conversation right there.
Also, never write your password down.
So I shouldn’t keep a sticky note on my monitor with my password?
I know you’re joking but I certainly hope no one would actually do this. Don't ever write down your password and put it on a mouse pad or sticky note. Here’s an excellent example of why you don’t leave your password lying around.
In the cases of Edward Snowden and Chelsea Manning, these were insider threats. They used other people's credentials to steal and do malicious things in their name.
So, even though you work with these people on a day-to-day basis, you don't want to trust them with your credentials. You don't know what they're doing in your name. If a coworker asks for your credentials always question them: "What's the reason behind this?"
Multiple passwords are difficult for most of us to remember. What are some tricks you can teach me to help better remember my passwords?
You want something that's easy to remember, but long enough to be secure.
Use a favorite song, or quote, or a verse from a book. You can take that phrase and make that your password. This type of password is called a passphrase.
Let’s take a movie quote: ‘May the force be with you.’
It could start with the number 5 for May—the fifth month of the year. You could alternate lower and upper case for ‘force.’ Abbreviate ‘with you’ as ‘wU’—again, mixing cases. An exclamation mark, substitute a letter with a number, things like that.
So my passwords should be based on some memorable phrase, replacing letters for numbers, mixing cases, and abbreviating it to make it easier to remember?
Yes and remember, don't reuse them.
There will be times where you do share a password, like the family’s Netflix account. Use a unique password for that account, so if it ever gets compromised, it's not a big deal. You can change and move on knowing it’s not the same password as your banking password or Gmail password.
Andy, thanks for taking the time to talk to us. In closing, would you like to share anything else you think is important?
Develop a relationship with your IT and your security team.
Most importantly, be skeptical. Be skeptical. Be skeptical. Be skeptical, especially when it feels like you’re being rushed or told to do something outside of your procedure. Always ask questions and never rush.
And never share your password.
Thank you, Andy.
Red flags and tips
Here's what you should be on the lookout for and how to protect yourself online.
|🚩||Does the email sender and domain make sense? Microsoft will never send out emails from a free email service such as Yahoo or Gmail.|
|🚩||Look at all the links. Hover your mouse over all links in an email. Links should point to the same domain as the sender address (Note: Marketing emails may include shortened URLs that don’t align with the sender’s domain).|
|🚩||Is there a sense of urgency? Social engineering exploits usually begin by instilling a sense of urgency in the message in order to get you off balance. Stop and pay extra attention.|
|🚩||Weird characters. Is the email composed of odd characters and a lot of different font formatting? International keyboards may not have the standard English characters on them. Attackers rely on copying and pasting letters from other messages—similar to a ransom letter.|
|☝||Make passwords from phrases. Passwords built from a phrase you already know are easy to remember and can be made long. Converting the phrase into shorthand with numbers, capitalization, and special characters makes it harder to guess while keeping it memorable.|
|☝||Unique passwords for everything. If a website ever gets compromised and hackers abscond with that password, you can be confident that they won’t have access to your bank or email password.|
|☝||Never share your password. Network and website administrators will never ask for your password—they have other ways to access your account.|
|☝||Never write down your password. Prying eyes can spot a bright yellow sticky note with a password from a mile away. It’s safest to make a password that you can remember easily.|
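As an added worked example (not part of the original interview and not Nvoicepay's own tooling), the script below runs the red-flag checks Andy describes over a constructed message: a sender domain one transposition away from the expected one, a display name that mixes Latin and Cyrillic letters, a link whose host does not match the sender, and urgency plus "reply by email, don't call" wording. The company domain, both sample messages, the homoglyph table and the keyword lists are assumptions chosen for illustration; the "registrable domain" helper simply takes the last two labels and is deliberately crude (no public-suffix list).

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domain the recipient's company actually uses.
COMPANY_DOMAIN = "nvoicepay.com"

# Constructed sample (not real traffic): "CEO" mail from a transposed-letter
# domain, a Cyrillic 'о' (U+043E) in the display name, urgency plus a
# prescribed reply channel, and a link that points off the sender's domain.
SAMPLE_EMAIL = """\
From: "Jane D\u043ee" <jane.doe@nvoicepya.com>
To: cfo@nvoicepay.com
Subject: Urgent wire needed today

Need this paid before noon. I'm in a meeting, reply by email only, don't call.
Invoice: http://secure-payments.example.net/inv/8831
Regards,
Jane Doe
Nvoicepay
"""

# Constructed benign counterpart: consistent domain, no pressure language.
CLEAN_EMAIL = """\
From: "Jane Doe" <jane.doe@nvoicepay.com>
To: cfo@nvoicepay.com
Subject: Q1 report

Please review the attached report when you have time.
https://intranet.nvoicepay.com/reports/q1
"""

URGENCY_WORDS = ("urgent", "immediately", "asap", "right away", "before noon", "today")
CHANNEL_WORDS = ("reply by email", "don't call", "do not call", "in a meeting")

# Look-alike substitutions an attacker might use, mapped back to the ASCII twin.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "\u0430": "a",
              "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def normalize(label: str) -> str:
    """Fold case, compatibility forms and common homoglyphs so look-alikes
    compare equal to what they imitate (applied to both sides before comparing)."""
    label = unicodedata.normalize("NFKC", label).lower()
    label = "".join(HOMOGLYPHS.get(ch, ch) for ch in label)
    return label.replace("rn", "m").replace("vv", "w")  # 'rn' ~ 'm', 'vv' ~ 'w'


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus one
    adjacent swap, so 'nvoicepya' is 1 away from 'nvoicepay', not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def scripts_in(text: str) -> set:
    """Unicode scripts used by the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels); no public-suffix list here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def analyze(raw: str, expected_domain: str) -> list:
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    expected_domain = expected_domain.lower()
    body = "".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")
    text = (msg.get("Subject", "") + " " + body).lower()
    flags = []

    # Sender domain: a near miss from the real one is the look-alike trick;
    # a message that names the company but comes from elsewhere is suspect too.
    if sender_domain != expected_domain:
        dist = osa_distance(normalize(sender_domain), normalize(expected_domain))
        if dist <= 2:
            flags.append(f"look-alike sender domain {sender_domain} ({dist} edit(s) from {expected_domain})")
        if expected_domain.split(".")[0] in text:
            flags.append(f"message invokes the company name but was sent from {sender_domain}")

    # Display name assembled from more than one alphabet (the 'Dropbox' case).
    scripts = scripts_in(display)
    if len(scripts) > 1:
        flags.append(f"display name mixes scripts {sorted(scripts)}")

    # Hover check, automated: link hosts that do not match the sender's domain.
    for url in re.findall(r"""https?://[^\s<>"')]+""", body):
        host = urlparse(url).hostname or ""
        if registrable(host) != registrable(sender_domain):
            flags.append(f"link host {host} does not match sender domain {sender_domain}")

    # Urgency and channel steering ('reply by email, don't call').
    hits = [w for w in URGENCY_WORDS + CHANNEL_WORDS if w in text]
    if hits:
        flags.append(f"pressure language: {', '.join(hits)}")
    return flags


if __name__ == "__main__":
    for line in analyze(SAMPLE_EMAIL, COMPANY_DOMAIN):
        print("RED FLAG:", line)
```

These checks are heuristics that catch the look-alike and mixed-script cases from the interview; a forged From header that uses the company's exact domain looks clean to them, and that case has to be caught by the mail server's authentication results (SPF, DKIM, DMARC) rather than by inspecting the text.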