Security Panel – The Cybersecurity Show – S1Ep9
ANDREW MCLEAN [00:00:31] Hello and welcome to the security panel. Today, we’re going to be talking about something that affects both businesses and consumers alike: the idea of phishing, phishing e-mails and phishing in general. No, I’ve been told before I came on that I wasn’t to tell any fish puns, because I believe it’ll be a big red herring. So just while the audience mulls it over, let’s rock on with our first fantastic guest. I am joined by the security analyst for Celerity, Josh Read. Welcome.
JOSH READ [00:01:01] Thanks for having me.
ANDREW MCLEAN [00:01:02] So, Josh, why don’t you tell me a bit about yourself and what you do at Celerity.
JOSH READ [00:01:06] Yes, so at Celerity I’m the security analyst, which involves the making and analysis of phishing threats, phishing simulations, as well as other email-based threats and company threats such as business email compromise and that area of security.
ANDREW MCLEAN [00:01:26] It’s really interesting. My father was hacked today in a phishing attack on his Facebook. I know what it means. You know what it means. But just for anyone out there that doesn’t know, can you tell me what exactly is phishing?
JOSH READ [00:01:40] Yes, so phishing is the act of sending an e-mail via an email communication channel such as Outlook, Gmail, could be any domain you want, with the aim of obtaining information or a service from someone that they potentially might not want to give if they knew the real situation. So the art of me sending you an email asking for your Netflix account password because your password has expired, that would be a phishing attack and a phishing email. It is basically me sending you an e-mail asking you for personally identifiable information or a certain request which may put you in a bad light or in a bad situation.
ANDREW MCLEAN [00:02:27] It’s very interesting. People talk a lot about data breaches and I read somewhere that 90 percent of all data breaches are due to phishing. Of course, this is things like the Podesta e-mail hack during the U.S. elections and various other e-mail hacks, and generally when you hear about e-mail hacking, they’re talking about phishing, aren’t they?
JOSH READ [00:02:48] Yes, mostly. Obviously, the main in for an attacker would be a phishing campaign. It’s how they get access to internal systems. It’s how they get access to company or even customer data, which ultimately will revolve with GDPR sanctions and issues along those sorts of lines. But the main in for people is phishing. I mean, it’s a potent threat which is present in all types of businesses, any size and whatever business undertakings they do.
ANDREW MCLEAN [00:03:27] And of course, you’re a cybersecurity expert. What are your thoughts on the role of phishing in cyber security?
JOSH READ [00:03:36] I think now more than ever, it’s important that phishing is focused on. It’s not just in the work life that an end user should be worried about phishing, it’s also in their personal life. It can follow you around and follow you abroad. It doesn’t stop when you leave work. You know, if you manage to give away your personal bank account details, you’re not only putting yourself at risk at work, but you’re also putting yourself at risk at home and on holiday and all sorts of areas that you may go. So it’s more, you know, how do businesses protect their users and make them aware of how potent phishing is and how dangerous it can be. A lot of the time, phishing is glossed over. It’s looked at and seen, you know, it’s just a malicious e-mail or something that could be malicious, but it’s not really top of our priority list. But in actual fact, it should be at the top of everyone’s priority list since GDPR law has come into play. The pressure on businesses to make sure that their company is compliant with data protection and other areas of cybersecurity, it’s just amplified the pressure on the businesses. And it needs to be, something like phishing needs to be met head on and it needs to be educated against. Otherwise, it’s like a weed. You know, the longer you leave it, the bigger it grows. If you keep on top of it, and you know it, weeds will always, always appear. But if you keep on top of it it will nullify the issue until it’s almost out of sight. But it’s a continuous development and continuous monitoring.
ANDREW MCLEAN [00:05:21] I mean, back in the day, we were talking MSN and Hotmail time, e-mail, fraudulent e-mails used to be fairly easy to spot: someone was gonna give you 100 billion dollars if you transferred fifty thousand pound into their account. And so on and so forth. And it’s obviously a lot more complicated now and it’s a lot more sophisticated. But what I get the impression with these is the phishing attacks tend to go through different trends. There are trends, a bit like ransomware was a big trend for a while, and viruses and things like that. Have you noticed any trends occurring recently?
JOSH READ [00:05:58] Yeah, so there’s been two main trends I’ve seen over the past three months or so. The first one would be SharePoint phishing e-mails. A lot of them, the typical attack type would be you receive an email saying Joe Bloggs has shared a file with you via SharePoint. So you click the email and there’s a link and then it doesn’t look malicious from the outset. A lot of the times the link isn’t actually malicious. That isn’t the malicious link that’s in the email. When you click that link, it will automatically redirect you to another link. And that second link is the phishing link. So as far as email filters go, they look at the email on its core metadata value and they say, well, this URL isn’t malicious, this is just an empty URL web page that basically redirected to another domain. But we can’t see that domain. So it is very hard for email filters to stop. Now, when you go into that and then you submit your data, your Microsoft credentials, to the SharePoint page, you are then giving up your Microsoft account, your work account. Subsequently, the distribution model of that email is frankly amazing in some way. I’m in awe of it. But the email then, when you’ve given up your Microsoft credentials, is then your email account is hacked and the email is then distributed by what looks to be you to all of your contact lists. So it preys on the “Oh, you know, Dave sent me an email, it must be important or urgent.” And obviously, the bigger the fish, so to speak, the better. If you can get the CEO and get him to compromise his account and then go in and say, you know what, I need five hundred thousand pound wired into this account if we need to finalize this deal. It is basically a reoccurring, and it is literally like a weed: once it gets its roots in, it can work its way through the organization very, very quickly.
ANDREW MCLEAN [00:08:05] I mean, it’s interesting. There are lots of different ways to compromise a network, compromise a company, compromise an individual. Why are phishing attacks, in particular, so popular?
JOSH READ [00:08:17] The main issue, though, the main thing, the reason why phishing attacks are used so widely is the cost and implementation of a phishing attack is free. There is nothing stopping you leaving where we are today, going home and setting up an email account called [email protected] or some variant of that and then sending a specially crafted email to one of your mates to basically supply them with your password. It might not be successful, but it’s still a phishing email and it’s still a threat. And you know, we talk about spending a while crafting an email and designing it for specific customers. But at the end of the day, if you’re sending 10,000 emails out to 10,000 different people and you only get five or six, that is still a win because you’ve spent zero pounds and you’ve spent very little time designing it, and you’re hitting the masses and you’re collecting back a few. That’s still a win from an attacker’s point of view and that’s why it’s so dangerous. It doesn’t matter how obvious the phish is, there will still be people who will fall for the phish. It’s natural human behaviour to be intrigued by phishing emails. So that’s why, you know, that’s the threat of them.
ANDREW MCLEAN [00:09:40] Do you think some people just out of curiosity click on that link anyway, even though they probably know it’s a phishing email?
JOSH READ [00:09:46] Yeah, so they almost want to see what’s on the other side. It’s like a Pandora’s box effect. Oh, I wonder what happens if I actually open this, and it’s, you know, curiosity killed the cat. It’s I want to see what happens. A lot of the time it’s very, very disappointing on the other side and all it is is a blank page with some, you know, a log in box and you’ve got to log in. But sometimes it is very, very interesting, and the methods and the tactics that are used by attackers differ in every single campaign. And you can almost imagine the person on the other side of the attack and what they are planning and what they’re trying to do. It is very, very interesting and it’s something that, you know, although it is bad clicking on links, it should be educated against. Expose them in a safe environment to the threats of phishing through phishing simulations.
ANDREW MCLEAN [00:10:44] I keep hearing stories of people who, let’s say you run a small business and they have received the phishing email. They’ve clicked on something, it’s told them to log in again. They’ve done it, someone’s compromised their email system. Emailed their account in straight away saying please have all payments now go to this account. And then suddenly they lose their money and then they also start emailing out clients and things like that. What I’ve never understood about that is, are these attacks just a wide net? Just let’s send out to as many people as possible. Or are they becoming a little bit more targeted?
JOSH READ [00:11:30] It’s dependent on what the attack is really. You will always be able to spot the wide open fishnet in the water and see what I can catch sort of attacks, and those generally follow a very generic Microsoft attack plan. Microsoft is an organization, I think 78 percent of phishing e-mails related back to Microsoft in an impersonation type of view. And the reason why that is, is I honest to God couldn’t tell you a single organization that doesn’t run a Microsoft product. It’s an easy go-to place for attackers to target. I know that your organization runs Microsoft. Therefore, if I send you a Microsoft e-mail, there’s a high chance that it will be congruent to you. It will be relevant to you and you’re more likely to click as a result. And where it really differs is when you see something that maybe isn’t very, so like you’ve got Google, Microsoft, Netflix, Amazon, PayPal, DocuSign, they’re all very generic, you know, they’re a stab in the dark, let’s see what I can catch. But when you get into nitty gritty details, when they’re targeting an actual organization, organizational sort of systems. So, you know, if you’re targeting the payment system and you’re saying, oh, yeah, we haven’t received payment, or sorry, your wage this month will be cancelled? It’s actually relevant to your organization’s payment. That is then spearphishing. So that is the line between phishing and spearphishing. Phishing is more the throw the net out, see what happens. Whereas spearphishing is more the harpoon gun shooting a specific fish because you know that you were able to get that one fish.
ANDREW MCLEAN [00:13:22] Do these, where do these? I’ve received emails before. We’ll talk about other methods of phishing in a minute. But I’ve received emails before and they’ve been very, very specific. They’ve included “your phone number has been compromised” to my email address. It gives you the last couple of digits of the phone. Where are people getting the information from for these very targeted ones?
JOSH READ [00:13:48] Well, the issue is, since GDPR has come into play, people have been made more aware of what data they’re submitting and where they’re submitting it, who is getting access to it. Now, it’s a ripple effect and it’s, you know, what has happened to my data prior to GDPR law? Where has it gone? You know, just from a simple Google search on some people, some of my close relatives, I’ve been able to find personally identifiable information very, very quickly. And it’s something I could build a potential email around. We were doing it on the train down today. I was merely looking up my colleagues on Google and seeing what information I could find to potentially build a targeted phishing email, to see if they would click or what data they would submit. And it was very, very easy and very, very quick, and the amount of data that is situated on the Internet about any one particular person is astounding. And it is probably one of the main reasons why GDPR was brought in, to put a belt on it all and control it and make sure that it’s regulated in some sort of orderly way.
ANDREW MCLEAN [00:14:58] Yeah, so, I mean, you could almost become an imposter. So my colleague over there who is pressing the buttons, Ben, if it was a targeted email and they’d got enough information, they could pretend to be Ben, email me and send things. Is that becoming more common?
JOSH READ [00:15:19] Yeah, so we’re talking about the distribution models of phishing emails now. So the commonly seen, especially in my line of work, I have seen a lot of emails that have a replication model where they manage to phish one of the accounts and, to make it look like it’s coming from them, they use their email account and then distribute that email to all their contacts. And a lot of the contacts in their address book will be internal staff or colleagues that they work for. If I was to receive an email from one of my colleagues, I would look at it and go, oh yeah, that’s, I know him, I’ve met him, I’ve talked to him five minutes ago. And that element of it makes it more dangerous. It’s the “oh, I’ve talked to him, I know him.” And it is a familiarity, it’s the, you know, I know this person. I know that they wouldn’t be doing anything malicious. But nine times out of ten, it won’t be them. It will be someone else, behind a computer screen.
ANDREW MCLEAN [00:16:18] Let’s stay on this topic of familiarity. We talk about familiarity in emails, we talk about receiving emails and clicking. But it’s not just emails, is it? There are other channels of phishing out there. Can you tell us a little bit about some of the channels that are out there?
JOSH READ [00:16:34] Yeah, so the upper umbrella of it all is called social engineering. And that is basically the definition of the art of engineering social situations and controlling people’s emotions and personalities in order to get what you want. That’s been around for decades. And the modern adaptation of social engineering in the 2000s, this decade, has been surrounded around phishing. But then also on top of that, you’ve got, so you have phishing, which is your email-based phishing. You’ve got spearphishing, which is a targeted attack, it’s a small number of people. You’ve also got smishing, which is SMS phishing. So texting, if I was to text you saying you haven’t paid your water bill, please text back. That is used a lot in two-factor authentication phishing as well. And then you’ve also got vishing, which is voice phishing. Quite commonly these are associated with those tech support calls that I know my grandma has received, unfortunately. And, you know, “we’re seeing a problem on your end with your Wi-Fi, please can you, you know, install TeamViewer and let me log into your laptop,” install malware. That’s basically what vishing is. But then there’s also other elements that I’m personally seeing and I’m naming myself. So currently what I’m seeing a lot of is social engineering phishing, social media phishing, which is, you know, we have these two tickets that haven’t been claimed. Please click the link and submit your data. And a lot of the time it’s your Facebook log in details. A lot of people then, the instructions in that web page will tell you to share the post. So it’s again the replication model. So you click share, your friends see it and say, oh, my friend shared this, I must share it again. And there’s been everything from holiday giveaways to car giveaways to weight loss diet plans that have all been sort of replicated in some sort of fashion across social media. And I’ve sort of named it soshing, because of the search engine, social media, phishing.
ANDREW MCLEAN [00:18:59] It is, you said the word criminal, cyber criminals, that’s what it is. I think people forget that there are criminals on the other side trying to exploit, either trying to get a company’s data or trying to blackmail a company or something like that. And as I said before about these old school, three or one, they used to be fairly obvious. They used to have poor grammar, poor English, everybody was my excellent friend. But it’s a lot more sophisticated now. How are cyber criminals now using, what kind of tactics are they using to get users to actually click on these links?
JOSH READ [00:19:39] Yeah, so it’s very well documented in literature and within industry. So the two main tactics used by criminals are the act of authority, so as human beings, we are socially compliant to comply with authority. You know, if your boss asked you to do something, you’ll say, yeah, sure, let’s do it. So by acting authority over the user and saying you need to do this because, you know, I’m your boss, you should do this. People are more compliant to, you know...
ANDREW MCLEAN [00:20:18] Milgram’s obedience to authority, people will respond to authority.
JOSH READ [00:20:22] Yes, obedience to authority, and then there’s also distraction, so hitting them with something hard right at the start saying, right, you will lose access to your account, and they lose all other senses. And they only focus on the one sentence which says I will lose access to my account and that is what they focus on. Everything else they ignore, they look at it and go, I don’t know what this is saying, and then their judgment is shrouded and they don’t understand the email and the context of it and they will not pay attention to the nitty gritty details like the email domain or the URL. And both those tactics are used. But then there’s also, you know, many other tactics that are documented.
ANDREW MCLEAN [00:21:04] Well, we’ll talk about some of the ways that we can avoid this, both the technological and human ways, but let’s just have one last question on the top level of this. If I get an email now and it is a phishing email and I’m unaware it’s a phishing email, how do I know? What telltale signs are there?
JOSH READ [00:21:26] So the main thing is the rule of five. So whenever I look at an email, I will look at the sender, see if it’s, you know, someone I know or if they’re pretending to be Google and it’s coming from a domain called Yaba.com. That will be the first telltale sign. Second telltale sign would be the recipients of the email: are the recipients blank, has everyone been blind carbon copied into it? That would be another sign. And then is it targeted towards me? Is it “Dear Josh” or “To Josh”, “Hi Josh”, is it me or is it just “Hi”? That would be another telltale sign. URLs, are the URLs different to what they say in the text? You know, in the text it might say https://google.com but then when you hover over it and you see the actual link, it’s saying, oh yeah, it’s not Google, it’s, you know, Yemeni yema doo-dah.com. And then the final one is the whole feel of the email. You look at the email, I personally can look at the email and within five seconds I’ll know whether it’s either a phishing attempt or there’s something wrong with my computer. And generally speaking, they are very poorly formatted, have grammatical errors and do not really have any logical or professional feel about them, which is the main inkling I will get and probably the first thing I’ll know when I look at an email.
ANDREW MCLEAN [00:22:56] OK, so that’s you. You know all about cyber security. You know how to keep yourself safe. But if I’m an organization, so I’m an organization, I could be small, medium, large. How can I protect my organization from phishing attacks?
JOSH READ [00:23:13] Yeah, so this is what I propose as a pyramid, as it were. So at the bottom, you have your education, whether that’s workshops, one on ones, conversations, posters out throughout the office. It is about raising the awareness of cyber security. It’s about instilling a culture throughout your organization so that they are aware of phishing threats. Then the next layer up from that is phishing simulations. It’s key to simulate and test whether people are actually learning anything from the education you are providing. You know, there’s no point in education if you’re not testing the education. And then the layer up from that is your physical infrastructure and your email filters, your antivirus and that sort of thing. That is the second to top layer and that will provide you with the very weak, because there are no technical measures that can stop phishing because of its ability to, you know, bypass filters with different methods. That would be the second layer. And then the top layer is the QRadar or log reviewer SIEM technology, IBM. And that will collect all of the logs and it will process them and almost give you a trail of where the email’s gone, who it’s sent from, and give you the best metadata you need to conduct investigations in the event of a phishing attack, which will also speed up data breach response and may also allow you to conduct an investigation and stop an attack just in time, by locking down accounts, by investigating links, blocking links on a proxy and that sort of thing. And it’s something which the Citadel package from Celerity offers, it’s something that we are very keen on offering.
ANDREW MCLEAN [00:25:16] But just for the benefit of the viewers, what exactly is Citadel?
JOSH READ [00:25:21] So Citadel is a package of various different technologies. So within that we have QRadar. We have managed encryption. We have phishing simulations. It’s a package which can be picked up, dropped into an organization and can be managed by Celerity. And it cuts all the hard work out of what is associated with cybersecurity and modern day technology.
ANDREW MCLEAN [00:25:47] When you say phishing simulation, you can actually run a scenario in your organization?
JOSH READ [00:25:53] Yes.
ANDREW MCLEAN [00:25:53] So it’s good for training for the human.
JOSH READ [00:25:56] Yes, so that again, as I said before, what is the point of education if you can’t test that education? So this is how we would test the education: we would design a crafted spearphishing email or a phishing email. I would then deploy it to your organization and then I would monitor who clicked the email, who submitted data, what data they did submit and whether they reported it. And those are the four key insights. And you can almost view them as four different layers of success or failure, whichever way you look at it. So if they open the email and report it, that’s the best result you could get. If they open the email and didn’t click the link, then yeah, they could report it, but it’s not the best. If they click the link, yeah, if there’s any auto-execute malware within that link it would have infected them as a potential threat. And then the worst one is, yeah, they click the link and they submitted company data, which is not what you want, and they’re the people you should be targeting with education. And it’s that sort of quantifiable look at phishing which allows people to better target their education and provide overall a better and more tailored education package.
ANDREW MCLEAN [00:27:14] And final question. I’m an organization, I’m a boss. My employees are the biggest threat. Is that fair to say? And if so, what advice would you give to the actual organization for the actual human beings?
JOSH READ [00:27:34] The best advice I can give is educate, educate, educate. There is nothing more powerful than education. If you instill education within the organization, you’re providing a cybersecurity culture within your organization. And it needs to come from the top down. It needs to come from upper management and they need to say, right, I’ve had enough of this, we need to do this. And by doing that, it filters through all the streams, all of the working teams, and they are informed from the top down that they need to focus on cybersecurity. It should be something which is instilled within every single organization. Cybersecurity is, if not probably the most important, one of the most important areas of a business in the modern day. And it is only going to get more and more important as more and more technology becomes available and is being used. It’s becoming ever more important that we find ways to protect and find ways to monitor, and those are ever more imperative, that we know we monitor. So it’s really, you know, the key is education is that catalyst, it’s getting people talking, it’s engaging them. And by simulating through a safe environment, you’re also allowing people to be exposed to phishing threats and be able to conduct their own analysis, because everyone’s analysis is different.
ANDREW MCLEAN [00:28:58] So in summary, focus on the technology and focus on the human beings that are in your organization.
JOSH READ [00:29:05] So human centred.
ANDREW MCLEAN [00:29:07] So Josh, sticking briefly with the topic of cybersecurity other than phishing, which we’ve covered. How does Citadel help organizations educate people around cybersecurity?
JOSH READ [00:29:21] Yes, so Celerity offer a Citadel package which involves education, both workshops on premise and also online. I know I personally take part in it; in order for our employees to be classed as Celerity employees, it was part of the initial onboarding phase we had to finish and complete this online course. And it did from the outset instill a cyber culture in your mind, and it allowed you to understand the importance of cybersecurity within the organization, which is really the key answer that needs to be done. I personally think that all organizations should be doing online, or at least online, education courses as part of the onboarding process. So they know as soon as they enter their organization that it’s game on and they know what to do when phishing emails appear in their inbox.
ANDREW MCLEAN [00:30:17] Perfect. Well, Josh Read, security analyst for Celerity, thank you very much for joining us.
JOSH READ [00:30:22] Thank you.
ANDREW MCLEAN [00:30:23] So you’ve been watching the security panel. We have set sail into the now charted waters of phishing. And remember, think before you click. I’ve been Andrew McLean. Thanks for watching.