Using Cyber Common Sense to Combat Threats to Privacy and Security
October 2010
Topics: Computer Security, Information Privacy, Information Security Risk Management
Our actions are often based on expectations. This is especially true for many of our electronic transactions. For instance, if you expect an email delivery notice from UPS, then a clever UPS impersonator might be able to tailor a message that fits your expectation of a valid delivery message. Even if the email doesn't fully conform to "normal" UPS notices, but includes the correct logo, you might not question it in the middle of a busy day. You might click or open an attachment without giving it much thought.
Extend that concept to the wider world. When you have a business or personal relationship or are a member of a society or group (such as Facebook), you're more likely to confuse an imposter with the real thing. Unfortunately, the expectation of trust among familiar individuals and groups can open the door to a range of cyber threats.
One of MITRE's key roles in today's connected world is to help our government partners combat these cyber threats, particularly the full-on attacks that comprise the Advanced Persistent Threat (APT). As you'll see below, not all threats to IT systems are part of the APT, but MITRE seeks to adopt what we have learned from dealing with the APT for all levels of cybersecurity.
Among other things, we've adopted a concept from the classified world: operational security. Successful operational security requires you to be aware of your surroundings, both the virtual and physical environments. This vigilance can help you maintain your privacy, identity, and safety, as well as your employer's sensitive customer and staff information. By following some fundamental principles of operational security, you can continue to trust your friends and acquaintances, while avoiding those who would do you or your workplace harm.
When Email Hangs out with Dubious Characters
When it comes to your computer, it helps to start with one of the easiest doorways into the system: email. So, here's a basic operational security question: do you know where your email address has been?
Do you leave it at conference registrations? Use your work email for personal business, such as shopping or social networking? Publish papers? Been on conference panels? Wherever your email address has been, you should assume that someone you don't want to have it probably does, or will.
The wide availability of your email address (or addresses) can lead to a variety of possible misuses, from the relatively harmless to the targeted cyber attack. The most common form of misuse, spam, is familiar to anyone who has ever logged into his or her email account.
"Spam mainly consists of unsolicited email messages that try to sell you something," says Ellen Powers, MITRE's information security awareness program manager. "It's typically generic and often not personalized although your name might appear in the subject line. Also, spam tends to come continuously, often several times a week."
In other words, spam is annoying, even distracting, but not typically a threat to your privacy or financial well-being. Unless, of course, you click to make that purchase, thus revealing your credit card information or other personal information. (The messages you receive after subscribing to a mailing list are not technically spam, by the way, since you voluntarily chose to receive them.)
Fortunately, most email systems come with junk or spam filters, a feature that security experts recommend you keep turned on at all times. MITRE, for instance, uses a corporate spam filter that blocks such messages aimed at employees. And we also encourage employees to use the junk mail filters in their email program.
Phishing Expeditions Increase the Threat
The next level up in cyber threats, called "phishing," is different. For one thing, it's not generally generic. Phishing includes messages that attempt to con you into revealing sensitive information, such as your credit card information.
"The messages usually come disguised as an alert or invitation from a trusted source, such as your bank or the IRS," Powers says. "They often want you to click on a link for a website that looks like the real thing or open an attachment for confirmation or verification."
The small-time "phisherman" may personalize the message in some manner (perhaps your name appears within the message itself). Unlike spam, phishing attempts come in discrete attacks, not in a continuous wave. The most common goal of these attacks is to trick you into providing access to your money or into giving up information that can be used for identity theft.
Also unlike spam, phishing does much more than just fill your inbox. Instead, these messages ask you to take action, such as opening an attachment, clicking on a link, or copying and pasting a link into your Web browser. Should you fall victim to the enticements in a phishing message, security weaknesses in your or your company's system will likely be exploited, such as an unpatched vulnerability in your Adobe Reader. This vulnerability then allows malware (malicious software) to be stealthily installed on your system, usually to begin collecting your sensitive information, such as banking credentials and other login information.
Not all phishing comes from "commonplace" cyber criminals, however. There is another, higher category of threat that uses this type of tactic: those associated with the Advanced Persistent Threat. The APT may come from organized crime groups, nation-states, or other entities or individuals who want to "reside" on a computer for a variety of reasons. APT attacks are often aimed at organizations usually (but not always) by way of targeting key individuals or groups within that organization, launched in an attempt to gain entry into the corporate network.
Hover, Don't Click!
What makes APT messages (and phishing ones, for that matter) so devious is that they appear to be legitimate messages, with embedded links that appear normal or with attachments with valid-sounding names. Sometimes attachments appear "real" after they've been opened, to further disguise that something "bad" has taken place.
The best defense, of course, is not to fall for any fake messages in the first place. But some phishing and APT messages are quite clever, using real-looking logos, personal information, and other devices to get you to click the link. The email may be "sent" by someone you know, such as a friend or colleague. (This is particularly common when an individual's Facebook or other social networking account has been hacked.) Or the APT might set up an account, such as on Yahoo! or Gmail, with the name of an actual employee or sponsor, thus lending even more credibility to the message at a glance.
Because operational security begins at home (and in the office), MITRE has developed a technique that uses the mnemonic EARNEST (see "The Importance of Using EARNEST," at left) to increase the self-questioning of email messages. We added this to our own cyber awareness program to help employees recognize cyber threats that they may not have previously identified.
Such awareness has given MITRE an edge in detecting a cyber attack. EARNEST succeeds through surprisingly simple steps. For instance, when a suspicious-looking email arrives asking you to click on a URL, question how the link is "exposed." You can hover your cursor over the link. The link may look like the name of your bank (for instance), but when you hover (don't click!), if the link leads to a completely different URL, that's one of the biggest indicators that the message may not be what it purports to be. In rare instances, there's a good reason for the alternate URL, but you may have to verify the information in another way, such as through a phone call, especially if the message passes the other EARNEST checks.
A couple of other tips: Always be cautious about opening attachments you don't expect or for which determining more information is necessary. And look out for emails that include nothing but a link or an attachment: no message, no explanation. Such email should be viewed skeptically from the start, especially if the other EARNEST checks give a strong indication that something's amiss. In most cases, the best thing to do is delete the email immediately. If you work for a company with a strong cybersecurity program, follow the proper procedure for attaching the original message so that the email headers are preserved, which will aid in forensic investigation. Then delete the message.
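As an added illustration of the hover check and the link-only-message tip above (example code written for this article, not MITRE's own tooling), the script below parses a constructed HTML message body, flags any link whose visible text names a different domain than its actual href, and flags a body that contains nothing but a link. The hostnames in the samples are invented placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples; every hostname below is an invented placeholder, not a real indicator.
SAMPLE_HTML = ('<p>Dear customer, please verify your account at '
               '<a href="http://login.example-bank.com.attacker.invalid/verify">'
               'www.example-bank.com</a>.</p>')
LINK_ONLY_HTML = ('<a href="http://files.attacker.invalid/invoice.zip">'
                  'http://files.attacker.invalid/invoice.zip</a>')
# Visible link text that itself looks like a web address (with or without a scheme).
URL_LIKE = re.compile(r"^\s*(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?\s*$", re.I)

class _LinkCollector(HTMLParser):
    """Collects [href, visible text] for each <a> plus the text outside anchors."""
    def __init__(self):
        super().__init__()
        self.links, self.other_text, self._current = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
            self.links.append(self._current)
    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
        else:
            self.other_text.append(data)

def registered_domain(value):
    """Last two host labels of a URL or bare 'www.host.tld' text (co.uk-style suffixes not handled)."""
    if "://" not in value:
        value = "http://" + value.strip()
    host = (urlparse(value).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def hover_check(html_body):
    """Warnings a reader doing the EARNEST hover check would see for this HTML email body."""
    collector = _LinkCollector()
    collector.feed(html_body)
    warnings = []
    for href, text in collector.links:
        # Only visible text that looks like an address can misstate where the link really goes.
        if URL_LIKE.match(text) and registered_domain(text) != registered_domain(href):
            warnings.append(f"'{text.strip()}' actually points to {registered_domain(href)}")
    if collector.links and not "".join(collector.other_text).strip():
        warnings.append("message contains nothing but a link")
    return warnings
```

A link whose visible text is ordinary words ("click here") is not flagged, because only address-like text can contradict the real target; the domain comparison is deliberately coarse so that a bank's own subdomains do not trigger it.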
Your Cybersecurity Posture Goes Everywhere
As Powers notes, good cybersecurity isn't the only way to protect your and your company's information. Real operational security relies on a heightened sense of alertness, not just automated systems or deleted emails. The human factor is what sets real cybersecurity awareness apart.
"True operational security really means being aware of the 'footprint' you leave wherever you go," Powers says. "For instance, if you conduct sensitive matters, either personal or professional, over cell phones, you should never assume privacy.
"In the work world, conference attendee lists are a big source of emails for hackers and other criminals," she adds. "So watch for suspicious emails after attending an event where you gave out that information. One event might be the source of phishing attempts even years into the future. And be wary of a stranger asking too many personal questions, especially someone who wants to find out who in your company does what. That person may be trying what's called 'social engineering': getting you to reveal sensitive information about your company and its work. This is true of cold calls too; phone phishing is still a successful method for penetrating cyber defenses."
She also recommends taking extra steps to secure your personal information. "If you have a wireless network router in your home, change all the default settings and be sure to set it to use encryption. You'd be surprised how many people don't take that simple step, so everything they do on the Internet can become visible to a determined criminal."
Powers advises that everyone in today's interconnected and increasingly wireless world maintain a sense of "active uncertainty": Allow technology (such as firewalls and virus protection) to help where it can, and use common sense at all times. What you wouldn't do in the physical world, you shouldn't in the cyber world either.
"We don't want to paralyze people into inaction," she says. "We want people to have enough savvy to keep them secure. But we know that the individuals and organizations behind the APT are very clever. As technology and defenses change, malicious tactics change. As we continue to be aware of changing threats and act accordingly, we can avoid a lot of very damaging situations, to ourselves, our companies, our communities, and even our country."
by Alison Stern-Dunyak