Tuesday, June 28, 2016

We're Going About It All Wrong

   Phishing, scam, spam and malicious emails are an ongoing problem.  A recent study found that rates of these malicious emails are worst in months that have an "a", "u" or "r" in the name, with highest delivery volumes on days ending in a "y".

   Seriously though, while the worldwide spam volume seems to be trending down since a peak over 70% in 2014, rates were trending up in the first quarter of 2016 and the percentage of email that is spam or malicious is well over 50%.

   Email, along with malicious files on websites (whose links are usually delivered through email!), continues to be the top malware vector.

   In fact, attackers don't even need to use their best, or most complex, attack methods.  It's far more cost-effective to send out random or targeted email, or to place random malicious files on websites and email out the links.  Remember, most cybercrime is economically motivated.  It's a business and the goal is ROI (return on investment).  And business is good.

   It's a big problem because we are fundamentally trusting beings.  I've always believed that people want to do the right thing.  When it comes to people, we should assume positive intent.

   However, email is not a person.

   Most email isn't even sent from people, it comes from bots - some are automated mailings you subscribe to, most are not.  "Bots" is short for robots, referring to programs that perform online actions including sending email.

   TNO - Trust No One - is a security philosophy used on some networks.  In a TNO network, the security professional builds controls assuming that any system is, or may be, owned (that means infected by a virus or otherwise controlled by an attacker).  There is no trust given, nor access to any data or other resources, until positive identification can be established.  While this may seem to make sense, it can be quite costly and disruptive.

   When we receive and read an email, we assume it's from a person and we assume positive intent.  But as mentioned above, plenty of emails are not from a person.  And we know that even if it is from a person, it might not be from whom you think it is.

   When we open an email that looks legit, from a known source, with a clean link or attachment, we click.

   But how about if we use a TNO approach with email?

   Here's how it works... when you get an email, assume it's spam or phishing.  Assume that if you click on a link or open an attachment you could get your systems infected with malware, be the victim of a ransomware attack, or cause a data breach.  Assume that if it says it's from the CEO, that it's not.
   Now read the email.  Look at the From: address.  Look at the use of language.  Look at the signature block.  Be skeptical.  Trust no one.
   Make the email prove to you that it's legit.  Then, if you must... click.

   This may sound like it will take too much time.  But, if you just practice being skeptical, you'll find you simply view your email through a different lens.  Rather than assuming the email is good and looking for signs of badness... assume the email is bad and look for signs of goodness!  That really works because good stuff is countable - people tend to write in a repeatable style, and project-related emails are expected.  There is a saying in security... you can't enumerate badness.  That means that there is more bad stuff out there than you can count.  So if we start by assuming the email is malicious and make it prove otherwise, we can more naturally protect ourselves.
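   As an added illustration of the "assume it's bad, look for signs of goodness" rule (this is example code, not part of the original post), here is a small default-deny triage check: a message is trusted only if it passes every positive check, and anything unknown stays untrusted.  The allowlist of known senders and the sample messages are constructed for the example.

```python
"""Default-deny email triage: assume malicious, then look for signs of goodness."""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist of known senders (hypothetical addresses and names).
# This is the "countable goodness": a short list we can actually maintain.
KNOWN_SENDERS = {
    "alice@example.com": "Alice Example",
    "ceo@example.com": "Pat Example",
}

# Every one of these must be present before a message earns "trusted".
REQUIRED = {"known-sender", "name-matches", "reply-to-consistent"}


def signs_of_goodness(raw_message: str) -> list[str]:
    """Return the positive checks the message passed; absence of a check is untrusted."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    passed = []
    if address in KNOWN_SENDERS:
        passed.append("known-sender")
        # The name a reader sees must match the record for that address,
        # otherwise a familiar name is sitting on an unfamiliar mailbox.
        if display_name.strip() == KNOWN_SENDERS[address]:
            passed.append("name-matches")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # A Reply-To that differs from the sender redirects replies elsewhere.
    if not reply_to or reply_to.lower() == address:
        passed.append("reply-to-consistent")
    return passed


def verdict(raw_message: str) -> str:
    """TNO rule: the message must prove itself; by default it is 'untrusted'."""
    return "trusted" if REQUIRED <= set(signs_of_goodness(raw_message)) else "untrusted"


# Constructed sample messages (not real mail).
LEGIT = "From: Alice Example <alice@example.com>\nSubject: Q3 project notes\n\nNotes attached.\n"
SPOOFED_NAME = "From: Pat Example <pat.example@mail-example.net>\nSubject: Urgent\n\nNeed this today.\n"
BAD_REPLY_TO = "From: Pat Example <ceo@example.com>\nReply-To: desk@example.org\nSubject: Favor\n\nAt your desk?\n"

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("spoofed-name", SPOOFED_NAME), ("bad-reply-to", BAD_REPLY_TO)]:
        print(label, verdict(raw), signs_of_goodness(raw))
```

   Note that the spoofed-name message still passes one check (no Reply-To), which is exactly why the rule requires all signs of goodness rather than the absence of a known bad sign.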

   Give it a try!  Remember... people = good; email = bad.  Have a nice day! :-)
