Time to protect – BEC Series #3

A few weeks ago, we published the Business Email Compromise (BEC) Checklist. The question arose – what if you’re new to security, or your security program isn’t very mature?

Since the checklist is based on the NIST model, there’s a lot of information here to help your security program mature, as well as to help you mature as a security practitioner. MSI’s engineers have discussed a few ways to leverage the checklist as a growth mechanism.

Part 1 and Part 2 covered the first checkpoint in the list – Discover.

Next, we’re going to tackle the second point on the list – Protect. First up:

  • Implement Multi-Factor Authentication (MFA) wherever possible, but especially for remote access to webmail, VPN and other critically sensitive services. Proper MFA is the most significant preventative control against BEC.

Let’s call this out again – Proper MFA is the most significant preventative control against BEC.

So, what is MFA? Multi-Factor Authentication commonly consists of two or more of three components:

  • Something you know. This may be a password, PIN, etc.
  • Something you have. This may be a SMS message, a hardware or software token, a USB drive, a physical key, etc.
  • Something you are. This may be a fingerprint scanner, retinal scanner, facial recognition, vocal verification, etc.

This combination of items helps prevent compromised passwords and accounts.

There’s been a fair amount of discussion about SMS tokens as one of the MFA options that are leveraged. NIST has deprecated SMS as an option, but hasn’t said it’s completely unusable. In my opinion, it can be better than nothing – if you’ve had an incident, and can deploy MFA with SMS quickly, then move on to stronger mechanisms…it’s at least a step in the right direction. To borrow from Maya Angelou – Do the best you can until you know better. Then when you know better, do better.

The next point involves protecting your externally facing assets:

  • Consider restricting access to Internet-facing webmail services to specific IP ranges, or requiring remote users to be logged into a VPN to gain access to the service.

If your webmail instance is externally facing, how can you protect it? Does it need to be available to all users, or can you implement an ACL? Can you leverage a VPN?

Now let’s look at process and procedure – how can you leverage those to prevent BEC?

  • Implement heavy scrutinization for any process that moves money, or that would suffer from email exposures, and routinely audit it against best-practices.

What is valuable to your business, and in the event of a compromise, what would an attacker’s preferred acquisitions be? Do you move money – financial institutions? Do you move private data – healthcare? Do you have intellectual property to protect? Audit, audit, audit. Don’t allow a single point of failure to leave you vulnerable in this space.

How can you help your people help you? BEC begins at the user level – protection and education are important as well.

  • Implement keyword filtering/highlighting for common fraud terms in email bodies and add a subject tag such as [EXTERNAL] to all emails originating outside the domain.
  • Implement appropriate email filtering, anti-malware and phishing detection controls. Routinely conduct phishing exercises with various content and forms of trickery to better maintain user awareness and tune your prevention and detection systems in an ongoing manner.
  • Provide ongoing user training about the risks of email compromise and how to report suspicious account and email activity. Have them pay special attention to requests for secrecy and/or urgency in transactions.

If any of you have heard me speak about incident response exercises, I’m a huge proponent of the carrot vs. the stick in this space. Don’t call out the person who makes a mistake – call out the people who did something right! Create a culture where everyone is comfortable saying something…over and over, we’ve witnessed our clients preventing a BEC simply by the right person saying – this doesn’t look right.

If you need to call someone out for training, or retraining, due to their susceptibility, please do – I’d never advocate skipping this. But do it privately, and don’t attempt to make them feel weak or wrong for making a mistake with a phishing exercise. Shame doesn’t teach people very well.

Again, we’ve covered a lot here – so we’ll pause before taking up the next item in the series.

Questions? Comments? I’d love to hear from you – lwallace@microsolved.com, or @TheTokenFemale on Twitter!

If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.

This entry was posted in 80/20 Rule for Information Security, Awareness, Emerging Threats, General InfoSec, Phishing, Threat-Centric by Lisa Wallace. Bookmark the permalink.

About Lisa Wallace

Lisa Wallace joined MSI in 2015 as a security focal and project manager, and became Technical Director in 2017. She is involved in internal and external penetration testing application assessments digital forensics threat intelligence incident response eDiscovery efforts She is responsible for scoping our efforts across all workstreams, as well as project and staff coordination and management. She has worked in a variety of fields, including utilities, financial services, telecommunications, and consulting in a number of ancillary industries.