Cyber Month: Thursday Thoughts with Thijs: phishing & ransomware

Cyber Month is coming to an end, hasn't it absolutely flown by! During this 10th anniversary of cyber month, a plethora of activities have taken place across Europe including conferences, trainings, workshops, webinars, and presentations to promote digital security and cyber hygiene.

The observant reader may now be thinking but 'what about the two central themes that the European Union Agency for Cybersecurity (ENISA) had chosen? Thijs still hasn't actually mentioned them?!'. Until now.

Of course, we're going to explore phishing and ransomware! The fact that these topics are now recurring themes for the month isn't really a surprise as they're both increasingly common, and we're certainly hearing more about them in the news and their consequences. Whilst phishing and ransomware might seem like two different ideas, they're actually linked to each other more than you realise. For instance, a phishing campaign - where someone is hoping you'll take the bait in exchange for your personal data - might trick an employee in an organisation into opening a file and unknowingly opening a door for a hacker, who could then make their next move by blocking certain files and only granting access back to the organisation in return for a large sum of money, AKA a ransom. That said, it doesn't necessarily mean that when phishing is involved, a ransomware attack will also happen - the two aren't mutually exclusive.

Phishing is everywhere, with new campaign styles and themes developing all the time - think about when most of the world was in lockdown and phishers decided to benefit from that. Anyway, I thought it might be worthwhile to give you some pointers on how to recognise most phishing campaigns. If you fancy talking it through in a bit more detail, feel free to give me a call .

Something quick and easy that you can do at first glance: check language use and spelling - is the company name correct? Has the sender attempted to disguise similar looking letters to deceive you (such as nn' for m' or capital Is in place of lower-case Ls?). Regarding language use bear in mind that phishing attempts aren't always constructed logically, with sentence structure occasionally being a bit off. This might imply that the sender has used an online translation for a website which was of limited quality.

Yet another aspect to consider is the URL the criminal wants you to click on. More times than not, the sender's domain won't match the link in the e-mail - so keep a close eye on this!

Consistently within phishing attempts is a sense of urgency; a request that must be actioned within a certain timeframe or face a consequence such as a fine, bad rating, etc. Simply ignore such requests and report the e-mail (as per your organisation's policy) to the responsible team who can then determine whether it is indeed a phishing e-mail and what you need to do, if anything.

Maybe you've already clicked on something in a lapse of concentration that you now think could have adverse consequences? Maybe? Don't be afraid to inform the responsible team, immediately! The sooner the team is informed, the sooner they can take (technical) measures and will be eternally grateful to you and learn from this for the future.

Possibly, this phishing incident could have turned into ransomware. If so, speed (and time!) is of the essence. The faster systems can be (controlled) shut down, the less recovery work will be required.

Besides quick reporting, what else can you do to prevent these kinds of incidents? Well, it may seem obvious, but often employees still use unfamiliar USB devices because it's just a bit more convenient' - FYI, it's not. How do you know that someone hasn't tampered with your USB when you weren't looking? You could plug that into your machine and it be taken over by ransomware or malware that begins ravaging your network. Instead of using USBs for sending or receiving files, use file exchange software provided by your organisation. If your organisation hasn't made these tools available yet, ask for them!

Criminals also simply exploit (known) vulnerabilities in applications, operating systems, and the like. Make sure you keep on top of your updates for these applications, therefore reducing the chance of an attack by criminals. Easy, right?

As a side note, you may remember that I pointed out in a previous blog post that, as an ICT/security team, you cannot entirely rely on colleagues who may or may not (accidentally) click on a link or open a file - you need to deal more in absolutes.

It's important to know and be able to recognise the different types of incidents, events, or scenarios, before they even happen. So go through all the different types, list the corresponding technical measures needed to resolve them, and use this for the basis of your incident response plan.

Think about a good backup and restore strategy (also tested and approved, of course), and make this part of the incident plan too. It's absolutely, and I can't stress this enough, imperative that you go through your incident response plan at least once, so you know whether it works. Let's be honest, we all like surprises from time to time, but not in cyber. Then you avoid surprises as much as possible.

Finally, some thoughts that I'd like to leave you with about preventing incidents:

No single organisation is the oracle. Procedures and measures are often ignored in large-scale cybersecurity incidents because of the stress they cause - don't be reluctant to seek external expertise (as the old saying goes, a problem shared is a problem halved). Make this part of the incident plan as well.

Be as clear, straightforward, and transparent as possible in communicating to your stak

LINK:	https://www.resillion.com/cyber-month-thursday-thoughts-with-thijs/...
	See more stories from eurofins

More from Eurofins