CYBER SECURITY
REGULAR EXTENDED MANAGEMENT TRAINING
Presented to Board Members and Members of the Senior Management of the MONETA Concern Companies in March 2021
Classification: MONETA Internal
Access: Internal
Distribution: Internal
Destruction Mark: V10
PURPOSE OF THE DOCUMENT
Presented Cyber Security REMT materials aim to provide a simple and short yet highly effective understanding of current cyber-security threats, their impact and how to detect and correctly respond to them.
On the following pages, you will find selected topics from the cyber-security area that, in our opinion, are crucial and highly relevant to you – executive employees. These include:
common threats like phishing and vishing targeted at board members or other company representatives;
password creation and manipulation best practices;
safe usage of company devices;
recommendations on security of your on-line accounts (not limited to company accounts);
important contacts for security-related matters in MONETA.
Finally, in the Examples section (which can be considered an appendix) you can review practical examples of how cyber attacks work and how they may impact day-to-day operations. We believe that the presented information can also be beneficial in your personal life. In case you have any questions, please do not hesitate to contact us.
TABLE OF CONTENTS
1. How To Detect Fraudulent Attempts
2. How To Report Phishing
3. Password Handling
4. Working With Company Devices
5. On-line Account Security
6. Important Contacts
EXAMPLES:
Steps in a Phishing Attack
Example 1 – Targeted Phishing Attacks Strike High-Ranking Company Executives
Example 2 – Hackers Stole $300 Million from 100 Banks Using Malware
Example 3 – The Math Behind Password Cracking and Why Password Size Matters
As an Executive employee, you will be targeted
Senior executives or stakeholders in organizations are often the target of cyber attack, because of their access to valuable assets (usually money and information) and also their influence within the organization.
HOW TO DETECT FRAUDULENT ATTEMPTS
Vishing. Phishing. Smishing. These terms sound like something a child made up and then decided to make the other two rhyme. But as you likely already know (or will soon discover), vishing, phishing, and smishing are very real and very dangerous threats to businesses and individuals alike. Phishing is an overarching term for an entire category of cybercrime against people and businesses alike that involves cyber fraud. The attacks can be made via e-mail, over the phone, using text messages or even social media accounts.
PHISHING
Based on the concept of fishing, phishing is a virtual form of hunting that involves tricking users into “taking the bait” and getting hooked. This category of attacks typically involves cybercriminals impersonating a person or organization and using various tactics to extract information or compel the victim to perform a particular action. At its core, phishing is a medium for an attack but isn’t the weapon itself. These attacks often require you, as the victim, to do something – click on a link, open an attachment, download a file, etc. These actions typically trigger the “payload” – the actual weapon of choice – which often comes in the form of malware or ransomware. However, some cybercriminals will instead drive you to a fake site that’s designed to look like the real deal. There, you’ll be asked to update, change, or confirm sensitive information like your account information and passwords.
VISHING
Vishing, or voice phishing calls, are a form of scam that aims to get prospective victims to share personal or financial information. Scam calls have risen significantly over the past couple of years. In 2017, scams represented only 3.7% of all incoming mobile calls. In 2018, that number reached nearly 30%. There’s one key thing you should always do whenever you receive an unsolicited call (especially one claiming to be from your bank or financial institution): hang up and call back using the phone number from an official website. Never use the contact information provided to you in an email, a text message, or through an unsolicited phone call.
SMISHING
Smishing, also known as SMS phishing, is a phishing attack carried out over mobile text messaging. As a variant of phishing, victims are deceived into giving sensitive information to a disguised attacker. SMS phishing can be assisted by malware or fraudulent websites. It occurs on many mobile text messaging platforms, including non-SMS channels like mobile messaging apps (e.g., WhatsApp, Viber, Signal). The good news is that the potential ramifications of these attacks are easy to protect against. You can keep yourself safe by doing nothing at all. In essence, the attacks can only do damage if you take the bait.
Don’t be afraid to verify the legitimacy of a request (via a different communication channel).
HOW TO REPORT PHISHING
If you suspect that you have received a message that fraudulently encourages you to submit your information or to fill out a web form, you can report it using the "Report Message" add-on:
1. Highlight the desired message or double-click to open it.
2. From the menu in the top bar, open the Report Message tab and select Phishing Attack.
3. Confirm the dialog with the Report button.
Report all suspicious messages via "Report Message" in Outlook or phishing@moneta.cz
This will move the message to the Spam folder and send a sample of the suspicious message to our internal Cyber Security team for investigation.
PASSWORD HANDLING
Use a sentence instead of a single word. Length is the new king.
Do not use the same password for multiple systems
At the same time avoid using the same passwords for work and personal purposes.
Do not share your passwords
Do not share your passwords under any circumstances with anyone, including your supervisor or Service Desk.
Do not write down passwords
Remember your passwords, do not write them on paper or calendar.
You can use the password manager applications for safe storage: 1Password, LastPass or KeePass.
Create strong passwords
Short and simple passwords can easily be guessed or brute-forced by the attackers.
A password is a string of words, characters, or numbers used to authenticate the user. It is something only the user knows, and therefore knowledge of the password is taken as proof of their identity.
For a detailed explanation of password strength and password cracking, please refer to the Example #3.
WORKING WITH COMPANY DEVICES
Use only company-managed devices.
Personal devices (e.g., laptops, tablets) are not protected in the same way.
Avoid using public Wi-Fi.
It’s much safer to use your smartphone as a hotspot.
To access Outlook, Teams and other MS Office applications from your smartphone, you need to enroll it in the Company portal.
A detailed step-by-step guide can be found on the Service Desk Confluence.
Be careful when clicking on links.
If possible, always check where the link leads to by hovering the mouse cursor over it.
When signing in to Microsoft services, the correct address will always be https://██████.cz/
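The hover check described above, done programmatically, as an added example that is not part of the MONETA deck: it extracts the host a browser would actually contact and compares it with the expected sign-in address. The expected host (login.example-bank.cz) and the sample links are placeholders constructed for this example; the deck's real sign-in address is redacted.

```python
# Added example, not from the MONETA deck: decide where a link in a message
# really leads and whether it is the expected sign-in address, the same check
# the deck asks you to do by hovering over the link. The expected host is a
# placeholder assumption, not a real MONETA host.
from urllib.parse import urlsplit

EXPECTED_SIGNIN_HOST = "login.example-bank.cz"   # placeholder, assumption


def link_destination(url):
    """Return (scheme, host) of the server the browser would actually contact.

    urlsplit().hostname drops any "user@" prefix and any ":port", so a link
    written as https://login.example-bank.cz@attacker.test/ resolves to
    attacker.test, which is exactly what the hovering reader needs to notice.
    """
    parts = urlsplit(url.strip())
    return parts.scheme.lower(), (parts.hostname or "").lower()


def suspicious_reasons(url, expected=EXPECTED_SIGNIN_HOST):
    """List the reasons a link should not be trusted as the sign-in page.

    An empty list means the link goes to the expected host over HTTPS.
    """
    scheme, host = link_destination(url)
    reasons = []
    if scheme != "https":
        reasons.append("not https")
    if not host:
        reasons.append("no host in link")
    elif host != expected:
        if expected in host:
            # the genuine name is embedded in a longer, different host name
            reasons.append("lookalike host: %s" % host)
        else:
            # includes URL shorteners, which hide the true address (see deck)
            reasons.append("unexpected host: %s" % host)
    if "@" in urlsplit(url.strip()).netloc:
        reasons.append("link contains user@ before the real host")
    return reasons


def is_expected_signin(url, expected=EXPECTED_SIGNIN_HOST):
    """True only when the link is the expected sign-in host over HTTPS."""
    return not suspicious_reasons(url, expected)


# Constructed sample links (not taken from any real message).
SAMPLE_LINKS = [
    "https://login.example-bank.cz/signin",
    "http://login.example-bank.cz/signin",
    "https://login.example-bank.cz.attacker.test/signin",
    "https://login.example-bank.cz@attacker.test/signin",
    "https://short.example/abc123",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = suspicious_reasons(link)
        print("%-55s %s" % (link, "OK" if not verdict else "; ".join(verdict)))
```

Only the first sample link passes; the others fail on scheme, on a host that merely contains the expected name, on a user@ prefix, or on a shortener host that reveals nothing about the destination. The same exact-match rule is the one to apply by eye when hovering: the host must be the expected address, not just contain it.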
Protect your devices physically as well as digitally.
WHY SHOULD YOU LOCK YOUR SCREEN WHEN YOU'RE AWAY?
This helps prevent others from viewing or using your device when you're not around. Set up your computer and mobile devices to automatically go to screensaver after a certain amount of inactivity. In addition, manually lock when leaving your device unattended.
MACOS SHORTCUT
WINDOWS PC SHORTCUT
ON-LINE ACCOUNT SECURITY
Enable two-factor authentication if possible
We’ve been banging the two-factor verification drum for a while now, and you can set it up on most online accounts, including ones for Apple, Google and Microsoft. It means even if someone gets ahold of your username and password, they won’t be able to log into your account on a new device without an extra code delivered over SMS or through an app.
Which means they’ll need physical access to your devices.
Close accounts you’re not using
Here’s what happens to your old, unused accounts on the web: they get hacked. And sometimes they lead the way to the more valuable accounts that you really do care about, so it makes sense to keep the number of accounts you’re using down to a minimum. As an added bonus it means you’ve got fewer usernames and passwords to worry about.
Use a secret email address
If someone knows your email address, they’re halfway to knowing how to log into your accounts—and these days it’s not that difficult to find out someone’s email address.
Setting up a private email address (that doesn’t really relate to your name) solely for logging into your social media accounts is another way of keeping them more secure.
Watch what you share online
Your accounts are only as secure as the weakest links protecting them – and those links often involve someone impersonating you. Make sure personal details that can be used to verify your identity, like your home address, your birthday, or even what soccer team you support (is that your “secret security question”?) aren’t all over your social media profiles.
Consider how information about you that is publicly available could assist an attacker who is trying to impersonate you. Less is more.
PERSONAL ACCOUNTS MONITORING
Recently established partnership with ███████ (MONETA’s cyber threat intelligence solution) allows us to monitor whether e-mail addresses of our employees and accounts associated with them have appeared in a data breach or have been stolen by a botnet.
If you provide us with your personal e-mail address, we can monitor it as well and proactively warn you in case any account associated with it may have been compromised (cyber-attack, data breach etc.). This is completely voluntary and up to you. All @moneta.cz e-mails are already being monitored.
If you are interested, please contact us directly via:
█████████████@moneta.cz,
███████████████@moneta.cz or
█████████████@moneta.cz.
IMPORTANT CONTACTS
When in doubt, don’t hesitate to contact us. Better safe than sorry.
Service Desk
████████ @moneta.cz
Cyber Security Hotline +420 ████████
Senior Manager Cyber Security
████████ @moneta.cz, +420 ████████
Phishing Report
Please use the “Report Message” button in Outlook
Examples
A good way to increase your understanding of cyber security is to review examples of how cyber attacks work, and what actions organizations take to mitigate them.
STEPS IN A PHISHING ATTACK
91% of cyber attacks begin with phishing e-mail.
SELECT VICTIMS:
Cull from past breaches
Guess based on organization and e-mail structure
Scrape from web and social media
Purchase lists
Hijack legit site or social media account and phish its followers
DELIVER PHISHING:
Impersonating e-mail
Social media or web comment
SMS message
Voice mail
BYPASS FILTERS:
Use attachments not commonly blocked (.doc, .zip, .pdf)
Use URL shortener to hide true address
Mix legit graphics and links in message with false ones
Leverage or subvert legit pen-test or admin tools
HOOK:
Victim clicks on executable and runs malware
Victim goes to malicious website
EXECUTION:
Malware executes and collects credentials
Malware executes and pivots internally (ransomware)
Malicious website collects credentials
Malicious website collects payment card data and personal info
Malicious website launches drive-by download
EXPLOITATION:
Malware creates persistent connection to corporate network
Malware collects additional personal details
Malware turns device into a bot for crypto-mining or other attacks
PAY OUT:
Credentials, credit cards, accounts all sold on darknet markets
Cashing out credit cards
EXAMPLE #1
Targeted Phishing Attacks Strike High-Ranking Company Executives
Source: https://www.zdnet.com/article/a-hacker-is-selling-access-to-the-email-accounts-of-hundreds-of-c-level-executives/
An evolving phishing campaign observed at least since May 2020 has been found to target high-ranking company executives across manufacturing, real estate, finance, government, and technological sectors with the goal of obtaining sensitive information.
The campaign hinges on a social engineering trick that involves sending emails to potential victims containing fake Office 365 password expiration notifications as lures. The messages also include an embedded link to retain the same password that, when clicked, redirects users to a phishing page for credential harvesting.
"The attackers target high profile employees who may not be as technically or cybersecurity savvy and may be more likely to be deceived into clicking on malicious links," Trend Micro researchers said in an analysis.
"By selectively targeting C-level employees, the attacker significantly increases the value of obtained credentials as they could lead to further access to sensitive personal and organizational information and used in other attacks."
According to the researchers, the targeted email addresses were mostly collected from LinkedIn; they also note that the attackers could have purchased such target lists from marketing websites that offer CEO/CFO email and social media profile data.
What's more, Trend Micro's investigation unearthed a possible link to a user handle on underground forums that was spotted selling a credential harvester tool as well as stolen C-level account passwords for anywhere between $250 and $500.
The researchers uncovered at least eight compromised phishing sites hosting the V4 phishing kit, raising the possibility that they were used by different actors for a wide range of phishing campaigns directed against CEOs, presidents, board members, and founders of companies located in the U.S., the U.K., Canada, Hungary, the Netherlands, and Israel.
Sample of fake Office 365 password expiration notification e-mail
The seller's ad on Exploit.in (underground forum)
EXAMPLE #2
Hackers Stole $300 Million from 100 Banks Using Malware
Source: https://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html
According to a report published by the New York Times in 2015, hackers have stolen as much as $1 Billion from more than 100 banks and other financial companies in almost 30 nations, making it "the most sophisticated attack the world has seen to date."
In late 2013, banks in Russia, Japan, Europe, the United States and other countries fell victim to a massive, sophisticated malware hack that allowed the hackers to spy on bank officials in order to mimic their behavior.
In order to infect bank staff, the hacker group sent malicious emails to hundreds of employees at different banks. Once opened, the email downloads a malware program called Carbanak, which allegedly allowed perpetrators to transfer money from the banks to fake accounts or ATMs monitored by criminals.
The attacks continue, all using roughly the same modus operandi:
1. Hackers send an email containing a malware program called Carbanak to hundreds of bank employees, hoping to infect a bank’s administrative computer.
2. Programs installed by the malware record keystrokes and take screenshots of the bank’s computers, so that hackers can learn bank procedures. They also enable hackers to control the banks’ computers remotely.
3. By mimicking the bank procedures they have learned, hackers direct the banks’ computers to steal money in a variety of ways:
transferring money into hackers’ fraudulent bank accounts;
using e-payment systems to send money to fraudulent accounts overseas;
directing ATMs to dispense money at set times and locations.
EXAMPLE #3
The Math Behind Password Cracking and Why Password Size Matters
Brute-force attacks are carried out by hackers who try to crack a password by simply trying out different combinations of characters in quick succession. The algorithm is very simple and amounts to trying out as many character combinations as possible, which is why it is also called "exhaustive search". The attacker usually uses a high-performance computer, which performs a great number of calculations per second and can therefore test a high number of combinations in the shortest possible time.
The method is often used successfully in practice, as many users choose short passwords, which often consist only of the letters of the alphabet; this drastically reduces the number of possible combinations and makes guessing easier.
When creating a password, the following characters are usually available:
numbers (10 different: 0-9),
letters (52 different: A-Z and a-z),
special characters (32 different).
The number of possible combinations is calculated using the following formula:
possible combinations = (number of possible characters) ^ (password length)
For example, an 8-character password drawn from all 94 characters above has 94^8 = 6 095 689 385 410 816 possible combinations.
Any 8-character NTLMv2 password hash can be cracked in approximately 7 days (assuming the character space includes all uppercase, lowercase, numbers, and symbols).
In contrast, the time required to compute the full 10-character space is just over 188 years; 12 characters is 1 million 735 thousand years, 14 characters is 5 billion 835 million years, and 16 characters more than 147 trillion years*.
* Note that these speeds are based on a current average cracking system infrastructure; well-funded malicious actors could achieve much faster speeds.
Conventional wisdom says that a complex password is more secure. But in reality, password length is a much more important factor, because a longer password is far harder to crack if its hash is stolen.
The End
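The formula from Example #3 carried through in Python, as an added worked example that is not part of the MONETA deck: it computes the keyspace for the deck's character-set sizes, the equivalent strength in bits, and the worst-case exhaustive-search time at an assumed guessing rate, and it compares a short "complex" password with a longer letters-only passphrase. The guessing rate of 1e10 guesses per second is an assumption chosen so the 94-character, 8-character case lands near the deck's "approximately 7 days"; it reproduces the order of magnitude and the growth with length, not the deck's exact year figures, which come from a slightly different rate.

```python
# Added example, not from the MONETA deck: the deck's formula
#     possible combinations = (number of possible characters) ^ (password length)
# applied to different character sets and lengths, plus the time an exhaustive
# search would need at an assumed guessing rate.
import math

# Character set sizes as counted in the deck.
DIGITS = 10          # 0-9
LETTERS = 52         # A-Z and a-z
SPECIALS = 32        # special characters
FULL_SET = DIGITS + LETTERS + SPECIALS   # 94

# Assumption: 1e10 guesses per second against NTLMv2-style hashes. Real rates
# depend on the hash algorithm and the attacker's hardware.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(length, charset_size=FULL_SET):
    """Number of possible passwords: charset_size ** length (the deck's formula)."""
    return charset_size ** length


def entropy_bits(length, charset_size=FULL_SET):
    """Equivalent strength in bits: log2 of the keyspace."""
    return length * math.log2(charset_size)


def worst_case_seconds(length, charset_size=FULL_SET, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every combination once at `rate` guesses per second."""
    return keyspace(length, charset_size) / rate


def describe(seconds):
    """Render a duration as seconds, days or years, whichever reads naturally."""
    if seconds < SECONDS_PER_DAY:
        return "%.0f seconds" % seconds
    if seconds < SECONDS_PER_YEAR:
        return "%.1f days" % (seconds / SECONDS_PER_DAY)
    return "%.3g years" % (seconds / SECONDS_PER_YEAR)


def length_beats_complexity(short_len=8, long_len=16):
    """Compare a short password using all 94 characters with a longer one
    built from lowercase letters only (a sentence-style passphrase).

    Returns (short_keyspace, long_keyspace, long_is_bigger)."""
    short = keyspace(short_len, FULL_SET)
    long_ = keyspace(long_len, 26)
    return short, long_, long_ > short


if __name__ == "__main__":
    print("%-8s %-14s %-8s %s" % ("length", "combinations", "bits", "worst-case time"))
    for n in (8, 10, 12, 14, 16):
        print("%-8d %-14.3e %-8.1f %s" % (
            n, keyspace(n), entropy_bits(n), describe(worst_case_seconds(n))))
    short, long_, bigger = length_beats_complexity()
    print("8 chars from 94 symbols: %.2e; 16 lowercase letters: %.2e; longer wins: %s"
          % (short, long_, bigger))
```

Each additional character multiplies the keyspace by the size of the character set, so the table grows by a factor of 94 per character while the attacker's rate stays fixed; the final comparison shows that sixteen lowercase letters already give a far larger keyspace than eight characters from the full set, which is the deck's point that length matters more than complexity.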