Huguens Lops 03-17-2020 IASP-470 Increasing End-User Security over email attacks.
The cyber threat is one of the most serious international security challenges we face in today’s
society. A turning point in the history of hacking occurred with the proliferation of personal
computers during the 1980s. Practically anyone could buy a computer for their own use. These
computers, along with devices called modems that enabled computers to communicate with each
other over telephone wires, extended the reach of hackers. It was during this time that some
hackers decided to use their skills for criminal purposes. They copied and distributed commercial
software and games. A few hackers unleashed viruses capable of shutting down computers and
entire network systems. To differentiate themselves from these malicious coders, legal hackers
began referring to themselves as white-hat hackers. Today, the term hacker is commonly
used in association with malicious activity. However, computer experts typically use “hacker” to
describe anyone who seeks flaws in software that can be exploited, whether for good or bad
purposes. The threat is expanding every day, increasing the need to develop and tighten security
measures to ensure the protection of everyone using web technology. Hackers have become
the biggest nuisance in the world, and end-users need to be aware of them. These criminals have many
strategies to steal data from your company. Malicious email remains one of the most significant
and ongoing computer security threats that end-users face. Cybercriminals use a variety of
email-based attacks to deliver malware, and organizations everywhere need to
understand these threats and how to implement effective safeguards. Malicious email authors are
very smart and relentless, and they are constantly developing new, or at least different, ways to
deceive and attack us. Although the malicious payloads found in email-based attacks frequently
change, the vast majority of cybercriminals use basic strategies such as malicious attachments and
links to malicious web pages. Below is a list of some of the most significant and dangerous email
attacks.
infect the users’ systems and deny them access to their most valuable assets, such as confidential
or corporate data. Typically, this is done by encrypting the most important documents, making
them unreadable, until a ransom for the decryption key is paid. This is one of the messages that
prompt a victim to update Chrome’s font by downloading an executable file:
Spoofing: Because email protocols lack effective mechanisms for authenticating email
addresses, hackers are able to use addresses and domains that are very similar to legitimate ones,
deceiving victims into believing that fraudulent emails are from a trusted individual.
Man-in-the-Middle Attack (MITM) is a form of cyber eavesdropping, a security issue
where the hacker secretly intercepts and tampers with information when data is exchanged between
two parties.
Whaling / Business Email Compromise (BEC): BEC, also known as “whaling,” targets an
organization’s biggest fish. This is a type of social engineering scam where an attacker sends an
email to someone in the organization who has the ability to execute a financial transaction.
Spam: Despite a number of ways to filter out unwanted email, spam remains a significant
challenge for organizations. While ordinary spam is simply considered a nuisance, spam is also
frequently used to deliver malware.
Key Loggers: In the most damaging data breaches, the criminals behind the attacks nearly
always utilize stolen user credentials. One effective method criminals use to obtain IDs and
passwords is a key-logger, often delivered by email when victims inadvertently click on a
malicious attachment or link.
Some companies always fail when end-users lack computer knowledge. I remember 5 years
ago, when I was working at a check-cashing business, we were being hacked. The criminal had access
to our system and stole customers’ data. At the check cashing we provided many services such as
cashing checks, wiring money and bill payments. The black guy had access to our Western Union
services, so he wired money to some people that we did not even know. When we found out what
was going on, at first we did not know what to do, so we simply unplugged all the cables in
order to stop the hacker’s activities. There was something I realized: all my coworkers used to
save the passwords from the websites, which was not OK to do. Now end-users do not want to
use strong passwords, just to make them easy to remember; as professionals we need to provide
security awareness for end users.
As much as technology can be used in a bad way, for email attacks, malware and other related
suspicious activities, it can also be used to defend organizations against cyberattacks. Email
is the most common source of the phishing attacks that a lot of companies receive.
As we provide training for end-users, keeping users’ browsers up to date is the first mechanism to help
avoid phishing email attacks. Some browsers have security mechanisms built into the browser
itself to help identify and block phishing as well as malware coming from various sites a user
might visit. Chrome, as an example, has a setting turned on by default called “Protect you and your
device from dangerous sites”:
A strong password is another absolute bare minimum for email security. End-users
tend to create a simple password that is very easy to remember, which is also very easy for the
hacker to find out. The administrator should require users to change their passwords at least every
four weeks, and it is a must for end users to do so. Use a mix of different types of characters to
make the passwords harder to crack; the hacker will then have a very minimal chance of getting
access to your computer, or it might take them decades to damage your systems. Configure a
password policy for users and administrators:
Enabling the password policy will expire administrator and user account passwords every 60 days.
The password policy can be enforced for logins made on the inSync management console, inSync client,
and inSync Web.
The password policy is not available for the managed service provider (MSP) console.
Updating software:
It is easy to skip software updates when they are required. Users think updates are not important and
that their computers are working fine, and fail to update their software, which can be a total
disaster, a costly mistake and a good advantage for hackers. Updating the system software will
patch weak spots and vulnerabilities on your server which can be used for malicious attacks.
Phishing attack protection requires steps be taken by both users and enterprises.
For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its true
identity. These can include spelling mistakes or changes to domain names. Users should also
stop and think about why they’re even receiving such an email.
Links inside messages resemble their legitimate counterparts, but typically have a misspelled
domain name or extra subdomains. In the above example, the myuniversity.edu/renewal URL
was changed to myuniversity.edurenewal.com.
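The link check described above can be automated. The following is an added example, not part of the original essay: it compares a link's host against a list of trusted domains and flags hosts that merely contain or closely resemble one. The `TRUSTED_DOMAINS` list, the function names, the 0.85 similarity threshold and the misspelled sample links are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the domains this organization really uses (illustrative list).
TRUSTED_DOMAINS = {"myuniversity.edu"}
SIMILARITY_THRESHOLD = 0.85  # assumption: tune against your own mail

def link_host(url):
    """Return the lower-cased host of a link, or '' if it cannot be parsed."""
    if "://" not in url:
        url = "http://" + url  # links are often written without a scheme
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""

def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for one link."""
    host = link_host(url)
    if not host:
        return "unknown"
    # Trusted only when the host IS the domain or a real subdomain of it.
    if any(host == d or host.endswith("." + d) for d in trusted):
        return "trusted"
    for d in trusted:
        # Extra subdomains or glued-on text: the trusted name appears, but
        # the host does not end with it (myuniversity.edurenewal.com).
        if d in host:
            return "lookalike"
        # Misspelling: compare the same number of trailing labels.
        tail = ".".join(host.split(".")[-(d.count(".") + 1):])
        if SequenceMatcher(None, tail, d).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for link in ("myuniversity.edu/renewal",         # from the essay
                 "myuniversity.edurenewal.com",      # from the essay
                 "https://myuniversty.edu/renewal",  # constructed typo
                 "https://example.org/"):            # constructed
        print(f"{classify_link(link):10} {link}")
```

A link classified as `lookalike` is the case the paragraph warns about: the familiar name is visible, but the host does not actually belong to the trusted domain.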
End-users must be very careful before opening emails; it is important to take a close look at who sent
you the email. Before opening an email, you should double-check that you know the
individual sender; it should be someone with whom you communicate daily.
Examine the address list: Check with your coworkers whether they received the same email.
Suspect the subject: Work communication should be related to your job function, so be sure to
look over the subject line. Check to be sure that the subject is one that you would anticipate
receiving in the first place.
Scrutinize the time: What time of day was the email sent? Was it at a time that you would expect
someone to be sending you a business email? While many of us work with counterparts all over
the globe, it is still possible to detect emails that are sent outside of the norm and avoid opening
them.
Avoid strange attachments and hyperlinks: You can reduce the likelihood that you are
opening or clicking malicious content by examining a few things. First, did you expect an
attachment, and is it a common file type that you would expect to receive as part of your job? If
not, don’t open it! Does the file have a weird name, or are there unusual symbols in the
filename? If so, that is another sign to leave the file unopened and the link unclicked.
Beware of unsettling content: An email containing unsettling, startling, or urgent content that requires
immediate action on your part is often a sign of a phishing attack. We have all seen the phishing
emails claiming that your bank account was hacked and you need to log in right away.
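The checklist above (sender, time sent, attachments, unsettling content) can also be applied by a mail filter before the message reaches the user. The following is an added example, not part of the original essay: the known-sender list, expected attachment types, working hours, phrase list, function name and sample message are all assumptions constructed for illustration.

```python
import os
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumptions: this user's usual contacts, job-related file types and hours.
KNOWN_SENDERS = {"registrar@myuniversity.edu"}
EXPECTED_EXTENSIONS = {".pdf", ".docx", ".xlsx"}
WORK_HOURS = range(7, 19)  # 07:00-18:59 in the time zone the sender states
URGENT_PHRASES = ("right away", "immediately", "urgent", "was hacked")

def triage(raw_message):
    """Return the checklist items that a raw RFC 5322 message trips."""
    msg = message_from_string(raw_message)
    flags = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender not in KNOWN_SENDERS:
        flags.append("sender not a known contact")
    try:
        if parsedate_to_datetime(msg["Date"]).hour not in WORK_HOURS:
            flags.append("sent outside working hours")
    except (TypeError, ValueError):
        flags.append("missing or malformed Date header")
    text = msg.get("Subject", "").lower()
    for part in msg.walk():
        name = part.get_filename()
        if name:
            # Unexpected file type, or non-ASCII symbols in the file name.
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXPECTED_EXTENSIONS or not name.isascii():
                flags.append("unexpected attachment: " + name)
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True) or b""
            text += " " + body.decode("utf-8", "replace").lower()
    if any(phrase in text for phrase in URGENT_PHRASES):
        flags.append("urgent or unsettling wording")
    return flags

# Constructed sample message (not from the original essay).
SAMPLE = (
    'From: "IT Support" <support@myuniversity.edurenewal.com>\n'
    "Subject: Your account was hacked\n"
    "Date: Tue, 17 Mar 2020 03:12:00 -0400\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nLog in right away to renew.\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="renewal.exe"\n\nAAAA\n'
    "--b1--\n"
)
```

Calling `triage(SAMPLE)` returns all four flags, while a routine daytime message from a known sender returns an empty list.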
Training end-users to raise awareness of phishing attacks is a major component of an overall
security strategy. Following these steps will save you and protect your company from future
email attacks.