It’s a fact, in industries or on building sites, professional people make mistakes or, worse,Â getÂ injured. Why? Because their attention is reduced at a certain point. When you’re doing the same job all dayÂ long, you get tired and lack of concentration. The same can apply in information security! For a long time, more and more solutions are deployed in companies to protect their dataÂ and users. Just make your wishlist amongst firewalls, (reverse-)proxies, next-generation firewalls, ID(P)S, anti-virus, anti-malware, end-point protection, etc (The list is very long). Often multiple lines of defenses are implemented with different firewalls, segmented networks, NAC. The combination of all those security controls tend to reduce successful attacks to a minimum. “To tend” does not mean that all of them will be blocked! A good example are phishing emails, they remain a very good way to abuse people. If most of them will be successfully detected, only one may have disastrous impacts. Once dropped in a user mailbox, there are chances that the potential victim will be asleep… Indeed, the company spent a lot of money to protect its infrastructure so the userÂ will think “My company is doing a good job at protecting myself, so if I receive a messageÂ in my mailbox, I can trust it!“. Here is a real life example I’m working on.
AÂ big organization received a very nicely formated email from a business partner. The mail had an attachment pretending to be a pending invoice and was sent to <firstname.lastname@example.org>. The person reading the information mailbox forwarded it, logically, to the accounting department. There, an accountant read the mail (coming from a trusted partner and forwarded by a colleague – what can go wrong?) and opened the attachment. No need to tell the rest of the story, you can imagine what happened. The malicious file was part of a new CBT-Locker campaign: The new malicious file was generated only a few hours before the attacks and, no luck, the installed solutionsÂ were not able (yet) to detect it. The malicious files passed successfully the following controls:
- Antivirus/Antispam on the incoming MTA in the DMZ
- A Next-Generation firewall (between the DMZ – LAN)
- Some extra checks on the internal Exchange server
- An end-point protection system
Users, don’t fall aspleep! Keep your eyes open and keep in mind that the controls deployed by your company are a way to reduce the risks of attacks. You car has ABS, ESP, cross-lane detection systems and much more but you still need to pay attention to the road! The same applies in IT, stay safe…