So, the words "Cyber Security Consultant" get bandied around easily, yet many of us don't even understand what a Cyber Security Consultant does. I will illustrate with an encounter I found myself in recently with a client who wanted the services of a 'Cyber Security Consultant'.
The client in question I will refer to as 'the client'. It is a small business of around 25 users working in ecommerce. In simple terms, they sell products online, and they provide fast delivery on items that are required, even the very same day.
This business has 2 key challenges to understand:
- Even the slightest downtime can be detrimental to the client and nullify their competitive advantage of same-day delivery.
- The nature of an online-only business means the brand is displayed online; there is no brick-and-mortar building for customers to visit. The brand values that have been cultivated so carefully over the last 3 years, with painstaking marketing campaign after campaign, can all too easily be destroyed by the simplest phishing email.
For context, we need to be aware that the client is receiving around 500 phishing emails per day, with around 2% of phishing emails getting past the filters. That is around 10 emails per day.
While this may seem low, even the best Security Awareness Training delivered to staff cannot guarantee that no employee will ever click a phishing link. After all, humans are always the weakest link in the chain.
The C-level executive of this client expressed his concerns about the potential downtime that may occur from a breach, the customers' loss of confidence in the company, and related outcomes all resulting from a breach.
In order to help the client, we had to develop a strategy that incorporated a greater level of cyber security. There isn't a silver-bullet, one-size-fits-all approach to this; we needed multiple layers of defence.
Cyber Security 101: The strategy
The first step we took was a full network audit to ascertain the technical details and to ensure the network was in good shape. Once those things had been checked off and we were happy we had a solid baseline to build upon, we started to work through the critical business processes. We set about creating a strategy that would improve the client's security baseline significantly. Sometimes this can be done in a few simple steps; sometimes not.
We generally work through threats on a severity basis, then focus our efforts on the area from which the business is most likely to receive a threat. We worked through the network systematically and observed how users accessed applications and the web, amongst other things.
The client regularly receives legitimate emails from international companies, and with this a whole host of external phishing emails too. This was determined to be our client's most severe threat, and also the one most likely to happen.
Sending emails from international domain names is an extremely common way of delivering phishing emails. What's more, the phishing emails had been sent from new email addresses created just for this purpose; no spam filter would have a chance. These emails are the scourge of cyber security professionals' existence, as a first line of defence (Office 365 spam filtering in this instance) is very unlikely to block them unless the domain name within the web link is already marked as malicious in a database somewhere.
A good course of preventative action for the human element in this particular case is Security Awareness Training, which the client already had in place; it is always rather refreshing to see that a business is taking cyber security hygiene seriously. However, management still deemed this risk to be too high.
Implementation of Safeguards
Since the problem involved something that could not be stopped with any level of certainty, we looked to implement a next-generation endpoint anti-malware solution with a web app blocker. This is a good start and something that had been lacking: a huge improvement over the standard Windows Defender antivirus.
We pushed forward to enhance the level of protection by setting up Advanced Threat Protection in Office 365, which supplements our endpoint web app blocker very nicely and allows attachments and URLs to be detonated in a cloud sandbox, a bit like a sandpit for naughty files.
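As an added example (not the author's code, nor a script from the client engagement), this is how the attachment and URL detonation described above is switched on from the tenant side with the ExchangeOnlineManagement module: a Safe Attachments policy that holds mail until the sandbox verdict comes back, and a Safe Links policy that scans and rewrites URLs. The domain and policy names are placeholders; the cmdlets and parameter names are those of the module as I know them and may differ between module versions.

```powershell
# Added example: create Safe Attachments and Safe Links policies in
# Defender for Office 365 (formerly Office 365 ATP). Not the author's code.
# $Domain and the policy names are placeholders to be replaced for a real tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline            # interactive sign-in as an Exchange/Security admin

$Domain = 'client.example'        # placeholder: the client's accepted domain

# Safe Attachments: detonate attachments in the cloud sandbox before delivery
# and block the message if the attachment is found to be malicious.
New-SafeAttachmentPolicy -Name 'Client-SafeAttachments' `
    -Enable $true `
    -Action Block `
    -Redirect $false

New-SafeAttachmentRule -Name 'Client-SafeAttachments-Rule' `
    -SafeAttachmentPolicy 'Client-SafeAttachments' `
    -RecipientDomainIs $Domain

# Safe Links: rewrite URLs so they are checked at click time, scan URLs on
# delivery, hold the message until the scan finishes, and do not let users
# click through a warning page.
New-SafeLinksPolicy -Name 'Client-SafeLinks' `
    -EnableSafeLinksForEmail $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false

New-SafeLinksRule -Name 'Client-SafeLinks-Rule' `
    -SafeLinksPolicy 'Client-SafeLinks' `
    -RecipientDomainIs $Domain

# Read the policies back so the applied state can be recorded for the client.
Get-SafeAttachmentPolicy -Identity 'Client-SafeAttachments' |
    Format-List Name, Enable, Action, Redirect
Get-SafeLinksPolicy -Identity 'Client-SafeLinks' |
    Format-List Name, EnableSafeLinksForEmail, ScanUrls, DeliverMessageAfterScan, AllowClickThrough

Disconnect-ExchangeOnline -Confirm:$false
```

The read-back at the end is the "check and balance" step: the output is what goes into the engagement record, and re-running the two Get cmdlets later shows whether anyone has quietly relaxed the policy.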
Together, these 2 solutions lowered the phishing threat substantially. Outlook also has some built-in security features which are often disabled by default. Setting Outlook not to download pictures and images from external sources it is not familiar with helps to prevent phishers from knowing you have received their email.
Our client also had particular sensitivity to a threat involving Excel spreadsheets; they received a tremendous number of these each week from external sources. With management's blessing, it was deemed highly desirable to disable macros within Excel spreadsheets in case employees fast-clicked a malicious attachment, along with arming Outlook with a feature to rename the last 3 letters of any potentially malicious file extension, which prevents Excel spreadsheets received from external sources from opening easily.
Our client had an available, helpful part-time IT person who worked happily through the safeguard implementation on each machine using our suggested roadmap and techniques.
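As an added example (my own, not the author's roadmap or the client's scripts), here is the kind of per-machine script a part-time IT person could run to apply and verify two of the endpoint safeguards above: disabling Excel macros and stopping Outlook from downloading external images. It writes the Office policy registry values for Office 2016/2019/365 (version key 16.0, an assumption) and then reads every value back, so each machine reports whether the roll-out actually took. The attachment-extension renaming feature is not covered here.

```powershell
# Added example, not the author's code: apply and verify Office hardening values
# for one user. Assumes Office version key 16.0. In a domain the same values would
# normally be delivered by Group Policy; this script suits a small manual roll-out.

$OfficeVersion = '16.0'
$ExcelSecurity = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Excel\Security"
$OutlookMail   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Outlook\Options\Mail"

# Desired state.
# VBAWarnings: 1 = enable all macros, 2 = disable with notification,
#              3 = disable except digitally signed, 4 = disable all without notification.
# BlockContentExecutionFromInternet = 1: macros in files carrying the Internet
#              mark-of-the-web (i.e. email attachments and downloads) are blocked.
# BlockExtContent = 1: do not fetch external pictures in HTML mail, so a tracking
#              image cannot confirm to the sender that the mailbox is live.
$Settings = @(
    @{ Path = $ExcelSecurity; Name = 'VBAWarnings';                       Value = 4 },
    @{ Path = $ExcelSecurity; Name = 'BlockContentExecutionFromInternet'; Value = 1 },
    @{ Path = $OutlookMail;   Name = 'BlockExtContent';                   Value = 1 }
)

function Set-HardeningValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Policy keys do not exist until a policy has been set, so create the path first.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Test-HardeningValue {
    param([string]$Path, [string]$Name, [int]$Value)
    $current = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $current) -and ($current.$Name -eq $Value)
}

# Apply every setting, then verify each one independently and report drift.
foreach ($s in $Settings) { Set-HardeningValue @s }

$Failures = @()
foreach ($s in $Settings) {
    if (-not (Test-HardeningValue @s)) { $Failures += "$($s.Path)\$($s.Name)" }
}

if ($Failures.Count -eq 0) {
    Write-Output "All hardening values verified on $env:COMPUTERNAME for $env:USERNAME"
} else {
    Write-Warning "Values not applied: $($Failures -join ', ')"
    exit 1
}
```

Run it once per user profile on each machine (the values live under HKCU), and keep the one-line output per machine as the roll-out record. Because the verification reads the registry back rather than trusting the write, re-running the script later doubles as a drift check.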
Given that all of these safeguards were provided with a gradual roll-out plan, our client had minimal disruption. Although these controls may seem basic individually, once combined they create a substantial barrier against phishing and malicious emails.
When we look at the controls in place, we can give a qualitative rating of the mitigation measures we have put in place; it's very hard to assign a £ value to this. Long term, the solution is permanent and the client is happy with the safeguards.
What we can learn from this
Our client requested a consultation from a qualified Cyber Security Consultant for a small project. It has been a particularly interesting one because there has been such a strong focus on one particular threat vector.
- Don't assume a single silver-bullet solution exists; sometimes anti-malware products may claim one does, but the reality is far different. Defence in depth is always the key to cyber security success.
- Making changes to endpoint machines is time consuming; ensure you have the manpower available.
- A sound cyber security methodology is always based on multiple layers of security.
- Prevention is always better than cure, but this does not mean throwing everything including the kitchen sink into the mix. You need to select technical controls that won't have a detrimental effect on user productivity, and all changes need a check and balance mechanism.