The many problems facing modern cyber security. Leaks of personal information for phishing fraud, malicious documents with embedded malware payloads, and the "endless threats" spreading inside and outside organizational networks: the key to solving them is an information security solution with advanced inspection capability able to confront these threats, together with strong redaction (concealment of information) and sanitization (removal of information) functions.
In the last few years, we’ve seen digital transformation take over the mindset of businesses and there has been a huge push to ensure that organizations in all sectors are adopting technology that is at the forefront of innovation. Every sector from marketing to manufacturing now has some aspect of digitalization and we’re seeing everything from AI to quantum computing being embraced to leverage greater efficiency, service and profitability.
However, in the race to adopt, many organizations are failing to recognize the impact of emerging technologies on cybersecurity. Nowhere is this more applicable than in the CNI space – where our nation’s most critical data resides – where it’s vital that the security measures match that of the technology that has been introduced. While email security will always be important to the protection of data, it might not align with the use of messaging apps to share files. The secure firewall protecting data servers probably doesn’t extend to the data being used to train an automated risk management platform.
So out of the myriad new technologies being introduced into the CNI space, which pose the biggest risk?
IoT is now a fact of life. From our phones to our fridges, from fitness monitoring to coffee machines, IoT is everywhere, and this goes for the CNI space too. More and more we’re seeing an integration of IoT into everyday operations and processes – everything from the monitoring of industrial equipment to medical equipment to defense communication systems. IoT can certainly help organizations become more effective – but it also creates new risks and threats to critical infrastructure and services.
Because of IoT, more sensitive data is being shared digitally and at a fast pace. The data being stored by any company using IoT is more extensive than ever, so if there was an attack on the system, billions of data points could be compromised. For example, we have seen pirates hacking into IoT-enabled freight systems in order to access the larger network, steal bills of lading and identify the most valuable cargo aboard specific container ships.
Many companies only think about the individual device and forget that one device connects to an entire ecosystem. An IoT-enabled freight device is also connected to the whole shipping operation and to the entire network of similar devices, databases and reports that its data feeds into. One small compromise can result in the larger system falling victim to the cyber-attack. Security is only as strong as the weakest link.
AI is changing the way businesses operate. From the factory floor to back-end IT, automation is increasing speed and productivity, constantly learning and developing based on the vast quantities of data it processes. In theory then, AI is the perfect solution for cybersecurity where security monitoring data is growing at an almost exponential rate and conventional methods of processing it are starting to fail – something malicious actors recognize and are developing new methods of attack to take advantage of.
However, AI can also be (ab)used by a malicious player, causing catastrophic consequences. For example, last year, Darktrace identified an attack against one of its customers that used AI to observe and learn patterns of user behavior inside a network so it could go on to mimic this and blend into the background so as not to be spotted by security tools. Going undetected, this allows cybercriminals to infiltrate networks for longer periods of time and gain access to an organization’s most critical data. With AI being used in healthcare to augment diagnosis, what would be the impact if this was compromised?
The recent arrival of 5G, with significantly faster speeds, increased capacity and lower latency, will change existing operating environments forever. However, these benefits come at the expense of growth in the attack surface. The 5G-enabled devices and networks that underpin CNI operation could be compromised by new and traditional attacks, causing major chaos.
For example, the increased speed of a 5G network could be more readily used in a DDoS-style attack. Furthermore, as the increased bandwidth drives greater use, the network itself will become a greater target. Where systems rely on real-time and continuous communication of data from large numbers of sources, for example in transportation networks, this has the potential to create chaos. And if we think about the future of this sector, with greater numbers of autonomous vehicles on the road – which will rely heavily on 5G connections for data transfer and decision making – there are potentially life-threatening consequences to an attack.
The first step is to understand what the new technologies are and then to look at the potential risks and consequences. Only after this is it possible to plan to mitigate the risk. When it comes to CNI, it might be thought that the Government would put in place, and rapidly change, regulations guarding its safety. However, this is not the case – for many reasons, including competitive advantage and the need to synchronize regulations with the EU and/or the rest of the world. Threats change at a much greater pace than governments can react. So, the onus is put on organizations to ensure that the adoption of new technologies is done in a secure manner, whether the organization is the MoD, an electricity company, or the supplier of a widget to a CNI organization.
Unfortunately, there is no silver bullet when it comes to cyber-security, but there are three areas which need to be addressed:
Education is everything in the fast-changing world of technology. Organizations must ensure they understand the risks of any new technology they install, as this will be key to properly securing it. This is not just the IT team: everyone working with critical data and new technologies needs to understand the risks and how to mitigate them as well. Regularly read up on the risks of new technologies and have the security team hold sessions that explain how an attack could occur and what to do if one is suspected. The goal is to develop a culture that encourages innovation but is also aware of the risks new technology can bring, in order to keep information safe.
Establish clear processes for implementing new technologies. For example, make it mandatory for the security team to be involved in every discussion about investing in technology so they are aware of what they need to do in order to prepare to secure the devices and the data at the point of installation. Ensure there are processes in place for when there is a problem: who to contact, and what the chain of events is to minimize the impact.
Technology is there as the last line of defense, to help enforce policies and ultimately to keep people and information safe. Use established security technology to protect data at every point. For example, traditional email and web security solutions – such as Clearswift’s SECURE Gateways – can be integrated into new scenarios to ensure there is some level of security for new technologies. For systems connecting to the Internet through the network, traffic and the destination can be monitored. Clearswift’s Deep Content Inspection and Adaptive Data Loss Prevention (A-DLP) solution has capabilities that go far beyond traditional DLP and network security. For example, features such as anti-steganography can guarantee that images are not used to convey malware or to leak sensitive information, while OCR can ensure that information is not leaked using images from multi-function printers and screen grabs.
Adoption of new technologies is the way forward; we can’t stay static to stay safe, but it is vital that organizations handling critical data, such as that within CNI organizations, are certain that their security measures are good enough to battle against the risks opened up by emerging technologies.
Cybersecurity is probably the most rapidly changing area of IT, and cyber-criminals are becoming increasingly more sophisticated in their bid to breach an organization's security and steal their crown jewels - their information. Traditional Data Loss Prevention (DLP) technology provides protection against the traditional threat of someone trying to send a file to an unauthorized individual, but it required a step change to enable Adaptive Data Loss Prevention with Deep Content Inspection (DCI) to address threats such as ransomware that is delivered embedded in innocuous-looking documents.
Clearswift delivered its first version of Adaptive Redaction in 2013 and has continuously improved the technology in every release since then. It was developed to modify the content of files on-the-fly to ensure continuous collaboration is achieved without the danger of critical information being shared with unauthorized individuals, or malicious content being received. However, new threats are emerging which need to be addressed, and image-based threats are at the forefront.
We often don’t give images a second thought. We download them every day and use them in presentations and documents all the time. But in today’s world of digital collaboration, what sorts of risks can they pose and how can those threats be mitigated?
These days the multi-function printer inside most organizations enables remote printing, standard photocopying and scanning to send as an attachment in an email. This last feature is the one which creates one of the latest risks currently being exploited. When the device scans the document, it typically creates a PDF – but each page in the document is actually an image. These images are not picked up and analyzed by most security or traditional DLP solutions, meaning those PDFs become a data loss risk. Any sensitive or confidential document can be readily copied into a PDF and sent out of the organization without being detected.
Optical Character Recognition (OCR) is a technique for analyzing images and extracting the text so that it can then be processed in the same way as a normal electronic document using DLP functionality. This issue with images is not restricted to scanned documents. Other techniques such as ‘screenshots’ can also be used to turn critical information into an image such as a JPEG, which is then shared via email or a Cloud collaboration application without being detected. OCR enables images to be analyzed so that DLP can prevent the data leak. OCR is available as an option for the Clearswift SECURE Email Gateway today, and for the Clearswift SECURE Web Gateway and Clearswift Endpoint DLP solution later this year.
A further enhancement to OCR analysis enables redaction of text in images, removing only the information which breaks policy by drawing a black box across the words. This is equivalent to the Clearswift Data Redaction option, but has now been extended to cover text in an image. With our DCI engine recursing by default to 50 levels deep, the image can be embedded in an Excel spreadsheet, which is embedded in a Word document, which is scanned to PDF, then shared via a ZIP archive attached to an email – Clearswift will detect the image, analyze it and redact any sensitive information, allowing the ‘safe’ file to continue to the recipient.
Images can also be used to ‘hide’ information in different ways. Some of this can be found in the document properties, for example the geographical coordinates of where the picture was taken. This information can be used to identify locations, and there have been a number of incidents of military personnel inadvertently leaking information through this means, or of poachers using location data to track big game.
Document properties can also be subverted by a malicious insider to convey sensitive information outside the organization without suspicion. Document Sanitization is a technique that removes document properties to prevent that mechanism of data loss. Policy granularity means that only those properties which have been authorized are allowed through; the others are removed.
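The location-metadata leak and the sanitization step described above, as an added example that is not Clearswift's code; it relies only on the JPEG/Exif container layout (no image library) and constructs its own sample file with a GPS IFD:

```python
"""Find GPS coordinates in a JPEG's Exif metadata and strip that metadata.
Added example, not Clearswift's code: it walks the raw JPEG segment structure, so no
image library is needed; the sample file is constructed by hand with the Exif/GPS
layout a phone camera writes."""
import struct

SOI, EOI, SOS, APP0, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE0, 0xFFE1
GPS_IFD_POINTER = 0x8825                      # IFD0 tag that points at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
# APP1..APP15 (Exif, XMP, ICC, IPTC/Photoshop) and COM carry metadata, never pixels.
# APP0 (JFIF) is kept so strict decoders still accept the file. Caveat: dropping
# APP2 (ICC profile) can shift colour rendering slightly; keep 0xFFE2 if that matters.
METADATA_MARKERS = {0xFFE0 + n for n in range(1, 16)} | {0xFFFE}


def iter_segments(data):
    """Yield (marker, raw segment bytes) after SOI. The SOS segment is yielded
    together with everything after it (entropy-coded data and EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack_from(">HH", data, pos)
        if marker == SOS:
            yield marker, data[pos:]
            return
        yield marker, data[pos:pos + 2 + length]   # length counts itself, not the marker
        pos += 2 + length


def _ifd_entries(tiff, u16, u32, offset):
    """Yield (tag, type, count, offset of the 4-byte value field) for one IFD."""
    for i in range(u16(offset)):
        entry = offset + 2 + 12 * i
        yield u16(entry), u16(entry + 2), u32(entry + 4), entry + 8


def _to_decimal(dms, ref):
    degrees = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -degrees if ref in ("S", "W") else degrees


def exif_gps(data):
    """Return (latitude, longitude) in decimal degrees from the Exif GPS IFD,
    or None when the file carries no position."""
    for marker, seg in iter_segments(data):
        if marker != APP1 or seg[4:10] != b"Exif\0\0":
            continue
        tiff = seg[10:]                       # TIFF block; all Exif offsets are relative to it
        endian = "<" if tiff[:2] == b"II" else ">"
        def u16(o): return struct.unpack_from(endian + "H", tiff, o)[0]
        def u32(o): return struct.unpack_from(endian + "I", tiff, o)[0]
        gps_ifd = next((u32(val) for tag, _, _, val in _ifd_entries(tiff, u16, u32, u32(4))
                        if tag == GPS_IFD_POINTER), None)
        if gps_ifd is None:
            return None
        fields = {}
        for tag, typ, count, val in _ifd_entries(tiff, u16, u32, gps_ifd):
            if typ == 2 and count <= 4:       # ASCII ref ("N\0", "W\0"), stored inline
                fields[tag] = tiff[val:val + count].rstrip(b"\0").decode("ascii")
            elif typ == 5 and count == 3:     # deg/min/sec as three RATIONALs at an offset
                off = u32(val)
                fields[tag] = [u32(off + 8 * i) / u32(off + 8 * i + 4) for i in range(3)]
        if GPS_LAT in fields and GPS_LON in fields:
            return (_to_decimal(fields[GPS_LAT], fields.get(GPS_LAT_REF, "N")),
                    _to_decimal(fields[GPS_LON], fields.get(GPS_LON_REF, "E")))
        return None
    return None


def strip_metadata(data):
    """Sanitize: drop every APP1..APP15 and COM segment. Tables and scan data are
    untouched, so the picture decodes to exactly the same pixels."""
    out = bytearray(data[:2])
    for marker, seg in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += seg
    return bytes(out)


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test file: SOI, JFIF APP0, Exif APP1 holding a GPS IFD, a stub SOS
    and EOI. Not a decodable picture; only the container layout matters here."""
    ifd0_off = 8                              # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4           # IFD0 = count + one entry + next-IFD link
    rat_off = gps_off + 2 + 4 * 12 + 4        # GPS IFD = count + four entries + link
    tiff = b"II*\0" + struct.pack("<I", ifd0_off)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_off)
    tiff += struct.pack("<I", 0) + struct.pack("<H", 4)
    tiff += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\0\0\0"
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, rat_off)
    tiff += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\0\0\0"
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, rat_off + 24) + struct.pack("<I", 0)
    for dms in (lat_dms, lon_dms):            # numerator/denominator pairs, 4 decimal places
        tiff += b"".join(struct.pack("<II", round(v * 10000), 10000) for v in dms)
    exif = b"Exif\0\0" + tiff
    app0 = struct.pack(">HH", APP0, 16) + b"JFIF\0\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = struct.pack(">HH", APP1, len(exif) + 2) + exif
    sos = struct.pack(">HH", SOS, 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return struct.pack(">H", SOI) + app0 + app1 + sos + struct.pack(">H", EOI)
```

Running `exif_gps(build_sample_jpeg((51, 30, 26), "N", (0, 7, 39), "W"))` reports the constructed position, and `exif_gps(strip_metadata(...))` on the same bytes returns `None` while the JFIF header and scan data survive.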
A technique called steganography can also be used to hide information in images. Tools subtly change the image by encoding and embedding the data such that, to the naked eye, there is no visible difference; the image can then be sent out, exfiltrating the information. A standard-size image can easily hide several thousand customer contacts or account numbers. In this case, OCR will not remove the risk, as the image isn’t a picture of the text. Steganography is an interesting technique because it is virtually impossible to tell whether data has been hidden in an image. However, Clearswift’s anti-steganography functionality disrupts the image such that no data can be extracted, while the image, to the naked eye, remains the same.
Furthermore, steganography is also used by botnets to communicate over the inbound traffic flow and to download malicious payloads to general-purpose malware. The same anti-steganography techniques can be used to disrupt that communication channel and keep the organization safe.
Images are often overlooked; however, a new generation of threats is emerging that uses them. Clearswift’s advanced threat protection and DLP functionality can mitigate the threat, helping the organization stay safe.
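The disruption idea behind the two steganography paragraphs above, as an added example rather than Clearswift's own implementation: it scrubs the least-significant-bit plane of a decoded 8-bit sample buffer (a constructed carrier here) and measures both the visual impact and how much of the original LSB plane survives. It assumes spatial-domain LSB embedding; payloads hidden in JPEG DCT coefficients would need re-encoding, which it does not attempt.

```python
"""Anti-steganography by LSB-plane disruption: overwrite the least-significant bit
of every pixel sample with a fresh random bit, so a payload hidden in those bits is
destroyed while no sample moves by more than 1/255 and the picture looks identical.
Added example, not Clearswift's implementation. Works on a decoded 8-bit sample
buffer (grayscale or interleaved RGB); the carrier below is constructed. Assumes
the hidden data lives in the spatial LSB plane (JPEG DCT-domain hiding would need
re-quantisation/re-encoding instead)."""
import math
import random
import secrets


def lsb_plane(samples):
    """The least-significant bit of every sample, as a list of 0/1."""
    return [s & 1 for s in samples]


def disrupt_lsb(samples, rng=None):
    """Return a copy whose LSBs are replaced by random bits (CSPRNG by default;
    pass a seeded random.Random for reproducible tests)."""
    bit = rng.getrandbits if rng is not None else secrets.randbits
    return bytes((s & 0xFE) | bit(1) for s in samples)


def max_abs_diff(a, b):
    """Largest per-sample change between two buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


def psnr_db(a, b):
    """Peak signal-to-noise ratio for 8-bit samples; anything above ~48 dB means
    no sample moved by more than 1, far below what the eye can see."""
    mse = sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)
    return math.inf if mse == 0 else 10 * math.log10(255 ** 2 / mse)


def plane_agreement(a, b):
    """Fraction of positions whose LSB is the same in a and b: 1.0 means a hidden
    plane survived intact, about 0.5 means it is now indistinguishable from noise."""
    return sum(x == y for x, y in zip(lsb_plane(a), lsb_plane(b))) / len(a)


def make_carrier(n, seed=1):
    """Constructed 'image': n samples of smoothly varying content whose LSB plane
    holds a structured pattern (alternating 0/1), standing in for embedded data."""
    rnd = random.Random(seed)
    return bytes((((i * 7 + rnd.randrange(3)) % 256) & 0xFE) | (i & 1) for i in range(n))


def scrub(samples, seed=None):
    """Disrupt the LSB plane and report how invisible the change is and how
    thoroughly the original plane was destroyed."""
    rng = random.Random(seed) if seed is not None else None
    out = disrupt_lsb(samples, rng)
    return {"scrubbed": out,
            "max_change": max_abs_diff(samples, out),
            "psnr_db": psnr_db(samples, out),
            "lsb_agreement": plane_agreement(samples, out)}


if __name__ == "__main__":
    report = scrub(make_carrier(4096), seed=42)
    print({k: v for k, v in report.items() if k != "scrubbed"})
```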
Regardless of your thoughts on Brexit, it can’t be denied that the drawn-out process has created mass confusion as firms rush to prepare for an unpredictable future. Because of this, we decided to survey IT decision-makers in UK enterprise organizations to determine the effect an uncertain Brexit has had on cybersecurity spending habits.
Our data shows that 53% of firms are increasing their cybersecurity budgets in preparation for a rise in threats once we leave the EU. Businesses anticipate that cybercriminals will seek to use confusion to their advantage, whether through malware attacks or targeted phishing campaigns to extract critical data or financial gain from organizations.
So, what are the top 5 post-Brexit threats identified by businesses?
Malware is a broad term encapsulating the myriad of techniques cybercriminals use for gaining access to critical data – whether it may be a Trojan horse, spyware or one of the many other forms of malicious code. While the means may vary, the objective remains the same: to gain access to the corporate network to steal data. The warning signs of a compromised network (missing files, changed login credentials, etc.) can be detected by a trained eye, but these signifiers may be misinterpreted as ‘business as usual’ amongst firms rushing to adapt to the changes Brexit brings.
To mitigate this risk, organizations must have advanced email and web security solutions deployed to ensure malware does not disrupt business, as well as threat detection systems to assist in the identification and quarantine of malware. Advanced email and web solutions can mitigate the risk, as they have the ability to automatically remove malicious links detected in email and attachments, or from documents downloaded from the web, before the threat executes within the corporate network. This protects the organization from staff mistakenly clicking on malicious links, which is the most common reason cyber-attacks succeed.
Phishing attacks epitomize the ‘cast a wide net’ approach to cybercrime. An example of this is ‘spear-phishing’ attacks on targeted firms. This involves an email being sent to employees at a firm – ostensibly from the CEO or CFO – asking employees to share sensitive bank account information or requesting funds be transferred into a spoofed bank account. Whilst these are significantly less effective (on a 1:1 scale) than some of the more insidious forms of hacking, what they lack in refinement, they make up for in scale.
It only requires a single worker to fall for the ruse. To offset this, employees need to be educated on the signs to look out for in a phishing email as part of an ongoing cyber training program. In addition, employing technology such as Adaptive Redaction will ensure that any employees who might take the ‘bait’ are incapable of sharing critical information or credentials, as the technology will automatically redact sensitive information being sent to a recipient that is not authorized to receive it. The technology is automated and acts as a failsafe to ensure that no sensitive data can be leaked from within the network, either intentionally or otherwise.
As one of the fastest growing forms of cyber-attack, ransomware poses a serious threat to firms post-Brexit. Ransomware is malicious code loaded onto a network to isolate critical data; the hackers then demand a hefty ransom either to release it back to the firm or, in some cases, to destroy it rather than share it with competitors. Cybercriminals will frequently pose as clients or partners via email and will seek to obfuscate and confuse employees into opening a file containing the malicious code. As Brexit looms, one method of attack could involve would-be hackers posing as ‘official’ comms or Brexit-orientated advisors, in an attempt to gain entry to a corporate network.
These attacks can be prevented through employee education sessions on how to identify these dangerous emails, as well as having an advanced threat protection solution installed to detect and strip malicious code before it penetrates the network.
As the world has changed, so have its battlefields. Once, nations duked it out through their conventional militaries, but in the 21st century, many nations’ resources have shifted from tangible materials to the more ethereal. Intellectual property, industrial secrets, cyber-currency and critical data are all targets for nation-state sponsored cyber-attacks, often intended to disrupt national infrastructure, weaken economies and generally cause trouble for opposing states. Firms with globalist ambitions or foreign rivals are particularly susceptible to attack from these threats, but that’s not to say that other businesses cannot be affected.
As nation-state attacks can vary broadly in their methodology, organizations must ensure that every aspect of their corporate network is secured against an attack. Many firms may not realize they are part of a nation’s critical national infrastructure but act as an important facet of the overall supply chain, making them a target for nation-state attacks. A key example would be the Norsk Hydro-owned aluminium plants, which were forced to shut down for a number of days following a hack that left them unable to continue production safely. Whilst the hack later turned out to be a ransomware attack, the inability of these factories to produce key supplies is indicative of the potential disruption a state-sponsored cyber-attack can bring.
Although not commonly thought of as an aspect of cybersecurity, compliance with ever-changing regulations is a critical facet of a strong cyber defense. Firms may be charged with incredibly damaging – indeed, even business-destroying – fines if they are found to not be complying with the latest regulations. As the fines levied in the wake of GDPR have shown, even seemingly inconsequential actions such as sending an email to the wrong recipient could have staggeringly devastating consequences, with fines of up to €20m or 4% of annual turnover.
This is driving the increased take-up of advanced data loss prevention technology that can support organizations in automatically protecting sensitive information from being shared outside of the corporate network, including detecting whether an email is being sent to an unauthorized recipient, thus negating the possibility of a breach of data regulation legislation.
As Brexit confusion increases and Britain’s future remains uncertain, firms must ensure that they are prepared for a rise in cyber-crime from opportunists seeking to exploit the chaos and confusion leading up to the UK’s withdrawal from the EU.
In our last blog post, we discussed the risk of receiving unwanted sensitive data by email and of sharing sensitive information internally between different departments of the company, and hence the need for advanced data protection capabilities for both on-premises email systems and Microsoft Office 365 (O365) environments to mitigate those risks. However, when it comes to information security, the risk of receiving unwanted or accidental sensitive data is not the only one companies should be wary of. Microsoft Office 365 has been adopted so quickly by so many sectors and companies of every size that the platform has become a favourite target for cybercriminals.
The UK National Cyber Security Centre (NCSC) recently published an advisory report reviewing the means cybercriminals use to compromise the O365 platform and to turn compromised O365 accounts into financial gain. The report reveals that attacks on business email, including O365, cost companies more than $5.3 billion in losses between 2013 and 2016.
Clearswift's own research found that spear-phishing emails are regarded as the most dangerous threat to businesses across all email platforms. In fact, the scheme most often deployed by attackers to gain access to O365 accounts is the targeted phishing attack, in other words spear-phishing or social engineering.
To carry out a spear-phishing attack, a cybercriminal sends one or more emails to employees. These emails appear credible, often apparently sent by senior managers or suppliers, and invite the recipient to click a link that is in fact malicious. After clicking the link, the employee is redirected to a spoofed login page that lets the attacker harvest sensitive information, in particular the login credentials the employee has unwittingly supplied. Armed with that information, the attacker can then steal sensitive information stored in the cloud, impersonate the account holder, send further spear-phishing emails from a legitimate account, or deliver a ransomware payload across the network. These kinds of attack are often detected late, giving the attacker time to steal the information that will let them cause major damage to any company.
Breaking into an account using a sequence of obvious passwords is another means commonly used by cybercriminals to gain access to the O365 environment. Although one of the strengths of the O365 cloud platform is its universal accessibility for employees, this can also pose a security threat, because cybercriminals then enjoy the same kind of access. If an attacker obtains an employee's password, they can instantly access that employee's account and then the whole O365 environment.
Because the platform is designed to make remote access easy, unauthorized access to accounts is not identified instantly, which makes things much easier for attackers, who can therefore make many login attempts to get into an account. Moreover, targeting one employee at a time rather than every employee in a company further reduces the risk of detection, so that once they have gained access to one account, a cybercriminal can very easily move through the company's systems.
Gaining access to a specific employee's account lets a malicious individual browse documents and databases and then steal sensitive information stored on the platform and in emails. The attacker can also set up forwarding rules so that the compromised account sends copies of received and sent emails to a third-party email address without this being detected.
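A defender's check for the forwarding-rule persistence described above, as an added example that is not Clearswift's code; it uses a constructed, simplified rule schema (the field names are assumptions, not Microsoft's API objects) and flags rules that send mail outside the organisation's domains:

```python
"""Audit mailbox inbox rules for auto-forwarding to external addresses, the
persistence trick described above. Added example, not Clearswift's code. The rule
records use a constructed, simplified schema (not Microsoft's API objects): export
the tenant's rules into this shape and run the audit over them."""

ORG_DOMAINS = {"example.com"}       # constructed: domains the organisation owns

SAMPLE_RULES = [                     # constructed export of four mailbox rules
    {"mailbox": "alice@example.com", "name": "File newsletters", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete_message": False},
    {"mailbox": "alice@example.com", "name": ".", "enabled": True,
     "forward_to": ["backup.mail@webmail.example"], "redirect_to": [],
     "delete_message": True},
    {"mailbox": "bob@example.com", "name": "Share with finance", "enabled": True,
     "forward_to": ["finance@corp.example.com"], "redirect_to": [],
     "delete_message": False},
    {"mailbox": "carol@example.com", "name": "Old rule", "enabled": False,
     "forward_to": [], "redirect_to": ["carol.home@isp.example"],
     "delete_message": False},
]


def is_external(address, org_domains=ORG_DOMAINS):
    """True unless the address's domain is an org domain or a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in org_domains)


def audit_rules(rules, org_domains=ORG_DOMAINS):
    """Return one finding per rule that forwards or redirects mail outside the
    organisation, listing the traits that make such a rule look attacker-made."""
    findings = []
    for rule in rules:
        targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
        external = [t for t in targets if is_external(t, org_domains)]
        if not external:
            continue                 # internal-only forwarding is a policy question, not a compromise sign
        reasons = ["sends mail to external address(es): " + ", ".join(external)]
        if rule.get("delete_message"):
            reasons.append("deletes the message afterwards, hiding the copy from the owner")
        if len(rule.get("name", "").strip()) <= 1:
            reasons.append("blank or single-character rule name, often seen in attacker-created rules")
        if not rule.get("enabled", True):
            reasons.append("currently disabled; dormant rules can be re-enabled later")
        findings.append({"mailbox": rule["mailbox"], "rule": rule.get("name", ""),
                         "severity": "high" if rule.get("enabled", True) else "medium",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f["severity"].upper(), f["mailbox"], repr(f["rule"]), "-", "; ".join(f["reasons"]))
```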
Since many employees use one password to access multiple platforms and services, attackers only need to steal or guess one password to gain access to a whole range of information. Multi-factor authentication (MFA) adds an extra layer of protection to the O365 platform by requiring a second, or in some cases where the information is highly sensitive a third, password that prevents an attacker from accessing an account even if they have passed the first identification step. A second factor is then used to verify that the login is legitimate. This can be another password, characters from a passphrase, a security token or an app with a constantly changing number, a fingerprint, facial recognition or even an iris scan.
Training employees in the signs of malicious activity conducted through email reduces the risk that they click the malicious links that enable phishing attacks. Lunchtime sessions, webinars and threat guides for staff are effective ways to raise awareness and educate employees. Combining threat-prevention sessions with best-practice handling of sensitive data will help strengthen the company's overall security. Running a cyber security session with the IT team when onboarding new staff will better prepare them to understand and comply with the company's security policies and procedures.
Integrating advanced threat-prevention and data-protection capabilities into O365 enhances the platform's existing security features. Clearswift's complementary solution for O365 can be easily deployed to inspect in depth all the content of inbound, outbound and internal email traffic passing through the platform, in both the messages and their attachments. The solution automatically detects and redacts malicious URLs and sensitive data (PII, PCI data, etc.) in real time. It delivers communications cleansed of any danger rather than blocking them outright for audit and review. The Adaptive Redaction feature removes embedded malicious code or sensitive information before the email reaches the employee's inbox. There is therefore less risk of clicking a malicious link in a phishing email, or of sending or receiving sensitive information by mistake and causing a company-wide data leak.
Taking advantage of the ability to add third-party applications to strengthen the security of an O365 platform will improve the protection of critical data stored in the cloud while letting employees do their jobs without disruption.
In recent years, Microsoft Office 365 (O365) has pulled ahead of the competition as the most widely used cloud service for businesses, and the latest surveys indicate that adoption of the O365 platform keeps growing.
Beyond its impressive adoption rate, the Microsoft platform has also helped drive the evolution of business technology, to the point where companies now depend on cloud technology to operate. However, even though migrating to the cloud makes business collaboration more flexible and streamlined, no sensitive data stored in the cloud can be regarded as fully protected against cyber security risks.
Although the O365 platform includes basic security features that protect against spam, malicious code and data leaks, several gaps in O365's information security could potentially harm the company if they were exploited by cybercriminals or by employees.
Whether inadvertently or maliciously, employees who receive sensitive data, or who share customer information between different departments of the company, can compromise the business. That is why it is important that companies have both inbound and outbound protection and deploy internal security measures to reduce the threat of receiving unwanted sensitive data via the O365 platform.
Fortunately, O365 was designed so that third-party solutions, notably Clearswift's Adaptive Data Loss Prevention (A-DLP) solution, can enrich the platform and provide the advanced information security capabilities that are now essential in the era of digital business collaboration.
O365's security features cannot go as far as the situation demands in today's information world. Although these security features can prevent critical data contained in an email from leaving or entering the platform, they fall short when it comes to inspecting in depth all the attachments that may also contain sensitive customer data (including PII and PCI data, bank account details, medical records, etc.). In addition, the O365 platform relies on the classic method of stopping and blocking emails that contain sensitive information, which impedes the flow of communication and therefore the smooth running of the business.
By integrating Clearswift's A-DLP solution into an O365 platform, companies are assured that no sensitive data will be shared, without preventing communications from reaching their destination. Clearswift's powerful Deep Content Inspection engine and unique Adaptive Redaction technology inspect every message and attachment as part of Adaptive Data Loss Prevention (A-DLP). These capabilities check for sensitive data, active code and hidden metadata in messages entering the O365 environment, remove only the sensitive or untrusted information and then let the rest of the communication continue on its way. Every message sent or received is thereby secured and cannot compromise the company's compliance.
Taking a screenshot of a spreadsheet or other document and sending it as an image is now a common way of sharing data within a company. Sensitive information contained in these image files often escapes detection by most security systems, so sensitive information in these formats can leave the company and be disclosed without authorization. Clearswift's Optical Character Recognition (OCR) capability detects sensitive information contained in images in JPG, TIFF, BMP, PDF and other formats and prevents that sensitive data from being distributed without authorization. In addition, Clearswift's anti-steganography feature can inspect content hidden in an image and remove from the file any sensitive information attached to it, isolating unwanted sensitive data or malicious code wherever it may be.
Although O365 has played a leading role in the digitalization of business, advanced information security capabilities remain essential to keep companies secure in today's data-driven business environment. Companies should take the opportunity to strengthen the security of their information assets on their O365 platform by adding third-party solutions that will safeguard the information that matters most to them.
The need for a stronger defense against security threats is greater than ever, as data-driven crimes such as identity theft and corporate espionage grow each year. Recent data breaches at giants such as British Airways and Facebook underline the danger facing companies that store data and the need for a more comprehensive attitude towards data security.
One security method that is becoming increasingly popular within businesses is multi-factor authentication (MFA). MFA comes in many forms, both hardware (a fingerprint reader, a retinal scan or simply a fob) and software (for instance, identifying characters from a separate passcode, or a code-generating app). With a wide range of options to choose from, companies need to decide, based on their product or service, market and threat landscape, which of these best suits their needs.
In theory, multi-factor authentication acts as a strong second line of defense against an attacker who has obtained a password; in practice, the system is only as secure as the person using it. People often look for a quicker, more convenient way to get through the MFA step. For example, a worker may choose the same passcode for both their login and their second factor. Consequently, any breach that exposes the employee's login details also nullifies their MFA.
Another potential issue is that the authentication system is only as secure as the technology supporting it. In the case of the Reddit data breach, employees logged in with both a password and a generated code. The flaw was that the code was delivered over the SMS network, which is prone to connectivity issues and can be intercepted by third parties (SIM swapping and weaknesses in the carrier signalling network are the usual routes). In that case, the intercepted codes let the attackers reach an older, discontinued database backup containing messages, email addresses and login credentials, all of which could be used to access private information, including banking information. Multi-factor authentication, then, is not only as strong as the person operating it; it is only as strong as the technology it is built on.
Despite this bleak outlook, it should not be assumed that MFA is ineffective. No security system is entirely foolproof, but you can make your data far more secure by implementing tiered security, wherein MFA acts as one line of defense but does not constitute the entire security solution. A strong security system should contain: firewalls to limit how easily malicious software can enter the network; a multi-factor authentication system; and a data protection system such as Clearswift's Adaptive Data Loss Prevention solution which, using the unique Adaptive Redaction feature, automatically detects and removes sensitive data that someone attempts to share outside the corporate network (through email, web and business collaboration applications) while letting the rest of the communication take place. In addition, Clearswift can remove malicious links and active code embedded in email attachments or in documents and files downloaded from websites, so that an attempt to steal login credentials via a phishing attack or to deliver a ransomware payload is thwarted at the boundary. Most importantly, employers should educate their employees about cyber attacks and data breaches; left to their own devices, many employees will try to maximize their own efficiency by choosing deliberately easy authentication methods.
There is no comprehensive ‘silver bullet’ solution to the current-day realities of cybersecurity. Multi-factor authentication is a valuable tool, but, as we have seen, is only as strong as the technology it is built upon, and as secure as the employees who use it. Consequently, companies must face the difficult task of balancing security with employee efficiency based on their own interpretation of the dangers facing their data. The strongest systems will employ a tiered system constructed from multiple layers of security protocols, wherein multi-factor authentication acts as a link in a chain, as opposed to being the sole line of defense.
In our last blog, we explored the risk of receiving sensitive data unauthorized via email, the sharing of sensitive information internally across departments, and the need for advanced data protection features within both on-premises email systems and Microsoft Office 365 (MO365) environments to mitigate these risks. However, unwanted or accidental acquisition of sensitive data is not the only information security threat organizations should be wary of. Because Microsoft Office 365 has been rapidly adopted across so many sectors and by organizations of all sizes, it has become a prime target for cybercriminals.
The National Cyber Security Centre (NCSC) has recently published an advisory report that explores the ways MO365 can be compromised by malicious parties, explaining how cybercriminals use compromised MO365 accounts for financial gain. It reports that attacks on business email, including MO365, cost businesses over $5.3 billion in losses between 2013 and 2016.
Research conducted by Clearswift found that phishing emails are seen as the most dangerous threat to businesses across all email platforms. In fact, the most common way hackers gain access to MO365 accounts is through targeted phishing attacks – also known as spear phishing.
To execute a spear phishing attack, a cybercriminal sends one or more emails to employees that appear to come from a trusted source, often a C-suite executive or a supplier, asking them to click a link. The link takes the employee to a spoofed login page, where the attacker harvests whatever the unsuspecting employee types in, including their login credentials. With those credentials the attacker can steal sensitive information held in the cloud, impersonate the account holder, send further spear phishing emails from a legitimate account, or deliver a ransomware payload into the network. Such attacks often go undetected long enough for the attacker to take what they need to cause major disruption to the business.
Another common way into a MO365 environment is to force entry with a sequence of obvious passwords, tried repeatedly against one account (brute force) or, one attempt at a time, against many accounts (password spraying). While one of the benefits of the MO365 cloud platform is that employees can reach it from anywhere, that same accessibility is available to attackers: anyone who learns or guesses an employee's password gets instant access to the account and to the broader environment.
Because MO365 is designed for remote access, an unauthorized login does not stand out on its own, which makes it easier for attackers to try multiple logins until one succeeds. Targeting one employee at a time, rather than everyone in the organization, reduces the chance of detection further, since no single account accumulates a suspicious number of failures. Once a cybercriminal has one account, it becomes much easier to move further in from the inside.
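The two login-abuse patterns described above (repeated guesses against one account, and one guess each against many accounts) need different detection logic, because the second is invisible to a per-account failure counter. The example below is added here and is not Clearswift's or Microsoft's code; the sign-in records and their field names (ts, user, src_ip, result) are constructed for the illustration and do not follow any product's log schema.

```python
import json
from collections import defaultdict

# Constructed sign-in events for illustration only (not real logs).
SAMPLE_LOG = """
{"ts": "2019-04-02T08:01:10Z", "user": "alice", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2019-04-02T08:01:12Z", "user": "alice", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2019-04-02T08:01:15Z", "user": "alice", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2019-04-02T08:01:17Z", "user": "alice", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2019-04-02T08:01:20Z", "user": "alice", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2019-04-02T08:01:23Z", "user": "alice", "src_ip": "203.0.113.7", "result": "success"}
{"ts": "2019-04-02T09:10:00Z", "user": "bob",   "src_ip": "198.51.100.9", "result": "failure"}
{"ts": "2019-04-02T09:40:00Z", "user": "carol", "src_ip": "198.51.100.9", "result": "failure"}
{"ts": "2019-04-02T10:15:00Z", "user": "dave",  "src_ip": "198.51.100.9", "result": "failure"}
{"ts": "2019-04-02T10:50:00Z", "user": "erin",  "src_ip": "198.51.100.9", "result": "failure"}
{"ts": "2019-04-02T11:30:00Z", "user": "frank", "src_ip": "198.51.100.9", "result": "failure"}
{"ts": "2019-04-02T11:31:00Z", "user": "grace", "src_ip": "192.0.2.5",    "result": "success"}
{"ts": "2019-04-02T11:45:00Z", "user": "bob",   "src_ip": "192.0.2.5",    "result": "success"}
"""

def parse_events(text):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def detect_account_attacks(events, brute_threshold=5, spray_threshold=5):
    """Return findings for brute force (many failures on one account),
    password spraying (one source failing against many accounts, a few
    attempts each) and a success from a source that was just failing."""
    fails_by_user = defaultdict(int)   # account -> failed attempts
    users_by_ip = defaultdict(set)     # source -> distinct accounts it failed against
    failed_from = defaultdict(set)     # account -> sources that failed against it
    findings = []
    for e in events:
        user, ip = e["user"], e["src_ip"]
        if e["result"] == "failure":
            fails_by_user[user] += 1
            users_by_ip[ip].add(user)
            failed_from[user].add(ip)
        elif e["result"] == "success" and ip in failed_from[user]:
            findings.append({"type": "success_after_failures", "user": user,
                             "src_ip": ip, "ts": e["ts"]})
    for user, n in fails_by_user.items():
        if n >= brute_threshold:
            findings.append({"type": "brute_force", "user": user, "failures": n})
    for ip, users in users_by_ip.items():
        # Each sprayed account fails only once, so only the per-source view sees it.
        if len(users) >= spray_threshold:
            findings.append({"type": "password_spray", "src_ip": ip,
                             "users": sorted(users)})
    return findings

if __name__ == "__main__":
    for finding in detect_account_attacks(parse_events(SAMPLE_LOG)):
        print(finding)
```

In the sample, 198.51.100.9 never fails twice against the same account, so raising spray_threshold out of reach (or only counting per account) leaves that source undetected; that is the "one employee at a time" evasion the paragraph describes. A production rule would also bucket both counters by time window so a slow spray over days is not lost among legitimate typos.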
Access to one individual’s account could allow a maliciously motivated individual to gain access to documents and databases and steal sensitive information that resides in the platform and within emails. Hackers could also set up auto-forwarding rules so that the compromised account sends copies of emails to another email address without detection.
With many employees reusing one password across multiple platforms and services, attackers have a much better chance of stealing or guessing a password and gaining access to a whole host of information. Multi-factor Authentication (MFA) adds an extra layer of protection to a MO365 platform by requiring a second (or, where the information is especially sensitive, a third) proof of identity, so that even if an attacker obtains one factor they still cannot get into the account. The additional factor should be of a different kind from the password: something the user has (a fob or an app with an ever-changing number) or something the user is (a fingerprint, facial recognition or even an iris scan). Characters from a second pass-phrase are sometimes used instead, but a second secret the user has to remember is the weakest of these options, since it can be phished, guessed or reused just like the first.
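The "app with an ever-changing number" mentioned here, and the generated code in the earlier post on MFA, is normally a time-based one-time password (TOTP, RFC 6238): an HMAC over the current 30-second counter, truncated to six digits. The example below is added here and is not Clearswift's or any vendor's code; it uses the RFC's published test secret, and the replay rule and drift window are this example's own design choices. It shows the part that SMS delivery leaves out: the code itself is fine, and what the earlier post's Reddit case attacked was the channel carrying it.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890"), used only so the
# output can be checked against the RFC; real secrets are random per user.
DEMO_SECRET = b"12345678901234567890"
STEP = 30      # seconds per counter value
DIGITS = 6

def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, at, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with counter = unix_time // step."""
    return hotp(secret, at // step, digits)

class TotpVerifier:
    """Server side: accepts a code for the current step or one step either
    side (clock drift), compares in constant time, and never accepts the
    same or an older step twice for a user (replay protection)."""

    def __init__(self, secret, window=1):
        self.secret = secret
        self.window = window
        self.last_step = {}   # user -> highest counter already consumed

    def verify(self, user, code, now=None):
        now = int(time.time()) if now is None else now
        current = now // STEP
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter <= self.last_step.get(user, -1):
                    return False          # replay of a code already used
                self.last_step[user] = counter
                return True
        return False

if __name__ == "__main__":
    print(totp(DEMO_SECRET, int(time.time())))
```

The replay check matters for the channel problem: a code captured from an SMS is only useful until the victim (or the attacker) uses it once, and only within the drift window; with a fresh secret in an authenticator app there is no message on the carrier network to capture in the first place.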
Training employees to recognize the signs of malicious activity in email will reduce the risk of them clicking on links that lead to phishing pages. Lunch-and-learn sessions, webinars and threat guides are great ways to educate and upskill staff. Combining threat prevention sessions with best practice in handling sensitive data will improve an organization's overall security posture. Building a cyber-security session with the IT team into new-employee inductions means that everyone who joins the organization starts off understanding, and complying with, company security policies and procedures.
Integrating advanced threat prevention and data protection features into a MO365 platform enhances the security capabilities it already offers. Clearswift's bolt-on solution for MO365 can be seamlessly implemented to enable deep content inspection of all email traffic through the platform, inbound, outbound and internal, in both email messages and attachments. The solution automatically detects and redacts malicious URLs in real time, as well as sensitive data (e.g. PII, PCI), so a safe version of the communication is delivered rather than the whole message being stopped or blocked. The Adaptive Redaction functionality removes embedded malware or sensitive information before the message reaches an employee's inbox, mitigating the risk of an employee clicking a link in a phishing email, or sending or receiving sensitive information in error, that could cause an organizational data breach.
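The spoofed-login-page attack described earlier and the URL redaction described here come together in one check: does the link's real target match what the reader sees, and does the host look like a trusted domain without being one? The example below is added here and is not Clearswift's code; the email body and the trusted-domain list are constructed for the illustration, and the "redaction" simply neutralises the href while keeping the rest of the message, so the communication is still delivered.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy list for this example; an organisation would use its own.
TRUSTED = ("microsoftonline.com", "example.com")

# Constructed phishing-style email body (not a real sample).
SAMPLE_HTML = """<p>Your mailbox is almost full. Sign in at
<a href="http://login.microsoftonline.com.example-auth.net/owa">https://login.microsoftonline.com</a>
to free up space.</p>
<p>Our <a href="https://www.example.com/policy">retention policy</a> explains the limits.</p>
<p><a href="http://203.0.113.10/reset">Reset password</a></p>"""

class _Anchors(HTMLParser):
    """Collects (href, visible text) for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.found = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host_of(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def under(host, domain):
    return host == domain or host.endswith("." + domain)

def looks_like_url(text):
    return bool(re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I))

def classify(href, text, trusted=TRUSTED):
    """Reason the link is suspicious, or None if it passes."""
    host = host_of(href)
    if not host:
        return "no host"
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "IP-literal host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode host"
    # Visible text is itself a URL/domain but points somewhere else.
    if looks_like_url(text) and host_of(text) != host:
        return f"link text shows {host_of(text)} but target is {host}"
    # Trusted name embedded in a host that is not actually under that domain.
    for domain in trusted:
        if domain in host and not under(host, domain):
            return f"lookalike of trusted domain {domain}"
    return None

def redact_links(html, trusted=TRUSTED):
    """Return (safe html, findings): suspicious hrefs are replaced, text kept."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.found:
        reason = classify(href, text, trusted)
        if reason:
            findings.append({"href": href, "text": text, "reason": reason})
            pattern = r'href=(["\'])' + re.escape(href) + r'\1'
            html = re.sub(pattern, 'href="#" data-redacted="1"', html)
    return html, findings

if __name__ == "__main__":
    safe, hits = redact_links(SAMPLE_HTML)
    for hit in hits:
        print(hit["reason"], "->", hit["href"])
    print(safe)
```

The first link passes every naive filter (a real Microsoft hostname appears in it) and is caught only by comparing the visible text's host with the real target; the third is caught as a bare IP. A gateway would additionally follow redirects and check reputation, neither of which this offline example does.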
Taking advantage of the ability to plug in third-party applications to improve the security of a MO365 platform will enhance the protection of critical data being stored across the cloud service while allowing employees to go about their day-to-day business without disruption.
In the last few years, Microsoft Office 365 (MO365) has eclipsed all other cloud providers to emerge as the most widely used enterprise cloud service and the latest survey data shows that adoption of MO365 is still increasing.
It is not just impressive in its adoption rates: Microsoft has also been instrumental in evolving business technology, and organizations now rely on cloud technology to function. However, while the shift to the cloud makes business collaboration more agile and streamlined, no sensitive data stored in the cloud should be considered safe from cybersecurity risks.
While the MO365 platform provides organizations with basic security features against spam and malware, and basic data loss prevention, there are a number of information security shortcomings that could damage an organization should they be exploited by cybercriminals or employees.
Whether inadvertently or maliciously, employees receiving sensitive data, or even sharing customer information internally across departments, can compromise a business. It is therefore important that organizations have inbound and outbound protection as well as internal security measures in place to reduce the threat of unwanted sensitive data acquisition through the MO365 platform.
Fortunately, MO365 was developed to allow third-party solutions, such as Clearswift’s Adaptive Data Loss Prevention (A-DLP), to integrate with the platform to enable advanced information security functionality required in today’s age of digital business collaboration.
MO365's security capabilities do not go as deep as today's information-driven world requires. While its security features can stop critical data in the body of an email from entering or leaving the platform, they do not deeply inspect attachments, which can also carry sensitive customer details (e.g. PII, PCI data, bank account numbers, medical records). In addition, MO365 applies the traditional 'stop and block' method to emails containing sensitive information, which has historically hindered business operations by interrupting the flow of communication.
By integrating Clearswift's A-DLP solution with a MO365 platform, organizations can ensure no sensitive data is shared without having to stop communications from reaching their destination. Clearswift's robust deep content inspection engine and unique Adaptive Redaction technology, as part of A-DLP, inspect every message and attachment for sensitive data, active code and hidden metadata as it enters the MO365 environment, remove only the sensitive or 'unsafe' information, then allow the rest of the communication to be delivered. This ensures that any message sent or received is secure and will not compromise the business's compliance.
A common way of sharing data within an organization is to screenshot a spreadsheet or document and send it as an image. Sensitive information inside an image file evades detection by most security systems, so sensitive information in these formats can slip through and be exposed without authorization. Clearswift's Optical Character Recognition (OCR), however, can detect sensitive information in images (JPG, TIFF, BMP, PDF and so on) and prevent it from being exposed. Furthermore, Clearswift's anti-steganography functionality can inspect an image for hidden content and sanitize the file of any information attached to it, so unwanted sensitive data or malicious code is neutralized no matter where it resides.
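The anti-steganography paragraph above (and its French counterpart earlier on the page) describes stripping content hidden in an image. The example below is added here and is not Clearswift's code; it shows the simplest form of the problem, a message hidden in the least significant bit of each pixel sample, and the sanitisation step that destroys it. The pixel buffer is a constructed gradient standing in for decoded image data, not a real photo, and the length-prefixed LSB layout is this example's own convention.

```python
# Constructed stand-in for an image: 4096 8-bit grayscale samples forming a
# smooth gradient. Real pixel data would come from decoding a BMP/PNG/TIFF.
def sample_image(size=4096):
    return bytearray(((i * 3) // 64 + (i % 5)) & 0xFF for i in range(size))

def embed_lsb(pixels, message):
    """Hide `message` in the least significant bit of successive samples,
    prefixed with a 32-bit big-endian length (a common minimal LSB scheme)."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message does not fit in the cover image")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # visible value changes by at most 1
    return out

def _read_bits(pixels, start, count):
    value = 0
    for i in range(count):
        value = (value << 1) | (pixels[start + i] & 1)
    return value

def extract_lsb(pixels):
    """Recover a message embedded by embed_lsb; returns b'' if the length
    prefix is not plausible for this buffer (no payload, or destroyed)."""
    length = _read_bits(pixels, 0, 32)
    if 32 + 8 * length > len(pixels):
        return b""
    return bytes(_read_bits(pixels, 32 + 8 * i, 8) for i in range(length))

def sanitize_lsb(pixels):
    """Content sanitisation: overwrite every sample's LSB. The image still
    looks the same (at most one intensity level off); the hidden channel is gone."""
    return bytearray(p & 0xFE for p in pixels)

def max_pixel_delta(a, b):
    return max(abs(x - y) for x, y in zip(a, b))

if __name__ == "__main__":
    cover = sample_image()
    stego = embed_lsb(cover, b"Q3 forecast: revenue 4.2M")
    print("hidden:", extract_lsb(stego))
    print("after sanitisation:", extract_lsb(sanitize_lsb(stego)))
```

Zeroing LSBs defeats only this naive scheme; a gateway that wants to remove whatever an adversary chose to hide re-encodes the image entirely (resampling or recompressing it), which is why "sanitise and deliver" is applied to the whole file rather than to one bit plane.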
While MO365 has been instrumental in the digitalization of business, it does not yet provide the advanced information security features needed to secure organizations in today's data-driven environment. Businesses should take the opportunity to increase information security within the MO365 platform by plugging in third-party solutions that keep the information of most value to the organization secure.
Downloading a document from websites and cloud collaboration applications is common practice for many businesses. The finance department downloads an invoice, the HR department a CV, and Business Development an RFP. While it is often as routine as replying to an email, employees forget that everyday documents carry active content and hidden metadata with the potential to cause major data breaches.
Whether a document is shared via email or downloaded from the web, it carries automatically generated metadata: the author's name, revision history, the name and version of the application that created it, file paths, tracked changes and, quite often, highly sensitive information that was embedded by accident and is there for everyone to see. Even metadata can be compromising when shared with people outside the organization, not only for those sharing the document but for those receiving it too. It is therefore important that employees know the security risks involved in downloading documents.
When downloading a document from the web, employees risk unwanted data acquisition: unintentionally receiving and storing critical information. Whether that information is obvious (personal or other sensitive details in the body of the document) or hidden (metadata automatically attached to it), it can lead to a number of security issues.
The first security risk to consider is the role of data protection regulations in protecting sensitive data. With the threat of business-crippling fines looming over organizations across the globe, good information governance within the network is critical.
Take, for example, company A and company B, which work together as third-party suppliers and regularly share customer invoices via a web portal. If a customer of company A submits a 'right to be forgotten' (RTBF) request, unwanted data on that individual sitting on company B's network puts both organizations at risk of non-compliance. If company B is not even aware it holds this customer's data, it cannot find or delete it when the request comes through, making it even harder for company A to complete the RTBF request. Under GDPR, every party in the supply chain is responsible for proper data handling, so both organizations risk a hefty fine.
Unwanted data acquisition goes both ways. A company does not want to receive sensitive data hidden in documents as this puts them at risk of a fine, but they also need to be aware that any documents they have on their own website could be used maliciously.
Metadata that seems unimportant to most people can be invaluable to cybercriminals. For example, a document may record which software (and which version) created it, letting an attacker target known vulnerabilities in that software. The Author Name metadata lets an attacker easily find the employee's email address, by Googling or on LinkedIn, and launch a phishing campaign against the company to steal more critical information or infect the corporate network with malware.
While it is not always considered a cyber security matter, competitor organizations are a major threat when it comes to unwanted data acquisition. Competitors can also use hidden metadata, and sensitive data acquired from documents on a website, to gain an advantage.
The first instance of this works much as a cybercriminal would use metadata. Say a company uploads a customer testimonial to its website as a document. Within the hidden metadata is author data identifying the customer who wrote the testimonial. A competitor who sees this has most of what they need to contact that customer directly and steal the business.
Then there is the inadvertent embedding of sensitive information in documents, such as a spreadsheet containing financial data that is mistakenly uploaded or shared and available for all to view or download until the error is noticed. Mistakes will always happen, but today a mistake that exposes sensitive data can put an organization at risk of non-compliance with data protection regulations.
Alternatively, a competitor could share a document with hidden metadata to cause a compliance issue for the business. Under GDPR, any critical data must be stored properly, but an organization that is unaware of critical data lying in a downloaded document cannot delete or secure it. Come an audit, or a right to be forgotten (RTBF) request, the business is liable for a fine that damages both revenue and reputation.
Detecting and preventing unwanted sensitive data acquisition
While making employees aware of the threat of unwanted data acquisition is a vital step in mitigating the risk, having technology in place that automatically sanitizes documents is key to reducing it.
Clearswift's SECURE Web Gateway (SWG) can inspect all content being downloaded from, and uploaded to, the web. By using lexical analysis together with Clearswift's redaction and sanitization technology, hidden sensitive information and metadata can be automatically detected and removed from documents as they are uploaded or downloaded. Either by searching uploads for watermarks that indicate sensitive data or by understanding the content itself, the data leak is identified and stopped, the appropriate follow-up actions are taken, and a sanitized, safe document is what gets uploaded and published. For organizations that already have a web solution in place but lack advanced redaction and sanitization features, Clearswift's SECURE ICAP Gateway integrates with the existing web infrastructure to bolt on these features and enhance the solution already in place.
Depending on the content of the document, Clearswift's web solutions can apply Adaptive Redaction (AR), which automatically detects and redacts unwanted sensitive information before it is brought into (acquired by) the corporate network, or uploaded to websites and collaboration applications. The Document Sanitization feature within Clearswift's unique Adaptive Redaction technology ensures that details such as revision changes, author information and software versions are automatically removed from documents, so organizations keep to information security regulations and are protected against unwanted data acquisition.
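The author name, revision count and application version that this post warns about live in two XML parts of an Office file, docProps/core.xml and docProps/app.xml, inside the .docx zip container. The example below is added here and is not Clearswift's code; it builds a constructed, minimal .docx-style package (not a real Word file, and missing the parts Word itself would add), reads those properties the way an attacker or competitor would, and then rewrites the package without them, leaving the document text untouched. The lists of properties treated as sensitive are this example's own choice.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Keep Office's conventional prefixes (default namespace for app.xml) on output.
for _prefix, _uri in NS.items():
    ET.register_namespace("" if _prefix == "ep" else _prefix, _uri)

# Properties this example strips (an assumption; tune to policy).
CORE_SENSITIVE = {f"{{{NS['dc']}}}creator", f"{{{NS['cp']}}}lastModifiedBy",
                  f"{{{NS['cp']}}}revision", f"{{{NS['cp']}}}lastPrinted"}
APP_SENSITIVE = {f"{{{NS['ep']}}}{t}"
                 for t in ("Application", "AppVersion", "Company", "Manager", "TotalTime")}

def build_sample_docx():
    """Constructed minimal package with the metadata Word normally writes."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
            f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{NS["xsi"]}">'
            '<dc:title>Customer testimonial</dc:title>'
            '<dc:creator>Jane Doe</dc:creator>'
            '<cp:lastModifiedBy>j.doe@example.com</cp:lastModifiedBy>'
            '<cp:revision>14</cp:revision>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2019-03-01T09:12:00Z</dcterms:created>'
            '</cp:coreProperties>')
    app = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           f'<Properties xmlns="{NS["ep"]}"><Application>Microsoft Office Word</Application>'
           '<AppVersion>16.0000</AppVersion><Company>Example Corp</Company>'
           '<TotalTime>37</TotalTime><Pages>1</Pages></Properties>')
    body = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Great service, would recommend.</w:t></w:r></w:p>'
            '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", body)
    return buf.getvalue()

def extract_metadata(docx_bytes):
    """What anyone holding the file can read without opening Word."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))
    return {
        "creator": core.findtext("dc:creator", "", NS),
        "last_modified_by": core.findtext("cp:lastModifiedBy", "", NS),
        "revision": core.findtext("cp:revision", "", NS),
        "application": app.findtext("ep:Application", "", NS),
        "app_version": app.findtext("ep:AppVersion", "", NS),
        "company": app.findtext("ep:Company", "", NS),
    }

def _strip_elements(xml_bytes, tags):
    root = ET.fromstring(xml_bytes)
    for child in list(root):
        if child.tag in tags:
            root.remove(child)
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            + ET.tostring(root, encoding="unicode")).encode("utf-8")

def sanitize_docx(docx_bytes):
    """Rewrite the package without identifying properties; text is untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "docProps/core.xml":
                data = _strip_elements(data, CORE_SENSITIVE)
            elif name == "docProps/app.xml":
                data = _strip_elements(data, APP_SENSITIVE)
            dst.writestr(name, data)   # fresh entries: zip timestamps are metadata too
    return out.getvalue()

def document_text(docx_bytes):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read("word/document.xml")

if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", extract_metadata(original))
    print("after: ", extract_metadata(sanitize_docx(original)))
```

This covers only the properties parts; tracked changes, comments and embedded objects live in other parts of the package (word/document.xml, word/comments.xml, word/embeddings/) and need their own handling, which is what a full document sanitization feature adds on top of this.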
So, if you’re looking to enhance data protection and mitigate data loss risks, chat to our team and ask for a demonstration of Clearswift technology.