Top Threats 2018

Cyber Threats & Technology Tips That Your Business Can’t Ignore

2018 has seen a number of new threats introduced into the cyberscape as well as an evolution of traditional threats. This means businesses need to be more prepared than ever for a data breach and have the latest tools in place to mitigate risks.  

Outlined below are today’s top cyber threats that your business must be prepared for, together with technology tips that can help prevent them from striking.

Data Breach under the GDPR

GDPR is transforming the way businesses store, process and secure sensitive data. With fines of up to €20 million and the risk of crippling reputation damage due to the media attention being received around breaches, it’s no wonder the new regulation has had such an impact across the globe since being enforced in May this year.

Technology Tip:  The first step to a GDPR compliance strategy is understanding what sensitive data you work with, where it’s stored and how it’s flowing in and out of your network.  Following Clearswift’s Discover, Secure & Govern approach can bring you into compliance with regulations and ensure you remain compliant into the future. 

Leveraging an Adaptive Data Loss Prevention (A-DLP) solution, organizations can automatically mitigate sensitive data loss risks across all digital collaboration channels - such as email, Cloud collaboration applications, and endpoint devices - preventing data leaks and unauthorized acquisition of sensitive data, so that you comply with data protection regulations.

Insider Threat    

The insider threat is in fact the most common cyber threat of all – with 65% of security incidents being related to employees. In most cases, insider threat incidents are caused by employees making mistakes, which makes it clear that the way employees think about data handling needs to change. By changing the way employees think about data – and GDPR has been integral in starting this – there will be less risk of them sharing sensitive information accidentally.

Technology Tip:  Clearswift’s Adaptive Data Loss Prevention technology and its associated redaction and sanitization features offer the greatest chance to mitigate data leaks and emails sent in error. The redaction feature ensures any sensitive information contained in the contents of an email, or a document being uploaded to the web, is automatically redacted, meaning those that do make a mistake do not compromise the compliance or security of the organization.


Phishing

Phishing is one of the most common forms of hacking, for both consumers and businesses. Therefore, all employees, including the C-suite, need to know the signs of a phishing email – such as suspicious sender addresses and tone of voice – so that the risk is minimized and cybercriminals don’t gain access to the sensitive information they’re ‘phishing’ for, which often results in financial loss.

Technology Tip:  In addition to educating employees about anomalies to look out for, technology is integral to mitigating phishing threats. As well as today’s expected standard of security features such as Dual Anti-Virus, anti-malware and active-code detection, Clearswift’s email security solution includes advanced features such as Message Sanitization and Structural Sanitization (active code removal), which disable URLs and other active code in email and attachments, ensuring phishing attacks are thwarted at your organization’s doorstep.


Spoofing (Business Email Compromise)

Similar to phishing, spoofing, also referred to as Business Email Compromise (BEC), is when an email appears to come from the CEO or CFO asking about money transfers. Because the email appears to come from the top of the organization, employees are more likely to act without questioning it, meaning sensitive information such as bank details is shared without anyone internally noticing until it’s too late.

Technology Tip:  Organizations should make sure their email security solution has SPF, DKIM and DMARC features (which can detect a spoofed email) and also allows custom rules to be applied to protect employees from BEC. Clearswift’s next-generation email security solution includes these features along with Redaction functionality, which works automatically to remove sensitive data from email and attachments and protects it from being shared outside of the organization, redacting sensitive data that employees might otherwise have shared with a cybercriminal.
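To show what SPF, DKIM and DMARC features that “detect a spoofed email” amount to in practice, here is an added Python example; it is not Clearswift’s code or a description of any gateway’s logic. It assumes the receiving mail server has already recorded the SPF and DKIM results in an Authentication-Results header in the form RFC 8601 specifies; the message, the sender names and the _dmarc records are constructed for the example. The point it makes: a BEC message can pass SPF and DKIM for the attacker’s own sending domain and still fail DMARC, because neither result aligns with the domain the employee sees in From:, and whether that failure blocks the message depends entirely on the policy the domain owner has published.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From: claims to be the CEO at example.com, but the
# receiving MTA recorded (in Authentication-Results) that SPF and DKIM passed for an
# unrelated sending domain, which is exactly what a BEC-style spoof looks like.
SPOOFED = """\
Authentication-Results: mx.example.com;
  spf=pass smtp.mailfrom=bounce@bulk-sender.example.net;
  dkim=pass header.d=bulk-sender.example.net
From: "Chief Executive" <ceo@example.com>
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached payment today.
"""

# Constructed legitimate message: same headers, but DKIM-signed by the From: domain.
LEGIT = SPOOFED.replace("header.d=bulk-sender.example.net", "header.d=mail.example.com")

# Constructed DMARC records as they would be published at _dmarc.example.com.
DMARC_REJECT = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"   # reports only, blocks nothing


def parse_dmarc(record):
    """Split a DMARC TXT record into tags, applying the RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organisational domain, approximated as the last two labels; a production
    checker uses the Public Suffix List so that e.g. co.uk is handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Pull the SPF and DKIM verdicts and the domains they were evaluated for."""
    flat = " ".join((header or "").split())
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^\s;@]+@)?([\w.-]+)", flat)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", flat)
    return (spf.groups() if spf else (None, None), dkim.groups() if dkim else (None, None))


def dmarc_verdict(raw_message, dmarc_record):
    """Apply DMARC: pass if SPF or DKIM passed *and* aligns with the RFC5322.From
    domain; otherwise the published policy (none/quarantine/reject) decides."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1]
    (spf_res, spf_dom), (dkim_res, dkim_dom) = parse_auth_results(msg["Authentication-Results"])
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_res == "pass" and bool(spf_dom) and aligned(spf_dom, from_domain, tags["aspf"])
    dkim_ok = dkim_res == "pass" and bool(dkim_dom) and aligned(dkim_dom, from_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc_pass": passed,
        "action": "accept" if passed else tags["p"],
    }


if __name__ == "__main__":
    for label, message in (("spoofed", SPOOFED), ("legitimate", LEGIT)):
        for record in (DMARC_REJECT, DMARC_MONITOR):
            print(label, record.split(";")[1].strip(), "->", dmarc_verdict(message, record)["action"])
```

The p=none record is the weak setting: it is the right starting point for monitoring, but until the policy moves to quarantine or reject the receiving gateway delivers the spoof and merely files a report, so “having DMARC” is not the same as being protected by it. The two-label organisational-domain cut is an approximation; a real checker uses the Public Suffix List.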


Ransomware

As we saw in 2017 with the WannaCry attack on the NHS, ransomware is extremely dangerous and can take any business back to ‘pen and paper’ as IT has to be shut down. Malicious code and scripts embedded within emails and documents are the most common way of being hit by ransomware.

Technology Tip:  Weaponized emails, documents, and files can be made safe with Clearswift’s Adaptive Redaction technology built into its email and web security solutions. Working together with the deep content inspection engine, the Message Sanitization and Structural Sanitization features enable the automated detection and removal of hidden active code within email messages and attached files, or documents downloaded from the internet, so any malware embedded by hackers is eliminated before it has the chance to infect a network.

Social Media

There are two sides to social media as a threat to companies. An attacker can ‘phish’ the company via social media, for example, an employee may be sent a Tweet or direct message via LinkedIn containing a link that then activates harmful software. Or, social media best practices are not followed, either by employees on the corporate network or C-suites on their personal accounts, causing damage to corporate reputation.

Technology Tip:  Your web security solution should have the capability to prevent both a social media phishing attack and to prevent anything damaging being posted on social media. Clearswift’s SECURE Web Gateway has the ability to monitor content as it is being shared on social media from inside the organization and then decline or change anything that is not appropriate for posting.


Out-of-Date Software

A major threat to companies will always be out-of-date software applications. Security vendors release patches all the time and organizations need to keep up to date with these to ensure there are no easily fixed vulnerabilities left exposed. Patching processes should be streamlined to make sure security flaws are caught and amended very quickly; otherwise, it’s an open door for cyber attackers to come in.

Technology Tip:  Deploying technology that helps an organization monitor its environment and keep track of where patches have and haven’t been applied to corporate devices is a useful way to assess the company’s attack surface at any given time. This will also ensure that the IT department is on top of any known vulnerabilities and can act faster to get a patch in place.

Minimizing the risks

Having a thorough understanding of today’s cyber threats and how they can impact an organization is the first step in mitigating the risk. Making sure staff understand today’s cyber risks and how to spot them will take the pressure off IT departments constantly monitoring for (and fighting) threats as well as reducing the chance of inadvertent data breaches from happening.

Organizations also need to implement policies and processes to ensure if a data breach or cyber-attack does occur, employees know what to do. Processes around  “who do I talk to if I think I’ve clicked on a malicious link” or “what do I do if I think I have opened a suspicious attachment?” will be integral to ensuring incidents are handled in a timely and effective manner.

While technology is not a silver bullet for tackling today’s cyber threats, it provides a safety net for when mistakes happen and a defense wall for when malicious content tries to get in.


Phishing with Invisible Ink

By Dr. Guy Bunker

You might remember as a child, there was a revelation…invisible ink. Whether it was lemon juice, or the more modern (and frankly less messy) pen with UV light, there was suddenly something interesting in science lessons.  Furthermore, you could write messages to your friends which no-one else could see. What fun.

Stepping forward to today, there is now a new type of phishing which uses invisible ink, or as it’s also called, ‘zero font’, as a means to beat the spam and phishing filters. Anti-spam and anti-phishing filters work in several different ways: they look for specific words or phrases, and there is then a statistical element. If there are 100,000 instances of the same message, it’s probably spam. When it comes to phishing, protection technology will look for words like ‘bank’, ‘account’, ‘change’, ‘update’ and at where the email seems to have come from, e.g. is the address spoofed? Are there URLs which point to known cyber-crime sites? All this information comes together to create a score and therefore an action. However, in a bid to beat the protection which is deployed, new techniques are used, or old ones are resurrected with a new twist. Zero font is just one of those.

The idea is relatively simple… “what you see is not what you get.” Email messages are composed using HTML, and in between the actual message are other characters, but with a font size of zero. From the analysis side the text is there, but when the message is displayed it isn’t, as it is in effect hidden. The cyber-criminals use this to break up words which would otherwise be caught by the filters. So, “account” could become “actually count”, with the “tually ” being in a zero point font. This can also be used in URLs, in fact, any text. Cyber-criminals can then change the ‘hidden’ words so that no two emails are the same.
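The trick can be checked for with the same “what you see is not what you get” comparison that it exploits. The following Python is an added example, not Clearswift’s detection code: it parses the HTML body, marks text inside elements whose style sets font-size:0 (or display:none, which hides text the same way) or a <font size="0"> tag as hidden, and then compares the keyword hits in the text a recipient would see with the hits in the raw text a naive filter scans. The sample message and keyword list are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed phishing-style HTML body: "account", "bank" and "suspended" are each
# broken up by text in a zero-size font, so a filter matching raw text never sees them.
SAMPLE_HTML = """<html><body>
<p>Please verify your ac<span style="font-size:0px">tually </span>count
within 24 hours or your ba<span style="font-size: 0">zz</span>nk access will be
<font size="0">xyz</font>suspended.</p>
</body></html>"""

# Words a keyword-based filter would score on (constructed list).
KEYWORDS = {"account", "bank", "suspended", "verify", "update", "password"}

# font-size:0 (with or without units) hides text; display:none is treated the same way.
_HIDDEN_STYLE = re.compile(
    r"(?:font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?|display\s*:\s*none)\s*(?:!important)?\s*(?:;|$)",
    re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


def _is_hidden(tag, attrs):
    attrs = dict(attrs)
    if _HIDDEN_STYLE.search(attrs.get("style") or ""):
        return True
    return tag == "font" and (attrs.get("size") or "").strip() == "0"


class HiddenTextSplitter(HTMLParser):
    """Collects text segments in document order, tagging each as visible or hidden."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.segments = []      # (text, hidden) pairs in document order
        self._stack = []        # open elements as (tag, started_hidden_region)
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        hidden = _is_hidden(tag, attrs)
        self._stack.append((tag, hidden))
        self._hidden_depth += int(hidden)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        # Unwind to the matching open tag, tolerating sloppy or unclosed markup.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                self._hidden_depth -= sum(h for _, h in self._stack[i:])
                del self._stack[i:]
                break

    def handle_data(self, data):
        self.segments.append((data, self._hidden_depth > 0))


def _words(text):
    return set(re.findall(r"[a-z]+", text.lower()))


def _squash(text):
    return re.sub(r"\s+", " ", text).strip()


def analyse(html):
    """Compare what a recipient sees with what a raw-text filter sees and report the
    keywords that only appear once the hidden fragments are removed."""
    parser = HiddenTextSplitter()
    parser.feed(html)
    parser.close()
    raw = _squash("".join(text for text, _ in parser.segments))
    visible = _squash("".join(text for text, hidden in parser.segments if not hidden))
    hidden = [_squash(text) for text, hidden in parser.segments if hidden and text.strip()]
    masked = sorted((KEYWORDS & _words(visible)) - _words(raw))
    return {
        "visible_text": visible,
        "hidden_fragments": hidden,
        "masked_keywords": masked,       # keywords a raw-text scan would miss
        "suspicious": bool(masked),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The signal worth alerting on is masked_keywords: words that exist only after the hidden fragments are stripped are exactly the ones the sender is trying to keep away from the filter, so a message with any of them should be scored on its visible text rather than its raw text. The same split extends to other hiding tricks (text coloured to match the background, off-screen positioning) by widening the style regex.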

Of course, as new methods to beat the protection systems come out, so too do new methods to defeat the new methods.

At Clearswift, we are dedicated to protecting you against new threats, and suffice to say, we already protect our customers from Invisible Ink / Zero Font types of exploit.

Learn more about the Clearswift SECURE Email Gateway and its multitude of threat prevention and data loss prevention tools that provide a holistic solution for your organization to collaborate safely and securely via email.

Email phishing: #1 Cyber security threat

#1 Cyber security threat: Protecting your organization against email based attacks

On Friday 12th May last year, a global ransomware attack, aptly named WannaCry, infected over 200,000 computers in at least 100 countries. It began with an email at roughly 8:30am London time. By midday, employees at Spain’s mobile operating giant Telefónica were being shut out of their work terminals and in the UK, emergency services were being pulled and hospital facilities were being shut down. At organizations around the world, similar events were being reported.

WannaCry is just one example of the scale of damage cybercriminals can inflict upon an organization by using email as a means of delivery. In the face of such a severe threat, the need to protect email channels has never been greater. We recently surveyed 600 business decision makers and 1200 employees across the UK, US, Germany, and Australia who, echoing this sentiment, ranked phishing emails as the top threat when asked what they saw as the biggest cybersecurity danger to their organization.  

In the UK alone, 59% of business decision makers highlighted the phishing email as a chief concern for their business. Coming in far above any other threat listed, its position at number one reflects the scale of impact a single malicious email can have on an organization. Ranking second on the list came a lax attitude by employees to sharing passwords, with one-third (33%) of UK businesses listing this as one of the biggest threats. Taking third place came USBs, with 31% of respondents highlighting these devices as a major threat. Worryingly, ahead of the GDPR deadline on May 25th, 30% felt that employees not following data protection policies could also be one of the biggest threats to their organization.

Evolving your approach to email security

With email still being the primary tool for business collaboration, it’s unsurprising that it has shown itself to be a key vulnerability in UK cyber defenses. If businesses are to fully secure themselves, they need to change the way they mitigate the risks. Outlined below is a three-pronged approach to improving email security:


  • Performing mock phishing exercises and physical penetration tests might show you where vulnerabilities exist; however, this approach to catching staff out doesn’t necessarily solve the root of the problem. Educating employees about how to recognize a phishing email and other malicious email-based tactics used by cybercriminals will ultimately help to ensure the business stays safe. Implementing regular communications and training sessions around the top cybersecurity threats facing a business, such as the dangers of opening a suspicious email or the consequences of sharing a password with a colleague, will help instill a culture of cyber awareness that can truly fortify your organization against cyber-attacks and data leaks.


  • Developing clear lines of conduct around email communication is key to reducing the chance of malicious emails entering and spreading through your organization. Policies can be created around the senders and receivers of messages. These determine whether an email is allowed to be sent to specific individuals or not, and are a sure way of limiting the opportunities cybercriminals have to successfully penetrate your organization with a phishing attack. Our SECURE Email Gateway provides users with the option of setting up flexible policies and context-aware content inspection to ensure communications are not restricted and employees can work unimpeded.


  • There is no silver bullet for cyber defense. Taking a layered approach and investing in a cross-section of security technologies ensures your business collaboration channels are protected from every angle. With email being a primary route for cybercriminals to infiltrate an organization, security for this communication channel is critical. Many organizations just focus on inbound threat protection, but this is just one element of email security. Clearswift email security solutions offer a multi-layered protection system. Ongoing anti-malware and active code detection ensures that no malware comes in, or goes out, via email, whilst advanced features such as Structural Sanitization remove macros, scripts and ActiveX from messages and attachments. What’s more, Clearswift’s Message Sanitization is able to remove URLs, attachments, and HTML from email to ensure phishing attacks are thwarted at your organization’s doorstep.

Contact the Clearswift team for a discussion about how we can support your organization’s email security options.

Stop Cyber Attacks before they start: Data Harvesting and Targeting

The Greek philosopher Plato wrote that “the beginning is the most important part of the work.” The great American statesman, scientist, and philosopher Benjamin Franklin similarly emphasized the importance of planning when he stated that “by failing to prepare, you are preparing to fail.”

It is unfortunate that many cybercriminals heed their advice today. The number of threats continues to increase exponentially; malware infections have ballooned from less than a quarter million per month a little more than two years ago to nearly a half million today. Hacktivism, social and government disruption, and espionage rank at the top of the list of reasons, as cybercriminals sell information on the Dark Web and encrypt data and systems for extortion.

The days when cybercriminals predominantly targeted credit cards are past; medical information now is worth 10 times more. Cybercriminals use ransomware to infiltrate critical services such as healthcare systems that rely on real-time information. Their stealth activities span everything from reprogrammed USBs, to new malware that morphs so quickly that antivirus cannot match signatures and evades sandboxing, to activity hijacking that uses mirror versions of legitimate apps or reputable websites.

Think these are restricted only to high-profile industries and large enterprises? You’re mistaken. This new world of cyberthreats knows no boundaries and company size is irrelevant.  

Reconnaissance: The First Step

Reconnaissance is the first step most cybercriminals take when planning an attack or intrusion, and it also is one of the most frequently used. In this scenario, cybercriminals employ a variety of techniques—actively and passively—to gain information about the vulnerabilities of a network. Metadata from social media, email attachments, and documents published on corporate websites containing data such as system names, login usernames and passwords, departments, and other details are prime targets. This information is leveraged to set the stage for phishing and other social engineering activities.

The following are some of the ways cybercriminals conduct metadata reconnaissance:

  • Information harvesting. Seeks enough information to become credible and trustworthy. Typically, a name isn’t enough; a name needs to be overlaid with a company name or a location.
  • Vulnerabilities. Culls machine IDs, system names, application versions, and directory structures to mount an attack through known and unknown vulnerabilities.
  • Social media. Social networks are proving to be rich repositories for cybercriminals seeking personal information that can be exploited.

It’s in the Document

Documents contain “hidden” information that can be harvested; this includes metadata such as usernames and system names. Word documents alone contain various types of hidden data and personal information: 

  • Comments and revision marks from tracked changes, versions, and ink annotations
  • Document properties and personal information
  • Headers, footers, and watermarks
  • Hidden text
  • Document server properties
  • Custom XML data

Surprisingly, documents contain myriad types of information and can be found in emails, intranets, and even external websites. There are several approaches that organizations can leverage to help break the attack chain at the reconnaissance stage, thwarting cybercriminals before they get started: 

  • Deep content inspection. Deep content inspection enables organizations to detect embedded metadata, revision history, and fast save data. This includes recursive decomposition, true binary detection—even for embedded objects—and subcomponent detection (e.g., header, footer, properties).
  • Document sanitization. The gateway serves to detect and remove metadata and other embedded data, automatically and consistently (viz., set and forget), across email, the cloud, and social media.
  • Adaptive data loss prevention. Use of a common policy engine that automatically removes sensitive data and malicious content as it passes in and out of your network; it only removes the exact content that violates policy, enabling the communication to continue.
  • Intrusion prevention. Intrusion prevention system technology can pinpoint scanning during an attack and shut it down before the attacker can gain too much knowledge of an organization’s network.

By Dr. Guy Bunker, SVP of Products and Marketing - Clearswift  @guybunker

The hidden dangers lurking inside public sector documents

Recently, President Obama reiterated a national commitment to securing Americans’ data under the Cyber Security National Action plan, acknowledging that while connecting online has given us all enormous opportunities, it has also made our personal data available for downloading and storing, making it vulnerable to accidental loss and malicious abuse.

Today, we live in an age where the ability to collaborate and share – with our colleagues, our family and our friends – has become critical to the public’s ability to operate as a whole. There has never been so much access to data and so many ways to share it, facilitating cooperation and collaboration not only between citizens of the U.S., but also abroad.

While the private sector has led the way in embracing collaborative tools and services, the public sector is catching up fast, recognizing that by sharing information, results and ideas with citizens, national, state and local organizations can streamline processes, boost efficiency, and build support by being transparent. Communicating with the public has always been an important part of public service, and by keeping the public abreast of opportunities, successes and new information about policies and initiatives, all levels of government can ensure greater efficacy and understanding.

Official public reporting is a key part of engaging with citizens, and has become literally a “popular” process involving the widespread online distribution and availability of national, state and local government documentation. Although this approach has been celebrated by government and public alike, it has also dramatically increased the level of risk to the extent that public sector reporting now represents a major potential source of critical data loss.

This issue may sound complex, but think of all the sensitive information that goes into public reports: addresses and birth dates, Social Security Numbers, criminal records, health and medical data, child protection information, voter records, and so on. Once the reports are complete, however, the data must be scrubbed and anonymized, or included only as examples of broader trends, and must not contain the specific personal details of any individuals.

The idea that personal identifying data would be included in a final report sounds crazy, and the inclusion of such details would not only be embarrassing and dangerous, it would also open any public agency up to a host of legal issues and criticism from the public and the media. A report with these personal details, whether on purpose or by accident, should never get through the approval process, and yet this has happened by mistake on many occasions in the past and will likely do so again without taking the proper measures to secure data.

Despite our best intentions, sensitive data can sometimes be hidden within documents, in places where most users don’t know to look. This can be as simple as hidden columns, rows or sheets in spreadsheets, or data such as revision history and comments, which are often retained within a document’s metadata. Information in metadata is frequently used in phishing and hacking attempts.

The vast majority of people are unaware of these risks, and therefore they don’t think about how they might be exploited. But for those who are aware of these risks and who have malicious intent, it’s easy to find things that someone thought they'd deleted or didn’t know were present in the first place.

Let’s imagine a worst-case scenario. A state child protective services agency puts out a report about children under their care. The unwitting compiler pastes tables with names and addresses of children into the document for ease of reference, saving as they go. Once they finish, they delete the tables, but those tables still exist in revision history or “fast-save” information. The report is published online, and someone with the IT skills searches the document and finds the “deleted” tables. They turn around and A) blackmail parents or even someone at the agency; B) sell the data on the dark web; or C) send it to the press with the hopes of embarrassing the agency. Or D) all of the above!

Nations learning from Nations

“Hidden” metadata has already caused embarrassments for governments and public agencies around the world. In August 2014, it was discovered that the Australian Federal Police mistakenly published highly sensitive information on criminal investigations. The police provided documents to the Senate, which were then made publicly available online. Years later it transpired that the documents contained information about the subjects of criminal investigations and telecoms interception activities which were “hidden behind electronic redactions within the document” and “could, under certain circumstances, be accessed”.

The information included the address of a target of surveillance, the types of criminal investigations and offenses being investigated, the names of several officers and other identifying information of individuals connected to investigations.

In April 2015, prior to the UK general election, a letter appeared in the media signed by a number of businesses lending their support to the British Conservative Party. This apparently independent endorsement seemed like a coup for the party, but later turned into an embarrassment when the document metadata revealed the letter had actually originated from the Conservative Party Headquarters.

While these incidents have been embarrassing they have not yet been disastrous. But with the increase in information flow between government and citizens, it is only a matter of time before a more catastrophic incident occurs.

Moreover, in today’s collaborative environment, with the extended enterprise being so key, departments don’t only have their own users to worry about. Let’s say 'Big Agency' works with a few smaller organizations, 'Small Non-Profit' and 'Small Service Provider'. These small organizations perhaps have a less complete approach to the protection of critical information, and because they are frequently sharing documents and data with Big Agency, someone with malicious intent could easily use the metadata of Big Agency to infiltrate it, despite not attacking Big Agency directly.

Prevention is key

Fortunately, there is a solution that easily and rapidly reduces this sort of risk. Generally, the best approach is to remove all metadata (sanitize) from documents before they are issued. It’s rare that metadata is useful to people outside the organization, and when it is, it’s more likely to have a damaging effect than a useful one; so unless you really know what you’re doing, the best thing is to strip it out completely.

While this can be done manually, for example using Microsoft Office and other document publishing software, this is only effective if users are aware of the functionality and remember to use it before they send every document. This is not a robust solution – it’s open to human error, and reliant on policies being understood and diligently implemented. The other approach is to implement a technological solution that automatically strips out metadata (document sanitization) and revision history information when documents leave the organization, allowing the visible aspects of the document to continue unaffected.
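The bullet lists under “It’s in the Document” earlier on this page and the automated sanitization described just above both come down to opening the .docx package and looking past the visible text. As an added illustration, not Clearswift’s code or a description of its gateway, the Python below builds a constructed minimal .docx in memory (the author, company, comment and tracked-change values are invented), reports the hidden data it carries, and then writes a sanitized copy whose visible text is unchanged. It uses only the standard library. A real .docx contains more parts than this sample; the sanitizer here drops the property and comment parts, resolves tracked deletions (removing the deleted text), strips comment anchors and hidden runs, and repairs the content-type and relationship entries that pointed at removed parts, but does not handle tracked insertions, headers, footers or custom XML.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}
ET.register_namespace("w", W)  # keep the conventional prefix when re-serialising


def w(tag):
    return f"{{{W}}}{tag}"


# Constructed minimal .docx parts (a .docx is a zip of OOXML parts; real files have more). They carry
# author/company properties, a reviewer comment, a tracked deletion with a name and address, and hidden text.
PARTS = {
    "[Content_Types].xml": """<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
<Override PartName="/word/comments.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.comments+xml"/>
<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>
<Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>""",
    "word/_rels/document.xml.rels": """<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/comments" Target="comments.xml"/></Relationships>""",
    "docProps/core.xml": """<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">
<dc:creator>jsmith</dc:creator><cp:lastModifiedBy>BIGAGENCY\\jsmith</cp:lastModifiedBy><dc:title>Caseload report</dc:title></cp:coreProperties>""",
    "docProps/app.xml": """<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Company>Big Agency</Company><Template>agency-internal.dotx</Template></Properties>""",
    "word/comments.xml": f"""<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="jsmith">
<w:p><w:r><w:t>Remove the names before publishing!</w:t></w:r></w:p></w:comment></w:comments>""",
    "word/document.xml": f"""<w:document xmlns:w="{W}"><w:body>
<w:p><w:r><w:t>Summary of caseload trends.</w:t></w:r><w:commentRangeStart w:id="0"/><w:r><w:t xml:space="preserve"> See table below.</w:t></w:r><w:commentRangeEnd w:id="0"/><w:r><w:commentReference w:id="0"/></w:r></w:p>
<w:p><w:del w:id="1" w:author="jsmith"><w:r><w:delText>Jane Doe, 12 Elm St</w:delText></w:r></w:del><w:r><w:rPr><w:vanish/></w:rPr><w:t>internal: SSN on file</w:t></w:r></w:p>
</w:body></w:document>""",
}
# Whole parts to drop, and the content-type / relationship entries that point at them.
DROP_PARTS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml", "word/comments.xml", "word/people.xml")
_DROP_REF = re.compile(rb'<(?:Override|Relationship) [^>]*(?:PartName|Target)="[^"]*(?:docProps/|comments\.xml|people\.xml)[^"]*"[^>]*/>')


def build_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in PARTS.items():
            z.writestr(name, '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' + xml)
    return buf.getvalue()


def _run_text(node, tag="t"):
    return "".join(t.text or "" for t in node.iter(w(tag)))


def inspect_docx(docx_bytes):
    """Deep-inspect a .docx: properties, comments, tracked deletions, hidden runs, and which
    parts the package's content types and relationships reference."""
    report = {"references": set()}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        parts = {n: z.read(n) for n in z.namelist()}
    for name, key in (("docProps/core.xml", "core_properties"), ("docProps/app.xml", "app_properties")):
        if name in parts:
            report[key] = {re.sub(r"\{.*\}", "", e.tag): e.text or "" for e in ET.fromstring(parts[name])}
    if "word/comments.xml" in parts:
        report["comments"] = [_run_text(c) for c in ET.fromstring(parts["word/comments.xml"]).iter(w("comment"))]
    doc = ET.fromstring(parts["word/document.xml"])
    report["tracked_deletions"] = [_run_text(d, "delText") for d in doc.iter(w("del"))]
    report["hidden_runs"] = [_run_text(r) for r in doc.iter(w("r")) if r.find("w:rPr/w:vanish", NS) is not None]
    for name in parts:
        if name == "[Content_Types].xml" or name.endswith(".rels"):
            report["references"].update(m.decode() for m in re.findall(rb'(?:PartName|Target)="([^"]+)"', parts[name]))
    return report


def visible_text(docx_bytes):
    """The text a reader sees: paragraph runs not formatted as hidden (deleted text and comments never show)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
    paras = ["".join(_run_text(r) for r in p.iter(w("r")) if r.find("w:rPr/w:vanish", NS) is None) for p in doc.iter(w("p"))]
    return " ".join(p for p in paras if p)


def _clean_document(xml_bytes):
    root = ET.fromstring(xml_bytes)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag in (w("del"), w("commentRangeStart"), w("commentRangeEnd"), w("commentReference")):
                parent.remove(child)  # drop tracked deletions and comment anchors
            elif child.tag == w("r") and child.find("w:rPr/w:vanish", NS) is not None:
                parent.remove(child)  # drop runs formatted as hidden text
    return b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n' + ET.tostring(root, encoding="UTF-8")


def sanitize_docx(docx_bytes):
    """Copy the package without metadata parts, comments, tracked deletions or hidden runs, also
    removing the content-type and relationship entries that referenced the dropped parts."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zin, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for name in zin.namelist():
            if name in DROP_PARTS:
                continue
            data = zin.read(name)
            if name == "word/document.xml":
                data = _clean_document(data)
            elif name == "[Content_Types].xml" or name.endswith(".rels"):
                data = _DROP_REF.sub(b"", data)
            zout.writestr(name, data)
    return out.getvalue()
```

Running inspect_docx on the sample shows the creator and company, the reviewer’s comment, the deleted name and address, and the hidden run, none of which appear in visible_text; after sanitize_docx the same inspection finds nothing and the visible text is identical. The repair of [Content_Types].xml and the .rels parts is the step a naive “delete the file from the zip” approach misses: leaving a dangling reference produces a package that Word reports as corrupt.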

At Clearswift, we have recently seen a spike in government interest in this particular issue and we hope that this is reflective of growing recognition of the challenges faced by federal, state and local departments. All too often there is a problem without an effective solution – this time it’s different, where a problem can be addressed at source, rather than waiting for a major disaster to drive the need for a solution.

Dr. Guy Bunker, SVP Products at Clearswift

March Madness Challenge for Cybersecurity Professionals

Let the madness begin! The NCAA Basketball “madness” is different for everyone. Some experience the madness after a gut-wrenching triple overtime victory by their alma mater, while others after a buzzer beater shot from half-court by a 16th ranked Cinderella underdog that instantly knocks out one of your final four selections. However, to me there is nothing more maddening, in the delightful sense of the term, than watching the facial expression of a die-hard college basketball fan —who leveraged their proprietary big data analysis and game theory modeling to artfully compose their “bracket” masterpiece— when they realize they just got absolutely crushed in the office pool by the always cheerful and innocent co-worker who made their selections by comparing the teams’ mascots. (Oh, and this happens more times than you think!)

For corporations and organizations, the madness tends to focus around the balance of embracing the positive team building benefits and supporting the cultural festivities with the lost productivity, misuse of resources and potential security risks. In fact, the global outplacement consultancy Challenger, Gray & Christmas, Inc. is projecting that close to 51 million workers could participate in office pools this year with costs of $3.9 billion in lost wages paid to unproductive workers (completing brackets, streaming games, and checking scores) in the first week of the tournament alone.

While the reported participation and cost numbers seem shocking, the guidance quickly shifts to the point that organizations should not look to suppress the madness but embrace it, given the long-term damage to employee morale, loyalty and engagement that suppressing it would cause.

Embrace the madness...

Therefore, in the spirit of embracing the madness, we believe Cybersecurity professionals should take this opportunity to not only test their own wit and skills, but to gamify the measurement of the impact to their own organization.

March Madness Challenge

The March Madness Challenge is a multi-cybersecurity-analyst simulation experience designed to measure an organization’s readiness to detect critical “March Madness” activity and potential threats.

The challenge starts by setting your SECURE Email and SECURE Web Gateways, Information Governance or Adaptive DLP solution in monitor mode with “March Madness” policies to track and trace all related activity, potential threats and information sharing that occurs in and out of the corporate network.

Score your ability to detect the following “March Madness” classified events:

  • 500 Points - NCAA Tournament Bracket form accessed from a major sports website.
  • 500 Points - NCAA Tournament Bracket form detected entering or leaving your network.
  • 300 Points - Hidden information in an attachment, including the individual, user name and organization that created or updated the document, left in the metadata where it could be harvested or used for a phishing attack.
  • 300 Points - Active content hidden in inbound brackets or scorecards, simulating malware or ransomware triggers.
  • 200 Points - Channel type used for bracket distribution: email or webmail, social media, or cloud app.
  • 100 Points - Each 15 minutes of video streaming of live or on-demand games.
  • 100 Points - Social media March Madness “smack talking” posts, scored according to appropriateness.
  • 50 Points - Viewing of popular online sports news or betting websites.


Tips and Tricks

Champion scoring - To score the most points, be sure to intercept all data and analyze it for “March Madness” information, leveraging full and partial fingerprints of the data and one-way hashing algorithms so the data cannot be reverse engineered from its original formats.

Go Undetected - In the spirit of the game, and to avoid the appearance of “big brother,” you can give your score keeper similar access to a Compliance Officer or IT Auditor in a traditional information governance implementation with access to oversee and keep score of activities and information that are detected in traffic flows without having the ability to read the content specifically.

Collect Your Prize

Finally, to be declared the “March Madness Challenge Champion” you have to perform a final after-the-fact analysis of all activity and shared information flows to detect all sources and exposure of critical “March Madness” information.

Game Over Summary

As fun as this might be, we don’t actually expect any Cybersecurity professional to participate in such a challenge on their corporate network. However, we do believe all organizations should have similar visibility to track and trace critical information and the capability to prevent it from leaving their organization. The question is, do you?

Malware in attachments - stop them striking your organization

Looking at you

Recently, we have been hearing from our customers and partners of a concerning increase in the number of sophisticated malware attacks which are striking organizations. These are not simple attacks, but involve compromising reputable web servers in order to deliver malware infected content. The good news is that there is a solution to this – but why are traditional methods simply not working?

What about anti-virus and sandboxing – why aren’t these the solution?

In the past anti-virus (AV) solutions were a great solution to combat malware, however today they have become less effective. This is due to the advance of targeted malware which is ‘unique’ or has very few instances for any AV solution to detect. AV is based upon seeing multiple instances of the same malware, often a million times over, and then creating a signature to detect and therefore block it. Without the quantity it becomes difficult to spot. But don’t remove your AV solution (!) – it is still very effective against millions of other viruses. However, with AV being ineffective against new targeted malware a different approach was needed – introducing the sandbox.

The sandbox is an isolated execution environment where unknown executables can be ‘tried’ and then their behaviour analyzed. This could be an application, but increasingly this is malware which has been embedded in innocuous looking documents utilizing their ability to support active-content. Active-content can be legitimate, for example macros, but the control it offers means that it is readily subverted for malware. If the analyzed behaviour is suspicious, such as calling out to a known ‘bad’ website, uploading or downloading additional content, then the document or executable can be assumed infected and therefore blocked. The challenge comes with the amount of time that it takes to run the sandbox. This can create a delay, often of more than 15 minutes, to receiving a document - which is seen as unacceptable in today’s agile business; add to this, that the latest generation of embedded malware can even detect if it is running in a sandbox.

And so, to combat today’s sophisticated threats hidden within active content, itself hidden within seemingly legitimate files, while maintaining the speed of communication required by business, there needs to be a different approach.

Structural Sanitization is the answer, inherent in the latest adaptive security solutions, which automatically remove active content from documents, including Microsoft Office, Open Office and PDFs, preventing infection at source. A blanket policy, i.e. applying it to all incoming documents (in emails or downloaded from the web), is a straightforward and effective solution to the problem. The content of an email can be delivered immediately without the fear of malware. The original, with attachment, can be sent to a sandbox for offline analysis if required, which is also the route to take for the rare business process that genuinely depends on a document’s macros.

Targeted attacks - but how do they know who to target?

We often hear about cyber-criminals using social media as a means of gathering information on employees and so there is now an understanding on what should and what shouldn’t be posted. Within some organizations, there is a corporate policy that employees must not post details about who they work for and where they work, and / or pictures of their workplace or colleagues. However, there is another rich source of information – the corporate website. This is not about the obvious details found on the website, but the information which can be harvested from the meta-data in the documents posted there.

When documents are created, information is stored in the meta-data in the document. This often contains the author’s name, and sometimes the corporate login name. Further information can be found relating to departments and even system names. All this information is useful to the external cyber-attacker. System names and login names can be useful in creating an attack, while names and departments can be used to help craft a phishing attack. There are a number of open-source utilities (FOCA and metagoofil are well-known examples) which can automatically download documents from a public facing website and then extract and analyse the meta-data they contain.

Within document creation tools, such as Microsoft Office, there are options to remove meta-data, but it relies upon the user knowing about the functionality and how to use it, as well as remembering to use it before publishing a document to the website. Fortunately, the next generation of adaptive security solutions can enable a policy to be set so that this is done automatically and consistently. We call this Document Sanitization, as it removes the information which could create a leak. Granularity in the policy ensures that, if required, certain pieces of meta-data remain untouched, for example classification information.
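The Python below is an added example covering both techniques described in this article, structural sanitization (removing active content) and document sanitization (removing identifying meta-data while keeping the classification label); it is not Clearswift’s product code. It works on a .docx, which is a ZIP of XML parts: author details live in docProps/core.xml and docProps/app.xml, VBA macros in word/vbaProject.bin, which is registered in [Content_Types].xml and word/_rels/document.xml.rels. The part names, namespaces and content types are the standard OOXML ones; the macro-enabled sample document, its author and company values are constructed here, and the stand-in vbaProject.bin is just a few bytes, not a real VBA stream.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Added example for structural and document sanitization; not Clearswift's code.
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
EP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
VBA_CT = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
ACTIVE_PARTS = ("word/vbaProject.bin", "word/vbaData.xml")   # macro storage parts
IDENTIFYING_APP = {"Company", "Manager"}                      # app.xml properties that name people/orgs


def _read_parts(docx_bytes):
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return {name: z.read(name) for name in z.namelist()}


def _write_parts(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


def _local(tag):
    """'{namespace}creator' -> 'creator'."""
    return tag.rsplit("}", 1)[-1]


def harvest_metadata(docx_bytes):
    """What a crawler pulls from a published document: the attacker's view."""
    parts = _read_parts(docx_bytes)
    found = {}
    for part, wanted in (("docProps/core.xml", None), ("docProps/app.xml", IDENTIFYING_APP)):
        if part in parts:
            for el in ET.fromstring(parts[part]):
                if el.text and (wanted is None or _local(el.tag) in wanted):
                    found[_local(el.tag)] = el.text
    return found


def has_active_content(docx_bytes):
    parts = _read_parts(docx_bytes)
    ct_xml = parts.get("[Content_Types].xml", b"").decode("utf-8")
    return any(p in parts for p in ACTIVE_PARTS) or VBA_CT in ct_xml or MACRO_MAIN_CT in ct_xml


def structural_sanitize(docx_bytes):
    """Structural sanitization: drop the macro parts and every reference to them,
    and demote the document from macro-enabled to a plain Word document."""
    parts = _read_parts(docx_bytes)
    removed = [p for p in ACTIVE_PARTS if parts.pop(p, None) is not None]
    types = ET.fromstring(parts["[Content_Types].xml"])
    for entry in list(types):                      # <Default> and <Override> entries
        if entry.get("ContentType") == VBA_CT or entry.get("PartName", "").lstrip("/") in ACTIVE_PARTS:
            types.remove(entry)
        elif entry.get("ContentType") == MACRO_MAIN_CT:
            entry.set("ContentType", PLAIN_MAIN_CT)
    parts["[Content_Types].xml"] = ET.tostring(types, encoding="UTF-8")
    rels_name = "word/_rels/document.xml.rels"
    if rels_name in parts:
        rels = ET.fromstring(parts[rels_name])
        for rel in list(rels):                     # Target is relative to word/
            if "word/" + rel.get("Target", "") in ACTIVE_PARTS:
                rels.remove(rel)
        parts[rels_name] = ET.tostring(rels, encoding="UTF-8")
    return _write_parts(parts), removed


def document_sanitize(docx_bytes, keep=("category", "created", "modified")):
    """Document sanitization: strip core properties except those in `keep`
    (classification and timestamps) and the identifying app properties."""
    parts = _read_parts(docx_bytes)
    for part, should_strip in (("docProps/core.xml", lambda n: n not in keep),
                               ("docProps/app.xml", lambda n: n in IDENTIFYING_APP)):
        if part in parts:
            root = ET.fromstring(parts[part])
            for el in list(root):
                if should_strip(_local(el.tag)):
                    root.remove(el)
            parts[part] = ET.tostring(root, encoding="UTF-8")
    return _write_parts(parts)


def make_sample_docx():
    """Constructed input: a macro-enabled document with revealing metadata."""
    return _write_parts({
        "[Content_Types].xml": (f'<Types xmlns="{CT_NS}"><Default Extension="xml" ContentType="application/xml"/>'
            f'<Default Extension="bin" ContentType="{VBA_CT}"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>'
            '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
            '<Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>'),
        "_rels/.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>Q3 forecast</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/></Relationships>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed stand-in for a VBA project stream",
        "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}"><dc:creator>jsmith</dc:creator><cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy><cp:category>Internal</cp:category></cp:coreProperties>',
        "docProps/app.xml": f'<Properties xmlns="{EP_NS}"><Company>Example Corp Finance</Company><Application>Microsoft Office Word</Application></Properties>',
    })


if __name__ == "__main__":
    doc = make_sample_docx()
    print("harvested:", harvest_metadata(doc), "macros:", has_active_content(doc))
    clean, removed = structural_sanitize(doc)
    print("removed:", removed, "left:", harvest_metadata(document_sanitize(clean)))
```

A gateway would apply the same two passes to every inbound attachment (structural) and every outbound or published document (metadata); the `keep` tuple is the granularity the text mentions, letting the classification survive while author, last-modified-by and company are dropped.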

By using both document and structural sanitization, organizations deny cyber-criminals the information they need to target an attack and, should one arrive anyway, strip the malicious active content from inbound communications while the business-critical communication continues, safely, to the required recipient.

As threats become increasingly sophisticated so too do the solutions that can mitigate them. Understanding how cyber-criminals are adapting their approach to attacks, means that you can secure your organization against them with advanced adaptive solutions – tomorrow’s game changing technology, here today.

Top Ten Recipes for Phish

Top 10 ways you could be phished

Last week I gave thought as to why even the smartest people fall for phishing, and promised I would provide some additional thoughts on how to prevent yourself from being phished.

Here goes…

The key is to remain vigilant… and to look out for the various tell-tale signs that are, in most cases, present in a phishing email.

For those that play poker, there is something called a ‘tell’ – this is a sign which is given subconsciously which is then used by the other players to guess what you are doing… is the call being made real or is it a bluff? 

The same is true for phishing emails, there are things you can look out for to see if they are genuine, below are the top ten:
1 Is the sender someone you know?  You will frequently get emails from people you don’t know – and that’s the first indicator. Were you expecting an email from that particular organization?
2 Is the sender’s email address which is shown on the screen the actual email address you see when you hover over it with your mouse? Why would someone want to ‘forge’ the address they are sending from? It may well be a phisher… especially if the email is then signed-off by someone completely different.
3 Does the sender’s email address look odd? Is it a set of letters and numbers, and / or does it come from an email domain which is similarly odd? There are some domains, such as .cn or .ru, which should immediately set alarm bells ringing (unless you happen to live in or work with companies in China or Russia).
4 Who is the email to? Is it you? (Well, it arrived in your inbox, so under the covers it will be.) But is it addressed to you in the message, or are there lots of similar looking names?
5 Is the language used in the email correct?  Or are there spelling and grammar mistakes etc.? (This used to be the biggest giveaway – badly written emails – but today it’s not so obvious.)
6 Look closely at the URL links: does the text of the link match the address shown when you hover the mouse over it, or does it look odd?  See #3… web URLs should be a meaningful domain name, not a bare IP address (a list of numbers). One of the challenges with shortened URLs, such as those which start with ‘’ or ‘’, is knowing where they are actually pointing to… there are ways to safely find out, but they are awkward to use – compared to just clicking on the link, which is why phishers often use shortened URLs.
7 Is the content asking *anything* to do with your bank account or credit card details, such as logging on to check them, reconfirm them etc.?  These days it can also be superstore loyalty cards as well. Never click on a link which then directly asks you to confirm such information. Any personal information which can be used to build trust (in a follow-up phishing email) is of value to the cyber-criminal.
8 If you click on a link and it then asks you to download or install something… Back out quickly, this is probably malware that wants to install itself on your system. (Keeping anti-virus and other anti-malware systems up to date on your device will help mitigate this problem should you fall prey – but it is not 100% guaranteed, so better not to click in the first place.)
9 If you are buying something from the Internet, check that the URL address starts with ‘https://’ and there is a padlock icon on the screen – you can click the icon to see the certificate details. Bear in mind that the padlock only tells you the connection to the address shown is encrypted and the certificate matches that domain; phishing sites can have padlocks too, so check that the domain itself is the one you expect.
10 Does it ‘feel’ wrong…  This is the escape clause at the end of the list, and is really hard to quantify. But sometimes there is something odd about an email (or a website), and you just can’t put your finger on it – an offer which appears too good to be true, an email from someone purporting to be an official agency, but you don’t know why they are sending it to you, threats or excuses as to why you need to do something, etc. If your gut feel says it’s wrong, trust your instincts!
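The mechanical tells in this list (2, 4, 6 and 7) can be checked by a script as well as by eye. The Python below is an added example, not the author’s code: it parses a raw message with the standard library, compares the display name with the sending domain, flags a Reply-To that goes elsewhere and an undisclosed-recipients To header, walks every link to catch raw IP addresses and link text that does not match the real destination, and notes a request for card or account details that comes with a link. The two messages, the bank name and all domains are constructed for the example, and the display-name check is a deliberately simple first-word heuristic.

```python
import email
import ipaddress
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example for the phishing tells above; not the author's code.


class _Links(HTMLParser):
    """Collect (href, visible text) for every anchor, plus all plain text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def _host(url):
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


URL_LIKE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
CREDENTIAL_ASK = re.compile(r"\b(bank account|credit card|card number|password|loyalty card)\b", re.I)


def phishing_tells(raw_message):
    """Return [(tell_code, detail), ...] for the signs found in the message."""
    msg = email.message_from_string(raw_message)
    tells = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    brand = re.sub(r"[^a-z0-9]", "", name.split()[0].lower()) if name else ""
    if brand and brand not in from_domain:                          # tell 2: forged-looking sender
        tells.append(("sender-brand-mismatch", f"'{name}' sends from {from_domain}"))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:    # tell 2: replies go elsewhere
        tells.append(("reply-to-elsewhere", reply))
    if "undisclosed-recipients" in msg.get("To", "").lower():        # tell 4: not addressed to you
        tells.append(("not-addressed-to-you", msg.get("To")))
    parser = _Links()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            charset = part.get_content_charset() or "utf-8"
            parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
    for href, text in parser.links:                                  # tell 6: where links really go
        target = _host(href)
        if _is_ip(target):
            tells.append(("link-to-raw-ip", href))
        if URL_LIKE.fullmatch(text) and _host(text) != target:
            tells.append(("link-text-mismatch", f"shows {text}, goes to {href}"))
    ask = CREDENTIAL_ASK.search("".join(parser.text))
    if ask and parser.links:                                         # tell 7: confirm details via a link
        tells.append(("asks-for-credentials", ask.group(0)))
    return tells


# Constructed sample messages (fictional bank, reserved documentation IP).
SAMPLE_PHISH = """\
From: "Northbank Security" <alerts@n0rthbank-verify.ru>
Reply-To: recover@mail-collector.example
To: undisclosed-recipients:;
Subject: Urgent: confirm your card
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer, your account is limited. Please
<a href="http://198.51.100.7/verify">https://www.northbank.example/verify</a>
and reconfirm your credit card details within 24 hours.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: "Northbank Statements" <statements@northbank.example>
To: alice@example.org
Subject: Your March statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Alice, your statement is ready. Sign in as usual at
<a href="https://www.northbank.example/">www.northbank.example</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_tells(raw))
```

None of these checks is conclusive on its own, which is the point of the list: a mail gateway or a user scores them together, and the more that fire, the less reason there is to click.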

In any case, if in doubt… delete it. Call the sender directly to see if it really was from them. Sometimes it turns out that their email account has been compromised, so calling them and letting them know allows it to be sorted out – and they can then send out an email to all their contacts to apologise. When calling people (or companies) look up the number from a different source, use directory enquiries or if you have a previous browser bookmark, use that – don’t use a link from the communication, or any telephone numbers that they provided, as the phishers are now sophisticated enough to have numbers and sites which work, or look like the original.

Of course, it’s easy to say you need to think about all these things for each email you look at – but it’s not always practical. However… over a period of time, the secondary checks you make, will become second nature, and while you might not do all of them, all of the time, it will be sufficient to spot the fraudsters and the scams – whether at work, or at home.

By Dr. Guy Bunker @guybunker