Over the last six months we've had the opportunity to be a part of a team that has handled a few incidents involving email account takeover. Specifically, with Office 365, which is a platform a lot of banks and credit unions are moving to. And why wouldn't they?
Office 365 is an amazing tool. The only problem is, if you're moving from a conventional Exchange environment, you may not realize that your email is now accessible from the internet, anywhere on the planet, by default.
And it's that way for a reason: convenience.
But just like any other situation, we have to balance that convenience with security. For example, if your mortgage originator can get to his email from anywhere, hackers in Western Africa can do the same.
These attacks are starting from emails telling the users that they have a file to download. When a user goes to do that, it asks for their email credentials. They enter their credentials into a website and now the hackers have them.
From there, the hackers are logging into that account, setting up rules to try to hide their presence, and searching through the contents of that inbox for any valuable information. Once they have what they want out of the account, they usually attempt to propagate the attack by emailing the entire contact list and anyone that that person has ever sent or received an email from. Thus, making their presence known.
And the process continues.
It doesn't take a genius to know that with the type of information users are sending in email, and the volume of email that's being kept in an inbox these days, you're going to have a reportable incident, if this happens to you.
I can promise you that if it does happen, it won't be fun.
And it will be costly to your financial institution.
So how do we prevent this?
As much as we'd all like to say that user training fixes all of this the reality of it is training reduces the exposure, but it will never make it go away entirely. It takes a layered approach.
Multifactor Authentication stops this type of attack, dead in its tracks. Office 365 even has it built in for you.
I know what you're saying, “That'll be inconvenient. No one will want to use it. People will get frustrated if every single time they need to get into email they have to enter a code in.”
And the good news is that's not how it works.
Microsoft does a really good job of recognizing your registered devices. It only challenges you with multifactor authentication when it determines you're coming from a new location, i.e. new device or new IP address. That way when the gangs of West Africa try to log into one of your email accounts, they can't.
I urge you, if you have Office 365 or any other web mail, check today if multifactor authentication is turned on. And if it's not, put a plan in place to implement it right away.
If you're planning a migration to Office 365 from an Exchange Server, make sure it goes in as you're doing your build out.
If you don't know if you have web mail access turned on or if you think it's only in your protected network, you need to figure this out as well.
Our simple rule is, if you can access your email from the computer in the lobby at the Holiday Inn Express, it is accessible at a global level.
It's also worth mentioning that multifactor authentication shouldn't just stop at email. Any internet facing system with sensitive information on it should have multi factor authentication.
Period.
Anybody in security knows that there's no silver bullet and I'm not saying that multifactor authentication is. But it's getting easy enough that it should be in place wherever possible.
If you have any questions on how you do that at your organization, please contact us at support@bedelsecurity.com.