More and more customers are embracing cloud services. The benefits are clear: less capital expense, simplified management, access to important data across devices and without the hassle of VPN. However, some of these benefits can expose your business to unnecessary risks if extra security precautions are not taken into consideration.
That was the case with a customer who recently experienced a data breach.
They're a small professional services business using Office 365 for email, file sharing, file storage, instant messaging, and collaboration. The firm’s physical servers and on-premises infrastructure were properly secured with a firewall, strong passwords, and patched systems. The cloud infrastructure was also secured with strong passwords.
How the Attack Happened
A hacker used publicly available information to perform a reverse lookup on their email domain (eg: acme.com) and could determine that the firm was using Office 365 for email. Then, using publicly available information on LinkedIn.com, the hacker performed a ‘map’ of the organization to accurately determine the CEO, VP of Finance, Controller, and other key positions held in the organization.
Searching information on the ‘dark web’, the hacker could find the email ID of the CEO and a password that the CEO had used on other websites. Since the CEO used a similar password for Office 365, the hacker gained access to the CEO’s email account and could log into the account.
Now that the hacker had access to the email account and understood the key ‘players’ in the organization, the hacker went to work. The first thing he did was set up an email rule so that any inbound email from the key players would be diverted from the CEO’s inbox a special folder set up in Outlook. Any emails sent from these players would not show up in the CEO’s inbox (and thus, not on mobile devices, either); but instead to the folder that he just created and would monitor.
Sending an email to the CFO, the hacker instructed the CFO to wire $25,000 to an account. While email phishing like this is not uncommon, usually the email address is ‘spoofed’, so when the reply is sent it is sent to a noncommercial account (such as Yahoo! or Gmail). In this case, however, the email was originating from the CEO’s email account – so the CFO had no reason to believe that this was not a legitimate request.
How the Attack was Discovered and Stopped
Luckily, the customer had set up controls in place that stated that no wire transfers could be initiated over email. They required a voice conversation with a code word for money to be transferred out of the company’s bank account. Ultimately, this is what saved the customer – they had trained their employees to be vigilant.
Using the built-in Office 365 Audit Logs, we could reconstruct the attack and see how this played out. While the voice confirmation is what prevented the loss of funds, there could have been other ramifications. The hacker had access to the CEO’s account and could have traversed the user’s OneDrive for Business account or SharePoint Online account to gather other information. (In this case, this did not happen.) Or, the hacker could have used Skype for Business to request the wire transfer to take place. In most cases, employees would assume that a Skype instant message is legitimate.
Lessons to Learn: Preventing Future Attacks
There are several steps that can be taken to prevent an attack like this from occurring:
1. Implement multi-factor authentication (MFA): This is a free service from Office 365 that requires both the password and an app to log into core Office 365 services. Had MFA been enabled, the hacker would have never been able to log into the CEO’s account, even though he had the correct password. Since he did not have access to the app to log into the service, the sign in would have been blocked.
2. Implement the Cloud App Security portal. This is an add-on service that uses machine learning (or artificial intelligence) to monitor activity across Office 365 services. Had Cloud App Security portal been in place, it would have noticed that the CEO was logging in from both the US and the Middle East, which is physically impossible. Cloud App Security portal could then suspend the account and block log-ins until the account could be reviewed further by IT.
3. Implement Enterprise Mobility + Security. This is an add-on service to Office 365 that will block log-ins to core Office 365 services from non-managed devices. In this case, the hacker would have been using a web browser from a non-managed device and the log in would have been blocked.
4. Continue to train your employees as threats evolve. Ultimately, the customer had laid the correct foundation for any security solution: effective employee training. Because the customer had effectively trained staff on what to look for and put in processes for verification for financial transactions, this attack was successfully blocked.
Implementing the solutions outlined above require some effort, minor inconveniences to staff, and a shift in processes. The exact cost will vary based on the size of your organization – but for a typical office of approximately 25 employees the annual cost would be $4,500 per year with an implementation cost of less than $10,000.
These costs may seem high or unnecessary, until they are weighed against the cost of a breach. Forrester Research, via Information Week, estimates that security breaches cost between $90-$305 per lost record. Reuters estimates that the average cost of a data breach is $3.8 million dollars.
In the case of this customer, the customer would have lost $25,000; plus the time and costs involved with reporting the breach, securing other accounts, and recovering from the data breach (not to mention lost revenue from any customer who may have left due to the breach).
Cyber-crime is a business and it’s not going away any time soon. As cyber criminals continue to target small and mid-size businesses, having a solid data security plan and well trained employees is critical to keeping your business safe.
