Business email compromise has been getting worse
By Brandon Blankenship, - SecMidwest
Sep. 29, 2022 5:45 am
October is Cybersecurity Awareness Month, which makes this a good time to renew our efforts on three fronts: end users’ security awareness training, specialized security training based on job role, and a review of our incident response escalation.
In the past, this month generally has focused on how end users need to be better and should avoid clicking on every link. This year, however, the Cybersecurity and Infrastructure Security Agency (CISA), a unit of the U.S. Department of Homeland Security, is focusing on four major concepts.
I would like to point out that only one of these concepts truly is in the hands of the end user. I love that IT and senior leadership fully control the last three of these.
CISA’s focus is as follows:
- Recognize and report phishing
- Enable multi-factor authentication
- Use strong passwords
- Update your software
I would take these four a step further. Be sure your employees have a phish button to easily report phishing, so they don’t feel the need to forward suspected malware.
Go ahead and run phishing campaigns for your employees monthly, so they understand how to spot a scam.
Business email compromise has been getting worse the past few years, so be sure that anyone who can wire money or pay bills isn’t using email as the only confirmation method.
Enabling multi-factor authentication, or MFA, is a given at this point. A one-time passcode, where the user actively types in the digits when prompted, is the standard.
Push authentication is falling out of favor because end users will simply hit “accept” even when they are not the ones logging in.
SMS text-message codes are the least favored method because the phone number itself can be hijacked through a SIM swap. MFA genuinely is one of the best controls you can implement to increase security, and something is better than nothing.
Strong passwords -- really, passphrases -- have long been important, but the central concept to reiterate is that entropy comes from length. Yes, upwards of 12 to 16 characters.
Stop with the complexity song and dance, as that makes your end users reuse or iterate their passwords. I’ve talked about it before, but a password vault is the best way to discourage your end users from reusing passwords.
Another fantastic control to implement is to run a “dictionary check” on passwords at the moment of creation. When a user creates a password that contains a known bad password from a compromised list -- such as rockyou -- the system asks them to use something better.
You can even add your own list of prohibited strings, such as your company name.
Consider the predictability of the password AcmeFall22! The user picks the company name to separate it from their private accounts; then they use the season because you make them change it every 90 days; then they use the year because you force them to use a number; and to fulfill the special-character requirement they slap on an exclamation point.
This pattern is widely known to attackers, and to most in the security community. It looks like a strong password because it fulfills the policy requirements.
It is not.
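Here is an added Python example of the creation-time dictionary check described above, with the company-name list and the season-plus-year pattern bolted on (example code, not from the column or from SecMidwest). The breached-password set is a constructed handful of rockyou-style entries standing in for the full list, and "Acme" is an assumed company name. Length is checked first, since that is where the entropy comes from.

```python
import re

# Constructed sample of a breached-password list (the rockyou list is the
# usual source); a real deployment loads the full list from disk.
BREACHED = {"123456", "password", "qwerty", "iloveyou", "letmein", "welcome"}

# Organisation-specific prohibited strings; "acme" is an assumed example name.
PROHIBITED = ("acme", "acmecorp")

MIN_LENGTH = 12  # entropy comes from length, so this is the first gate

# The AcmeFall22! shape: a season, a two- or four-digit year, optional
# trailing punctuation to satisfy a special-character rule.
SEASON_YEAR = re.compile(r"(spring|summer|fall|autumn|winter)(\d{4}|\d{2})[^a-z0-9]*$")

# Undo the most common character substitutions so P@ssw0rd still matches "password".
LEET = str.maketrans("@$03", "asoe")


def fold(pw: str) -> str:
    """Lower-case and de-leet a candidate so list lookups are not fooled by @/$/0/3."""
    return pw.lower().translate(LEET)


def check_password(pw: str, breached=BREACHED, prohibited=PROHIBITED) -> list:
    """Return the reasons a candidate password is rejected; an empty list means accept."""
    reasons = []
    lower = pw.lower()
    folded = fold(pw)
    # Strip leading/trailing digits and punctuation so "password1!" still hits the list.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", folded)

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lower in breached or folded in breached or core in breached:
        reasons.append("appears in a breached-password list")
    for word in prohibited:
        if word in lower or word in folded:
            reasons.append(f"contains prohibited string '{word}'")
    if SEASON_YEAR.search(lower):
        reasons.append("follows the predictable season+year pattern")
    return reasons


if __name__ == "__main__":
    for candidate in ("AcmeFall22!", "P@ssw0rd1!", "Welcome2Winter2023!",
                      "correct horse battery staple"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that AcmeFall22! satisfies a typical complexity rule (upper, lower, digit, symbol) yet trips three of the four checks, while a long lowercase passphrase with no symbols at all passes cleanly, which is the column's point about length over complexity.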
Updating your software also is important, and that includes your operating systems and third-party software outside of Windows. Hardening also covers open ports and protocols, but most of the exposure stems from not applying updates in a timely manner.
This bullet point is difficult to get right if you have technical debt or are beholden to legacy software, but the risk remains the same. Patches, updates and known vulnerabilities must be addressed in a timely manner.
Brandon Blankenship is a cybersecurity consultant at ProCircular and a board member of SecMidwest, a Cedar Rapids based not-for-profit focused on cybersecurity education. Visit SecMidwest.org for more information on attending our free monthly meetings.