Matthew Eshleman: I think we’ve covered a lot of the cybersecurity attacks.
I will say, I think phishing is more dangerous. That’s email that’s sent to the organization, and I typically am categorizing that as email that has some sort of obfuscated sender that’s hiding the identity. So it’s different from spam. Spam is just junk messages. It’s pretty easy. We don’t want this, right?
But phishing, again, is obfuscating the sender of the message. It’s including some links, something to click. It’s kind of that first step in what we’ll look at here, which could potentially be an attacker in the middle, where they’re going to be looking at stealing credentials and your MFA token as well.
We need to be aware of these as in-person and including a physical element into some of the attacks, as Carolyn shared. We’ve certainly seen that lots of these pop-ups leading to social engineering attacks are still quite common, and the rise of QR codes. It’s getting outside of the controls of your protected corporate IT environment to softer targets, maybe your home computer, your personal cell phone, that kind of thing. Text based attacks, all this building credibility to ultimately try to get some financial gain.
MFA enabled accounts can now be compromised by attacker in the middle attacks. I think this is the biggest significant change that we’ve seen in the past year, and it’s resolved some weaknesses in some authentication processes that exist with the authenticator app method.
With the attacker in the middle attack, it starts as a lot of attacks do: with email. In this case, we have an email message. It could come from an obfuscated sender. We’ve also seen this happen. If a partner organization has an account compromised, the adversary will then use that trusted account in order to send messages that include a link to be clicked on.
If we can help it, avoid just automatically approving and accepting messages from partner organizations because that could open up us to additional attacks if that attacker manages to compromise an account.
Microsoft has a really great overview of how this works in great technical detail. Starting off with an email from a legitimate source or perhaps an obfuscated source, but the idea is that we’re going to click on this link to open up the document that was shared with us.
Now this is where we actually see the attack. Instead of going to the actual address, in the address bar is some variant. This is the actual proxy attack that the hacker has set up so that instead of going directly to your Office 365 login page, you’re going through a proxy. The proxy is in between your account and Office 365. What makes this so difficult to protect against is that everything that you are then going to see actually looks like your Office 365 sign in page.
If you have a customized sign in page with maybe your logo or some pictures, you would see that, but you have to be paying attention in this address bar, which is sometimes hard to do. And so, again, we have this proxy. It’s actually taking us to the real sign in page. So there’s just that brief moment where we need to acknowledge or look at the proxy as we pass through it. But from this point on, anything that the targeted user fills in is able to be stolen by the threat actor.
What we often will then see is the hacker will steal the session; they’ll log in or appear to log in as the user. They will add their own MFA method in order to be MFA compliant, and then they will lurk. Typically, at this point, they’ll work to build up into some sort of financial attack, monitor emails, and build the attack from there. But it all really starts with that malicious message, clicking on a link, taking them through a proxy where their session can be stolen.
So that’s the new thing that we’ve really seen and the impact has been significant.
If we look at the incidents that we have seen at Community IT, we have about 180 nonprofit clients. We’re supporting about 7,000 users, all over the U.S. We’ve categorized threats in a couple different areas, high risk threats, medium risk, and low.
You may be surprised by things down here: low, like viruses, malware, those pop-ups, and spam, again, can be ignored. And if we look at the relative rate, 12 viruses over 7,000 computers in a whole year. It just doesn’t happen that often.
But the things that do have a pretty significant impact when they occur are things like brute force attacks. These are attacks that are typically targeted towards on-premises network physical infrastructure. If you have any type of server with any type of access that is coming in from the Internet, that system will be attacked if there’s any misconfiguration in your firewall. That’s something that we see all the time. Whenever we’re onboarding new organizations, our system is especially tuned to look for this. It lights up all the time. That’s a cue for us to update firewalls or reconfigure things. So again, that remote desktop server tends to be targeted quite often.
Compromised accounts. We had 44 cases of compromised accounts at our clients. These were all accounts that didn’t have multifactor authentication. I think in 2023, that was not the case. We’ve done a really good job and had a big focus on enabling MFA. But because of this attacker in the middle approach and the ability to steal session tokens, those MFA controls can be subverted now and hackers are using that with pretty good success, I would say. I think that’s the big number that really jumped out at me for 2023.
Carolyn Woodard: The next slide has the increases, which I just was really stunned to see.
Matthew Eshleman: As we’ve been doing this for six years, I think the thing that really stuck out to me when I was looking at the data is the increase, particularly in compromised accounts. In 2022, we only had 17 compromised accounts. I guess we were feeling good, with the effects of implementing MFA widely. But now we’re up over 150% because of these new attack types being able to subvert that multi-factor authentication control.
In the same way, the brute force attacks are just an indication of how sophisticated and automated these attacks are. There’s just this massive online scanning. And as soon as there’s a vulnerability or a misconfiguration, that begins to be targeted. In previous years, it was only open RDP ports. Now it’s any open port to the Internet.
They’re finding new ways to target and launch large scale attacks to try to find and use credentials against the organization.
With the exception of some malware, in which we classify those browser pop-ups and unwanted things, they’re annoying, but not going to impact your computer and then spread to the computer next to you, like a virus would, the numbers are up overall.
Things that we would traditionally think of as really big cybersecurity issues, like viruses or ransomware, are still very, very low compared to attacks that are coming through email, and then ultimately following up and being realized as wire fraud and financial based attacks.
The other piece with a little bit more detail is the spam and the amount of spam and business email compromise or spear phishing that we can see over time. We want our staff to report things and our clients to report things whenever stuff looks strange. These are all client submitted issues. This doesn’t even include the thousands upon thousands of messages that the anti-spam systems are blocking. But at the volumes of email that we’re seeing, even if 0.1% of things were getting through, it still makes a big impact.
Again, just seeing the amount of spam and spear phishing messages that make it through and get reported highlights the scale of operations we’re dealing with and trying to fight against.
Carolyn Woodard: We’re all feeling it, right? We’re seeing more emails getting through to our inbox, and different ways to get you that are getting through, like the QR code or in-person.
How to Take Action to Protect Your Nonprofit
Matthew Eshleman: It’s not all doom and gloom. Again, I’m a big policy person.
Every organization really should make sure that they have these things in place:
- An IT acceptable use policy, that just frames the general usage of how IT is handled at your organization. Include things like, do you use MFA and a list of your information systems. Do you have any sensitive information in them? Who has access? Just a basic operating framework that forms the foundation of many other decisions. https://communityit.com/webinar-making-it-governance-work-for-your-nonprofit/
- An incident response plan. When something bad does happen, how are you going to respond? https://communityit.com/how-to-create-a-nonprofit-incident-response-plan/
- Disaster recovery that’s more of like a data loss,
- Circling back up to the new one this year, which is AI acceptable use. AI is a tremendously powerful tool that we have, but it’s also important that it’s adopted with great responsibility. As stewards of sensitive information, it’s really important to have a clear understanding amongst the staff, how we are going to use and adopt these tools. https://communityit.com/template-acceptable-use-of-ai-tools-in-the-nonprofit-workplace/
- Security awareness training continues to be a really important piece. I keep harping on it. We’ve talked about it in a number of different ways, but it’s true. Stuff is making it through even well protected networks that have lots of good anti-spam protections in place. The volume of this continues to increase. And so educating staff around how to identify these attacks. How we’d identify these spoof messages that are going through these proxies. https://communityit.com/webinar-nonprofit-it-staff-training-how-to-and-why/
https://communityit.com/webinar-security-training-for-nonprofit-grantees/
What are our policies and how do we handle financial transactions? So if you get a link or an email that says, please update my payroll, staff know the appropriate policy or procedure for updating payment information. Or if you change banks, how do you talk to HR about it? https://communityit.com/webinar-preventing-financial-fraud-at-your-nonprofit/
The final piece I would say is this: update and upgrade MFA. MFA is still important and I could only imagine what our stats would look like if we hadn’t had that big initiative on multi-factor authentication. https://communityit.com/nonprofits-should-require-multi-factor-authentication-mfa-three-reasons/
But we are now updating our best practice recommendations to include the recommendation to use physical security keys, which are as Microsoft says, phish-resistant: YubiKey or FIDO. These are keys that combine authentication that ties your login to your physical device that has this key.
That means even if you go through a proxy, the hacker cannot take that token because your authentication is now tied to the device that you are logging in from. So that’s the big recommendation. It can be a big change management exercise for organizations to go through. There is an additional cost. It’s not a free app that you can put on your phone. It might be a $20 security key depending on your organization type. There are vendors that will give donations of these physical security keys. But that really is important, I would say, especially for high risk positions.
Your IT, your executive team, your finance team, your operations, HR, those roles are really targeted. The bad guys are using their tools to figure out who’s in the HR position? Who’s in the finance department? Who are the accounts payable people? Let’s target them. And so those are the positions and roles that really should be looking at adopting physical MFA keys as part of their security protection approach, because if we can reduce risk in that area, then that helps the organization at large.
Carolyn Woodard: You can find more about what Community IT does around cybersecurity on our website; communityit.com/cybersecurity has all of our offerings there. And I did mention that there is a Playbook that you can download. We have just a ton of webinars on cybersecurity, training advice, AI. We’ve done a couple on those. So, there’s a lot of resources there that I hope you’ll look into.
Q and A
Carolyn Woodard: What should you do if you think you did click on something suspicious? I think we’ve probably all been in that boat.
Matthew Eshleman: The first thing to do is talk to your IT provider if that’s in-house or you work with an MSP.
They should be able to look through the logs, and then see what’s going on. It’s really important and something that we do as part of our incident investigation, to establish the facts of what has happened. We may take a different approach depending on the situation, but ultimately, you may end up resetting your password, re-enrolling MFA methods, but it’s important to be really thorough. Your IT team or your MSP partner should have really good processes and procedures in place to identify if an account has been compromised and then remediate it.
It needs to be really thorough because the threat actors are finding all kinds of different ways to maintain persistence into cloud accounts. And so, just resetting your password or just enrolling in new MFA may not be enough if they’ve registered other applications or performed other actions. So talk to the IT team, and then do some logging and you’ll be able to identify what happened.
Carolyn Woodard: TELL SOMEONE. Tell someone right away. Don’t think that you can do it yourself. I actually have a friend who works in finance, and they had a wire fraud. People got fired not because they had clicked on the link and sent the money; they got fired because they had covered it up. So for about a week, they tried to fix it themselves without letting anyone know that the money had gone to the wrong account. You don’t want to be in that situation. Tell someone right away.
Is it dangerous to click on unsubscribe links? So when you get an email and it says you can unsubscribe from that mailing list, is that okay?
Matthew Eshleman: Yeah. In general, yes, it is okay, and it’s a good idea to unsubscribe from messages. For people who are running newsletters, the bar now is pretty high in terms of having good processes and good procedures to add people onto your list and giving them a way to unsubscribe. And so I think, yeah. If you’re getting emails from Macy’s and you don’t want to get emails from Macy’s anymore, yes, hitting unsubscribe is probably effective.
Now if there’s some dubious things and it looks pretty scammy, maybe you just end up blocking them.
Carolyn Woodard: If it’s like Macy’s with two y’s in the email, then you should block. But I think if it looks legit, you should be able to unsubscribe from it.
Matthew Eshleman: In general, if you can do that, that is preferred, as opposed to just blocking it yourself or forwarding to the IT team to block this. Then you get into a situation where somebody else in your organization may want to continue to get those emails from Macy’s. And if you block it, then nobody else can get it. So legit messages that are just unwanted, you should feel okay unsubscribing. Things that are of dubious origin use your judgment.
Carolyn Woodard: Matt, could you put up your link to make an appointment with you? You can also find that on our website, communityit.com/cybersecurity. It says schedule a free assessment. And that basically is a link that helps you get in touch with Matt so you can ask him your questions about your specific situation.
I want to make sure to mention our learning objectives. I feel like we covered this all pretty well.
- Basic approach to cybersecurity,
- learning the trends and attacks and organization protections,
- understanding this evolving security best practices, that MFA used to be enough, but now you need to take this extra step of having a physical key,
- learning the role of governance policies and training and protecting your nonprofit from common scams.
If you don’t have a policy, your staff aren’t going to know who they are supposed to talk to if they clicked on the wrong thing.
It’s always important to have those basic policies. If you don’t have those policies, you don’t know where to start, you want to make sure you revise them. Do you need to involve HR? Do they need to be in the employee handbook? How do you train your employees on those policies if they are new? So we’re going to be diving into all of that. We always say, you need to have policies. If you’re asking, but how? We’re going to talk about it next month. So I hope you’ll return for that.
Matt, I want to thank you so much for answering so many of our questions and just sharing your expertise and all this analysis with us today. It was just a pleasure to talk to you. It was very informative and very helpful.
Matthew Eshleman: Great. Well, thank you. I always look forward to being able to talk about this topic, because I think it’s so important. And the more education we can share about this, the better we’ll all be as a sector.