Tech Tidbit – Who Do You Trust?

September 10th, 2024

"Trust but verify."

-President Ronald Reagan, December 8th, 1987, at the Intermediate-Range Nuclear Forces (INF) Treaty Signing

I watched a presentation the other day by the head of Threat Operations for a major Security Operations Center (SOC) that provides 24/7 security oversight over networks like yours. The presenter pointed out that one of the leading attack targets is lawyers.

How many Superintendents or School Business Officials would click on a document from the district's legal counsel? From SED? From the Comptroller's Office? From CSI?

A popular and highly successful attack strategy is sending a malicious DocuSign document to sign. The presenter went on to say that the majority of recipients clicked on the malicious document because they trusted the sender.

This is one way a business email compromise attack is commonly launched:

Incredibly, besides simply sending the malicious document, there might be a follow-up phone call from the attacker posing as your legal counsel, vendor, or the state. They might reference the real names of the people you routinely communicate with. If they have already gotten into a mailbox on either side of the conversation and are reading your email, they might reference actual projects and topics you are discussing.

If you received an unexpected document and were skeptical, but then received a phone call claiming to be from your lawyer or a vendor and specifically referencing real people or real information, would that be enough to trick you into opening the document?

The reality is that for many, the answer is yes.

Sadly, that yes will often lead to the compromise of your machine, and possibly your district, with all the bad things that come with that.

There are ways to fight back.

Here are my recommendations:

  • Make Business Email Compromise discussions part of your ongoing Security Awareness Training (SAT).
  • If you are not expecting documents to be signed, verify "out of band." That means reaching out via a phone call. Don't just reply to the email to ask the sender your questions: if the sender's mailbox is the one that was compromised, the attacker is the one who answers.
  • If someone is on the phone claiming to be someone you trust or their associate, hang up the phone, call the person you trust back on the number you already have on file for them (not a number given to you in the email or on the call), and validate the transaction.
  • Put a strong spam filter, such as Barracuda Email Protection, in front of your Microsoft 365 or Google Workspace Gmail to scan the documents and links you are sent before you are allowed to open or click them.
  • Put a DNS filter like Cisco Umbrella in front of your network so that requests to known malicious domains are blocked, and a link that tries to download malware cannot deliver its payload inside your district. Note the word "known": a DNS filter stops the domains already on its lists, which is why the layers below still matter.
  • Use a strong web filter like Lightspeed to block further categories of inappropriate sites that might also host malicious content.
  • Ensure your business and district office endpoints are protected by a strong Endpoint Detection and Response (EDR) product such as CSEDR powered by SentinelOne.
  • Ensure those endpoints are watched by a 24x7x365 Security Operations Center (SOC) that will play centerfield and monitor, block, and kill anything malicious that tries to get into your network.

By combining user education with a few strategic products and strategies, we can counter the growing number of threats to your school district.

If you need help sorting all of this out, please give us a call.

-Scott Quimby, CISSP