by Ryan Miller
Summary
Non-profit organizations have emerged as prime targets for cybercriminals due to several compelling factors. The 2023 UK Cyber Breach Survey reveals that 24% of charities fell victim to breaches or attacks in 2022. This article takes an in-depth look at outbound email threats by attackers, briefly touched upon in a prior article. These threats are closely linked with [7.4.1 Attacks using account take-over] and [7.4.2 Unauthorized email server access] as outlined in ITU-T X.1236 standards. Effectively countering diverse cyber attacks aimed at non-profit entities requires a profound understanding of attack types and compliance with proactive security measures derived from comprehensive security requirements. The guidelines for such measures are meticulously outlined in the International Telecommunication Union (ITU)'s international email security standards.
1. Overview
Non-profit organizations, traditionally associated with noble causes and efforts to create a more equal and just world, find themselves not immune to cyber threats. They share vulnerabilities in cybersecurity, including constrained budgets, potential lack of cybersecurity awareness, and an increasing reliance on digital platforms. Despite their commitment to worthy causes, non-profits are exposed to cyber risks due to various factors. Limited financial resources leave minimal room to allocate funds for cybersecurity infrastructure, exacerbating their vulnerabilities. These organizations often handle sensitive data like donor records, beneficiary information, and financial data, making them attractive targets for cybercriminals seeking access to critical data to disrupt operations. Such attacks are often driven by financial motives, data theft, or disruption of operations.
Cyber attacks on non-profits can have significant impacts and are on the rise. According to the 2023 UK government cyber breach survey, 24% of charities experienced breaches or attacks in the past year. Protecting organizations from hacking involves not only security systems but also specialized awareness of hacking and regular checks to ensure compliance with related security requirements. This article explores the multifaceted problems faced by non-profits regarding cybersecurity and investigates real cases of email-based cyber attacks targeting them, proposing preventative solutions to strengthen digital defenses.
2. Attack Case Analysis - Attack Type
To identify fraudulent emails, understanding the tactics and intentions of hackers, along with proactive security requirements, is crucial, as outlined in the ITU's international email security standards. This section analyzes real cyber attack cases on non-profits, following these international standards, delving into identifying attack types and proposing proactive solutions.
Case Example: Outbound Email Attack on a Non-Profit - (Attacks using account take-over, Unauthorized email server access)
A non-profit's Office 365 tenant was breached by an attacker using global administrator credentials. (For security reasons, the original text does not reveal the specific name of the nonprofit.) The attacker infiltrated the organization through the account of the organization controller operating with global admin rights. Once inside, they granted themselves full access to mailboxes belonging to various organizational leaders, subsequently posing as the financial director to request and promptly approve a wire transfer. Additionally, they gained full access to two other mailboxes owned by the executive director.
Email security standards define such hacking under [7.4 Outbound email threats by attackers]. These attacks typically commence with account takeovers, where stolen accounts are used to send subsequent emails that exploit personal information found in the user's inbound and outbound emails. This corresponds to the "Attacks using account take-over" type. Moreover, "Unauthorized email server access" occurs when attackers illicitly access a user's company email account with stolen credentials.
Standards define [7.4.1 Attacks using account take-over] and [7.4.2 Unauthorized email server access] as follows:
7.4.1 Attacks using account take-over: Outbound email attacks often initiate with the theft of a user's account. The attacker then randomly sends subsequent emails exploiting personal information from the victim's emails. The compromised account may lead to secondary victims and be reused in potential phishing attacks.
7.4.2 Unauthorized email server access: This method involves attackers gaining control over email servers to obtain unauthorized access. For instance, if an email server is compromised, attackers can retrieve user passwords, granting them access to other hosts on the organization's network.
3. Cyber Attack Case Analysis - Solution
To effectively respond to phishing emails, analyzing sender information in advance and warning users are necessary for proactive responses to attacks. Compliance with ITU-T X.1236 Standards Clauses 8 and 9, [Security requirements for countering targeted email attacks] and [Countermeasures for targeted email attacks], can lead to effective solutions and proactive measures, serving as a comprehensive roadmap.
To counter account takeover attacks among the outbound attack types, compliance with [8.4.1 Security requirements for countering attacks using account take-over] is required.
Step 1. It is advisable to allow security administrators and users to set specific IP addresses and countries that can access email accounts.
Step 2. It is advisable to implement malware detection when sending emails, in the same manner as the inbound email security requirements in Clause 8.1. (*Refer to separate outbound standard definition post)
These security requirements can be reflected in the [9.4.1 Countermeasures for attacks using account take-over] solution for a proactive response to account takeover attacks.
● Through IP permission settings ('Register Security IPs' and 'Register Permitted Countries'), security administrators and email users can register the specific IP addresses and countries from which email accounts may be accessed, so that access from anywhere else is blocked.
To counter unauthorized email server access attacks among the outbound attack types, compliance with [8.4.2 Security requirements for countering unauthorized email server access attacks] is required.
Step 1. Block national access to unregistered SMTP and webmail services.
Step 2. To judge whether an access attempt is an unauthorized email server attack, the details of the access request must be recorded and understood; access requests identified as unauthorized should not be forwarded to the email server.
Step 3. If the sender's SMTP information does not match the recipient's SMTP information, email delivery should be blocked.
These security requirements can be reflected in the [9.4.2 Countermeasures for unauthorized email server access] solution for a proactive response to unauthorized email server access attacks.
● Through email server/IP access control, security administrators can restrict access to webmail and mail clients and control the transmission of secure email links. Webmail access can be limited to registered IPs, and client-server protocol (POP3)/SMTP communication can be controlled to block unauthorized mail client connections. Emails can then be sent only from registered IP addresses and countries, and email server access restriction logs, including IP addresses and dates, are provided.
● Email server access logs can be utilized to verify whether a user's access rights have been approved.
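As an added illustration of the IP permission settings in 9.4.1 and the access-restriction logging in 9.4.2 (example code written for this article, not taken from the ITU-T standard or any product), the check below evaluates mail server access requests against a registered-IP list and a permitted-country list and emits the log record an administrator would review. The allowlists, the GeoIP table and the sample requests are all constructed assumptions.

```python
"""Hypothetical access-control check modelled on the registered-IP / permitted-
country restrictions described above (not the standard's or any vendor's code)."""
import ipaddress
from datetime import datetime, timezone

# Assumed policy values (constructed): 'Register Security IPs' and
# 'Register Permitted Countries' as an administrator might configure them.
SECURITY_IPS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.10/32")]
PERMITTED_COUNTRIES = {"GB", "US"}
# Constructed stand-in for a GeoIP database; "ZZ" marks an unlisted country.
GEO_TABLE = {"203.0.113.0/24": "GB", "198.51.100.0/24": "US", "192.0.2.0/24": "ZZ"}

def country_of(ip):
    """Look up the (constructed) country code for an address, or None."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(net):
            return cc
    return None

def evaluate(ip):
    """Return (decision, reason): allow only from a registered security IP
    or from a permitted country; everything else is blocked (9.4.1)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in SECURITY_IPS):
        return "allow", "registered security IP"
    cc = country_of(ip)
    if cc in PERMITTED_COUNTRIES:
        return "allow", f"permitted country {cc}"
    return "block", f"unregistered IP, country {cc or 'unknown'}"

def access_log_entry(ip, service, user, when=None):
    """Build the restriction-log record (IP, date, decision) that administrators
    use to verify whether a user's access was approved (9.4.2)."""
    when = when or datetime.now(timezone.utc)
    decision, reason = evaluate(ip)
    return {"time": when.isoformat(), "user": user, "service": service,
            "ip": ip, "decision": decision, "reason": reason}

# Constructed sample access requests against webmail, SMTP and POP3.
SAMPLE_REQUESTS = [("203.0.113.45", "webmail", "controller"),
                   ("198.51.100.77", "smtp", "controller"),
                   ("192.0.2.9", "pop3", "controller")]

def audit(requests=SAMPLE_REQUESTS):
    """Evaluate every request and return the log entries for review."""
    return [access_log_entry(ip, svc, user) for ip, svc, user in requests]

if __name__ == "__main__":
    for entry in audit():
        print(entry)
```

The third sample request is blocked because its address is neither a registered security IP nor in a permitted country; the log entry records why, which is what the verification step in 9.4.2 relies on.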
4. Conclusion
In the digital age, your data is as valuable as physical assets. As hacking techniques evolve into more sophisticated forms, fostering awareness and maintaining vigilance becomes paramount for preventing potential damage caused by cyber threats. Security requirements and solutions are central components of this preventive stance. Non-profit organizations, often attractive targets for cybercriminals due to limited budgets and valuable data, must fortify themselves against hacking attacks. This involves combining efficient security policies with education on international email security standards to prevent financial losses and ensure the secure protection of sensitive data. The ITU-T X.1236 standard "Security requirements and countermeasures for targeted email attacks" furnishes a comprehensive framework of security requirements and solutions tailored to various email attack scenarios. Being aware of these standards and continuously assessing email security against them embodies a proactive approach to sophisticated hacking techniques. The journey towards compliance with international email security standards can commence with diagnosing compliance with mail security standards through Mail Inspector.
References
<Security requirements and countermeasures for targeted email attacks>
https://www.itu.int/ITU-T/recommendations/rec.aspx?rec=15710&lang=en
<Email-based Attacks Against Nonprofits Are On The Rise. Is Your Organization Vulnerable?>
<Ransomware Attacks on Nonprofits: Rarity or Regularly Hidden?>
<Nonprofit Cyber Attack Case Studies and Solutions>
https://blog.techimpact.org/nonprofit-cyber-attack-case-studies-and-solutions
<How Nonprofit Cyber Attacks Really Happen>
https://blog.techimpact.org/how-nonprofit-cyber-attacks-really-happen
<Nonprofits and Cyberattacks: Key Stats That Boards Need to Know>
https://www.boardeffect.com/en-gb/blog/nonprofits-cyberattacks-key-stats/
<Basic Cybersecurity Hygiene Measures Could Have Prevented Ransomware Attack, Says Edinburgh Fringe Festival Boss>
<Philabundance falls victim to cyberattack, loses almost $1 million>
https://www.phillyvoice.com/philabundance-cyberattack-theft-1-million-dollars/
<Non-Profit Out $923,000 After Business Email Compromise Scam>
https://www.happierit.com/knowledge-center/breaches/philabundance-bec-scam