Front Page: NCSC-FI

Information security now!

This week we look at the risks posed by information-stealing malware, remind everyone that information security matters during the holiday season too, and give tips on improving the security of a Microsoft 365 environment.

Risks posed by information-stealing malware

The NCSC-FI handles many reports related to information-stealing malware (“infostealers”). Infostealers have become more numerous and more varied in recent years. They are spread in order to collect information about their targets and to enable further attacks. You can protect yourself from their impact by taking care of the security of your own devices and by restricting access to sensitive information.

What is information-stealing malware?

Information-stealing malware steals sensitive data from users’ devices: login credentials saved on the device, payment card details, browser session tokens, autofill data and cryptocurrency wallets, for example. The malware often goes unnoticed, but the collected data is used systematically. It is sold on to criminal networks or used directly to break into company systems.

The risk increases in situations where an employee uses a personally purchased device for work purposes. A personal device may have weak protection and is not monitored with the security features defined by the company. When data-stealing malware is activated, a personal device can be used to exfiltrate both the employee’s personal data and the company’s confidential information.

How does data theft affect organizations?

A successful malware deployment can lead to further data breaches or financial damage. Gaining access to corporate data via malware enables:

  • Compromise of data: Stolen login credentials, financial data, and personal information can lead to unauthorized fund transfers, data breaches, and reputational damage.
  • Financial losses: Information-stealing malware can serve as an entry point for ransomware attacks that have the potential to disrupt business operations and cause substantial financial damage.
  • Targeting of attacks: Stolen data can be used in targeted attacks, where companies are approached using legitimate information—such as through customer service or IT support channels.

How can you protect yourself against data-stealing malware?

Regarding your organisation:

  • Strong authentication: Use multi-factor authentication broadly, preferring phishing-resistant methods (e.g. passkeys or a physical security key). Note that an infostealer that captures an active browser session can reuse it without triggering MFA, so also keep session lifetimes short and revoke sessions when a compromise is suspected.
  • Separate the operating environments: Allow access to work systems only from monitored or managed devices.
  • Keep systems updated and protected: Keep operating systems, applications and firmware up to date.
  • Network segmentation and monitoring: Segment the network and detect anomalous traffic through logging and monitoring.
  • Training and guidance: Train employees to recognise threats and to adopt safe practices.

For an individual employee:

  • Do not save passwords in the browser: Do not use autofill or store work credentials on a personal device.
  • Avoid untrusted sources: Do not download software or extensions from unknown sources. Follow your organization’s guidelines.
  • Keep your device up to date: Always update operating systems and software whenever updates are available.
  • Be cautious with emails and links: Recognize phishing attempts; do not click on suspicious attachments or links. Report any suspicious activity to the system administrators.
  • Use only authorized devices for work: Do not use personal devices to access work systems without explicit permission and proper security measures.

Ongoing summer holiday season - remember information security also in the summer!

Summer brings relaxation, holidays, and time at the cottage—but also cybersecurity threats, especially when the normal operations of organizations slow down and regular staff are replaced by substitutes. Fraud and scams concerning the financial transactions in companies tend to become more common during the summer holiday season. Information security and data protection must also be taken into account when working remotely, for example from a summer cottage. Organizations must ensure that security updates are applied and secure working conditions are maintained even during the holiday season.

For example, CEO fraud attempts may become more common during the holiday season. In these frauds, criminals impersonate members of an organisation's management, issuing urgent financial requests such as invoice payments. Such action-demanding messages may arrive via phone calls, emails, or text messages. From the victim’s perspective, the messages may appear to come from a familiar person and seem genuine. Such messages often appeal to urgency, emphasizing that the matter must be handled immediately. The objective of the attackers is to pressure the target into ignoring regular security checks. Payroll and HR staff are also frequent targets. A scammer might pose as an employee and ask to update their bank account details for payroll purposes. Scammers know that during the holiday season, the organization's leadership may be on vacation and therefore unavailable. Internal processes may be more relaxed and unclear to summer substitutes, who might not be familiar with standard procedures or recognize unusual requests as suspicious.

The best protection against scams is vigilance. If you are unsure whether a request is genuine, verify it by calling the sender on a number you already know, not on one given in the message itself. Also follow your organisation’s internal instructions, confirmation practices and processes. Employers should regularly remind all employees to follow the guidelines and processes. In addition, summer employees and substitutes should be properly inducted into secure working practices and granted only the access rights their tasks require.

During the holiday season, remote work from, for example, a leisure property may become more common. In this case, also ensure the cybersecurity of the devices you use there by installing the latest updates. Also make sure to follow the employer’s instructions for secure remote work. It is important to ensure that the premises are also suitable for remote work from a data protection perspective. The National Cyber Security Centre has provided guidelines for secure remote work for both employees and organizations.

Remember at least the following things:

  • Prefer long passwords and use multi-factor authentication
  • Beware of phishing messages – think before clicking a link or opening attachments
  • Keep your devices and applications updated
  • Back up important files
  • Follow remote work guidelines and use the devices provided by your employer for work tasks
  • Only use networks you can trust in terms of security. Instead of an unfamiliar network, you can use, for example, your phone’s internet connection

Organisations should also remember these:

  • Maintain your ability to install critical information security updates also during the holiday season
  • Orient new employees and remind them to follow the guidelines
  • Ensure that substitutes are aware of the processes and approval procedures
  • Back up critical data

Improve your Microsoft 365 environment with Admin Consent Workflow and Unified Audit Log

Improving information security in organisations in Microsoft Entra ID and Microsoft 365 requires controlled processes for application access rights and monitoring user activity. Two key tools for this are Admin Consent Workflow and Unified Audit Log.

The importance of the Admin Consent Workflow

The Admin Consent Workflow gives administrators centralised control over when users may grant permissions to applications. When a user tries to use an application that requires administrator approval, they can submit a request to the administrators directly from the consent prompt. Designated reviewers are notified by e-mail and can approve or deny the request.

Using this feature reduces the risk that a user unintentionally grants an application overly broad permissions, such as allowing a third-party app to read their mailbox. For example, the mail applications that attackers register during M365 account compromises request extensive permissions to the compromised mailbox. The workflow is only the route for such requests, though: it blocks nothing on its own, so the tenant’s user consent settings must be tightened at the same time so that these permissions can only be granted with the approval of a reviewer or administrator.

The feature supports the principle of least privilege, because designated reviewers can approve user requests without holding the Global Administrator role. In addition, every decision is recorded, which facilitates auditing and reporting.

Improve your Microsoft 365 environment with Admin Consent Workflow and Unified Audit Log (external link, in Finnish)

You do have Unified Audit Log enabled already, right?

The Unified Audit Log (UAL) is a cornerstone of security in Microsoft 365. It logs the actions of users and administrators within the M365 environment, such as in Outlook, SharePoint, and Teams. Log data is a fundamental requirement for monitoring your own environment and helps in investigating data breaches, tracking file usage, and fulfilling obligations such as those under the GDPR.

In tenants created before the beginning of 2019 in particular, UAL logging may not be enabled by default. Check its status in the Microsoft Purview portal and enable it if needed: events are collected only from the moment logging is switched on, and nothing is logged retroactively.

Do you already have the Unified Audit Log enabled in your Microsoft 365 subscription? Make sure that it is. (External link)
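The checks described in the two sections above, as an added PowerShell example (this is not code from NCSC-FI or from Microsoft’s guidance): it inspects and tightens the tenant’s user consent setting, enables the Admin Consent Workflow with a named reviewer, verifies that Unified Audit Log ingestion is on, and then searches the log for recent application consent grants. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the signed-in account holds the administrator roles needed for consent policies and audit configuration, and that app-reviewer@example.com is a placeholder reviewer account.

```powershell
# Added example, not NCSC-FI's own code. Assumptions: Microsoft.Graph and
# ExchangeOnlineManagement modules are installed; the signed-in account has the
# admin roles needed for consent policies and audit configuration; the reviewer
# UPN below is a placeholder to replace with a real account.

# ---- 1. User consent settings: the control that makes the workflow bite ----
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "User.Read.All"

$authz   = Get-MgPolicyAuthorizationPolicy
$current = $authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Write-Host "Current user consent policy: $($current -join ', ')"

# Weak setting (shown for comparison, NOT applied): users may consent to any
# delegated permission, which is exactly what a malicious mail app relies on.
#   ManagePermissionGrantsForSelf.microsoft-user-default-legacy
# Middle ground: low-impact permissions from verified publishers only.
#   ManagePermissionGrantsForSelf.microsoft-user-default-low
# Hardened setting applied here: no self-service consent at all, so every
# request is routed through the Admin Consent Workflow.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}

# ---- 2. Admin Consent Workflow: enable it and name the reviewers ----
$reviewer = Get-MgUser -UserId "app-reviewer@example.com"   # placeholder account

$workflow = @{
    IsEnabled             = $true
    NotifyReviewers       = $true    # e-mail the reviewers on each new request
    RemindersEnabled      = $true
    RequestDurationInDays = 30       # requests expire if nobody acts on them
    Reviewers             = @(
        @{ Query = "/users/$($reviewer.Id)"; QueryType = "MicrosoftGraph" }
    )
}
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter $workflow
Get-MgPolicyAdminConsentRequestPolicy |
    Select-Object IsEnabled, NotifyReviewers, RemindersEnabled, RequestDurationInDays

# ---- 3. Unified Audit Log: confirm ingestion, then look at consent events ----
Connect-ExchangeOnline

$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    # Nothing is logged retroactively: events exist only from this point on.
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Which accounts granted consent to which applications during the past week?
# This is the query to run when a mailbox compromise is suspected.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType AzureActiveDirectory -Operations "Consent to application." `
    -ResultSize 500 |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When    = $_.CreationDate
            Actor   = $_.UserIds
            Result  = $data.ResultStatus
            Targets = ($data.Target | ForEach-Object { $_.ID }) -join '; '
        }
    } | Format-Table -AutoSize
```

Setting the permission grant policy list to empty is the strictest option; the `microsoft-user-default-low` policy is the milder choice if you want users to keep self-service consent for low-impact permissions. Run the audit search before and after tightening the policy: grants that appear after the change without a matching approved request are worth investigating.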

These functions provide your organization with better visibility into application permissions and user activity. This strengthens security, reduces risks, and makes it easier to demonstrate compliance.


Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

WHAT TO DO IF YOU GET SCAMMED

Recognise online scams and protect yourself from them

Vulnerabilities

 

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (reporting period XX.XX.-XX.XX.XXXX). In the weekly review we share information on current cyber phenomena. The weekly review is intended for a broad audience, from cybersecurity professionals to ordinary citizens.