
One in every 99 emails is a phishing attack, according to Avanan’s phishing statistics. This amounts to 4.8 emails per employee in a five-day work week. Considering that close to a third, or 30 percent, of phishing emails make it past default security, the threat is very much present.

The success rate of these attacks has emboldened scammers to launch more of them. Avanan reports an increase of 65 percent in phishing attacks from 2016 to 2017. And this is a global phenomenon affecting every region and economy.

In 2018, 83 percent of people worldwide received phishing attacks, resulting in a range of disruptions and damages. These include decreased productivity (67 percent), loss of proprietary data (54 percent) and damage to reputation (50 percent). When it comes to the attacks, two in three phishing attempts use a malicious link and over half contain malware.

Malware, or malicious software, describes any program or code that is harmful to systems. Malware seeks to invade, damage, or disable computers, computer systems, networks, tablets, and mobile devices, often by taking partial control over a device’s operations. Once a device is infected with malware, scammers gain access to a wide variety of functions, including taking computer screenshots, sending, downloading and deleting files, and stealing passwords.

Alarmingly, more than 75 percent of title professionals don’t conduct simulated phishing tests, according to a survey conducted by ALTA’s Data & Analytics Work Group. Additionally, only 11 percent of respondents conducted monthly testing and only 6 percent performed annual tests. Nearly 700 agents nationwide participated in the survey.

Phishing occurs when a scammer uses fraudulent emails, texts or copycat websites to get someone to share valuable personal information such as account numbers, Social Security numbers, login IDs or passwords. Scammers use this information to steal someone’s money or identity, or both. In real estate transactions, this is a precursor to what the FBI refers to as business email compromise (BEC), often resulting in wire transfer fraud. The FBI reported 11,300 people suffered losses of nearly $150 million due to wire fraud in 2018.

Simulated phishing tests are orchestrated fake phishing emails sent by companies to their own employees to heighten employee awareness and reduce the likelihood of an employee falling victim to an actual malicious attack. According to ALTA’s Data & Analytics Work Group, these tests measure a company’s vulnerability, and can present trends and offer some measure of improvement.

Phishing tests can also present a training opportunity for employees who did not catch the phishing attempt, and they increase awareness of phishing. Simulated phishing tests should complement a training strategy, not replace employee training. These tests can be adapted for the latest schemes.

Ken Kirkner, director of global operations and senior vice president for Trident Land Transfer Co., says his company’s information security department sends out tests on a weekly basis.

“We get a report back on how each division and department fared,” he said.

Many vendors provide tools that integrate with email systems. These tools can link an employee to rewards for spotting the email, direct those who missed it to a training web page, and provide measurement and tracking. Several technology providers make free phishing testing available, and links are provided on ALTA’s website. Many companies in ALTA’s Marketplace also provide information security services, including phishing testing.

Ditch the Complex Password?

If a company fails to properly educate and make employees aware of the dangers of phishing, the most complex password requirements won’t matter. Studies show that poor password security, rather than a lack of password complexity, is often a major cybersecurity weakness for most organizations and employees, one that leads to criminals accessing non-public personal information. The latest password guidelines issued by the National Institute of Standards and Technology (NIST) recommend significant changes to the way companies and people approach the complexity and usage of passwords.

Among the changes, NIST recommends the removal of periodic password change requirements, dropping the algorithmic complexity that often resulted in passwords that are easily cracked with password cracking tools, and the use of long passphrases instead of developing complex passwords.

Make Passwords Easy to Remember, Hard to Guess

In what may seem like a 180-degree turn, NIST moved away from what’s been promoted for more than a decade, recommending long passphrases in lieu of complex passwords. These new security guidelines are more focused on creating unique passphrases that users will remember easily, using whatever characters they want, instead of using convoluted and complex passwords that make no sense to the user.

Special Characters Not So Special

NIST still recommends using special characters, but the organization no longer requires their use when it comes to memorized secrets. Concerning the use of characters in general, the password guidelines in SP 800-63B 5.1.1.2 stipulate:

“All printing ASCII [RFC 20] characters as well as the space character SHOULD be acceptable in memorized secrets. Unicode [ISO/ISC 10646] characters SHOULD be accepted as well. To make allowances for likely mistyping, verifiers MAY replace multiple consecutive space characters with a single space character prior to verification, provided that the result is at least 8 characters in length. Truncation of the secret SHALL NOT be performed. For purposes of the above length requirements, each Unicode code point SHALL be counted as a single character.”

More Is More

The NIST password guidelines update requires users to create passwords that consist of a minimum of eight characters. However, it also allows the password form fields to include the use of up to 64 characters. This change was made to help support the use of passphrases. According to the Verizon 2018 Data Breach Investigations Report, length and complexity of passwords are not enough on their own. “No matter who administers your technology environment (whether in-house or outsourced) they should be required to use two-factor authentication,” the report advises. In an upcoming article, we’ll provide tips to easily implement two-factor authentication.

“Users should use long password phrases consisting of three or more words that normally don’t go together but are easily remembered and be at least 15 characters long,” suggested Paul Noga, director of information technology and cybersecurity for Southern Title. “Passwords should be screened against lists of commonly used or compromised passwords. Users should only change their passwords when they suspect there could be a potential compromise.”
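As an added illustration (not code from NIST or from the companies quoted here), the acceptance rules described above, namely the SP 800-63B character, length and space-handling rules plus the screening Noga describes, can be expressed as a small Python check. The blocklist is a constructed sample, and treating 64 characters as a hard maximum and matching the blocklist case-insensitively are assumptions of this example.

```python
import re

MIN_LEN = 8    # minimum length stated in the guideline
MAX_LEN = 64   # field length the article cites; used here as a hard cap (assumption)

# Constructed sample; a real verifier would load a large list of commonly
# used or previously compromised passwords.
SAMPLE_BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123"}


def canonical_form(secret: str) -> str:
    """Collapse runs of spaces (the MAY clause), but only if the result
    still meets the minimum length; otherwise keep the input untouched.
    The same form must be used at enrollment and at every login."""
    collapsed = re.sub(r" {2,}", " ", secret)
    return collapsed if len(collapsed) >= MIN_LEN else secret


def check_secret(secret: str, blocklist=SAMPLE_BLOCKLIST) -> list:
    """Return a list of rejection reasons; an empty list means accepted.

    No composition rules are applied: printing ASCII, the space character
    and Unicode are all allowed, so there is no character-class check.
    """
    reasons = []
    candidate = canonical_form(secret)
    length = len(candidate)  # len() on a Python str counts code points
    if length < MIN_LEN:
        reasons.append("too_short")
    if length > MAX_LEN:
        # Reject outright; silently truncating is what SHALL NOT happen.
        reasons.append("too_long")
    # Case-insensitive matching is a choice made for this example.
    if candidate.casefold() in blocklist:
        reasons.append("blocklisted")
    return reasons


if __name__ == "__main__":
    samples = ["correct  horse   battery staple", "PASSWORD", "short",
               "\u00e9" * 40, "x" * 65]
    for sample in samples:
        print(repr(sample[:20]), check_secret(sample) or "accepted")
```

The 40-character accented sample is 80 bytes in UTF-8 but only 40 code points, so it passes the length check; a verifier that measured bytes would wrongly reject it.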

Requiring Password Time Periods Has Expired

The new password guidelines no longer require users to create new passwords after a certain period. Studies have shown the requirement of frequent changes to be counterproductive to good password security. Instead, it specifies that new passwords are mandated only in the event of a password breach. According to NIST, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

Copy and Paste Functionality

Another change in the NIST password guidelines is allowing the “paste” feature in the password field. NIST says this facilitates the use of password managers, which increase the likelihood that users will choose stronger memorized secrets.

What Title Agents Are Doing

Noga said his company’s minimum password length is set to 15 characters and it still requires character complexity (special characters, upper and lowercase). He added that Southern Title will soon revisit its policies and likely switch to passphrases with a minimum of 15 characters and maximum of 64.

“A passphrase of five words would take a hacker eight years to crack,” Noga said. “We are going to set the password expiration to one year and only have users change their password if we suspect suspicious activity or compromise. Passphrases are easier for users to remember and allowing them to make a long enough passphrase that will be hard to crack within the password age we set.”

Remembering complex passwords or long passphrases can be difficult, so many use password managers. Southern Title is looking to purchase the business plan for the password manager Keeper. This will give staff the ability to access the program from multiple devices so the company can centrally manage accounts and allow for recovery.

“Password managers allow users to use a different password for every application and website they access,” Noga said. “All they need to remember is their password to their vault and they can have the manager randomly generate long complex passwords for everything else. The manager allows them to log on from the vault and it automatically fills in the credentials. This makes their lives much easier and more secure.”

Ken Kirkner, director of global operations and senior vice president for Trident Land Transfer Co., agrees that password managers simplify the process. His company uses LastPass, which provides an extension for Chrome, Safari, Firefox and other browsers.

“It is easy to use and a good route to go,” he added.

Core Principles

While the types of attacks cyber criminals deploy may evolve over time, the principles companies can implement generally stay the same. The overriding point to understand is that incidents will occur at some time and that security is the responsibility of everyone on staff, not just the IT department. According to Online Trust Alliance, here are some core principles to help organizations remain vigilant against attacks:

1. Responsibility for incident protection and readiness is organization wide. Data stewardship, security and associated privacy practices are the responsibility of the board, executives, all employees and all departments (not just IT).

2. Data is an organization’s most valuable asset. Identify what you have, where it is, why and how you use it and the potential risks to your organization and individuals should it be inappropriately accessed, held hostage, released or erased.

3. Only collect and retain data that has a business purpose for as long as it is needed. Secure it while it’s held; delete it when it’s no longer needed. Criminals cannot steal or hold hostage data you don’t have, and such minimization may be a regulatory requirement for your organization.

4. The level of data security you apply must be commensurate with the data held. The security in place should reflect the risk of damage to consumers and the organization should that information be inappropriately accessed. Organizations should develop a data minimization strategy including a classification matrix that guides how various types of data should be protected, stored and discarded across an organization.

5. Protection involves not only the specific incident (data loss, ransom paid), but also the costs of business interruption. This includes locked data, network and system interruption and connected device takeover.

Genady Vishnevetsky, Stewart’s chief information security officer, says an additional security measure a title professional should employ is multifactor authentication for everything that supports it.

In June, ALTA’s Board of Governors approved recommendations to update and modify various portions of ALTA’s Title Insurance and Settlement Company Best Practices. One of the approved changes is the recommendation that companies use multifactor authentication for all remotely hosted accessible systems storing, transmitting or transferring non-public personal information. The proposed change is under a 60-day comment period that closes Sept. 15. Once finalized, changes will go into effect Jan. 2, 2020. Email comments to bestpractices@alta.org.

Vishnevetsky added that user email protection services can help title agents protect against phishing attacks.

“Microsoft and Google both offer a solution as additional service,” he said. “There are standalone services such as Mimecast or Proofpoint that provide the same capabilities.”

As a security practitioner, Noga believes layered security is the best advice for businesses. Complete protection against attacks isn’t a reality. Noga said the best that can be achieved is to reduce the risk by putting in controls that will protect, detect and respond to incidents.

“The goal is to protect but be able to detect and respond when a protection fails,” he said. “The faster you can detect and respond the faster you can reduce the impact.”

In addition to multifactor, examples of layers include firewall, intrusion detection and prevention system (IDS/IPS), data loss prevention, encryption (at rest and in transit), VPN access for remote users, next-gen endpoint protection (which replaces most antivirus programs that use only signature-based detection), security information and event management (to get visibility into your network and systems through log and event aggregation and correlation), patch management (updating firmware, operating systems, software, etc.) and security awareness training.

“These are just a few of the controls that work together in a layered defense, but security awareness training is really the best bet to combat this,” Noga said. “Spam and malware filters only catch about 10 to 15 percent of phishing emails. Educating users on spotting the red flags is truly the best route for combatting social engineering attacks and scams.”