Email security

Join us in this insightful episode of Breakfast Bytes with Felicia King, along with our guest Kyle Wentworth of the Wentworth Group. We delve into a balanced exploration of business needs vs IT security needs, demonstrating the magnitude of this issue with a case study of a massive spam operation hijacking over 8000 trusted brand domains.
https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html
In this detailed conversation, our experts elucidate steps towards prevention and emphasize the significance of effective domain ownership and control. Kyle highlights the central role of Technology Management departments in mitigating IT risks and stresses the importance of a comprehensive understanding of orderly processes for DNS management, timely publishing of DNS records, and the related cost implications.
This episode underscores the need for operational maturity in businesses, and how maintaining domain infrastructures and adhering to robust protocols can protect your business from digital threats. Listen to gain invaluable insights into how businesses of all sizes can level up their understanding of the intersections of business and IT security systems.
The episode also draws attention to the potential vulnerabilities of newly registered domain names and the common pitfalls relating to outsourcing these functions. We underscore the necessity to take caution or face serious losses and discuss the ramifications of transferring control of key business aspects to external vendors.
With a candid look at the dangers of ill-considered network security and the hazards of transferring all risks to an external IT service provider, we make a strong case for integral security measures. Listen in to gain an understanding of the importance of viewing technology as a business partner rather than an expense and to learn how focusing on strengthening your network security can pave the way for business success.

Why it is critical to have an email security expert managing and monitoring email security configurations and delivery of email on an ongoing basis.
Instructions from marketing automation platforms are not adequate.
It matters A LOT what you are trying to do with email. Getting these items configured is an art form.
Vendors are continually failing vendor risk management analysis and losing business over their email not being properly configured.
 
New website resource:   https://kb.qpcsecurity.org

Ken Dwight is “The Virus Doctor” – Business consultant and advisor to IT service providers and internal IT at many businesses who have come to him for his training, has his own direct clients. Ken conducts a monthly community meetings for alumni. He provides a list of curated items of current interest for discussion and resources, and has a featured topic which often includes another speaker to provide breadth of perspective. He has been doing this community service for 83 months!
I asked Ken to cover with me some topics that from his perspective don’t get talked about enough.
Business Email Compromise
Also known as CEO fraud. Impersonating a CEO for purposes of wire fraud. We are focused on the technological solutions. There is no technological solution for eliminating BEC.
CEOs must be part of the solution.
Example: Subcontractor to Airbus. Used to dealing with multi-million-dollar wire transfers.
BEC is a large Fortune 500 issue, it scales down to one user environments.
Title companies are a big target.
Retention policies and standards for WHERE to store what kinds of data to make sure that email is not a file server thereby increasing the risk of what data is compromised as part of BEC.
Perfect example of the beginning of an incident response plan or a tabletop exercise. Orgs must define the cost of compromise. That plan needs to be in place long before. It makes a recovery so much more straightforward.
Attackers analyze their victims in tiers. Potential victims $10 - $50mm revenue organizations. Reputational damage, but not big enough to have an adequate cybersecurity budget.
ShadowIT is a problem, which is why you must address it with a CFO-enforced procurement policy.
Proactive management of M365 tenant security configuration is so critical
The security of your tenant is not included in the fee for biz premium or the overall licensing.
How much activity there is, changes, products, services, vendors. Ideal stack, layers, point solutions within that. Revisit that in a period of time like a year.
This is a nice resource for M365 security and BEC.
https://www.blumira.com/office-365-security-issues
Direct advice from Ken
One topic I believe falls directly into this category is the issue of Business Email Compromise, as opposed to actual malware / hacking / ransomware attacks. As you know, the losses to BEC still represent a greater dollar value than ransomware, according to the FBI statistics. But BEC isn’t even a technology problem, it’s pure social engineering – and no additional layers of hardware or software “solutions” will prevent it or reduce the cost to its victims. In my opinion, that’s why you hear so little on the subject from the cybersecurity vendors.
Another topic I find interesting, but haven’t really heard any vendors or industry pundits talk about, is the whole new ecosystem and infrastructure produced by modern threat actors. The whole business model of these sophisticated criminals has created occupations, titles, and job descriptions that didn’t exist a few years ago. Some of these are a result of the specialization, compartmentalization, and outsourcing by these organizations; here are a few that come to mind:
Breach attorney
Ransomware Negotiator
Initial Access Broker
Cloud Access Security Broker
Multiple “As-a-Service” offerings:
Ransomware as a Service
Phishing as a Service
C2 as a Service
Another area that is mentioned fairly frequently, but typically fueled by more heat than light – and raised as a point of frustration by MSPs and IT Solution Providers in general – is the users who still believe they don’t have to worry about cybersecurity, hackers, malware, or ransomware, because they “don’t have anything the criminals would want,” or words to that effect. I believe those users need to comprehend how real and serious the threats are to their business.
By defining the multiple tiers of threat actors, the threat vectors they may employ, their potential victims, the assets owned and managed by those victims, and the attacker’s strategy for monetizing those assets, I believe it becomes obvious that every organization and every individual is the intended target of some subset of those threat actors.
Visit this resource for help making argumentation. Ken is working on some additional materials for end user cybersecurity awareness training.
https://qpcsecurity.podbean.com/e/the-real-reason-you-cannot-afford-to-have-a-cybersecurity-incident/