The Hole in the Firewall Gang

In our mythology of the American past, towns were terrorized by roving gangs who would rob one town then head to the next.  Welcome to 2019.  New technology.  Old tricks.

Recently, we wrote about a rising trend in ransomware attacks targeting local governments. Since then, news broke that 22 towns in Texas have become the latest victims of these attacks. Investigations are still underway, so information on the exact causes has yet to be released to the public. However, according to NPR, the mayor of one affected town said the attackers are asking for $2.5 million to unlock government files.  

What sets this apart from the recent onslaught of ransomware news is the highly coordinated nature of these attacks. Texas officials believe the attack to be caused by “one single threat actor,” targeting specific agencies rather than entire government systems.  

Texas governor Greg Abbott classified the attack as a Level 2 Escalated Response — the second-highest level of alert in the state’s emergency response system — indicating that the scope of the incident is beyond what local responders can manage. Cybersecurity experts from the F.B.I., the Federal Management Agency, and the Texas Military have all been called in to respond.  

One pattern many have noticed is the relatively small size of the towns attacked. Of the 22 towns affected, four of them have a total of 31,000 residents. In many cases, small governments have underfunded IT departments, making it difficult to maintain effective cybersecurity practices. Frequently, ransomware attacks will target systems based on opportunity. Instead of wasting the effort of cracking systems with strong security, attackers will go after those with easy access. Local governments like those in these Texas towns are therefore prime targets for these types of attacks.  

News of these attacks not only shows that government ransomware attacks are on the rise, but also that their level of sophistication is increasing. In an article in the New York Times, Allan Liska, the author of a recent report on government ransomware attacks, said that “if this turns out to be a new phase — because bad guys love to copycat each other — we’re going to see a continued acceleration of these kinds of attacks.” 

If this news teaches us anything, it’s that public and private organizations should not wait but put in place processes now to avoid becoming the next victim of a ransomware attack. All organizations should make sure that they are testing their backups regularly, patching their systems, and engaging their staff in cyber awareness training.

And rustle up a posse.  Because they are coming.
 

Preparing for the CCPA

Time is running out. The California Consumer Privacy Act (CCPA) goes into effect January 1st 2020, and businesses need to be taking the steps necessary to comply. The new law is widely considered to be the most comprehensive privacy regulation in the U.S. to date and won’t just affect businesses operating within the state of California. Instead, any organization that collects the personal information of California residents might be subject to the new regulation. It’s important that every business reviews the regulation to understand whether they will be required to comply.  

And while the CCPA has many similarities to the E.U.’s General Data Protection Regulation (GDPR), organizations should not assume that compliance with one automatically means compliance with the other. It’s therefore essential that any business potentially affected by California’s new law understand what compliance entails and take steps to put any necessary new systems in place.  

Compliance: The Essentials

Inventory California Data

Really, it’s always a good idea to conduct an inventory of the data collected and processed, but it’s going to be especially important for compliance with the CCPA. Because the regulation gives consumers the right to request information about how their data is used, the first step will be to conduct and maintain a comprehensive inventory of your data. This should include not only what data you’re collecting, but also how it’s collected, where it’s stored, and who it’s shared with.  

It’s important to note that “personal information” covers more than just names and addresses. It also includes, among other things, biometric data, geolocations, and internet activity. Really, any information that can be linked back to an individual will fall under the scope of the CCPA.  

Develop Systems to Process Consumer Requests

After conducting a thorough inventory of this data, organizations will need to put in place procedures to quickly and accurately process consumer requests to access this information. Under the CCPA, consumers have the right to request information on what data is being collected and who that information is being shared with. 

The regulation requires organizations to provide at least two methods for requesting this information, including at minimum a toll-free number and a webpage designated for requests. Once a request is made, businesses need to be able to quickly process and fulfill it. The CCPA requires all requested information to be delivered to the consumer within 45 days of the request.  

For most businesses, this will be the toughest aspect of the regulation to put in place. To help, there are a number of automated tools that can assist with processing. We also recommend having someone on staff certified in privacy through the IAPP or have someone on retainer who can assist with the process.  

Introduce an Opt Out Link on the Homepage

Under the CCPA, businesses will need to include a link on their homepage allowing users to opt out of the sale of any personal information. The regulation requires that this link be “clear and conspicuous” and be titled “Do Not Sell My Personal Information.” Consumers also need to be able to complete the opt out request without having to create an account.  

Update Privacy Policy

The CCPA will require businesses to update their privacy policy. According to the regulation, privacy policies will now need to include a description of consumer rights under the CCPA as well as a list of the types of personal information the company collects, shares, and sells with other entities. The privacy policy should also include the link to the “Do Not Sell My Personal Information” page. 

Review Overall Cybersecurity Policies and Practices

On a more general level, businesses should also take the time to ensure their cybersecurity policies and procedures are up to snuff. According to the CCPA, if an organization experiences a data breach, they will be considered responsible and be subject to fines if the state deems the organization to have “failed to implement and maintain reasonable security procedures and practices.” There will likely be more clarification on what “reasonable security procedures and practices” entails once the regulation goes into effect, but organizations should play it safe and ensure they have a strong cybersecurity system in place to safeguard against potential liability. 

Calling for Backup

It’s common knowledge that we should all be backing up our data. It’s important not only in case of system errors, but also in the event of stolen data and other security breaches. But what isn’t talked about as often is testing these backups.  

This is something that Arizona Beverages found out the hard way. Earlier this year, the company found themselves victim to a ransomware attack that wiped information on more than 200 servers and networked computers. But the real trouble began when IT staff realized that their backup systems were misconfigured, effectively making it impossible to recover their data without outside help. Because of the mistake, the company spent hundreds of thousands of dollars on new hardware, software, and recovery services.  

While there is nothing good about suffering a ransomware attack, having backups of your data can severely limit the consequences of the attack — as long as those backups actually work. This is why it’s essential to regularly test your backup systems. 

In order to ensure their systems are backed up frequently, organizations will often automate this process. And while this can be useful, it’s important to not just assume that everything is working as expected.  

And there is more to backing up your data than the backup process itself. You want to make sure not only that the targeted data has been properly backed up, but that it can be successfully restored. This includes ensuring that no file corruption occurs in the process of backing up and restoring that data. There’s no worse feeling than restoring your data only to find it completely useless.  

How frequently you test your backups should be decided by each organization depending on regulatory constraints, risk assessment, and business strategy. However, whatever is decided should be incorporated into your cybersecurity policy and carried out consistently. 
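A restore drill of the kind described above, written as an added example that is not from the original post: it backs up a constructed directory, restores the archive into scratch space, and compares per-file SHA-256 digests, so a stale archive or one that will not unpack is reported during the test rather than discovered during an incident. The file names and contents are constructed.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path

def sha256_tree(root):
    """Map each file under root (a Path) to its SHA-256 digest, keyed by relative path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source_dir, archive_path):
    """Back up a directory tree (a Path) into a gzip-compressed tar archive."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(source_dir).as_posix())

def verify_backup(expected_digests, archive_path):
    """Restore the archive into scratch space and compare every file with its expected digest."""
    report = {"ok": False, "restore_error": None, "missing": [], "corrupted": []}
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(restore_dir)  # the restore itself is part of the test
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            report["restore_error"] = f"{type(exc).__name__}: {exc}"
            return report
        restored = sha256_tree(Path(restore_dir))
    report["missing"] = sorted(set(expected_digests) - set(restored))
    report["corrupted"] = sorted(f for f, d in expected_digests.items() if restored.get(f, d) != d)
    report["ok"] = not report["missing"] and not report["corrupted"]
    return report

def run_drill():
    """Constructed restore drill: a healthy archive, a stale one, and a truncated one."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "data"
        (src / "records").mkdir(parents=True)
        (src / "records" / "ledger.csv").write_text("id,amount\n1,250\n")
        (src / "config.ini").write_text("[server]\nport=8443\n")
        archive = Path(work) / "backup.tar.gz"
        make_backup(src, archive)
        healthy = verify_backup(sha256_tree(src), archive)
        # The backup job silently stopped running: the data changed but the archive did not.
        (src / "records" / "ledger.csv").write_text("id,amount\n1,250\n2,900\n")
        stale = verify_backup(sha256_tree(src), archive)
        # Media failure or a partial copy: only the first 20 bytes of the archive survive.
        archive.write_bytes(archive.read_bytes()[:20])
        broken = verify_backup(sha256_tree(src), archive)
    return healthy, stale, broken
```

Scheduling `run_drill`-style checks against real archives, and alerting on any report that is not `ok`, turns "test your backups" from a policy line into a measured control.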

Nothing keeps IT professionals up at night like the thought of irredeemably losing system data. Not only could months or years’ worth of work vanish in an instant, but it could end up costing tons in regulatory fines and recovery services. 

Simply put: test your backups, sleep easy.  

 

Identity Management 101

Identity management should be considered an essential part of any business’s cybersecurity policy. No, it’s not the process of deleting your old college party photos from Facebook (although that’s not a bad idea). Instead, it’s a way to manage who has access to what information and when. 

Misuse of credentials—either intentionally or unintentionally—is a prime vector for security issues. It would certainly be a lot easier to just give every employee access to all of your systems and files, but having this sort of “open door policy” exposes your organization to serious risk. The Ponemon Institute’s Cost of Insider Threats report shows that privilege misuse is an increasing cause of data breaches and costs organizations an average of $8.76 million. 

To help prevent this, it’s important that any identity management policy a business uses incorporate the concept of least privilege. This means exactly what it sounds like: every user should be given the least amount of privileges to applications and systems necessary to complete their work. And managing access privileges is not a one-time thing. If a user only needs access to certain information for a short period of time, you want to ensure that access is restricted once they no longer need it.  

Low-Hanging Fruit

Along with employing a least-privilege policy, there are a few more simple steps every business should take when developing identity management practices:  

  1. Make sure that only those who need it have administrator privileges. On top of this, those with administrative privileges should have a separate account to access systems and software which does not require privilege, such as email or, yes, Facebook.
  2. Require users with a greater risk level to use multi-factor authentication (MFA). This includes those with administrative privileges and users who log in remotely.  
  3. Remove credentials for anyone who no longer needs access, such as ex-employees and short-term contractors and vendors.  
  4. Require users to create long, complex and unique passwords. There is no need to reset passwords unless they’re forgotten or you suspect they’ve been compromised. Check out NIST’s password guidelines for more information on this.  
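One way to turn this checklist into a recurring access review, written as an added example that is not from the original post: it runs the first three rules (and the expiry of temporary grants) over a constructed directory export and lists every account that needs attention. The field names, sample accounts, and review date are assumptions.

```python
from datetime import date

# Constructed sample of a directory export; the accounts and dates are not real.
REVIEW_DATE = date(2019, 10, 1)
ACCOUNTS = [
    {"user": "alice", "enabled": True, "admin": True, "mfa": True, "remote": False,
     "mailbox": True, "status": "active", "grants": [{"role": "db-admin", "expires": "2019-09-30"}]},
    {"user": "bob", "enabled": True, "admin": True, "mfa": False, "remote": True,
     "mailbox": False, "status": "active", "grants": []},
    {"user": "carol", "enabled": True, "admin": False, "mfa": False, "remote": True,
     "mailbox": True, "status": "active", "grants": []},
    {"user": "dave", "enabled": True, "admin": False, "mfa": True, "remote": False,
     "mailbox": True, "status": "terminated", "grants": []},
    {"user": "vendor1", "enabled": True, "admin": False, "mfa": True, "remote": True,
     "mailbox": False, "status": "contractor", "contract_end": "2019-07-31",
     "grants": [{"role": "ticketing", "expires": "2019-07-31"}]},
    {"user": "erin", "enabled": False, "admin": True, "mfa": False, "remote": True,
     "mailbox": True, "status": "terminated", "grants": []},
]

def review_accounts(accounts, today):
    """Return (user, finding) pairs for enabled accounts that break the checklist rules:
    admins need MFA and a separate everyday account, remote users need MFA, leavers and
    expired contractors lose their credentials, and temporary grants expire on time."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled: nothing left to revoke
        if acct["admin"] and not acct["mfa"]:
            findings.append((acct["user"], "administrator without MFA"))
        if acct["admin"] and acct["mailbox"]:
            findings.append((acct["user"], "privileged account also used for email"))
        if acct["remote"] and not acct["mfa"]:
            findings.append((acct["user"], "remote login without MFA"))
        if acct["status"] == "terminated":
            findings.append((acct["user"], "ex-employee account still enabled"))
        end = acct.get("contract_end")
        if end and date.fromisoformat(end) < today:
            findings.append((acct["user"], "contractor account past contract end"))
        for grant in acct["grants"]:
            if date.fromisoformat(grant["expires"]) < today:
                findings.append((acct["user"], f"expired temporary grant: {grant['role']}"))
    return findings

def run_review():
    """Run the review against the constructed sample on the review date."""
    return review_accounts(ACCOUNTS, REVIEW_DATE)
```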

Next Steps

While using various technologies throughout an organization streamlines activity, it also creates a more complex user environment, which poses its own security risks. To help mitigate these risks, there are a number of additional steps you can take, such as utilizing Single Sign-On (SSO) and identity management systems. 

Single Sign-On allows employees to use one set of credentials to access multiple applications. This may seem counterintuitive, but limiting the number of credentials can actually improve security. Often, when users are required to keep multiple passwords, the overall strength of each password goes down, making it easier for credentials to be compromised. Focusing instead on maintaining one strong password will help keep your systems more secure.  

Lastly, there are identity and access management systems which can help automate this process. Along with managing user access, these systems can monitor user activity and enforce organizational policy on data use and sharing across the board.  

 

Robocalls Might Be in Trouble

You may have forgotten just how terrible looking at your email inbox used to be. Not too long ago, email spam cluttered our inboxes, making it next to impossible to wade through all of our emails and figure out which ones were legitimate and which ones to delete. And while with email this is largely a thing of the past, the problem has carried over into a new medium: our cellphones.  

Pesky phone calls aren’t anything new, but in the last few years the situation has become rather drastic. According to one report, there was a total of 26.3 billion robocalls placed in the U.S. in 2018 — a staggering 46% increase in just one year. And while almost all of these calls are technically illegal, technology has accelerated to such a degree that it’s become extremely difficult for lawmakers and regulatory agencies to keep up.  

Why This is Happening 

It’s an old cliché: technology can be used for good and for bad. But recent advancements in calling services certainly prove this to be true. One of the main causes of the increase in robocalls is what’s called Voice over Internet Protocol (VoIP). Services offered by Skype and Google utilize this technology to help users communicate with one another at low costs. However, bad actors have learned to automate this technology in order to place thousands of calls to anywhere in the world at a rapid pace.  

Alongside VoIP, spammers have also harnessed a technique called “spoofing,” which allows callers to use a fake number when placing a call. You’ve probably learned by now that if you receive a call from a number that looks similar to your own, it’s going to be a robocall. This is because spammers are using spoofing technology to carry out “neighbor spoofs,” a method that replicates your area code and sometimes your exchange number to trick you into picking up.  

And while it’s not too difficult to learn to spot these tricks, spoofing can be used in even more nefarious ways. Because of the ease with which someone can mimic any phone number, spammers can have a call look like it’s coming from a local business or even the IRS. Or worse, if a spammer has gained access to your contact list, they can spoof calls to look like they’re coming from someone you know personally.  

A Reason for Hope? 

According to the FCC, 60% of all complaints filed are related to robocalls. And, given how pervasive the issue is, it can be extremely frustrating that not more is being done to tackle the problem. This month, however, there has finally been some movement from both the FCC and phone carriers to do something about it. 

Earlier this month, the FCC unanimously voted to prohibit foreign callers from spoofing U.S. numbers, telling phone carriers that they have until the end of the year to implement technology to determine the legitimacy of calls. 

The technology they are referring to is called STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs). In essence, STIR/SHAKEN attaches a certificate of authentication to phone numbers that is then verified by phone companies when a call is placed. Phone carriers can use this technology to add check marks next to verified calls and warn you when a number is unverified. 

AT&T and T-Mobile have since announced plans to implement this technology within the coming months. If you have either carrier you might already be seeing warnings such as “SPAM RISK” or “FRAUD ALERT” appear on your screen when you get certain calls.  

Of course, this technology doesn’t actually stop you from receiving robocalls. But maybe — just maybe — we’re moving in the right direction. After all, the decline of spam emails wasn’t because email providers outright blocked spam. As an article in NY Magazine points out, “The key insight that defeated email spam was that it would be nearly impossible to stop email spammers…But it was possible to make it so that the average person never saw that spam.” 

The hope, therefore, is that call verification technology will make the business of robocalls less lucrative, and, over time, the number of such calls will naturally decrease. Only time will tell how successful this will be, but this certainly seems to be a step in the right direction. When it comes to cybersecurity, there haven’t been a lot of hopeful stories recently, so we’ll take what we can get.