iPhone Hack Serves as a Wake-Up Call for Users

Last week, Google’s counterespionage group Threat Analysis Group (TAG) published findings of a malware attack that targeted iPhones for “at least two years.” The hack consisted of what is known as a watering-hole attack, where hackers install malware onto specific websites and visitors of those sites unknowingly download the malware to their device. Once installed, hackers were able to monitor user activity and export sensitive information such as passwords, contacts, messages (including encrypted conversations through apps like WhatsApp), and location data.

Google’s TAG team discovered the attack this past January. They notified Apple of the issue on the 1st of February and Apple released a security update seven days later that brought an end to the vulnerability. However, while the update removed the malware from infected iPhones, any information taken by the attackers remains in their hands.

Despite the in-depth look at the attack that Google released, information on who was behind the attack, what websites were infected, and whose data was stolen has not been verified by either Google or Apple. However, since Google’s report, a number of news sources have started to fill in the pieces. Because of the highly sophisticated nature of the attack, many quickly speculated that the attack was nation-state backed. Then, over the weekend, TechCrunch released an article with sources claiming the attack infected websites designed to target China’s Uyghur minority. A day later, Forbes confirmed TechCrunch’s report, also reporting that the attack targeted Android and Windows users too. Google and Apple, for their part, have not confirmed these reports.

Unanswered Questions 

News of the attack has raised a lot of questions. Among them, why are we just learning about all this now? While Apple did make note of the exploits in their February update announcement, the language used was such that the scope of the attack was completely unknown until now. While it is always important to apply updates to any device as quickly as possible, it’s possible that without understanding the severity of the attack, many users could have left themselves exposed by putting off the update for another day. 

Another reason this news is so important is that Apple is often considered to have some of the most advanced cybersecurity defenses out there. Because of the perception that Apple products — and iPhones in particular — are safe from attack, users may not properly understand the risks posed. As Ian Beer, author of the Google report, says, “real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted.”

While this news doesn’t mean iPhone users should go throw their phones away, it does serve as a wake-up call. No matter the device, all users need to take steps to ensure their information remains protected, the least of which is updating devices quickly. Because, as Beer states, “for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”

Context Matters

When it comes to threat detection, there are plenty of security controls out there that can help detect attacks within your network. And while these security controls are certainly useful, they don’t really give you the big picture of what happened. 

Context matters. This is why proper event logging is such an important component of any organization’s cybersecurity posture. Simply stated, event logs create an audit trail of all activity across your networks: from firewall activity, to software updates, to remote access. These logs provide the data necessary to properly analyze your network and, if an incident occurs, to understand the overall context of what happened, how, and why.

How Logs Can Help

Threat Identification and Prevention

In order to know what your network looks like when something goes wrong, you first need to understand what your network looks like when everything is working normally. Using event logs helps create a profile of normal network activity that serves as a baseline. Once you know what normal activity within your network looks like, logging can then help identify any activity outside of this norm.

By making unusual activity identifiable, event logs can be an invaluable tool in preventing attacks before they actually occur. When properly utilized, event logs are able to provide early warning signs of an attack and allow organizations to respond before the intruders can cause damage.
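As an added illustration (not part of the original article), the following Python script builds a baseline from a constructed set of SSH authentication log lines and then flags new activity that falls outside it: logins from unseen addresses, logins at unusual hours, unknown accounts and bursts of failed passwords. The log format, user names and addresses are all constructed sample data, and the hour-and-address profile is one simple choice of baseline among many.

```python
import re
from collections import defaultdict
# Constructed sshd-style auth log lines (sample data, not from any real system).
# BASELINE_LOGS covers a period known to be normal; NEW_LOGS is activity to check.
BASELINE_LOGS = [
    "2019-08-05T09:02:11 sshd[2101]: Accepted publickey for alice from 10.0.5.21",
    "2019-08-05T09:40:53 sshd[2140]: Accepted publickey for bob from 10.0.5.33",
    "2019-08-06T14:22:48 sshd[2377]: Accepted password for bob from 10.0.5.33",
    "2019-08-07T11:05:30 sshd[2511]: Accepted publickey for alice from 10.0.5.22",
]
NEW_LOGS = [
    "2019-08-08T09:10:02 sshd[2701]: Accepted publickey for alice from 10.0.5.21",
    "2019-08-08T03:12:45 sshd[2709]: Accepted password for bob from 10.0.5.33",
    "2019-08-08T12:00:19 sshd[2733]: Accepted password for alice from 203.0.113.7",
    "2019-08-08T12:01:02 sshd[2740]: Failed password for root from 203.0.113.7",
    "2019-08-08T12:01:05 sshd[2741]: Failed password for root from 203.0.113.7",
    "2019-08-08T12:01:09 sshd[2742]: Failed password for root from 203.0.113.7",
    "2019-08-08T13:30:00 sshd[2790]: Accepted publickey for mallory from 10.0.5.90",
]

LINE_RE = re.compile(r"^\S+T(?P<hour>\d\d):\S+ sshd\[\d+\]: (?P<result>Accepted|Failed)"
                     r" \S+ for (?P<user>\S+) from (?P<ip>\S+)$")

def parse(line):
    """Return (hour, result, user, ip) for a recognised auth line, else None."""
    m = LINE_RE.match(line)
    return (int(m["hour"]), m["result"], m["user"], m["ip"]) if m else None

def build_baseline(lines):
    """Profile normal activity: the source addresses and hours each user logs in from."""
    profile = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ev in map(parse, lines):
        if ev and ev[1] == "Accepted":
            profile[ev[2]]["ips"].add(ev[3])
            profile[ev[2]]["hours"].add(ev[0])
    return dict(profile)

def find_anomalies(lines, profile, max_failures=3):
    """Flag, in log order, activity outside the baseline plus bursts of failed logins."""
    findings, failures = [], defaultdict(int)
    for ev in map(parse, lines):
        if ev is None:  # skip lines the parser does not understand
            continue
        hour, result, user, ip = ev
        if result == "Failed":
            failures[(user, ip)] += 1
            if failures[(user, ip)] == max_failures:  # report each burst once
                findings.append(f"{max_failures} failed logins for {user} from {ip}")
        elif user not in profile:
            findings.append(f"login for unknown user {user} from {ip}")
        elif ip not in profile[user]["ips"]:
            findings.append(f"{user} logged in from new address {ip}")
        elif hour not in profile[user]["hours"]:
            findings.append(f"{user} logged in at unusual hour {hour:02d}:00")
    return findings
```

In practice the baseline would be rebuilt from a rolling window of a SIEM's retained logs rather than a fixed list, but the comparison step is the same.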

Post-Breach Recovery and Forensics

If, despite best efforts, a data breach does occur, event logs continue to be an important resource. After an attack, logs can, first and foremost, help organizations determine the scope of an attack, assess the damage, and isolate the incident, ensuring it doesn’t spread to other parts of your network.

Logs also provide the information necessary to understand how an attack occurred in the first place. By providing the overall context of an incident, event logs help organizations understand not only what happened, but how they can prevent similar attacks from happening in the future.

Managing Logs

Despite the value event logs provide, many organizations neglect to use them. Because logs create a trail of everything that happens on your network, they can be difficult to store and daunting to manage. While logs don’t need to be kept forever, it’s important to have enough space to maintain log trails for a certain period of time. Logs can take up a lot of space, but if you overwrite them too aggressively, you may lose critical information.

This is where Security Information and Event Management (SIEM) systems come in. While businesses should decide on log filtering and storage policies that work for them, SIEM systems can help automate this process to ensure that policy is effectively managed. SIEM systems also help analyze the often overwhelming amount of information event logs provide and can even create alerts when they notice a potential problem.

Combining event logs and SIEM systems goes a long way toward providing organizations the necessary context to understand threats to their networks. Logs can provide tailor-made insight into an organization’s vulnerabilities. What’s more, logs can even help mitigate the regulatory consequences of a breach, by providing evidence that an attack wasn’t a result of company negligence. At the end of the day, when event logs are properly managed, there is no more valuable resource.  


The Hole in the Firewall Gang

In our mythology of the American past, towns were terrorized by roving gangs who would rob one town then head to the next.  Welcome to 2019.  New technology.  Old tricks.

Recently, we wrote about a rising trend in ransomware attacks targeting local governments. Since then, news broke that 22 towns in Texas have become the latest victims of these attacks. Investigations are still underway, so information on the exact causes has yet to be released to the public. However, according to NPR, the mayor of one affected town said the attackers are asking for $2.5 million to unlock government files.

What sets this apart from the recent onslaught of ransomware news is the highly coordinated nature of these attacks. Texas officials believe the attack to be caused by “one single threat actor,” targeting specific agencies rather than entire government systems.  

Texas governor Greg Abbott classified the attack as a Level 2 Escalated Response — the second-highest level of alert in the state’s emergency response system — indicating that the scope of the incident is beyond what local responders can manage. Cybersecurity experts from the F.B.I., the Federal Emergency Management Agency, and the Texas Military have all been called in to respond.

One pattern many have noticed is the relatively small size of the towns attacked. Of the 22 towns affected, four of them have a total of 31,000 residents. In many cases, small governments have underfunded IT departments, making it difficult to maintain effective cybersecurity practices. Frequently, ransomware attacks will target systems based on opportunity. Instead of wasting the effort of cracking systems with strong security, attackers will go after those with easy access. Local governments like these Texas towns are therefore prime targets for these types of attacks.

News of these attacks not only shows that government ransomware attacks are on the rise, but also that they are increasing in sophistication. In an article in the New York Times, Allan Liska, the author of a recent report on government ransomware attacks, said that “if this turns out to be a new phase — because bad guys love to copycat each other — we’re going to see a continued acceleration of these kinds of attacks.”

If this news teaches us anything, it’s that public and private businesses should not wait, but put in place processes now to prevent being the next victim of a ransomware attack. All organizations should make sure that they are testing their backups regularly, patching their systems, and engaging their staff in cyber awareness training.

And rustle up a posse.  Because they are coming.

Calling for Backup

It’s common knowledge that we should all be backing up our data. It’s important not only in case of system errors, but also in the event of stolen data and other security breaches. But what isn’t talked about as often is testing these backups.  

This is something that Arizona Beverages found out the hard way. Earlier this year, the company found itself the victim of a ransomware attack that wiped information on more than 200 servers and networked computers. But the real trouble began when IT staff realized that their backup systems were misconfigured, effectively making it impossible to recover their data without outside help. Because of the mistake, the company spent hundreds of thousands of dollars on new hardware, software, and recovery services.

While there is nothing good about suffering a ransomware attack, having backups of your data can severely limit the consequences of the attack — as long as those backups actually work. This is why it’s essential to regularly test your backup systems.

In order to ensure their systems are backed up frequently, organizations will often automate this process. And while this can be useful, it’s important to not just assume that everything is working as expected.  

And there is more to backing up your data than the actual backup process. You want to make sure not only that you have properly backed up the targeted data, but that it can be successfully restored. This includes ensuring that no file corruption occurs in the process of backing up and restoring that data. There’s no worse feeling than restoring your data only to find it completely useless.

How frequently you test your backups should be decided by each organization depending on regulatory constraints, risk assessment, and business strategy. However, whatever is decided should be incorporated into your cybersecurity policy and carried out consistently.

Nothing keeps IT professionals up at night like the thought of irredeemably losing system data. Not only could months or years’ worth of work vanish in an instant, but it could end up costing tons in regulatory fines and recovery services. 

Simply put: test your backups, sleep easy.  


Identity Management 101

Identity management should be considered an essential part of any business’s cybersecurity policy. No, it’s not the process of deleting your old college party photos from Facebook (although that’s not a bad idea). Instead, it’s a way to manage who has access to what information, and when.

Misuse of credentials—either intentionally or unintentionally—is a prime vector for security issues. It would certainly be a lot easier to just give every employee access to all of your systems and files, but having this sort of “open door policy” exposes your organization to serious risk. The Ponemon Institute’s Cost of Insider Threats report shows that privilege misuse is an increasing cause of data breaches and costs organizations an average of $8.76 million.

To help prevent this, any identity management policy a business uses should incorporate the concept of least privilege. This means exactly what it sounds like: every user should be given the least amount of privileges to applications and systems necessary to complete their work. And managing access privileges is not a one-time thing. If a user only needs access to certain information for a short period of time, you want to ensure that access is restricted once they no longer need it.

Low-Hanging Fruit

Along with employing a least-privilege policy, there are a few more simple steps every business should take when developing identity management practices:  

  1. Make sure that only those who need it have administrator privileges. On top of this, those with administrative privileges should have a separate account to access systems and software which does not require privilege, such as email or, yes, Facebook.
  2. Require users with a greater risk level to use multi-factor authentication (MFA). This includes those with administrative privileges and users who log in remotely.
  3. Remove credentials for anyone who no longer needs access, such as ex-employees and short-term contractors and vendors.  
  4. Require users to create long, complex and unique passwords. There is no need to reset passwords unless they’re forgotten or you suspect they’ve been compromised. Check out NIST’s password guidelines for more information on this.  

Next Steps

While using various technologies throughout an organization streamlines activity, it also creates a more complex user environment, which poses its own security risks. To help mitigate these risks, there are a number of additional steps you can take, such as utilizing Single Sign-On (SSO) and identity management systems.

Single Sign-On allows employees to use one set of credentials to access multiple applications. This may seem counterintuitive, but limiting the number of credentials can actually improve security. Often, when users are required to keep multiple passwords, the overall strength of each password goes down, making it easier for credentials to be compromised. Focusing instead on maintaining one strong password will help keep your systems more secure.

Lastly, there are identity and access management systems which can help automate this process. Along with managing user access, these systems can monitor user activity and enforce organizational policy on data use and sharing across the board.  


An Inside Job

A story came out a few years ago showing that a former employee of an engineering firm continued to access the company’s systems long after leaving. The employee left the firm in 2013 to start his own company, but for two more years he used his old credentials to access and download project proposals, designs and budgetary documents — all with an estimated worth of $425,000. 

This is just one example of a growing threat to businesses: malicious insider attacks. We recently covered the threat of accidental disclosure by employees, but that doesn’t mean there aren’t other inside threats to be concerned about. There are a variety of reasons an employee might intentionally threaten company information. Often, it’s done for personal financial gain but in other cases it can simply be a case of a disgruntled employee.  

According to Ponemon’s 2018 Cost of Insider Threats report, criminal or malicious attacks make up 23% of all inside cybersecurity incidents — a number that continues to rise every year. And, as the above example shows, these attacks can be costly. The report also found that malicious insider attacks cost organizations an average of $607,745 per incident.

A key contributor to that cost is not just the value of the information stolen, but also the amount of time these attacks take to detect. Because they often use seemingly legitimate access to systems and databases, it can be difficult to discern whether someone is using credentials to access records for work purposes or with ill intent. According to the Ponemon report, it takes an average of 73 days to detect and contain an inside incident.

Mitigating the Threat

There are, however, a number of steps organizations can take to both prevent insider threats and detect them if they do happen.  

Evaluate Access Controls 

One of the best lines of defense is to constantly evaluate employee permissions and access. Not all employees will need access to all systems, so placing access restrictions depending on the employee’s need is a must.

And this isn’t something you should do just once. It’s important to regularly update your access controls. An employee might need access to certain databases only for a short-term project, or, like in the example above, may have left the company. Regularly going through employee permissions and access will ensure that only those who absolutely need your information can access it.
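To show how the least-privilege checklist from the Identity Management 101 section and the access review described above can be applied mechanically, here is an added Python example (not from the original articles) that runs those checks over a constructed directory export: departed or unknown owners, admin rights on everyday accounts, high-risk roles without MFA, and time-limited grants past their expiry. The account names, roles, HR dates and the "admin"/"vpn"/"email" role labels are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Account:
    name: str
    owner: str        # the person (or vendor) behind the account
    roles: set        # e.g. {"email", "vpn", "admin"}
    mfa: bool
    grants: dict = field(default_factory=dict)  # system -> expiry date, None = standing

# Constructed HR record: employment end date, or None if still employed.
PEOPLE = {"alice": None, "bob": None, "carol": date(2019, 6, 30), "dave": None}

# Constructed directory export; the comments mark the problems planted in it.
ACCOUNTS = [
    Account("alice", "alice", {"email", "admin"}, mfa=True),       # admin rights on an everyday account
    Account("alice-adm", "alice", {"admin"}, mfa=True),            # the proper separate admin account
    Account("bob", "bob", {"email", "vpn"}, mfa=False),             # remote access without MFA
    Account("carol", "carol", {"email"}, mfa=True),                 # owner left in June, still active
    Account("dave", "dave", {"email"}, mfa=True,
            grants={"finance-db": date(2019, 7, 15), "wiki": None}),  # project access past its end date
    Account("vendor-svc", "acme-contractor", {"vpn"}, mfa=True),   # nobody on record owns it
]

HIGH_RISK = {"admin", "vpn"}  # roles that should always carry MFA
EVERYDAY = {"email"}          # uses that belong on a separate, non-privileged account

def review_access(accounts, people, today):
    """Apply the least-privilege checklist to every account; returns the remediation actions."""
    actions = []
    for a in accounts:
        if a.owner not in people:
            actions.append(f"disable {a.name}: owner {a.owner} is not on record")
            continue
        left = people[a.owner]
        if left is not None and left <= today:
            actions.append(f"disable {a.name}: owner {a.owner} left on {left}")
            continue
        everyday = sorted(a.roles & EVERYDAY)
        if "admin" in a.roles and everyday:
            actions.append(f"split {a.name}: administrative account also used for {', '.join(everyday)}")
        if a.roles & HIGH_RISK and not a.mfa:
            actions.append(f"enable MFA on {a.name}: privileged or remote access without it")
        for system, expiry in sorted(a.grants.items()):
            if expiry is not None and expiry <= today:
                actions.append(f"revoke {system} from {a.name}: access expired {expiry}")
    return actions

def demo(today=date(2019, 9, 1)):
    """Run the review against the constructed data as of a fixed date."""
    return review_access(ACCOUNTS, PEOPLE, today)
```

Running the same review on a schedule, against a fresh directory export and HR feed, is what turns the one-time clean-up into the regular update the text calls for.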

Implement Data Loss Prevention Software 

Using data loss prevention (DLP) software is an essential way to detect potential malicious activity. DLP tools classify your data by risk level and organizational policy. If the software identifies policy violations (such as moving data off the network), it can automatically encrypt the affected information and alert security teams.

Employee Education

A report conducted by Opinion Matters found that some employees might be taking or sharing information because they believe they own the data they work on. According to the report, only 40% of employees interviewed agreed that data is exclusively owned by the organization and not by teams, departments or individuals.  

Through clear policy and regular training, businesses need to make a point of educating employees on data ownership. Employees need to be made aware of their responsibility when it comes to protecting company information.