What COVID is teaching us about our cyber vulnerabilities

What COVID is teaching us about our cyber vulnerabilities

Regardless of your business or your personal situation, it is hard to imagine that you have not been impacted by COVID.  Among other things, it has exposed how vulnerable we are personally.  How vulnerable our company is.  How vulnerable our communities are.

And these vulnerabilities can create a sense of anxiety, which can build on itself, leaving feeling us helpless.

Perhaps the single most important thing we can do when we are vulnerable is to connect.  To communicate.  To reach out to others.  If we do nothing but isolate, the vulnerabilities expose and consume us.

Cybersecurity professionals deal with vulnerabilities all the time.  Often these individuals work as a group separately or perhaps communicating with other IT members.  Unfortunately, apart from compliance audit reports or token security awareness programming, cybersecurity is rarely communicated and integrated into the overall culture of the business.  How many times do security professionals say of corporate users and leadership, “They just don’t understand” and c-suite, marketing or other department users say with regards to cybersecurity, “They just don’t understand.”  Imagine the understanding that could occur if everyone began to lean in and communicate about these issues as one team.

Just as during these times, a key way to address vulnerabilities in your systems is by connecting and communicating across channels.  The more the IT and cybersecurity team is engaging with business leaders and staff and other stakeholders, the stronger the organizational culture will be to mitigate vulnerabilities and build resilience.

Don’t Keep the Light On

A while back a motel chain used the catch-phrase “We’ll keep the lights on for you.”  Unfortunately, many businesses do the same things when it comes to keeping the access to their systems available via what are called open ports.  Too many “lights” expand the number of ways a hacker can get into your system.  Even a light which should be on can be exposing a vulnerability.

Ports are the channels through which internet communications travel.  Each IP address has up to 65,535 ports.  And ports open up to a service (which runs a routine such as web browsers or file sharing or remote access). Obviously, we use the internet to communicate, so you need to have open ports.  The problem is when you either have ports which are open for everyone when they should be restricted only to those who need them or when the services themselves are not kept up to date or are improperly configured.

During this time of crisis, bad guys are ramping up to find vulnerabilities because they feel everyone is distracted.  Take the time to double check (or have your team double check) your ports, patch your systems and services as needed.  Run a vulnerability scan and address any findings it discovers.

Sometimes, improving your cybersecurity can be as easy as flicking a switch.

Hacker Fails

Hacker Fails

Recently, we’ve written a series of articles looking the at various ways the coronavirus intersects with cybersecurity concerns. And while we don’t want to downplay the importance of maintaining cybersecurity practices throughout the crisis, we could all use a little distraction from time to time. So, we decided to have some fun today. And what is more fun than hearing stories about hackers who completely and totally messed up? So, without further ado, we present three major hacker fails to keep your mind off the news for a few minutes.

Hacker Fail #1: The Spy Who Hacked Me (Then Posted it on YouTube)

This should go without saying, but if you’re going to install malware on hospital computers, you probably shouldn’t upload a video of yourself doing it. As it happens, that is exactly what Jesse William McGraw did. McGraw was a night security guard at Northern Central Medical Plaza in Dallas. One night he decided to film a video of himself pretending to be a spy who was infiltrating the premises (with James Bond music and all). Of course, as a security guard, he had access to the entire building and wasn’t actually doing anything illegal. That is, until he started installing malware on a dozen of the hospital’s computers.

Authorities quickly arrested McGraw and discovered he was actually the leader of a hacking group called the Electronik Tribulation Army. For his part, McGraw was sentenced to 9 years in prison and ordered to pay over $30,000 in restitution.

Hacker Fail #2: VPN FML

This story involves one of the most news-worthy cyber-attacks in the past few years: and hack and leak of emails from the Democratic National Committee. The documents were leaked online over the course of few months by a hacker calling himself Guccifer 2.0. While leaking the documents, Guccifer portrayed himself as a lone hacker conducted the attack for the fun of it.

Of course, we know now that this hack was instead conducted by the Russian government, specifically the GRU, Russia’s intelligence agency. As it turned out, tracing the hack back to the GRU didn’t take much work because Guccifer made a very simple mistake: he forgot to turn on his VPN. VPN’s help users stay anonymous online by connecting to the internet using shared IP addresses. Guccifer routinely used a VPN to cover his tracks online, but at one point simply forgot to turn it on before logging onto a social media site. The mistake allowed authorities to trace the hackers location directly back to GRU headquarters.

And the rest, they say, is quite literally history.

Hacker Fail #3: Hoist with his own petard

We saved the stupidest for last. For a while now, a transcript of a chat between hackers has been passed around the internet. In the chat, two rivals hackers were arguing with one another and threatening to attack the other. One of the hackers claimed to be using a program that allowed him to remotely delete a hard drive by simply entering in the target’s IP address. Calling his bluff, the other hacker shared his IP in the chat. However, instead of giving his actually IP, he gave him a loopback address that pointed right back at the would-be hacker’s own computer. So, when he ran the IP address through the program, he ended up wiping out his own hard drive instead of his rival’s.

Subscribe to our blog here:  https://mailchi.mp/90772cbff4db/dpblog

Beyond Compliance

Like the often quoted phrase, “A camel is a horse designed by committee”, compliance regulations often do more to over complicate issues than solve them.  At the same time, companies that just focus on meeting compliance standards can miss addressing the risks the compliance measures were designed to mitigate.

After all, Target Department Stores successfully passed a PCI audit two months before their massive breach in 2013.

Naomi Lefkovitz of the National Institute of Standards and Technology perhaps said it best when discussing privacy risk at a conference last month in Brussels.  “If you do something that upsets your customers from a privacy standpoint and then you tell them  ‘Well I’ve done everything correct under the law’ will they be any more satisfied?  Probably not.  That’s privacy risk in a nutshell.”

When focusing on cybersecurity or data privacy, the key is to understand what your risks are.  In many cases those risks will involve other parties and you need to determine the impact that an incident will have on them when you determine how to and where to take preventive action.

“Focus on your customers and your employees and the business will take care of itself,” is another often quoted phrase.  If you do that as you put together your cybersecurity and data privacy practices, compliance and the rest of the business will take care of itself, as well.

 

Targeted Ransomware Attacks on the Rise

At the end of February, security experts at RSA 2020, a leading cybersecurity conference, warned that an increase in targeted ransomware is likely. These concerns echo a statement released by the FBI in October that ransomware attacks are becoming “more targeted, sophisticated, and costly.”

Ransomware is a form of cyber-attack that hackers use to encrypt information on victims’ systems then demand a ransom before giving the victim back access to their files. In the past, these attacks were aimed primarily at individual consumers. However, in the past 2 years ransomware attacks have dramatically shifted focus toward businesses and institutions, including government agencies. According to a report by Malwarebytes, there was a 263% increase in ransomware targeting organizations in the second quarter of 2019.

Easy Money

So what exactly has led to the increase in ransomware attacks against businesses? Well, while there are a number of factors contributing to this trend, the main answer is money. According to the Malwarebytes report, attackers found that focusing on businesses provides a larger and more consistent return on investment. Not only do hackers expect businesses to have more money than indyuvial consumers, the loss of data can prove more harmful and costly for organizations than a single person. This gives businesses a larger incentive to pay up. What’s more, ProPublica has written a series of articles detailing how insurance companies and other firms offering ransomware solutions often opt to simply pay the ransom rather than work to unlock encrypted files by other means. Hackers are therefore becoming more and more confident their victims will cough up the money.

However, ransomware attackers are also learning they don’t even need the ransom to make money off their attacks. Ransomware-as-a-service (RaaS) is a growing business model on the dark web, where groups will build and sell ransomware kits to those without the technical know-how to carry out an attack on their own. RaaS has therefore made ransomware a more accessible method of attack, contributing to the rise in attacks we have seen in the past few years.

Protect and Prepare

Given the dramatic rise in ransomware attacks against organizations, every business needs to invest time and energy in protecting against and preparing for the possibility of a ransomware attack.

Protecting yourself from a ransomware attack largely involves getting back to the basics of cybersecurity. Upgrading and patching outdated operating systems and software regularly, using anti-virus and malware protection, and restricting access privileges only to those who need them will all help to decrease the risk of an attack. Regular penetration test and vulnerability scans will show the areas in your systems that need the most protection. Routinely backing up your systems and information and testing those backups is also essential. If a ransomware attacks locks up your files, having a recent backup of your information could be one way to ensure access without paying a ransom.

However, even if you take every possible preventative measure, you can’t just assume you won’t be targeted. Given the dramatic increase in ransomware attacks, it is essential to also plan your response if something ever happens. Incident response teams should therefore understand the response plan and simulate ransomware attacks to ensure preparedness and find ways to strengthen your response should the worst happen.

Are These the Cybersecurity Guidelines “To Which Nobody Can Deny”?

It may seem that when you seen one set of cybersecurity guidelines, you’ve seen……one set of cybersecurity guidelines.  Every vendor, every regulation, every client is looking for something similar, but not quite the same when it comes to cybersecurity.  Maybe there’s some hope, for U.S. businesses, at least, coming from the Securities and Exchange Commission.

At the end of January, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a report of cybersecurity guidelines based on observations made during “thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.” The report details a series of cybersecurity practices within 7 key areas of concentration:

#1 Governance and Risk Management

The report emphasizes the role senior leadership needs to play in defining and implementing cybersecurity strategies for the organization. Board members and other senior leaders should oversee the adoption and regular updating of policies and procedures based on an organization-specific risk assessment as well as establish proper communication channels regarding cyber threats throughout all levels of the organization.

#2 Access Rights and Controls

The report also highlights the need for organizations to limit access to sensitive information only to those who need it for specific and legitimate purposes. The OCIE recommends organizations frequently reevaluate access privileges and implement systems to monitor unauthorized access attempts.

#3 Data Loss Prevention

The OCIE also outlines a number of steps organizations should take towards preventing the loss or exposure of sensitive information. This includes measures such as frequent vulnerability scans, encryption and network segmentation, and insider threat monitoring.

#4 Mobile Security

Organizations should also have policies and monitoring systems in place for the use of mobile devices for business purposes. The OCIE recommends training employees on mobile security as well as requiring the use multi-factor identification for any business applications used on mobile devices.

#5 Incident Response and Resiliency

Developing and testing a response plan for any cybersecurity incidents is also an important area for organizations to concentrate. The OCIE recommends assigning and training specific staff members in incident response, simulating an incident to test response effectiveness, and updating the response plan based on testing.

#6 Vendor Management

Because vendors may have access to an organization’s information, the OCIE also recommends implementing policies to assess and monitor vendors’ security posture. This includes reviewing vendor contracts and implementing a vendor management program.

#7 Training and Awareness

Lastly, the OCIE encourages organizations to provide training in cybersecurity for all employees. Organization leadership should develop the training based on the their specific security policies and use training programs that actively engage employees.

Implications

While the cybersecurity guidelines that the OCIE outlines cannot ensure compliance or prevent liability concerns, many consider the report as a strong and practical roadmap for organizations to consider. In an article for the Legal Intelligencer, Devin Chwastyk laments the legal ambiguity of what is considered “reasonable care” with regards to safeguarding sensitive information and sees the steps outlined in the SEC’s report as offering “practicable (and understandable) advice on how [organizations] might start to try to avoid liability for a data security incident.” The National Law Review also notes that, while the report is aimed at the financial sector, it provides “helpful benchmarks” for a variety of industries. Moreover, given the SEC’s strong focus on cybersecurity in the past few years, there is speculation that this report could help inform regulation enforcement determinations in the future.