Month: March 2023

Categories
Computer & Network Security

The Ultimate Guide to Backup Strategy: 7 Essential Best Practices for Ensuring Data Safety

Safeguarding valuable data is paramount for businesses and individuals. A robust backup strategy prevents data loss and ensures business continuity. This comprehensive guide will discuss the top 7 best practices for creating a reliable backup strategy to keep your data safe.

  1. Develop a Comprehensive Backup Plan

A well-crafted backup plan is the foundation of a secure backup strategy. Begin by identifying the critical systems and data that require protection. Then, consider the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) to establish the desired frequency of backups and the acceptable amount of data loss.

  1. Utilize Diverse Backup Types, Including Air-Gapped and Immutable Backups

Optimize your backup strategy by combining full, incremental, differential, air-gapped, and immutable backups. Full, incremental, and differential backups balance storage space and recovery time, while air-gapped and immutable backups enhance security by protecting against unauthorized access and data alteration.

  1. Ensure Data Encryption and Secure Transmission

To protect sensitive data, implement encryption both at rest and during transmission. Encryption ensures that only authorized individuals can access the data. Use strong encryption algorithms, such as AES-256, and secure transmission protocols, like SFTP or HTTPS, to maintain the highest level of security.

  1. Store Backups in Multiple Locations

Storing backup data in multiple locations is vital for disaster recovery. Create at least three copies of your data, with one stored onsite for easy access and two stored offsite for added security. Consider using a combination of physical and cloud storage solutions for increased redundancy and accessibility.

  1. Regularly Test Your Backup and Recovery Process

To guarantee the effectiveness of your backup strategy, routinely test your backup and recovery process. This ensures that your data can be restored quickly and accurately during an emergency. Schedule regular tests and document the results, making any necessary adjustments to your strategy based on the findings.

  1. Monitor and Maintain Backup Systems

Continuous monitoring and maintenance of your backup systems are crucial for optimal performance. Implement monitoring tools to check the status of your backups, identify any issues, and generate reports. Regularly update software, firmware, and hardware components to prevent system vulnerabilities.

  1. Educate and Train Your Team

Lastly, investing in the education and training of your team is essential for maintaining a successful backup strategy. Provide regular training sessions and workshops on backup procedures, best practices, and disaster recovery. Encourage a culture of responsibility and vigilance to ensure that your entire organization is dedicated to protecting your data.

Conclusion

Following these seven essential best practices can create a robust and reliable backup strategy to safeguard your valuable data. Developing a comprehensive backup plan, utilizing multiple backup types, ensuring data encryption, storing backups in numerous locations, regularly testing your backup and recovery process, monitoring and maintaining backup systems, and educating your team are all critical components of a successful backup strategy. With these practices in place, you can rest assured that your data will remain secure and accessible in the face of any disaster.

Categories
Cybersecurity Advisories

Microsoft Outlook Elevation of Privilege Vulnerability (CVE-2023-23397)

CVE-2023-23397 (CVSSv3 Score: 9.8 – Critical) – Microsoft Outlook Elevation of Privilege Vulnerability

This zero-day is a critical privilege escalation vulnerability in Microsoft Outlook that could allow an attacker to access the victim’s Net-NTLMv2 challenge-response authentication hash and then impersonate the user. To achieve this, a threat actor could send a specially crafted email that will cause a connection from the victim to an external UNC location of adversarial control. The victim’s Net-NTLMv2 hash will be leaked to the attacker who can then relay this to another service and authenticate as the victim. What makes this dangerous is that the flaw will be triggered before the email is viewed in the Preview Pane, no user interaction is required.

Microsoft says that this vulnerability was exploited by STRONTIUM, which is a state-sponsored Russian hacking group. Between mid-April and December 2022, CVE-2023-23397 was exploited in attacks to target and breach the networks of fewer than 15 government, military, energy, and transportation organizations.

Affected Products

CVE-2023-23397 affects all supported versions of Microsoft Outlook for Windows. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.

Mitigations

  • Customers can disable the WebClient service running on their organization’s machines.
    • This will block all WebDAV connections including intranet which may impact users or applications.
  • Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism. Performing this mitigation makes troubleshooting easier than other methods of disabling NTLM. Consider using it for high value accounts such as Domain Admins when possible. Please note: This may cause impact to applications that require NTLM, however the settings will revert once the user is removed from the Protected Users Group.
  • Block TCP 445/SMB outbound from your network by using a perimeter firewall, a local firewall, and via your VPN settings. This will prevent the sending of NTLM authentication messages to remote file shares.
    • This process is claimed to be insufficient due to the vulnerability’s ability to be exploited on any port if WebClient is running.

Additional Information

  • Microsoft recommends all customers (on-premises, hybrid or online) to install Outlook updates.
  • Exchange March SU does not address CVE-2023-23397, you need to install Outlook updates to address this vulnerability in Outlook.

Detection

Microsoft has released a PowerShell script to help admins validate if any users in their Exchange environment have been targeted using this Outlook vulnerability. The script checks Exchange messaging items to see whether a property is populated with a UNC path. Admins could also use this script to clean up the property for items that are malicious or even delete the items permanently.

POC Available

Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability

MITRE Summary

Tactic

Technique ID

Technique Name

Privilege Escalation

T1068

Exploitation for Privilege Escalation

Credential Access

T1187

T1212

Forced Authentication

Exploitation for Credential Access

Defense Evasion

Lateral Movement

T1550.002

Pass the Hash

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to these exploits, we will alert you if warranted.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.  

 

Microsoft Customer Guidance

Resources & Related Articles

Categories
Compliance > HIPPA | Information Security Compliance > Privacy

FTC and HHS Guidance for Online Tracking Technologies by HIPAA Covered Entities and Business Associates

On January 7, 2021, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published guidance on the use of tracking technologies by covered entities under the Health Insurance Portability and Accountability Act (HIPAA). The guidance, titled “FAQs on HIPAA and Health Websites and Social Media,” addresses various issues related to the use of tracking technologies, including cookies, beacons, and other similar technologies.

The guidance emphasizes that covered entities must ensure that their tracking technologies comply with HIPAA’s Privacy, Security, and Breach Notification Rules. Covered entities must also provide clear and conspicuous notice to individuals about their use of tracking technologies and obtain their affirmative consent before using such technologies.

The guidance also highlights the importance of properly securing any data collected through tracking technologies to protect against unauthorized access, use, or disclosure. Covered entities should implement appropriate security measures, such as encryption, access controls, and monitoring, to safeguard this data.

In addition, the guidance addresses several specific issues related to tracking technologies, such as:

  • The use of cookies for targeted advertising: Covered entities must obtain affirmative consent before using cookies for targeted advertising. They must also allow individuals to opt out of such advertising.
  • The use of beacons to track individuals’ locations: Covered entities must obtain affirmative consent before using beacons to track individuals’ locations. They must also provide clear notice to individuals about the purpose of such tracking and the types of data that will be collected.
  • The use of third-party tracking technologies: Covered entities must ensure that any third-party tracking technologies they use are compliant with HIPAA. They must also enter into a business associate agreement with any third party that has access to protected health information (PHI).

While this is not new information, the details of a $7.8 million fine being leveraged against BetterHelp yesterday, March 2, 2023 signal a shift in enforcement.

“The Federal Trade Commission has issued a proposed order banning online counseling service BetterHelp, Inc. from sharing consumers’ health data, including sensitive information about mental health challenges, for advertising. The proposed order also requires the company to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.” 1

There had, up until now, been some ambiguity regarding what constituted PHI and PII (Protected Health Information and Personal Identifiable Information). The most notable example of this is the following example:

If a person visits an informational site about pregnancy, and the covered entity gathers information such as IP Address, Email, Location Data, etc. – that information is considered PHI/PII. It will be covered under HIPAA’s privacy guidance. This is true even if the site visitor does not have a relationship with the covered entity.

This is a significant change in previously understood and enforced HHS guidance. As such, organizations in the healthcare vertical should review all applications, web, and mobile, for tracking technology and evaluate what it is gathering and it if violates the HHS guidance.

SecurIT360 has put together a package that assists covered entities in evaluating the compliance, reputational, and technical risk associated with tracking technology across their application portfolio.

This approach can be summarized as follows:

  • Perform an in-depth technical analysis of the HHS guidance for HIPAA-covered entities.
    • Tracking on user-authenticated webpages
    • Tracking on unauthenticated webpages
    • Tracking within mobile apps
    • HIPAA compliance obligations for regulated entities when using tracking technologies
  • Establish a testing protocol that evaluates those requirements in addition to standard web security standards (OWASP WTG v4.2).
  • Create a project plan for the execution of this testing protocol as it is applied to all domains in scope.
  • Perform testing.
  • Present a comprehensive technical report that outlines detailed risk and remediation for issues found.
  • Assist with establishing a remediation plan.
  • Perform validation of remediation.
  • Issue a final report reflecting the residual risk after remediation.

For reference, we have included some additional scenarios that are both discovered and solved by this approach.

  • Unauthorized access to PHI: If tracking technology is used to monitor the location or movements of individuals in a healthcare setting, it could potentially provide access to PHI that should be kept confidential. For example, if a hospital uses a tracking system that shows the location of patients or staff members, but the system is not properly secured, unauthorized individuals could potentially gain access to PHI.
  • Unintentional disclosure of PHI: If tracking technology is used to monitor the location or movements of individuals in a healthcare setting, there is a risk that PHI could be unintentionally disclosed. For example, if a tracking system is used to monitor the location of patients, and the system is not configured properly, it could potentially display PHI in a public area or to unauthorized individuals.
  • Improper disposal of PHI: If tracking technology is used to collect PHI, there is a risk that the data could be improperly disposed of. For example, if a tracking system is used to monitor the location of patients or staff members, and the system is not properly secured or disposed of, PHI could potentially be accessed by unauthorized individuals.
  • Use of PHI for marketing purposes: If tracking technology is used to collect PHI, there is a risk that the data could be used for marketing purposes without proper consent. For example, if a tracking system is used to monitor the location of patients, and the data collected is used for marketing purposes without proper consent, this would be a violation of HIPAA.

Failure to obtain proper consent: If tracking technology is used to collect PHI, proper consent must be obtained from individuals before their data can be used. For example, if a tracking system is used to monitor the location of patients, but the patients are not properly informed of the data collection or their rights, this would be a violation of HIPAA.

References:

1: https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-ban-betterhelp-revealing-consumers-data-including-sensitive-mental-health-information-facebook