Author: David Forrestall

Categories
Computer & Network Security

Best Practices for Privileged Account Management – Part 2

Privileged and Service Account Management

We spoke previously on the management of privileged accounts and how important it is to keep them accountable. Privileged accounts are one of many different types of accounts that should fall under your organizations Account Management Program and another one to add to that would be service accounts.

What is a service account anyway? In basic terms, a service account is an account that a service on your computer uses to run under and access resources. While they may look the same, the separation of users from services is very important for both tracking and the ability to tighten down what an account can do. A service account could also be an account that is used for a scheduled task (sometimes referred to as a batch job account), or an account that is used in a script that is run outside of a specific user’s context. A scheduled task account should not be a personal user’s account for the same reasons that a service should not run under a personal user’s account.

You may ask what is so important about these? It seems like if it is not a user account, then how would it have access to my organization’s network? On the contrary, these accounts are a favorite target of many malicious actors because they are often implemented in such a way that they have a higher level of access than a user account. These accounts are members of the domain in the same way a user account is. Historically, they also have not changed passwords as often (if ever) as user accounts.

Services are often installed under the built-in Local System account, which gives what are essentially local administrator privileges, so they are more predictable in how they will be able to be used if compromised. While local administrator privileges may seem somewhat harmless since they are not usually useable on other computers on your network, the local administrator privileges can end up granting access to domain username/password combinations. An attacker can use this as a jumping point  leading to account changes that allow for elevated access to other parts of your network. As a result, both locking down a service account and following good password change and audit procedures is an important part of keeping your systems secure.

What can you do?

When it comes to the configuration and management of service accounts, there a few things listed below that can help.

  • Password Management – Some administrators like to set these accounts up with passwords that do not expire or use the same password for all the service accounts. Instead, there needs to be a strategy for managing these passwords and changing them on a regular basis, as well as using unique passwords. Use an encrypted vault to protect, store and generate random passwords for service accounts.
  • Privilege Management – It is best practice to implement the principle of least privilege. Only provide the minimum necessary privileges to service accounts. If your service account must run with administrative privileges, deny that account access to all of the directories besides the one or two that it needs. Creating limited access to systems and denying interactive rights to only what is required reduces exposure.
  • Governance – First inventory all service accounts to know what you have and where. Next establish regular reviews of service accounts in the environment documenting ownership, required access and lifecycle of the account. Enforce these requirements with a workflow to gather these elements for new authorizations.
  • Auditing – Logging and auditing of service accounts, and all accounts in any case, is very important to keep systems secure. Using a SIEM looking for specific events can be helpful in discovering security problems and services that are not working correctly.

Locking down your service accounts should be a basic component of your hardening guide for all computers. While it requires more time to lock down a new service account to allow access only to what it needs, it is well worth the time spent. Defense-in-depth requires that you look at more than the perimeter, and service accounts are one major place where the in-depth strategy can serve you well.

Categories
Computer & Network Security

Best Practices for Privileged Account Management – Part 1

Basic Privileged Account Management

Abused and Misused privileges are often seen as being the cause of breaches within organizations around the world.  Privileged account management should be a major focus for Security and IT management who are looking to mitigate the risks of data breaches and insider risks.

What is Privileged Account Management?

Privilege Account Management is the definition and management of policies and processes that define the ways in which the user is provided access rights to enterprise systems.  It governs the management of the data that constitutes the user’s privileges and other attributes, including the storage, organization and access to information in directories (FICAM-09).  In other words, how an organization manages privileged passwords and delegates privileged actions.  Do you delegate, control, and filter privileged operations that an administrator can execute?  Do you audit, record, and monitor privileged access?

Why is it important to an organization?

When it comes to utilizing high business value IT systems, privileged users, such as administrators, typically have the widest operational latitude.  They are typically responsible for deploying and managing functionality on which the business depends, from vital day-to-day functions, to strategic capabilities that enable the business to maintain its competitive edge.

However, there are risks to wielding this power.  IT complexity means that minor changes could potentially have unintended, and severe impacts on availability, performance, and/or integrity.  Malicious attackers, inside and outside of the organization, can capitalize on administrative level access to inflict serious damage to the business.  Given the increasing sophistication and popularity of modern attacks via malware and other methods, it is common for attackers to gain and exploit such privileges by impersonating trustworthy personnel.

What are some common best practices?

There are countless solutions out there for organizations to implement and everyone has their opinion on what is the best way to do it.  Below are a set of common privileged account best practices all organizations should follow:

  • Separate regular access accounts from privileged accounts
  • Inventory all privileged accounts and assign ownership to that inventory
  • Do not use shared accounts
  • Minimize the number of personal privileged accounts
  • Limit scope for each privileged account
  • Use privilege elevation for users with regular access
  • Document policies and processes for the management of privileged accounts
  • Monitor and log all privileged access activity
  • Implement separation of duties model to manage superuser administrative privileges
  • Use default administrator, root, and similar accounts only when absolutely necessary
  • Require multi-factor authentication for all privileged accounts
  • Require complex and long passwords for privileged accounts
  • For service or application privileged accounts store passwords in an encrypted vault with a random password

Read Part 2 of this blog here >>.

Categories
Computer & Network Security|Information Security

Simple Cybersecurity Tips for your Business

If you’ve ever had someone break into your home or even your car, you know the feeling of vulnerability and fears that accompany that experience. The fear and uncertainty can linger for months and even years.

Now imagine a break-in at your business that jeopardizes everything you have worked so hard to build. But this intruder is invisible, and there is no chance that the neighbors will see something suspicious and call the police. Someone in a distant coffee shop in another country can steal your bank account information, private employee data, and information about your clients. Security cameras and motion detectors are useless in detecting this kind of intruder. What does the aftermath look like? In the best-case scenario, you will spend a LOT of time and money cleaning up the situation and making things right. With a little luck, you might be able to get everything running normally again. In the worst-case scenario, you lose a significant amount of money, you are sued by employees and/or clients for not securing their information properly, and the devastation leads to your business not being able to recover.

According to Homeland Security, 44% of small businesses reported being a victim of a cyber-attack, with an average cost of approximately $9,000 per attack. Protecting your business from cyber threats has become a top priority and it takes everyone in your company working together to keep your business safe, from top leadership to the newest employee. It takes everyone in your company, from leadership to the newest employee, working together to keep your business safe. Here are a few tips from Homeland Security your company can apply.

SIMPLE TIPS FOR EMPLOYEES

  • When in doubt, throw it out. Stop and think before you open attachments or click links in emails. Links in email, instant message, and online posts are often the way cybercriminals compromise your computer. If it looks suspicious, it’s best to delete it.
  • Implement a backup plan. Make electronic and physical back-ups or copies of all your important work. Data can be lost in many ways including computer malfunctions, malware, theft, viruses, and accidental deletion. Your backup plan should include offsite storage.
  • Guard your devices. In order to prevent theft and unauthorized access, never leave your laptop or mobile device unattended in a public place and lock your devices when they are not in use.
  • Secure your accounts. Use passwords that are at least eight characters long and a mix of letters, numbers, and characters. Do not share any of your usernames or passwords with anyone. Create a unique password for each site that you visit. When available, turn on stronger authentication for an added layer of security, beyond the password.
  • Report anything suspicious. If you experience any unusual problems with your computer or device, report it to your IT Department.

SIMPLE TIPS FOR THE BUSINESS OWNER

  • Equip your organization’s computers with antivirus software and antispyware. This software should be updated regularly.
  • Secure your Internet connection by using a firewall, encrypt information, and hide your Wi-Fi network.
  • Establish security practices and policies to protect sensitive information.
  • Require employees to use strong passwords and to change them often.
  • Invest in data loss protection software, use encryption technologies to protect data in transit, and use two-factor authentication where possible.
  • Protect all pages on your public-facing websites, not just the checkout and sign-up pages.

In a perfect world, every employee would work their hardest to keep your network safe and secure. Since we don’t live in a perfect world, let this post help you determine next steps. Businesses often think they can’t afford outside help…until it’s too late.

If you would like to learn more about how you can protect your corporate data, please click here to contact us. SecurIT360 provides audits, scans, and analysis of various systems and businesses across multiple industries including legal, financial, utilities, and healthcare. Let us help you determine where you should spend your time and money protecting your information.

Categories
Computer & Network Security

Artificial Intelligence Advancements In Healthcare: The Needed Next Level of Cyber Security

How is Artificial Intelligence being used in healthcare?

Artificial Intelligence, or AI, is having a dramatic effect on the healthcare sector. At its core, artificial intelligence seeks to mimic the unique processing capacity of the human brain. Using algorithms, pattern matching, deep learning, cognitive computing, and heuristics, AI is able to quickly sort through masses of raw data. This is incredibly helpful in the medical field. In addition to the millions of Electronic Health Records (EHRs) at the center of our healthcare system, medical practitioners must also incorporate data from studies, data from testing, and past patient records when diagnosing and treating a case. AI can use predictive models to find irregularities or similarities in raw data that doesn’t have to be pre-sorted. This helps doctors improve diagnosis accuracy, patient care, and outcomes. AI’s ability to find meaningful relationships in data is being used as a powerful tool to aid in drug development as well as patient monitoring and treatment plans. Artificial Intelligence is becoming more common in many parts of the healthcare system, and it is estimated that $36.8 billion will be invested in AI systems across the US by 2025. AI is poised to be the main force that drives improvement across the healthcare industry.

Why is this a big deal?

Artificial Intelligence will be the engine of change by organizing masses of data and giving relevance to data points, which will ultimately improve reliability and objectivity in diagnoses. AI will provide context for patient data more quickly than ever before, allowing doctors to identify and treat diseases accurately, minimizing misdiagnosis and lowering the mortality rate. In addition, the costs for drug development will be lower, as we will more accurately be able to predict the drugs’ effects in certain patients. This all leads to an increase in doctors’ facetime with patients. They become freed from analyzing mountains of data and more able to focus on care and healing.

What concerns with cybersecurity arise when using AI?

When we open up patient records to artificial intelligence, we are opening up our systems to outside attacks. With sensitive information at risk, healthcare providers must be very careful that their rate of system upgrade does not outpace their security improvements. Installing new systems that sort sensitive patient data must be tested from all endpoints to ensure there are no flaws or vulnerabilities to attack. AI dramatically increases the complexity of assessing security threats. These new systems could be a point of entry for malware that will be difficult for systems designed to monitor human behavior to detect. 

What upgrades in cybersecurity are necessary to protect against these concerns?

Greater use of AI in healthcare systems means that we need greater use of AI in cybersecurity software to match it. Our main protection will be anomaly detection. This will mean installing these detection programs across all endpoints in the system. Anomaly detection works in the same way that the AI identifies meaningful relationships in patient data. It monitors the system and senses potential threats whenever there is unusual behavior. Anomaly detection can do more than discover malware within a system. It can also identify where the cyber attacks are coming from and what kind of attacks being perpetrated. Predictive analytics for malware detection can also stop problems before they start. These analytics can identify suspicious files and prevent them from opening, stopping problems before they start. Properly planned and configured, these new cyber security measures act like the immune system for a healthcare company. 

What are the challenges in implementing new AI/Cyber Security Procedures in healthcare systems?

Establishing new and heightened security procedures require behavior monitoring, to make sure users are complying with new systems. While some users may think that increased security measures are intrusive at first, compliance is paramount. When cybersecurity systems are implemented without factoring in the human element and allowing time for training, it can often lead to users falling back on unauthorized apps and outdated but familiar systems. These non-sanctioned entrances into the system leave it vulnerable to a breach. There are human users in your system in addition to AI, and it can take time and planning to make sure your innovations don’t outpace your cyber security procedures. A coordinated strategy that considers both human and artificial intelligence creates a healthcare system that is more accurate, faster, and cheaper for patient treatment.

Want to know more about how you can ensure your company is secure? Contact us!

Categories
Webinar

Arriving at the Scene of a Cyber Attack

In this 1-hour webinar, SecurIT360 experts describe what’s like to arrive at the scene of a cyber attack and how to respond.

Watch the full webinar recording below.

Webinar Speaker:

  • David Forrestall, Managing Partner, SecurIT360
Categories
Computer & Network Security|Uncategorized

New Ransomware Attacks

Grey marble column details on building in Shanghai,China.

In the past few weeks, 5 law firms reported ransomware attacks by a malicious group known as Maze. This new and unique virus doesn’t follow the typical protocol. Instead of placing a ransom note on your system, they place your firm’s name on a public website. Entities that do not comply with ransom demands have portions of their data released publically until the ransom is paid; two different firms had their data released this week. Now that you are aware of the situation, we’ve put together some resources to help you understand it and how to prevent ransomware attacks:

Ransomware – the basics

How to spot it and how to deal with it

Emisoft has stated that at least 45 companies were the center of attack by Maze in January. They also state that this only accounts for 25% of their hit list. More information about this ransomware attack can be found here [LawSitesBlog.com]

Categories
Computer & Network Security|Information Security

IT and the C-Suite: 3 Tips for Communication

Cybersecurity

Years ago, I served as Head of Information Security for a large organization. After just 6 months on the job, we experienced every network administrator’s worst nightmare…. a data breach. As we worked to resolve the problem, it seemed like there was enough blame for everyone. IT was blamed because of their operation. Application Development and Support was blamed because of their code. Then the CIO started taking heat because security hadn’t been his top priority. Finally, the CEO came under fire for the overall performance of the team leading up to the breach.

A recent article I read by Kacy Zurkus in Security Boulevard reminded me of this situation; Zurkus does a great job outlining recent trends in cybersecurity and corporate accountability. There is no doubt that C-level executives are held just as accountable as IT teams when a breach occurs. However, that doesn’t mean that the C-suite and IT are on the same page. Knowing this, why are there continuing challenges in communication? are there continuing challenges in communication?

Communication Between C-Suite Executives and IT

There is a communication gap between the C-Suite and IT. 91% of IT pros feel that their organization is improving its cybersecurity while only 69% of C-level executives agree. Executives also disagreed with IT on data priority. They prioritized protecting employee data while IT prioritized financial data.

If IT and executive leadership are going to prepare for inevitable data breaches, we need a roadmap for communication so that we can align priorities and coordinate efforts.

3 Tips for Communication Between IT and the C-Suite

The article on Security Boulevard highlighted some good thoughts on communication with the C-Suite. Here are some ideas that jumped out at us plus a few thoughts of our own.

Tip #1: Don’t Use Industry Lingo

IT must learn to communicate complex IT issues and security threats in layman’s terms. We recommend using analogies and avoiding industry jargon. As you will see in our next tip, your communication still needs to have some meat on the bone.

Tip #2: Make Substantial Recommendations

While words like “synergy” and “collaborative” are great in presentations (not really!), they don’t do much to make your company more secure. The CEO is personally responsible for every type of issue across all parts of the company and you can help by bringing specific, actionable recommendations to the table.

Tip #3: Understand the Role of the Chief Information Security Officer (CISO) in Preparing for a Data Breach

Many companies have designated a Chief Information Security Officer (CISO) to advocate for information security within the organization. This seems like a great solution, but many CISOs are not as empowered as they could be. The CISO frequently reports to the CIO, and their interests are not necessarily aligned. This can lead to a breakdown in communication within the executive team and lead the CEO to develop a false sense of security. Consider whether a CISO would benefit your organization and think about how they fit into the corporate hierarchy.

Conclusion

I’ve worked in IT security for over 30 years. Many things have changed, but it occurred to me as I was writing this article that these thoughts would have been applicable 10, 20, or 30 years ago. Before concluding this article, there is one more tip that passes the test of time:

Bonus Tip #4: Get an Outside Perspective

IT security is complex, and the only certainty is that the bad guys are always looking for new approaches. Having a fresh set of eyes to analyze your data security in light of the latest threats and security resources is frequently the difference between an unsuccessful hacker and a catastrophic breach.

At SecurIT360, we specialize in delivering our cutting-edge security resources with communication that is understandable and helpful for anyone from an executive with no background to the highest-level network engineers.

We are offering a free security audit to identify the paths that could leave you vulnerable to the next data breach. Contact us today to find out more.

Categories
Compliance|Computer & Network Security|Uncategorized

New York DFS – 23 NYCRR 500 Compliance

Checklist for Compliance

In response to the increasing threats of cybercriminal activity and as an effort to protect Non-Public Information (NPI)
held by entities under its jurisdiction, the New York State Department of Financial Services (DFS) implemented a cybersecurity
regulation, 23 NYCRR 500. It has twenty-three Sections and went into effect on March 1, 2017. There are
designated “Transition Periods,” but the last one expires on March 1, 2019. A few key things to consider when looking
at this Regulation:

  • It applies to Covered Entities, which include those operating under NY Banking Law, Insurance Law, or Financial
    Services Law – see next page.
  • It is specifically about protecting Non-Public Information; social security numbers, drivers’ license numbers,
    financial accounts, biometric records, health record, and other personal information.
  • Third Parties that provide services to Covered Entities will indirectly be pulled into some type of compliance.
    See Section 500.11.

The Good News

Some may not agree that any of the regulation is good, but the requirements align with many security best practices.
For the most part, DFS is not asking for many things out of the ordinary (besides reporting and retention), and if you
comply, you will be implementing layers of protection for your company.

What to Do

  1. Check the Exemptions – see next page.
  2. Assess Your Risk. This supports other requirements and your decisions for prioritizing other efforts.
    1. Perform a Risk Assessment.
    2. Perform Vulnerability Assessments.
    3. Perform a Penetration Test.
  3. Establish a Security Program prioritized by risk. This will require effort and time. NIST has many available resources to assist.
    1. Establish a Chief Information Security Officer(CISO). Can be internal or external staff.
    2. Implement Policies to cover required areas -see page 3.
    3. Ensure you have qualified staff. Disciplines of Security are different than IT. You may need to hire or train.
  4. Develop an Incident Response Plan that includes notices to Superintendent. Requires 72-hour notice. There is additional guidance on the FAQ page.
  5. Ensure that your security program addresses the following requirements (prioritized by risk):
    1. Multi-Factor Authentication
    2. Encryption of NPI
    3. Security Auditing. This typically requires a new system or Managed Security Service.
    4. Review of access privileges to NPI
  6. Develop Vendor and Third Party Risk Management Program. You will need to rank your vendors and ensure that you perform due diligence on those with higher risks.
  7. Develop a Data Retention Policy and Process. The Superintendent requires 5 years of records for compliance. Be familiar with other required retention periods for different types of data.
  8. Annual Certification. Submit by each February 15th a written statement covering the prior calendar year.

Covered Entities

The Department of Financial Services supervises many different types of institutions. Supervision by DFS may entail chartering, licensing, registration requirements, examination, etc. More details are available on their website:

  • All insurance companies
  • Banks Trust Companies
  • Budget Planners
  • Charitable Foundations
  • Check Cashers
  • Consumer Credit Reporting Agencies
  • Credit Unions
  • Domestic Representative Offices
  • Foreign Agencies
  • Foreign Bank Branches
  • Foreign Representative Offices
  • Holding Companies
  • Investment Companies (Article XII)
  • Licensed Lenders
  • Life Insurance Companies
  • Money Transmitters
  • Mortgage Bankers
  • Mortgage Bankers-Exempt
  • Mortgage Brokers
  • Mortgage Brokers – Inactive
  • Mortgage Loan Originators
  • Safe Deposit Companies
  • Sales Finance Companies
  • Savings Banks; Savings & Loan Associations (S&L)
  • Service Contract Providers

Exemptions

[fusion_table]

Exemption Exempt From Still Required
500.19 (a) (1) Fewer than 10
employees working in NYS

500.19 (a) (2) Less than $5
million in gross annual revenue

500.19 (a) (3) Less than $10
million in year-end total assets

500.19 (c) Does not control any
information systems and
nonpublic information

500.19 (d) Captive insurance
companies that do not control
nonpublic information other
than information relating to its
corporate parent company

 500.04- Chief Information Security Officer

500.05- Penetration Testing and Vulnerability

500.06- Audit Trail

500.08- Application Security

500.10- Cybersecurity Personnel and Intelligence

500.12- Multi-Factor Authentication

500.14- Training and Monitoring

500.15- Encryption of Nonpublic Information

500.16- Incident Response Plan

500.02- Cybersecurity Program

500.03- Cybersecurity Policy

500.04- Chief Information Security Officer

500.05- Penetration Testing and Vulnerability

500.06- Audit Trail

500.07- Access Privileges

500.08- Application Security

500.10- Cybersecurity Personnel and Intelligence

500.12- Multi-Factor Authentication

500.14- Training and Monitoring

500.15- Encryption of Nonpublic Information

500.16- Incident Response Plan

 500.02- Cybersecurity Program

500.03- Cybersecurity Policy

500.07- Access Privileges

500.09- Risk Assessment

500.11- Third Party Provider Security Policy

500.13- Limitations on Data Retention

500.17- Notices to Superintendent

500.18- Confidentiality

500.19- Exemptions

500.20- Enforcement

500.21- Effective Date

500.22- Transitional Periods

500.23- Severability

500.09- Risk Assessment

500.11- Third Party Provider Security Policy

500.13- Limitations on Data Retention

500.17- Notices to Superintendent

500.18- Confidentiality

500.19- Exemptions

500.20- Enforcement

500.21- Effective Date

500.22- Transitional Periods

500.23- Severability

[/fusion_table]

23 NYCRR 500 Sections

Section 500.00 Introduction
Section 500.01 Definitions
Section 500.02 Cybersecurity Program
Section 500.03 Cybersecurity Policy.
(a) information security
(b) data governance and classification
(c) asset inventory and device management
(d) access controls and identity management
(e) business continuity and disaster recovery
(f) systems operations and availability concerns
(g) systems and network security
(h) systems and network monitoring
(i) systems and application development and
quality assurance
(j) physical security and environmental controls
(k) customer data privacy
(l) Third Party Service Provider management
(m) risk assessment
(n) incident response
Section 500.04 Chief Information Security Officer
Section 500.05 Penetration Testing and Vulnerability Assessments
Section 500.06 Audit Trail
Section 500.07 Access Privileges
Section 500.09 Risk Assessment
Section 500.10 Cybersecurity Personnel and Intelligence
Section 500.11 Third Party Service Provider Security Policy
Section 500.12 Multi-Factor Authentication
Section 500.13 Limitations on Data Retention
Section 500.14 Training and Monitoring
Section 500.15 Encryption of Nonpublic Information
Section 500.16 Incident Response Plan
Section 500.17 Notices to Superintendent
Section 500.18 Confidentiality
Section 500.19 Exemptions
Section 500.20 Enforcement
Section 500.21 Effective Date
Section 500.22 Transitional Periods
Section 500.23 Severability

Categories
Information Security>Data Breach|Computer & Network Security>Viruses|Computer & Network Security>Vulnerabilities

A Ransomware Savings Account – Pay in Advance!

Diet and exercise versus a pill. An ounce of prevention versus a pound of cure. Saving for expenses versus using credit cards.

We all understand that good habits and planning are valuable to achieve our goals. We apply the same principles to Cyber Security…

This is a cautionary tale. We all learn from experience, and when fortunate, we can learn from the experience of others. This story teaches a valuable lesson based on real-world experience, and it will help you avoid a terrible situation.

A medium-sized firm, unfortunately, became the victim of a ransomware attack. An IT employee came into the office early in the morning to discover their ERP server had a white on red full-screen text message (complete with skull and bones ASCII art) stating the contents of the hard drive were encrypted. To recover the contents, they were to transfer one bitcoin to the wallet address on the screen, and to email a Hotmail address notifying them the ransom had been paid in order to retrieve the decryption key.

SecurIT360 Standard Operating Procedures (SOPs) do not recommend paying the ransom under any circumstances. We’ve found that once a company pays the ransom, they are “tagged” for further exploits because the company has been known to pay out. It is safer and better to simply restore from the last known good backup and redo the 12-24 hours of work lost.

Unless the last known good backup is over eight months old.

As a cost-saving measure, this business only purchased a single license for Veritas Backup Exec Server. For the other servers, they used a combination of tarballing, Secure Copy (SCP)/File Transfer Protocol (FTP) or xcopy, and 7zip to archive and transfer critical network files, Microsoft SQL database data, transaction, and log files, and customer detail records to the one server with a backup license.

Business continuity was literally running on a shoestring budget with a fragile, multiple-step process that required each step to complete before the next step would begin. This giant Rube Goldberg machine had a high failure rate. In this case, the Microsoft SQL data and log files hadn’t been transferred from the ERP server to the backup server in eight months. Imagine losing eight months of orders, inventory, fulfillment, and financial reporting. Did we mention that this is a real-world case study?

We discovered that Hotmail address that the hackers provided for payment confirmation had been terminated, and the value of a Bitcoin at that time was nearly $14,000 US. The business owners insisted on paying the ransom even though the likelihood of receiving an encryption key was remote. The felt that they had to try because of the magnitude of the data loss.

Unfortunately, they never received a decryption key.

But maybe they should try this Axis Incyte code:  8EM7YQ58

The company ultimately had to pause operations for two weeks to recreate as much information as possible from employee emails and printed reports. Then, they had to conduct a physical inventory to repopulate their ERP system.

This particular client sadly ended up paying their ransom three times: once in a bitcoin transfer that received no response, once in lost revenue while they recreated their ERP data so they could begin conducting business again, and then once again in new backup server licensing for all of their servers post incident.

How could this have been prevented?

A much less expensive “ransom” could have been paid ahead of time by purchasing five more Veritas Backup Exec Server licenses for $5,000 to cover their remaining servers, properly ensuring business continuity. This would have saved them thousands compared to the cost of the “ransom” paid and the additional 2 weeks of lost productivity while recovering data.

What can you do to not fall into the same trap as this business?

SecurIT360 works with our clients every day to ensure business continuity. Based on our experience, we would like to share 3 critical processes that your business must have in place to avoid this kind of disaster.

  1. Invest in a backup process for all of your servers and business-critical data.
  2. Regularly test your backups to make sure that all processes are running properly.
  3. And while backups are one of the most important things that you can do to protect your business, they shouldn’t be your first line of defense. Schedule regular “black hat” penetration tests to ensure that your network is protected from this kind of event.

Would you like a free assessment of your disaster preparedness and business continuity procedures? Call us today to make sure that the disaster experience you learn from isn’t your own.

SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm. We can work with you to stop cyber attacks in real time. Book a meeting with us today for a complimentary budgeting and strategy session by following this link Appointments.

Categories
Uncategorized

Phishing Attacks and Multifactor Authentication

Stop the Password Reset Insanity

How much time does your IT department spend changing a user’s network and or email account passwords because they clicked on a phishing link that they should not have? How many users do you have who do this repeatedly? Have you trained your users to identify, report, and ignore these phishing attempts?

Why make the only procedure to resolve this resetting the password when it just keeps happening again and again? Stop the insanity and look at a new way of solving this problem.

“The definition of insanity is doing the same thing over and over again and expecting different results.”

How Spearphishing Works

Your company webpage has just been redesigned to provide an enriched marketing experience. It looks great and everyone on your leadership team is excited about the new page. One of the pages, “About Our Team”, lists every member of the executive management team with a short bio. You have just provided the bad guys with a short list of high-value targets within your company.

With this list of users in hand and by utilizing the most standard email address format (everyone uses first initial of the first name + last name), a couple of smart public DNS queries, and a telnet to port 25 of your email server, I can determine your mail server and version, including Microsoft Office 365. Then I can set up a fake webmail account login page and send a well-crafted email asking them to log in to my fake email system so I can steal their password.

Once your user completes this action, I have not just compromised their account, I have compromised an influential person in the company. I now have access to the corporate account of someone who can make decisions and spend money, for example, authorize an invoice to be paid or request a wire transfer. Payday for me, headaches dealing with law enforcement, lawyers, cyber insurance companies, and forensics experts for you.

What Happens Next

Once you discover the intrusion, I’ve been reported to IT, the user’s account password has been changed, the lawyers are doing insurance reviews, and accounting is double checking the books, but I am still out there. While everyone is thinking, crisis averted, I am waiting for the next opportunity.

Now, I sit back and wait a week or two before another attempt. During this time, a business crisis arises, distracting the executives, and I send another email asking you to log in. Nine times out of ten, I get back in. Executives are busy between internal, partner and customer meetings, traveling, reviewing performance numbers, and so on. They are always busy and want things to go smoothly so they can accomplish tasks quickly. Because of this, your executives rarely look twice at the email asking for the password again – just so they can get that PDF report they think they are getting.

So, they are compromised. Again. You change their password. Again. Insanity.

While you are saying to yourself, “This would never happen at my company”, let me share this story with you. I recently worked a case where the President of the company was successfully spearfished three times in two weeks. Each time, the password was reset, and everyone moved on to other things. In another case, a breached IT administrator account was used to spearfish the CFO. As if that is not bad enough, the CFO had already been successfully spearfished two months prior.

How do I end this cycle?

The easy answer is to require multi-factor authentication (MFA). The harder question is, “How do I implement MFA without being chased with pitchforks and firebrands?” Or worse yet, isolated in an office in the basement with your career stalled out.

So, how do you implement MFA while minimizing the impact on your users?

Scenario 1:

IT develops a MFA implementation plan. They then meet with the executives to outline the program’s pros and cons, with the strategy of scaring them into agreeing to implement MFA. They use statistics from Gartner, include quotes from Verizon’s Annual Data Breach Investigation Report, and try to sell the implementation plan. Remember, these are the same executives who are busy moving from one fire drill to another while being spearfished daily. This strategy almost never goes well.

Scenario 2:

IT develops a MFA implementation plan. Instead of only using statistics from Gartner and quotes from Verizon’s Annual Data Breach Investigation report, they use actual internal data to affect change from within. Prior to presenting this data, they have already completed a MFA pilot with their Email administrators and then rolled it out to the entire IT department. Here’s the payoff: report the measured results of the rollout to the IT Steering Committee, CFO, or COO; the point is, get an executive to start thinking about MFA, hearing the results, and digesting the successes. Then, get that individual to try it.

Peer pressure can also be beneficial in this scenario. “One-Upmanship” within a highly political boardroom can be a good thing. Having someone inside the decision-making group proudly boasting how fourteen unauthorized attempts to log in to their account were thwarted by MFA can provide the incentive you need. No one wants to be the weak link or in last place.

The Benefits of MFA

Now that you have implemented MFA, you are able to stop the insanity of repeatedly resetting passwords, re-imaging computers, spending hours on telephone calls with lawyers, insurance companies, and forensics companies. You can expect fewer security headaches, more time to complete your projects, and your executive team to appreciate how secure your network has become with multi-factor authentication.

SecurIT360 is an independent, vendor-agnostic Cybersecurity consulting firm.
If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.