Poisoning Your Own Well

Thriller Novel: It’s the scene from the opening of a Tom Clancy novel:  An advance team of cyber hackers from an unnamed enemy of the USA, strikes first in the upcoming WWIII.  This war won’t be started with a rifle shot, it is digital warfare with deadly results.  The hackers infiltrate the control systems of a water treatment plant where 15,000 people get their drinking water in Smalltown, America.  They take control of the chemical dosage, flooding the town’s water with poison.  Thousands die before authorities determine what happened.

Not So Fictional: It sounds like a fiction action-thriller novel, but something similar happened in Oldsmar, FL last month.  It could have been tragic, were it not for an alert staff member of the water treatment facility.  A hacker gained access to the chemical controls of the water treatment facility for less than five minutes.  In that time, he was able to change the level of sodium hydroxide from 100 parts per million to 11,100 parts per million.  The staffer was at his computer, monitoring the facility when a remote user took control of his mouse and attempted to poison the water.   Once the attacker relinquished control, the staffer reduced the level back to 100 before the water was impacted.  

Utilities as Cyber Targets: All around the country there are thousands of gas, electric, and water facilities that are part of the critical infrastructure of the country.  You may ask “How did this happen to such a critical resource?”   I know I did.  It turns out, this small facility had a small budget, and cybersecurity was not included. 

Forget the Rules: The organization broke just about every principle of basic cybersecurity imaginable.   The system was running on an unsupported version of Windows.  The organization used a desktop-sharing software package called TeamViewer, which allowed the staff to monitor the system remotely.  Everyone shared the same password, and the password was the manufacturer’s default password.  It’s hard to say which cyber bumble was the worst, but it could have been the fact this critical infrastructure was connected directly to the internet without any type of firewall protection.  One more thing – six months prior to the attack, the facility stopped using the tool, TeamViewer, but neglected to uninstall it. This is the very tool the hacker used to infiltrate their system.

Convenience over Security: This is what happens when functionality and convenience trump security. These lessons apply to every business.   Password hygiene is critical.  Disable the default account on all devices.   Use unique passwords per user.  This enables proper access control to the devices and auditing of the system.  Otherwise, you don’t know who did what.  Always keep your systems updated with the latest patches for both the operating system and the applications that are in use.  If you are no longer using a piece of software, remove it. When someone leaves the organization, disable their account.  Close your firewall, so only the required applications can pass. 

Wake Up: This is a wake-up call to all the small and medium-sized utilities, letting them know they are a target.  In most cases, the larger utilities do have more regulations to follow and subsequently, a larger budget.  They understand their critical systems have to be separated from the rest of the organization’s network, and it is best practice to have no direct internet access. 

Be Prepared: The attack on the Oldsmar Water Facility did not require the skill and resources of a major world power.  It could have been a disgruntled employee who had the password.  It could have been a low-grade terrorist organization that researched industrial control systems.  Oldsmar made this hack extremely easy.  We don’t want to live in the first chapter of a Tom Clancy novel.  Our utilities and our businesses need to beef up their cyber defenses.  Our lives may depend on it.

The Stuffing Will Make You Sick

The Conflict: For years, my mother-in-law insisted on stuffing the turkey – with stuffing. She wanted the stuffing to get all the turkey deliciousness by absorbing the juices. I didn’t really like it because the stuffing was soggy, and we had to cook the bird longer. That meant dry breast meat.

The Solution: Now, our family is in charge of the thanksgiving meal. We don’t stuff the turkey. We brine it. Then smoke it. The result? Juicy turkey breast, and crisp, fluffy stuffing. I win.

The Concern: The problem is with putting stuffing in the bird, you can end up with salmonella poisoning if you don’t get the center of the bird up to 160 degrees. That’s what the experts say, anyhow. I’ve never felt like it was worth the risk to test that hypothesis. So, I just kept my mouth shut and soaked the dry breast meat in salty gravy.

Credential Stuffing: There is another stuffing that will make you sick. It’s called “Credential Stuffing.” It works like this: You read a really captivating Cyber Tripwire article about passwords. You’re instructed to make them long. Thus, you create a portmanteau of the first name of every grandchild and their birth year. Then to make it really strong, you put an exclamation point at the end. NO ONE will ever guess that! You have your new favorite password.

Just One Password: Next, you proceed to change all of your passwords to that new, really strong one. Instagram, Facebook, Bank of America, Linkedin, Gmail… the list goes on. Every website you use regularly now has a really strong password—the same password.

The Opening: All it takes is for a threat actor to get the password database from one of those sites, and they will have your email address and password for every other site, especially your email account.

Textbook Scams: What they do next is textbook. They log into your email account and send spam emails to everyone in your address book, straight from your account! One of my clients received an email this week from the victim of an attack just like this.

The email read something like, “Hey, when you get a second, I have something important to talk about. Let me know your availability.” If the recipient replied, there was an immediate response. It read, “Thanks for getting back with me. My daughter was diagnosed with cancer. I’m hoping you can help out financially. Just send me some Google Play gift cards.” This was a classic gift card scam.

The Process: Gift card scams and their variations, “The Refund Scam,” the “Fake Tech Support Scam,” almost always involve gift cards. Here are a few characteristics to watch out for:

  1. Someone CALLS YOU on the phone promising an unexpected monetary award (refund or sweepstakes).
  2. Maybe you get a scary pop-up screen on your computer notifying you of several viruses detected. The screen has an 800 number prominently displayed (Remember: Emotion shuts down the logic center of your brain.).
  3. The person on the phone almost ALWAYS has a non-American accent (No prejudice here. Just fact.).
  4. The person on the phone, or the fake tech support person “accidentally” refunds you too much money.
  5. They need you to “help them get that overpayment back or they will lose their job” (Preying on your natural goodness.).
  6. They instruct you to buy several thousand dollars in gift cards.
  7. Or, they may instruct you to use Western Union to wire money.
  8. Or, they may instruct you to get physical cash from the bank and ship it via FedEx.

Notice the Signs: No matter what the person tells you, or what you see on the computer screen, these are tell-tale signs of fraud. If you find yourself in a situation like this, immediately hang up the phone and contact the cyber guys from CyberEye BEFORE any transactions take place.

Cyber Food Poisoning: Undercooked stuffing can make you sick. Credential stuffing leading to a gift card scam is no less annoying than food poisoning.

The Walking Cyber Dead

Zombies: In the movie “Night of the Living Dead,” (the precursor to “The Walking Dead”) zombies are walking around the city attacking humans.   If the humans are infected, they become zombies, too, and join in the chaos.  

Cyber Zombies: Strangely enough the cyber world has exactly the same thing, except it is not fiction, it is real. It usually starts out with users getting this great free software program or clicked on a link that advertised an unbelievable deal.  This means it sometimes comes in as a Trojan Horse.  A Trojan Horse is an actual application that works as advertised, but it also has additional malware functionality that goes with it.   The malware may also be distributed by using an email with a malicious hyperlink.     The hackers have various methods to infect your machine.

What They Do: Once infected, the fun begins.  First, the software searches your computer for any useful information like credit card, bank account or other critical information.  Critical information might be relatives names, birthdays, home towns and other similar data that might help them answer your security questions.  The information is sent to the hacker’s Command and Control (C2) server. 

They’ve Just Begun: The really bad part about being a zombie is that the C2 is not finished with you once it has your information.  You are now part of the zombie botnet.   It’s a network of computing devices that infect other computers – perhaps everyone in your email address book.  Or they might control your computer to perform a denial of service attack on a large corporation making their network unusable.   

Beacons: You may ask how the C2 server can control your laptop once you are infected.  The malware running on your computer is sending a “beacon” back to the C2 server.  The activecountermeasures.com website defines beaconing as “the practice of sending short and regular communications from an infected host to an attacker-controlled host to communicate that the infected host malware is alive, functioning, and ready for instructions.”  In other words when your device is a zombie, your system communicates with the C2 server to see if there is any nefarious work for your device to perform. 

Millions of Cyber Zombies: Remember that the Trickbot network we discussed a couple weeks back had over a million devices on their network. There are many other botnets with hundreds of thousands of devices.  It’s very common.  Almost all devices show no indication that they’ve been compromised even though they are controlled by hackers.   It’s funny to think that some of the devices are part of the “Internet of Things” appliances. Imagine that your refrigerator or your coffee maker could be a zombie in one of these botnets.

Cyber Zombie Apocalypse Response Team: Unfortunately most managed security service providers are not looking for beacons even though they are prevalent.  Anti-virus won’t stop it and firewalls won’t block them.  In order to detect them, you need to be looking for them.   Beacons have very specific characteristics.  They phone home periodically at regular intervals and similar message size.  Beacons can be detected and there are some manage service providers that know how to hunt them down and take them out. Unlike the zombies in the “Night of the Living Dead,” there is a cure for this sickness in the cyber world. We do have the cyber equivalent of the Zombie Apocalypse Response Team. 

Minor Mistakes, Costly Consequences

The Launch:  It was 6:45PM on December 11, 1998.  After years of engineering effort and toil, the Mars Climate Orbiter was being launched.  This space vehicle was designed to study Mars from orbit and serve as a communications relay for space probes.  The goal was to determine the distribution of water on Mars and monitor the Red Planet’s daily weather and atmospheric conditions.  The team celebrated as the Mars Climate Orbiter started its first step in the over nine month journey to Mars.

The End:  Fast forward 286 days to September 23, 1999.   The orbiter had successfully navigated 140 million miles (225 million kilometers) to Mars with only some minor corrections required on the way.  This was the day the Mars Climate Orbiter would enter into the orbit of Mars.  The key to success was to keep the spacecraft higher than 80 km above the surface.  Go any lower and the fragile spacecraft would shatter into Mars’ atmosphere.    The first sign of trouble occurred during the insertion burn into orbit.  The engineers were expecting a communication loss, however, the loss of signal occurred 49 seconds earlier than expected.  Instead of regaining signal twenty minutes later, it never returned.  

What Happened:  The celebration was replaced with an investigation.  What happened?  It turns out that the orbiter went past the 80km safety zone and was within just 60km smashing into the atmosphere.  After traversing space for over 225 million kilometers, how were they 40 km farther than they thought?

The Answer:  American standard versus metric.   Yes, one part of the software in the orbiter’s thruster calculated pounds of force and the second piece of code that read the data assumed the metric unit – Newtons per square meter.  Although this resulted in a factor of four times, it was a relatively small difference in fuel.  Several engineers commented during the route when they had to make minor corrections, but no one made the connection along the way.  

Costly: This was a $327 million mistake – $193 million on spacecraft development, $92 million on the launch, and $42 million for mission operations.  Wow!

Employee Mistakes:  Hopefully, mistakes at your workplace don’t cost your company that much, but statistics show that many of the cybersecurity breaches are caused by employees making mistakes.  These are instances where the breach could have been avoided if not for the employee making a mistake.

No Public WiFis:  One of the biggest mistakes that people make is to trust public wifi hotspots.  That’s right, do not trust any public hotspot.  Public hotspots are hotbeds of cybercrime.  

Proper Use Required:  Another mistake of employees is “inappropriate use of IT resources.”  Examples of this are: non-work related web surfing, peer-to-peer file sharing, unlicensed software, pirated music or videos, and non-approved remote access programs.  Remember, on the internet, if something is free, then you are the product.   These sites and applications are riddled with malware and allow hackers a foothold into your organization.

Social Engineering:  Another employee mistake in the cyber arena is falling for social engineering. Hackers use human emotions to manipulate people into downloading their malware or buying gift cards or wiring money.  Either out of fear or a sense of helping someone, we get tricked into doing something that harms us.  

It’s Avoidable:  Just like metric conversion in the Mars Climate Orbiter, these mistakes can be avoided.  Education and training are key.   Your staff should be able to identify a phishing attempt or know enough to avoid public wifis. Cybersecurity training should not be a once a year requirement.  Employees should get periodic cyber training and phishing scenarios.  Breaches are costly and as the old saying goes, “An ounce of prevention is worth a pound of cure.”

Avoid the Pain, Train: Whether you are orbiting Mars or providing services to valuable clients, it is always prudent to check your math and your cybersecurity.  Train to avoid the pain.  

The Flight of the Auk

Adaptability: One of the fundamentals of survival is the ability to adapt quickly to a changing landscape.

In June 1844, the last Great Auk was killed, ironically, so it could nest permanently in a dusty museum.

Akin to the Dodo: The Great Auk was a helpless, hapless, flightless bird that bred in colonies on some rocky islands in the North Atlantic. You may never have heard of it. Perhaps, because the sly insult “strong as an Auk” doesn’t sting like “cunning as a Dodo”, and “Auk”, could be linguistically confused with “Ox”.

What Is It: The Great Auk is similar to a penguin: flightless and helpless. Why aren’t the penguins extinct, too? They live in Antarctica. People haven’t gone there in great numbers. For the Auk, they lived on an island used by sailors as a pantry for restocking supplies, like bird meat. Antarctica isn’t somewhere people regularly frequent for the same purpose. It’s inconvenient, and inconvenience to humans may have saved the penguin.

Extinction: Whether Dodo, Great Auk, or Wooly Mammoth, the end was the same—extinction. Extinction due a cataclysmic collision of unfortunate events. The animals had developed defenses ideal for the geographic bubble in which they lived which was a specific geographic ecosystem.  Suddenly their bubbles popped. The conditions changed. Their serene world careened into the 19th century, and they lost. They lost because of an inability to adapt.

We Adapt: Humans are different. We don’t adapt to suit our environment. We adapt our environment to suit ourselves. This is our axiom. Now, whether this application of adaptation is a moral one, is not the purpose of this discussion.

Change to Survive: Situations and environments change. Those who most nimbly adapt will survive. The others will not. For a case study, look at Sears. They OWNED the mail-order business. Then came Jeff Bezos in his tiny garage selling books—over the internet. No threat there. Until it was one. It was too late for Sears. Sears SHOULD HAVE owned the online mail-order business. The same way they owned the magazine mail-order world. Like the Great Auk, they failed to recognize a threat. With their ineffective wings and clunky feet, Sears bumbled into the 21st century, failing to adapt quickly when the environment changed.

The Trouble of Inconvenience: For Sears to change its business model would have been inconvenient. People don’t like inconvenience. We develop a bubble of comfortable systems and familiar procedures. We actively reject anything that may disrupt the playful bubble of familiarity.

Hard for the Bad Guys: As defenders of our world, we can use this natural human aversion to personal inconvenience to our advantage. If we make it sufficiently inconvenient for a cyber-criminal to successfully attack us, it may demotivate them and cause them to seek a softer target.

Contact CyberEye – They Know: Unfortunately, this article doesn’t provide the space to list everything you can do to introduce inconvenience into your cyber defense plan. Feel free to contact the Cyber Guys from CyberEye for details.

Recognize the Threat: Both the 19th century Great Auk and the 20th century Great Sears, didn’t recognize the threat early enough. At best, the great Auk could have changed breeding sites to a less convenient location, then decrease the frequency of human interaction. Sears could have bought Amazon’s business model for a few thousand dollars and adapted to it.

Make Adjustments: In 2021, if your business survives the tragedy of COVID, the most likely cause for failure will be a lack of flexibility in your business processes. There is a cyclone of cyber-criminal activity on the near horizon. There are threats we’ve never even considered about to drop anchor just offshore.  Sadly, change is the axiom of the cyber-threat landscape.

The Internet is NOT Mr. Roger’s Neighborhood

Desert Animals: Before moving to Arizona, we had only seen coyotes in photographs.  Javalina or coatimundi? Never heard of them. Mom moved here before us. She and her little 10-year-old black and white shih tzu, Jasmine.

Coyote Magic: Mom was fascinated by the coyotes she saw daily running through the desert across the street from her new house. To her it was as magical as the tiny trolley on Mr. Roger’s Neighborhood. But the magic was not destined to last.

The Awakening: One night she let Jasmine out the front door to do her “business” before bed, just like she did every night. But this time, as she returned to her office chair by the front door, almost immediately there was an odd noise. She got this feeling inside her told her something was wrong. She bolted for the door. Jasmine was gone.

Predators: I know that’s hard for some of you to read. It was tragic for her, and for the grandchildren. We all loved Jasmine. But it illustrates the point. No matter how many times she saw the coyotes, AND knowing that coyotes are predators, there was that natural human tendency to disbelieve that could ever happen to her.

Not to Me: She’s not alone. Regardless of the situation, humans are inclined to think the worst will never happen to them. For example, we have auto insurance. Not because WE are bad drivers. No, we insure ourselves to protect us from the poor choices of others.

Online: How does that apply to life online? Believe it or not, there REALLY ARE organized crime syndicates that are planning the next big hit. They normally target big businesses – the Big Game. But they have found that the big businesses are getting better at protecting themselves. So they target small businesses who traditionally have weaker defenses, but who connect their smaller network to the big company network, ESPECIALLY now that more people are working from home. IT departments of small businesses have had to scramble to figure out how to allow remote workers. So the simplest solution has been to open a port in the firewall and allow the worker to use Remote Desktop.

Simple, not Secure: That would be a great solution – in Mr. Roger’s Neighborhood. But we don’t live there. A report I reviewed this week provided compelling statistics advising NOT to allow that type of remote access. One large company was breached when a nation-state threat was able to brute force a login through that open firewall port. A brute force attack uses automation to generate a large number of guesses at a password until they get in. 

Act Now: If that has been the solution at your company, stop everything and get that port closed NOW. There are better solutions. And in many cases, you can have remote workers without providing them remote access to your network.

It Can Happen to You: People tend to make poor choices that provide the right opportunity for a threat. Even when the threats are as obvious as ferocious predators running down the street next to your house. The internet is TEEMING with ferocious predators. Sometimes those choices can cause irreparable damage to your business, or your family’s livelihood. By the way, those ferocious predators on the internet are allocating huge budgets to enhance their attack capabilities. Our defense is only as good as OUR budget allocation.  Don’t think that it couldn’t happen here in a small city.  It already has and is more common than you would think.

Congratulations, You Are About to Lose the Super Bowl

Jets in Super Bowl: The last time the New York Jets won a Super Bowl (in fact, the ONLY time they ever won), Richard Nixon was elected president of the United States. The year was 1969, kids.

Intel on Opposing Team: One thing about being in the Super Bowl is both teams know who they are up against. The opposing team has just finished an entire season of football. Both teams will review the video recordings of every game so they know the strengths and weaknesses of the other team, and of their own.

Your Turn: Imagine YOU are the New York Jets, and you’ve just been notified that through a quirk of fate, you are playing in the next Super Bowl! Congratulations! Oh, but there is a catch. You don’t know who you are playing.

Cyber Super Bowl: What does this scenario have to do with cyber security, you ask? Actually, quite a lot. For one, almost every network, especially homes and small businesses, are about as well defended as the New York Jets. Which means, not very well. And offense is completely out of the question.

Offense & Defense: As with football, so with networks. We need BOTH defensive AND offensive lines. We’ve already established that offensive cyber operations are off the table for home users and small businesses. Since we aren’t permitted legally to conduct offensive cyber operations, the next best thing is to detect an intruder early. In a computer network, defense equates to prevention. Prevention consists of firewalls and antimalware. Conversely, offense equates to detection.  Detection consists of Endpoint Detection and Response tools, as well as Security Operations Center (SOC) analysts responding to alerts. In addition, your team can leverage Cyber Threat Intelligence (CTI) from the Intelligence-sharing groups and then actively hunt for those very threats on your network.

Prevention is Affordable: For most home users and small businesses, prevention is all they can afford. Because prevention is usually an automated process facilitated by software, you set it and forget it. Since most home and business users are running Windows 10, you have Windows Defender installed by default, and that is the best option for antimalware and the host firewall.

Detection: Detection is tougher because it usually involves hiring an SOC team (or tasking your IT staff with additional duty, for which they aren’t trained). For a small business and home user, detection and threat hunting is only feasible with a Managed Security Service Provider (MSSP). For example, Dell purchased SecureWorks a few years ago, and AT&T purchased AlienVault to provide those services. The downside is most of the MSSPs target large businesses with deeper pockets. You just need to make sure you pick a vendor that can provide the sweet spot of security and cost.

Cover Your Bases: The sweet spot is really about covering all your bases (forgive the mixed metaphor). Getting prevention and detection capabilities in place. But even when you do that, the persistent attackers will still get through. Eventually. That’s where the cyber insurance comes in. A great place to start looking for solutions would be Stickler Webb Insurance. There you can get cyber insurance quotes and find a cost effective SOC vendor to provide the offensive line.

Your Offensive Line: You are not going to the Super Bowl. If you have a computer network, you are already IN the Super Bowl. Relying on prevention alone is like going to the Super Bowl with only your defensive line. Imagine how that game would turn out. You are in the game whether you like it or not. Make sure you at least HAVE an offensive line.

Back to the Basics

Hills Are Alive: In the Disney classic, “The Sound of Music,” the troublesome but optimistic nun turned nanny, Maria, is teaching the Von Trapp children how to sing since they did not know how.  She starts into song saying “Let’s start at the very beginning, a very good place to start, when you read begin with A-B-C, when you sing begin with do-re-mi.” Here at the Cyber Tripwire, we change that second part a bit to apply to cybersecurity.  “When you cyber, begin with C-I-A.”   OK, so maybe it won’t be sung by teenagers around the world and I’ll have to postpone my song writing career.

C-I-A: With cybersecurity, getting back to the basics is as easy as C-I-A … Confidentiality, Integrity, and Availability.  These are the high level basics.  Confidentiality means that only the people who are supposed to access the data have access.   Integrity means that there are no unauthorized changes to data at all during transmission, in use, or while stored.  Availability means that the computer resources are ready and can be accessed by legitimate users.  Together they are referred to as the “C-I-A Triad.”  For most organizations a chink in the armor of any of the three could cause havoc. Let’s look at each one closer.

Confidentiality: The importance of confidentiality differs depending on your industry.  If you have a secret recipe like Colonel Sanders, it is critical.  If your organization handles any personal information, the protection of that confidential information is required by law.  Here are some examples of failure to maintain confidentiality.  An unauthorized person accesses data.  An unauthorized process gains access to data. Consider a hacker that uses malware to copy your data.  An unauthorized person accesses an approximate data value, a range. For instance if someone found out that an employee’s salary is within a certain range.   Loss of confidentiality could even be an unauthorized person finding out that a piece of data exists.  If you are sending personal information over unencrypted email, the confidentiality of the data is highly at risk. 

Integrity: Integrity does not necessarily require hacker intervention to be lost.  It is possible to lose integrity through careless use by an authorized user.  For instance, a user that accidently saves unapproved modification to a file without realizing it.  Information system errors could also affect the integrity of data.  In order for data to have integrity, it needs to be precise, accurate, meaningful and useful. Modification made must use acceptable ways and only by authorized people or processes.  When a hacker captures unencrypted data, changes it, and sends it to the original recipient, the integrity of that data is lost.

Availability: Availability allows authorized users to access and use network resources, like a printer or a website.  Available resources must complete the service request in a reasonable time.  When I was in college, I remember that the telephone networks lost availability every Mother’s Day.  The telephones circuits could not handle the flood of calls.   Similar things happen today on the internet when there is an Amazon Day or occasionally during Cyber Monday.  When hackers use malware to overload a particular service or website, it is called a Denial Of Service (DOS) attack.  A DOS attack is intended to remove the availability of its victim’s resources.   As many of you know from experience, you don’t need a hacker to lose availability.  It could be lost with a malfunctioning resource, or an upgrade gone bad.

Auf Weidersehen: So there it is, the basics of cybersecurity, the C-I-A Triad.  Now, we can all go back and singing the rest of the Von Trapp family songs – “So long, farewell, auf weidersehen, good night.”

The Saga of the Stolen Stingray

Protect It: I imagine one day I’ll own a 1970 Corvette Stingray. It will have its own garage. I’ll lock the garage doors when I’m not using it to make sure it’s safe. I’ll put an alarm on the building—to be sure. And I WON’T leave the keys in it!

Hijacked: A few months ago, my mother-in-law told me her email “broke.” For a few days, she hadn’t received any emails in her Outlook Client. So, I took a peek at her Cox webmail. I found a message stating the account was locked, due to suspicious activity. After a couple hours with tech support, we were able to get in. We found the account had been sending hundreds of spam emails every day. A criminal had hijacked her mail.

Recently I read a blog post in Dentaltown from a dentist victimized like this. His email account had become an unwitting offender. How did this happen to them? Will it happen to you? How can you prevent it?

Credential Stuffing: These email accounts fell victim to what we call a “credential stuffing attack.” It’s often performed by software known as “bots.” See, websites should be storing your username/password pairs (AKA “credentials”) in an encrypted database, but they often don’t. It’s like storing a 1970 Corvette Stingray in your garage (keys in the switch), and then leaving the door wide open. You’d never do that, but websites do—all the time!

Darkweb Dump: Criminals break into those websites and scoop out your credentials. Then, those same criminals dump your credentials on the darkweb. Other crooks snag these breached credentials from darkweb, Amazon-like sites. They then code their bots with lists of credentials, including yours. Finally, the bot logs into your email account.

Picture this:  You use your Gmail address as the username to log into scrapbook.com. Then, you use the same password for scrapbook.com that you use for your Gmail account. A criminal breaks into scrapbook.com. If the database isn’t encrypted (the doors were left open), the thieves steal your credentials. In essence, the criminal drove away in your beloved Stingray! It happened because you used the same key for every door you own: Your house, your Stingray garage, your business office, your mailbox…  You get my point? Worst of all, you left a copy of the key taped to the front door of your house, right in plain sight.

Unique Passwords: We often recommend in these articles that you make sure and use unique passwords for the bucketload of websites you log into. Certain sites are more critical, for example, your email account, as well as your bank account and other accounts containing your financial information. Use a password manager like Bitwarden. If you use a long, unique passphrase, instead of a short password,  and you use a different passphrase for each site you visit, then you reduce the chance of becoming a credential stuffing victim.

A Turkish Taxi or Going to the Cloud

Traveling: Did you know that when you take a taxi cab in Turkey and there is an accident while you are in the car, then you, the passenger, are liable for the damages? Why? Because you hired the cab. That is what it means for your business when you “go to the cloud.” Businesses think the cloud solves all of their cybersecurity problems, but that is not the case. Your business is responsible.

Regulatory Requirements: For most businesses, they have at least one set of regulatory compliance rules to abide by when handling data. For example, if your business accepts credit cards as payment, you are subject to the Payment Card Industry Data Security Standard (PCI DSS). If you track any Personally Identifiable Information (PII) on your customers or employees, you are subject to the Privacy Act. If you are a health care provider and handle Protected Health Information (PHI), you need to be compliant with the Health Insurance Portability and Accountability Act (HIPAA). Healthcare providers have the trifecta of data protection liability – having PCI, PII, and PHI to worry about. In the cybersecurity world, regulatory requirements drive your data security plan.

Data Security: The definition of data security from technopedia.com is “protective digital privacy measures that are applied to prevent unauthorized access to computers, databases and websites.” In other words, data security is how you protect your customer’s data. Although there are many laws, regulations, and guidelines, they do not dictate HOW to implement the protective measures. THAT is up to the individual business owners to decide. This is important because the business is held legally responsible for any privacy breach that may occur whether the data is in the cloud or in your back-office data closet. You are responsible for its protection.

Cloud Absolution? No: Some business owners think that if they push their system to the cloud they will be absolved of data security. Many cloud service providers offer Software as a Service (SaaS) solutions for just about every application these days, making it a turn-key solution for many businesses. One example is Office 365. it reduces local IT costs and in most cases provides an increase in service. In many cases, the business can coordinate with the provider to pay for controls like encryption and firewalls in the cloud. Sounds great, doesn’t it? So where’s the problem?

Who’s In Charge: The cloud customer (that’s you) decides who gets access to the application. The employees are usually working from a laptop, desktop, tablet or phone to access the application.

Threats Still Exist: The cloud is NOT threat repellant. If any of your business computers get key-logger malware (malware that records your keystrokes), the hacker will steal your cloud login credentials and use them to access to your data from anywhere in the world. Your client data that you use daily is sitting on the computer memory of your local device. If the data is (heaven forbid) sent unencrypted to the cloud, you are subject to interception of your data with what’s called a man-in-the-middle attack. This happens often when using public Wi-Fi hotspots. Employees are also susceptible to social engineering where they are tricked into clicking on a malicious link or even provide their password information over the phone. As we noted in other articles, the dark web has usernames and passwords available from previous breaches. If people re-use their passwords, the hacker may get access that way too.

Due Diligence: Even in the cloud, business owners must have due diligence with data security because they are liable. Your employees need cybersecurity training. Their devices should have antivirus and endpoint detection monitoring – agents watching for unusual behavior. Businesses should have cyber insurance to transfer the risk in case a breach occurs despite best efforts.

The Bus?: So, if you are in Turkey you may want to take the bus. Using cloud services on the other hand, there isn’t any substitute for a robust security plan.