Hidden Vulnerabilities: Why Cybercriminals Target Small Town Businesses 
0
Dan Gavin
Hidden Vulnerabilities: Why Cybercriminals Target Small Town Businesses 

Week after week, we write about the latest breach or how hackers use social engineering to get into corporate and government systems, but as you read this in Cochise County you think these types of things only happen to big corporations in big cities.  You may think: “My small business is not worth the hackers’ efforts.”  I’ve got news for you; your small or medium-size business is worth their effort.  Why?  Because some businesses make it so easy for them. As we do forensic investigations locally in Cochise County, we have met some of the victims.  Sometimes healthcare providers post a banner on their web pages discussing their breach and compromised data. 

One of the most common way hackers get unauthorized access to local business systems is to scan for open ports on public facing servers. A port is simply a door into your network. The port in particular that they love is the one used for remote access.  In this case think of this port as the magic wardrobe that the children found to enter Narnia. During COVID when many switched from working at the office to working at home, the local IT guru opened that famous port so that users could remote into their server or desktop using Microsoft Remote Desktop.  It was a great solution because it is easy, and it works.  Unfortunately for many, it is not at all secure and is a favorite target for our worldwide hackers.   

It’s possible to scan the entire internet in hours. In 2019, a researcher named Robert Graham scanned the entire IPv4 address space for the remote desktop port and found around 3 million exposed servers. That’s exactly what the bad actors do.   Once they find the open port, the first tactic they try is to determine the type of server and use the default usernames and passwords from the manufacturers.  Many people never remove and reset these.  The next thing hackers will attempt a password cracking technique.  Some techniques are sophisticated like the credential stuffing attack, where hackers look on the dark web for actual cracked passwords for the business which was hacked.  They are hoping that people will reuse their passwords.  Another technique is to run a dictionary attack where common usernames and passwords are automatically attempted.  We see this occur locally where the port is opened for maintenance and within an hour there are failed login attempts from North Korea, China, Russia, and Iran. It really happens here in Cochise County. 

Many business owners believe that they are safe from cyber-attacks because their IT person assured the owners that they have the best firewall the world has ever seen along with the latest and greatest anti-virus.  This is a good start, but the bad news is unless you block internet and email traffic on the firewall, it won’t stop phishing emails.  Your anti-virus won’t stop brand new malware.  According to Verizon’s 2023 Data Breach Report, around 90% of breaches are linked to phishing emails. The others are related to downloading malware through internet browsing.   

Some business owners might say they are safe and don’t need cyber security because their software is cloud-based.  In that case, what happens when an employee downloads a key-logger program that was on a link in their email?   The hacker has access to all company data and if that employee had administrative privileges, the hacker has total control.   

If a breach or ransomware attack could shut down your business for more than a day or if a breach would make you liable to your clients, your business needs solid cybersecurity.  We recommend a defense-in-depth strategy where there are multiple layers of defense.  Start with the basics of up-to-date firewalls and anti-virus, then add endpoint detection response that stops malware from executing, then get some monitoring and user training.  You follow that up with solid security policies. 

Don’t be an easy target.  Harden your business with a defense-in-depth strategy to thrive in the digital world.  Get a cyber risk assessment done to make sure that you are not low hanging fruit for the lazy hacker. 

Even the Experts Can Be Fooled
0
Dan Gavin
Even the Experts Can Be Fooled

When even experts in social engineering can be fooled, it is important to ensure a defense in depth strategy for your business’ information security.  KnowBe4, one of the country’s largest providers of cybersecurity and social engineering training, got fooled by a North Korean IT worker intent upon loading their network with malware. 

KnowBe4 had a job opening. They were looking for someone for their internal Artificial Intelligence (AI) team.  What they received instead was a valuable training lesson in advanced social engineering. They were fooled. But unlike many companies, they disclosed the failure. Their experience might save others from a similar fate. 

Fortunately, they caught the imposter early enough so there was no breach or illegal access to the company’s systems.  They stopped him before he could do any damage.  Here is how it happened, how they stopped it, and some lessons learned. 

The human resources team did their jobs.  Background checks came back clean because the imposter was using a valid but stolen US-based identity.  They conducted 4 video conference-based interviews validating that the person matched the photo on the application.   The imposter took a stock photo and used AI to merge his features to the photo.  HR even verified his references. 

Once hired, the imposter asked to have his laptop sent to a farm. Not the kind you’re thinking of. It was “an IT mule laptop farm.”  The laptop farm is like an office filled with laptops and computers hackers use. They connect remotely from North Korea to the laptop farm. It was a good thing KnowBe4 restricted new employee access and didn’t allow access to the production systems. 

Once the imposter had been successfully hired and his laptop had been delivered, it was time for him to embed his malware onto the company network.  He downloaded and attempted to execute malware.  He then used some technical trickery to cover his tracks. 

The good news is the company security operations center (SOC) was alerted to potentially dangerous behavior and called the imposter.  The imposter claimed criminals must have compromised his router.  The SOC team quickly isolated his computer from the rest of the network preventing his access to valuable systems and data.  The imposter was unresponsive once he figured out that he was caught.  

Here are some lessons learned.  When a company uses remote workers with remote computers, the company should have a way to scan the device ensuring there are no other connections on the device.  When hiring workers, don’t rely simply on email references.  Do not ship laptops to locations that don’t match the applicant’s address.  Make sure applicants are not using Voice over IP (VOIP) phone numbers.  Lastly, watch for discrepancies in address and date of birth.  

With all the process failures, KnowBe4 did not suffer a breach.  They understood defense in depth.  They had multiple lines of defense in case one (the employee screening process) was breached.  All their laptops had endpoint detection and response (EDR) software loaded and they had a SOC watching over their network.  The EDR stopped the malware from executing and alerted the SOC. The SOC team isolated the computer right away and escalated the issue.   

When it comes to protecting your business, you cannot rely on the minimal protections.   Firewalls and anti-virus are useful, but they do not stop a hacker from entering through your email or your browser.  Technology, like EDRs and SOCs, may save the day, but must be backed up with tried-and-true policies and training.   Although KnowBe4 is an expert in social engineering, they got scammed due to lax hiring policies.  They have since updated their hiring policies.  Remember, a fool may learn from his own mistakes, but a wise man learns from the mistakes of others.   Be the wise man. 

One Click That Shutdown 15,000 Businesses, the CDK Hack 
0
Dan Gavin
One Click That Shutdown 15,000 Businesses, the CDK Hack 

What started out as a peaceful shift for one of the country’s largest Auto Dealer Software-as-a-Service vendor, turned into a nightmare.  By 2:00AM, the security team determined that they needed to shut down two of their data centers to stop the ransomware from spreading.   

The vendor is CDK Global and they provide software services for over 15,000 car dealerships nationwide. They provide a platform that handles all aspects of an auto dealership’s operation including customer relationship management, financing, payroll, support and service, inventory, and back-office operations.  On June 19th, CDK announced there was a cyber incident they were investigating, and services were not available.   They started restoring service later in the day, but then they had a second cyber incident which caused them to take the systems offline again.   

What makes the problem more complicated is that their clients are always connected to their network through an “always-on” VPN. This provides a tunnel from the client to the data centers.  Normally that would be a good thing, but in this case, the always-on VPN just extended a network that was poisoned by ransomware.  They recommended that the clients disconnect so that the hacker could not “pivot” from the CDK network to the client dealership network.  What was even more critical was that the CDK software had administrative privilege on the client systems to do software updates. Hacking that software would give the attackers admin access to the local computers.  Thankfully no clients reported any contagion.  

This attack caused widespread disruption at car dealerships with no ability to track and order car parts, conduct new sales and offer financing.  Some dealerships shut down completely, while others reverted to the tried-and-true method of pen and paper assisted by spreadsheets.  They are projecting to have all their clients fully operational by July 4th.   However, the damage has been done.  The disruption comes at a cost to CDK and the dealerships an estimated $944M. 

The attacker is purported to be a hacking group identified as BlackSuit, who although only starting a couple years ago, have been responsible for over 95 breaches across the globe.  They are known for using a technique called “double extortion.”  During the breach, they upload the victim’s data to their server before encrypting (locking) the data on the client system.  They request a ransom for the key to unlock the data allowing the victim to continue operations.  Additionally, they also threaten to release the data on the dark web if the victim does not pay a second ransom.  

This breach may have been avoided if CDK fully implemented Zero-Trust methods.  In a Zero-Trust environment, it is assumed hackers are on the network and only trusted applications can run.  Application whitelisting would have stopped this attack in its tracks.  Whitelisting allows only those known trusted applications to run on the network.  Any new application, like ransomware, would not be allowed to run. 

The attack also highlighted the importance of being prepared for anything.  All businesses should have a Contingency Operations Plan written and validated prior to any incident or emergency.  Those dealerships that adapted the process without a computer could continue to sell and service vehicles.  Those that did not have a plan suffered. 

The ray of sunshine in this otherwise dreary incident was that our local dealerships were unaffected by the attack. All the dealerships from Sierra Vista to Tucson escaped this disaster as they do not use the CDK service for their management.  

For CDK, one improper click costs them and their clients a billion dollars.  Implementing Zero-Trust concepts and employing continuous cybersecurity training would have been a much more cost-effective solution.  The problem is many companies don’t really understand that until it is too late. 

The original article was published in the Sierra Vista Herald here.

Ransomware Shuts Down Municipalities; How To Protect Our Cities
0
Dan Gavin
Ransomware Shuts Down Municipalities; How To Protect Our Cities

On June 9, 2024, the city of Cleveland, Ohio uncovered a “cyber incident” which was later determined to be a ransomware attack. Since the attack, city hall has been closed to the public for over a week.  Citizen facing services have been offline as well. To contain the damage of the ransomware, the city shut down the affected systems until they could restore them safely.  On a positive note, emergency services, works, utilities and healthcare were not impacted. 

Details about the attack have been kept close-hold as the investigation continues.   Some employees were allowed back to work on the 12th, but many issues remained.  They could not process building permits and birth/death certificates.  After over a week, the mayor’s office still has not disclosed what information was exposed.  The city did say that they were not negotiating with the hackers and will not pay the ransom.

This is not the first major city in the U.S. to get hit with ransomware.  In 2019, the city of Baltimore, MD was hit with a devastating attack that crippled their municipal services for weeks.  The cleanup cost the city over $18M.  In May of 2023, Dallas, TX was hit with ransomware that disrupted the city’s 911 emergency services. New Orleans, Knoxville, and Las Vegas also have joined the Ransomware Victim Club. 

Don’t think that this only happens in faraway places in different states.  The city of Kingman, AZ experienced a significant cyberattack where the city’s computer system was compromised.  The breach included social security and driver’s license numbers mostly affecting employees. 

There are several reasons why hackers target city governments.  For one, cities have valuable data.  This includes sensitive information such as personal records and financial data.  Secondly, hackers assume that municipalities are a soft target.  Municipalities often lack the necessary funding and skilled personnel to address technology challenges.  Often the IT infrastructure is outdated, making them vulnerable to attack.  Lastly, municipalities provide critical services.  Hackers think that if they take down critical services, the city will gladly pay the ransom.  

Many of these municipalities had cybersecurity services which monitored their systems.  So, how did the hacker install the ransomware?  The problem with this method is that the hacker must be actively inside the network before the threat can be identified, and sometimes that is too late. New malware (zero-day attack) is not in the antivirus databases and is not automatically stopped.  

The solution to this problem is “application whitelisting” or “application allow listing.” With this method only applications which have been validated previously can run on the computer.  Even if an employee clicked a malicious link, when the software tried to run on the local system, it would fail. It is not on the allow list.  There is upfront friction with this implementation where users cannot load anything they want whenever they want.  They submit a request for their new software to be put on the allow list.  The cybersecurity personnel validate the software in their testing environment looking for unusual behavior.  If it checks out, the software is approved for use.  

Another cybersecurity aspect which is often neglected by municipalities is continuous cybersecurity training.  The one-time annual cyber classes are not effective. However, if the training is kept short, about three minutes per week every week, delivered to user’s email box, the results are exponentially better. Cybersecurity is top of mind. 

The lesson to be learned is that every government municipality is a target, not just big cities.  The data is valuable to hackers.  If they can take down emergency services, the hackers expect a fast payment.  Does your local government have the proper cybersecurity measures in place, such as application whitelisting and continuous training, to avoid the disaster that Cleveland is experiencing?

The original article was published in the Sierra Vista Herald and can be found here.

The Rising Importance of Cybersecurity in Our Digital Age
0
Dan Gavin
The Rising Importance of Cybersecurity in Our Digital Age

Tom and Dan were camping deep in the woods one night when Dan runs into the tent and says “There’s a bear attacking our site, we have to go!” Tom is confused when Dan stops to put his shoes on. Tom says, “What are you doing that for, you can’t outrun a bear?” Dan says, “I don’t have to outrun a bear, just you.” That’s how it is in the cyber world. In general, hackers are lazy. If it’s too hard, they move along to an easier target. 

Cybersecurity is crucial to our very survival. As technology continues to advance, so too do the threats that lurk in the deep recesses of the World Wide Web. From individuals to businesses and governments, everyone is a potential target for cybercriminals who seek to exploit vulnerabilities for their gain. 

Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These cyberattacks are aimed at accessing, changing, or destroying sensitive information, extorting money from users, or interrupting normal business processes. The internet is ubiquitous. The proliferation of connected devices means the scope and scale of these attacks have grown exponentially. Cybersecurity is no longer a concern solely for large corporations or government agencies. It is a critical issue for individuals and small businesses as well.

One of the most common types of cyberattacks is phishing. Phishing attacks involve sending fraudulent emails that appear to come from reputable sources, tricking recipients into revealing sensitive information like passwords or credit card numbers. Another prevalent threat is ransomware. It is a type of malware that encrypts a victim’s files and demands a ransom payment to restore access. Ransomware can have devastating consequences, leading to financial losses, reputational damage, and operational disruptions.

The increasing frequency and sophistication of cyberattacks highlight the need for robust cybersecurity measures. You must be vigilant about protecting your personal information online. Simple steps such as using strong, unique passwords for different accounts, enabling two-factor authentication, using an adblocker on all your browsers, and being cautious about clicking on links or downloading attachments from unknown sources can go a long way in preventing cyberattacks.

For businesses, cybersecurity must be a top priority. It is no longer a cost center. It is a revenue guarantee. Businesses need to implement comprehensive security policies, conduct regular security assessments, and provide continuous cyber education for employees. Small businesses are particularly vulnerable. They often lack the resources and expertise to defend against cyber threats. They can take advantage of various tools and services designed to enhance their cybersecurity posture. For instance, investing in a zero-trust provider can help protect sensitive data and prevent unauthorized access.

Businesses should develop and practice an incident response (IR) plan to quickly address and mitigate the impact of a cyberattack. The IR plan outlines steps taken in the event of a security incident, including notifying affected parties, containing the threat, and restoring normal operations. By being proactive and prepared, businesses can minimize the damage caused by cyber incidents and recover more swiftly.

Cybersecurity is an essential component of our digital world. As cyber threats continue to evolve, it is imperative for individuals and businesses to take proactive measures to protect themselves. By staying informed and implementing robust security practices, we can collectively enhance our resilience against cyberattacks and safeguard our digital future. The key to success is to make yourself a hard target so that the bear goes after the easy prey instead of you. 

The original article was published in the Sierra Vista Herald and can be found here.

Cyberwarfare: How foreign wars can affect us at home
0
Dan Gavin
Cyberwarfare: How foreign wars can affect us at home

On April 13, 2024, for the first time from their own country, Iran launched a huge missile and drone attack against Israel. This is all over the news, but did you know there was a cyber-attack prior to the strike against the Israeli radar systems? The pro-Iranian cyber gang known as Handala claimed to have breached radar systems and sent 500,000 text messages to Israeli citizens. The attack was meant to soften up the Israeli defense system and intimidate citizens, although it appears not to have had the desired effect.

More and more, cyberwarfare is part of the multi-pronged attack in kinetic warfare. So far, it has not been something that wins wars directly, but it contributes to the effects of other strategies. Cyberwarfare encompasses a range of activities, from espionage and sabotage to propaganda and disinformation campaigns. It is characterized by its low visibility and high impact, making it an attractive tool for state and non-state actors seeking to achieve strategic objectives without resorting to conventional military force. Additionally, the cyber domain offers a level of deniability and the ability to strike at the heart of critical infrastructure and societal functions.

There are three types of cyberwarfare commonly used today: wipers, distributed denial of service (DDoS), and defacement. The objective of wipers is to delete information from a network. This denies users access to their own data. Wiper attacks may include ransomware. A DDoS attack aims to take down a website or online resource by overwhelming it with malicious traffic. This is usually done with botnets (remotely controlled malware infected computers). Both types of attacks deny the end user access to their information or network. The third type of attack goes about their objective slightly different. Defacement deletes or modifies information on a website. The objective is to mislead the public into thinking the malign planted news is reliable with the hopes of that news going viral. This can be part of a wider psychological operation in the campaign.

There are estimates that the Iranian Ministry of Intelligence (MOIS) carried out more than 2,000 attacks each in the first week of April. Together, they operate more than 10 different attack groups. A cybertracker from CyberKnow reveals that 65 groups were involved in the campaign against Israel from the 1st to the 8th of April 2024, carrying out DDoS, defacement, and other types of attacks.

The targets of these attacks are not always digital. During the April 13th missile attack, Iranian-backed hacktivist group, the “CyberAv3ngers,” caused power outages in several Israeli cities. The CyberAv3ngers became famous in the U.S. in November and December 2023 for targeting U.S water facilities. Water utilities in Pennsylvania, Texas, and Florida were compromised. Although the consequences of the compromises were not dire, the group was sending a message that it could compromise high value targets and do damage if it wanted. The group targeted U.S. utilities for the U.S. support of Israel.

Although Iran’s cyber-attacks are noted above, it is not specific to that country. Cyberwarfare is being employed by all major powers across the globe. Israel, the U.S.A, China, Russia, North Korea, the UK, and European Union countries use these activities as part of their wider strategy to affect their influence.

Even though a kinetic war is being waged over 6000 miles away, cyber-attacks can affect us at home. Public utilities should especially be cyber prepared for anything in this environment.

You can find the original article here from the Sierra Vista Herald.

The Cyber Guys: Swatting customers, cyber hackers’ new extortion method
0
Dan Gavin
The Cyber Guys: Swatting customers, cyber hackers’ new extortion method

What you are about to read is fiction, but the scenario is feasible and, in a few months, may be likely.

Bob was sitting on the couch watching the Chiefs play the Bills. The Bills had just made a touchdown, bringing the score to Bills 17, Chiefs 10. Suddenly the front door burst open and a heavily armed group of people flowed into his home. In moments Bob was on the floor face down, arms behind him zip tied. Bob was under arrest.

Bob wasn’t guilty of a crime. He was the victim of a horrible extreme prank called “swatting.” Someone had accused Bob of posting extreme anti-government threats on social media. Bob’s social media account had been compromised, then filled with anti-government rants. Enough evidence to justify the temporary chaos you just witnessed.

Why was Bob targeted? Unfortunately, he was the client of a medical center that recently had fallen victim to a cyber-extortion group. The patient information was stolen (including Bob’s) and the threat group promised that if the ransom wasn’t paid, the threat group would make life a literal hell for the patients.

Because Bob had the bad habit of reusing his passwords it was trivial for the threat group to take over Bob’s social media account using his stolen credentials and make those false posts. Bob became the first of many to endure such humiliation.

The story is fictitious. But the threat is real. Swatting as a service is the latest tactic threat actors are using to coerce businesses into paying cyber ransom. You are truly just a pawn. Because cyberattack reports are so common today, we’ve become overwhelmed and desensitized to the implications of the threat. But now the implications are physical. Visits from actual police to your home. So far, the police visits have resulted in only momentary inconvenience for the victim and a waste of police resources. But it is conceivable this will escalate.

You are probably thinking, “There’s no way this could happen. Who would ever go to such an extent just to get money?”

The reason you think this is because you are not evil. But there are truly evil people who absolutely don’t care about the pain this causes innocent people. The effort it would take to conduct such a campaign as described above is very little on the part of the threat actor, especially in the age of artificial intelligence.

An AI bot can easily craft the content for social media posts at scale. The level of effort on the part of the human is then as little as copying and pasting the content into a compromised social media account.

But you can do something to make sure it isn’t you who suffers. First, if you don’t absolutely need social media, you can cancel your accounts. One principle of cybersecurity is “if you don’t need it, remove it.” If you do use your social media accounts, make sure you use a password manager like Bitwarden to create and securely store your passwords.

Lastly, you do have a right to ensure your data is secure. The tactic described above has been used against medical centers. Your protected health information is governed by the Health Information Portability Accountability Act. You have the right to ensure your medical provider is protecting you. Ask it to provide you with evidence it is doing more than the bare minimum. If it refuses to show you, then you may consider changing doctors.

I know this sounds extreme, but so is “swatting.”

Original article was featured in the Sierra Vista Herald and can be found here.

The $100 Million Phone Call – Tale of the MGM Hack
0
Dan Gavin
The $100 Million Phone Call – Tale of the MGM Hack

In 2008, an Australian man received a $147,000 phone bill while traveling in Europe. It appeared his 12-year-old son was playing a game of “Tap, Tap, Revenge” on his iPhone the whole time. That was quite a bill, but it is peanuts compared to the 10-minute phone call to technical support that cost MGM Resorts close to $100 Million.  

In September of 2023, a group of cyber hackers from the US and UK, ranging in age from 19-22 called Scattered Spider, used social engineering to take down many of the operations of the almost $34 Billion gambling giant. Cyber criminals went to the Linked-In social media page to find an employee that works in IT for MGM Resorts. A member of the State sponsored group named Scattered Spider called the MGM tech support team impersonating a hard-working IT employee that needed a password reset. After 10 minutes on the phone, the hackers owned that account. This was the cornerstone of the operation. If tech support verified who they were talking to prior to resetting the password, this attack may have been less damaging. The helpful tech support worker had an amygdala hijacking. The urgency to help took over the logical part of the brain that would have verified the caller.  

Once in the network, they escalated their privileges (gained admin rights) and found their way into the most valuable computers. The computers were responsible for the hospitality applications used to run the hotels and casinos. The hacking group loaded ransomware on over 100 servers. One by one the ransomware encrypted the systems and the applications crashed. Hotel keys no longer worked. Slot machines were unavailable. Point-of-Sales systems (credit cards) were unable to take payments. Guests were not able to reserve rooms and check in or out. MGM saw operations in eight states affected by the intrusion.  

Because MGM did not immediately pay the ransom, their systems were in a state of upheaval for 10 days. The losses from the disabled slot machines alone cost MGM an estimate of $5 Million a day. Some estimate a total loss of $8.4 Million per day. MGM Resorts International claimed the disruption in service caused a $100 Million loss in the third quarter results. Additionally, they spent another $10 Million on legal fees and technical consulting. As a result of the attack, their stock dropped $850 Million in market value. They have since recovered that loss. However, their biggest loss might be the damage to their reputation.  

Just a week before, another casino giant, Caesars Entertainment, suffered a ransomware attack. In contrast they immediately negotiated the ransom from $30 to $15 Million and saw only minimal disruption. The bright side (if there was one) for both corporations was that they both carried excellent cybersecurity insurance policies which covered the cost.  

There may be legitimate business reasons to pay the ransom, but it comes with an additional ethical price. The ransom you pay funds other elicit criminal activities like drug smuggling and human trafficking. We will save that discussion for another day.  

Don’t think this only happens to huge corporations, it happens to small and medium sized companies every day in America. Employees need cybersecurity training, so they don’t fall for the kind of trick played on MGM. You need to have company policies in place to protect against impersonation. You need business plans such as Incident Response Plans and Contingency of Operation plans developed and ready in case of an attack or disaster.

Keep all that in mind for your business the next time you receive an unexpected call. What will this phone call really cost? 

Original article in the Sierra Vista Herald found here:

Protect Your Castle Like a Medieval Fortress
0
Tom Jewkes

In the year 1209 the Cathars were besieged at Carcassonne in southern France. The Cathars were a religious group branded heretical by the Pope. Within the heavily fortified city the Cathars were protected but vulnerable to a supply chain attack.

The Castle Comtal within the fortified city in France’s Aude department, stands as a monumental testament to medieval military architecture and strategy. One of the most distinctive features of this castle is its portcullis with two independently controlled gates. This engineering marvel serves as an apt metaphor for the need to separate your Information Technology (IT) and Cybersecurity teams.

The Portcullis at Carcassonne

The fortified city of Carcassonne has a complex defensive system that has stood the test of time. One of its remarkable features is the portcullis, a heavy grilled door that could be dropped or raised to secure the castle’s entrance. But what sets Carcassonne’s portcullis apart is its two independently controlled gates. This means that even if one gate were compromised, the other could remain secure, providing an additional layer of defense.

Separating IT and Cybersecurity Teams: A Modern-Day Portcullis

In modern organizations, the IT and Cybersecurity teams often have different mandates but overlapping responsibilities. The IT team is generally responsible for managing the hardware, software, and networks that keep the company running. In security terms this is called “Availability”. The Cybersecurity team, on the other hand, focuses mainly on protecting the “Confidentiality” (controlling who can see what), and the “Integrity” (who can change what).

Much like the dual gates of Carcassonne’s portcullis, these teams should operate independently but in tandem. A Change Board approves software installations and updates; The Cybersecurity team updates the allow policies and the IT team implements the changes.

Advantages of Separation

1. **Focused Expertise**: Specializing allows each team to become experts in their area, leading to better performance and problem-solving.

2. **Risk Mitigation**: Separating the approval and installation of software makes it almost impossible for a disgruntled employee to wreak havoc.

3. **Checks and Balances**: Independent operations allow for internal checks, reducing the likelihood of systemic failures and oversights.

The Harmony of Independence and Interdependence

While it’s crucial for these teams to operate independently, they should not work in silos. Much like the independent but harmoniously functioning gates of Carcassonne, IT and Cybersecurity teams should have protocols for secure communication and collaboration. For instance, while the IT team may be responsible for implementing a new software platform, the Cybersecurity team should be involved in assessing its security features and updating the allow policies.

Conclusion

The dual-gate portcullis at the Castle at Carcassonne serves as a timeless symbol of defense in depth. In a world where cyber threats are increasingly sophisticated, the need for separate but coordinated IT and Cybersecurity teams has never been greater. By learning from the past and applying its lessons to the present, your company can fortify your castle against the ever-evolving challenges facing you.

Put On Your Cyber Armor Before Your First Cup
0
Dan Gavin
Put On Your Cyber Armor Before Your First Cup

Knights Prepare: In the early Middle Ages, knights spent hours getting ready for battle putting on their armor with the help of a squire.  There were hooded coats, trousers, gloves and shoes made of chain mail. Add the helmet, shield, and sword, and they were ready for war.

Cyber Protection: In order to be safe in the cyber world, computer users need to be prepared for the cyber battle that we did not request. We need protection.   Here are two examples of attacks and how to defend your home or business.

Ransomware Attacks: To avoid having to pay the ransom for your data held hostage, your organization should be backing up data nightly or more often if operations require.  In that case, you will only lose one day’s worth of data plus the time and resources it takes to restore your infected system.    

Suncrypt: This happened to Haywood County School District in North Carolina.  Their computers were attacked by Suncrypt ransomware.  They did not pay the ransom because they had backups, however, they had to delay school for a week to restore everything.  Suncrypt uses a Windows admin utility called “PowerShell” to send a file to execute on other computers in order to rename and encrypt every folder on the infected computer. The hackers now have your data hostage.

Could It Have Been Avoided?: What could the school district have done to avoid the infection altogether? 

Admin Privileges: First, the person who clicked on the phishing email had “administrative” privileges.  Cybersecurity has a concept called “least privilege” where a user has a least amount of privilege to do her work.  All internet browsing and email reading should be done as a non-admin user.  It is critical to only use admin privileges when performing admin functions (configuration and installation).

Outbound Powershell: Second, the computer security policy allowed the use of outbound PowerShell.  The system policy should have disabled outbound PowerShell capability. Powershell is the new favorite of hackers.  According to https://news.softpedia.com/news/malware-created-with-microsoft-powershell-is-on-the-rise-503103.shtml   eighty-seven percent (87%) of common malware uses PowerShell. This one change to your system can block much of the current malware.

Controlled Folder Access: Finally, for this particular attack, and those like it, the entire attack would have been thwarted if the systems had a simple setting enabled called “Controlled Folder Access.”  This feature allows only authorized applications and users to modify folders.  This would have completely blocked Suncrypt.

Phishing Attacks:  Phishing is getting very complex.  There are new targeted phishing campaigns where emails are sent to company users claiming to be from the IT Department.  The emails explain that certain sent emails were quarantined and provides a link for the user to login and review the files.  The link takes you to a screen that looks exactly like the company login.  The hackers grab the user’s credentials when they attempt to login and fix the problem.

Don’t Click It: The lesson here is to always hover over any link.  Do NOT click the link without checking it.  When you hover over the link, the details of the link show in the bottom left-hand corner of your browser or pops out on your email application.  Verify the entire link carefully. Hackers can be creative with their domain names making them similar to the real domain names. So look closely.   When it comes to links, hover, hover, and hover again. 

Put Your Cyber Armor On: So, along with that first cup of coffee or tea in the morning, remember to put on your cyber armor before you check your emails.

Copyright © 2024 CyberEye Call us at: ‪(520)224-8981