Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, October 1st. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
With me this week to talk about what’s going on is Dinah Davis, the Canadian-based vice-president of research and development for Arctic Wolf. Before we start, though, here’s a brief capsule of what happened in the past seven days:
Today is the start of the annual Cybersecurity Awareness Month activities. It’s a time when company and IT leaders, employees and consumers are reminded of best practices for staying secure online. Whether progress is being made is one of the topics I’ll talk with Dinah about.
We’ll also talk about the release this week of a cybersecurity survey of some Canadian businesses. The results were underwhelming: Just 39 per cent of respondents said they are “very confident” in their firm’s ability to detect and respond to a cyberattack.
Researchers have discovered a new ransomware group, which they’re calling Colossus. It’s claiming a U.S. car dealership chain as one of its first victims. And an unknown ransomware group has crippled bookstores across France, Belgium and the Netherlands after an attack on the cloud-based book sales management application they use.
Thirty-three residents of Texas have been arrested for being part of the Black Axe gang that ran a number of online cons including business email compromise, investor, romance and other scams. They allegedly pulled in $17 million over four years. And a U.S. arrest warrant has been issued for a man in Turkey accused of being behind a distributed denial of service attack against a U.S.-based company that manages luxury hotels and resorts.
More bad Android malware has been found in the Google Play and third-party app stores. Distributed by a gang, the apps are disguised as tools like translators, heart rate and pulse trackers, voice recorders and games. What they really do is steal money by charging smartphone users for premium services they didn’t subscribe to. Always be careful in choosing the apps you download.
Finally, a person who claims they are the co-founder of the dismantled AlphaBay criminal marketplace says they’ve revived the site. If so it’s another place where hackers can sell stolen data.
(The following is an edited transcript of my conversation with Dinah. To hear the full version play the podcast.)
Howard: So today starts Cybersecurity Awareness Month. I’ve been writing about this for at least five years. It started in the U.S. in 2004. Initially it was aimed at individuals. It’s expanded to include urging organizations not only to better educate their employees but also to improve their cybersecurity maturity. However, the number of data breaches due to misconfigurations, failure to install patches fast enough, and poor preparedness continues to climb. Dinah, Arctic Wolf released a survey this month with some unhappy numbers. Tell us about it.
Dinah: One of the surprising things that we found in the survey was that nearly one third of organizations surveyed had breaches that exceeded six figures. And one in five respondents said that their organizations have knowingly concealed cyber attacks to preserve the reputation of the business. That’s just crazy to me. And a staggering 61 per cent of the business owners admitted that they actually concealed the breach themselves, which is just nuts.
Howard: What I wondered is, does that mean they conceal the breach from their customers and partners, or does it mean they conceal the breach from the public, which is somewhat different. There are regulatory requirements that they tell partners and customers as well as privacy commissioners.
Dinah: I don’t think we got into the details there in the survey, but I agree with you that there are big differences. If they concealed it entirely from everyone, then in many cases they may be breaking laws and that’s not really acceptable at all. We know that people are going to have cybersecurity breaches. So it’s really about what’s your response plan? How are you going to manage it? And to me, a successful response plan involves talking to your customers and your investors and anyone else that might be impacted and telling them that it happened.
Howard: There was another part of that survey that said 60 per cent of their executives believe that their individual employees could not identify a cyberattack targeting their business.
Dinah: I think it just constantly comes down to [employee] awareness training on what attacks look like, how to stop them and all that kind of stuff.
Howard: Another survey I saw this week was a KPMG Canada survey of 253 small and medium-sized Canadian businesses that also had some unpleasant results. Here are a few things that I noted: Less than 20 per cent of respondents said that they feel their firm can fully detect and fend off cyberattacks. Only 38 per cent said that cybersecurity is deeply embedded into all aspects of their business. Only half of the respondents said their firm actually tests the effectiveness of their cyber defenses. To me, these really aren’t good numbers. I mean, cybersecurity awareness has now been going on for like 18 years as a campaign. Why aren’t businesses doing better?
Dinah: I would love to know what the answers to that were five years or 10 years ago, because I bet you the needle has moved. Has it moved enough? I don’t think so. Obviously not. The numbers should not be that bad. But I think if we look at it more like what’s happened in the last four years, I think there’s been a significant level of awareness that has increased in the general public. But it has a long way to go.
Howard: Admittedly, when you do these surveys a number of them are kind of guesstimates by respondents. You know, it’s a sort of, ‘How do you feel?’ But if only 38 per cent of respondents think that cybersecurity is deeply embedded into all aspects of their business, that’s really alarming.
Dinah: But I bet you like five years ago it was 10 per cent
Howard: Can you talk about what firms need to do to strengthen their cybersecurity maturity?
Dinah: One of the things that’s really important to do is understand and assess your security posture. And the number one thing is to make sure you understand your attack surface: Where can you be attacked from? A lot of people will think that it’s just their work computers, just the network they’re in, but that really isn’t right. It’s every asset you have: It’s your entire network, it’s all the endpoints – including the laptops that are out there, especially in this hybrid world — it’s the cloud applications you use … and your employees and their family, they’re all part of the attack surface, as well as any of the vendors that you’re buying from.
You want to make sure you can assess each one of those. We’ll give you a little tip here on each one. For all of your assets, this really comes down to vulnerability management and assessment. And that all comes down to patching. You want the latest versions of software and hardware running on all assets that you possibly can. You want to create a [patching] program around that so it’s not done ad hoc.
Howard: What’s really important with patching is that you have a documented process. As we all know, in IT people come and go so the process that they should be using for patching has got to be documented. And then new people coming in can read it and see what their responsibilities are and what they’re supposed to be doing.
Dinah: That’s really key.
Howard: There was a story I covered this week on a report from Trustwave on an internet scan to see how many systems they could detect that did not have patches installed for vulnerabilities this year, let alone ones that they know are unpatched and are three, four years old and that attackers are still exploiting. And they found that there were lots of systems they could detect on the internet that still hadn’t been patched. These included on-premise Microsoft Exchange systems and a number of VPNs. And again, this just underscores how important it is for organizations to have rigorous patching and asset discovery.
Dinah: And it’s difficult. Sometimes patching something means you’re going to break a whole bunch of things. So it has to be planned. And this is why you need to have that program put in place. You might need to wait for a maintenance window so that you can do it properly, but anything with a vulnerability rating above a nine you should be doing immediately, no matter what the impact.
If we continue looking at the attack surface, your network is also really important: Do you have the right firewalls in place? Do you have a firewall with the right rules in place? Do you have an IDS (intrusion detection system) in place? Are you monitoring the network traffic with a SIEM (security information and event management) system or a managed service?
For any endpoint – laptops and servers — you should be running endpoint software. Recently our security team recommended a customer get agents and Sysmon (Windows System Monitor) installed on all of their employees’ laptops. It’s a recommendation we often make but not all companies will do it because there’s an effort to get them all installed, but this company did. And within a few hours of installing the agent and Sysmon we got a malicious PowerShell alert. It turns out that malware was present on the system and in a few other environments and was running all kinds of malicious scripts that you really can’t find unless you have endpoint software running.
The concierge team was able to get on the phone with a client and help them through stopping that attack entirely. It just goes to show the importance of the endpoints, especially in a world where most people are working from home right now and they’re not inside your network.
The next area that we want to look at is the cloud. Cloud software is not inside your network. We [at Arctic Wolf] recently were able to stop a business email compromise attack by monitoring the Office 365 logs for our clients. We first noticed an issue when we got a login by one of the company executives from a suspicious country. We notified the customer, and they said it could be okay. We decided to keep an eye on the situation. And that was when the second indicator of compromise came in. We saw through the Office 365 logs that a new email rule had been created. This is really typical [of an email attacker]. Somebody gets into an [email] account and they change the email rules so that they can see what’s happening. So this was a combination of a suspicious login followed by an email rule change, which really strongly indicates that an attack is in progress. By reviewing the Office 365 logs we were able to identify that the rule was created to conceal any email replies from the accounting team. What the attacker was going to do was send the accounting team an email for a wire transfer and then hide all the replies so that the person who had that email account wouldn’t see the replies, because few people look at their ‘Sent’ box. The attacker sent an email to the accounting team asking for a wire transfer of $700,000. But because we saw this we were able to contact the accounting team immediately and stop the transfer. And the way you get attackers like this out of your system is you lock down the account and change the passwords. So it’s really important to be monitoring your cloud sources as well as your onsite resources.
As for employees, 80 per cent of what people learn they forget in four months. That’s quite staggering. So a yearly awareness training program is only effective for two months after you do it. You need to re-engage staff multiple times a month. It’s best in tiny little bits. We educate our employees multiple times a month in short three-to-five minute videos. And the content we share with them is really relevant. For example, after the Colonial Pipeline ransomware attack we had a little video about what happened, how they were breached and how you could protect against that.
You also want to take risk away from your employees. And one way to do that is by implementing single sign-on programs, so they don’t need to remember different usernames, different passwords. They need one username and one very strong password they don’t use for anything else.
Howard: And finally, you’ve got to keep an eye on your vendors because they’re also part of your attack surface, either indirectly – you use their software – or directly – in that you may be allowing them direct access into your systems for any number of legitimate reasons like maintenance.
Dinah: Exactly. The Kaseya attack is the latest example of needing to make sure you’re checking your supply chain. You need to make sure to identify your suppliers, define where your risks are and start measuring and monitoring these risks. You also want to make sure you can find out what the supplier has access to, and maybe define different procedures for handling their access. And then look at the contracts you have with the suppliers. What is your recourse if they have a breach and it impacts you? Is that built into the contract? Do they owe you money? What do they owe you if that happens? There are a lot of things here to consider, but again, it starts with looking at your attack surface.
Howard: I want to also note that if you’re thinking about how the heck am I going to have a documented process for all of this, there’s great advice on the websites of the Canadian Centre for Cyber Security, the United States Cybersecurity and Infrastructure Security Agency, and NIST (the U.S. National Institute of Standards and Technology; see its Cybersecurity Framework). And then your vendors will often have white papers and free advice on how to get going on a documented cybersecurity strategy.
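The business email compromise Dinah describes above was caught by correlating two signals in the Office 365 audit logs: a sign-in from an unexpected country, then an inbox rule that hides replies. The following is an added example of that correlation logic, written for this page; it is not Arctic Wolf’s code or Microsoft’s. The audit records are constructed to mirror the field names of Microsoft 365 unified audit log entries (Operation, UserId, ClientIP, CreationTime, Parameters), the expected-country set and the IP-to-country table are assumed stand-ins for a tenant baseline and a real GeoIP lookup, and the addresses and names are invented.

```python
"""Correlate M365 audit events: a sign-in from an unexpected country
followed by an inbox rule that hides or forwards mail (added example)."""
from datetime import datetime, timedelta

# Assumed baseline: countries this hypothetical tenant's staff sign in from.
EXPECTED_COUNTRIES = {"CA", "US"}
# Stand-in for a GeoIP database; values are assumed for the example.
IP_COUNTRY = {"203.0.113.10": "CA", "198.51.100.7": "US", "192.0.2.44": "ZZ"}

# Operations that create or change inbox rules (PowerShell and Outlook clients).
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Folders an attacker uses to keep replies out of the owner's sight.
HIDE_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive", "conversation history"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def login_country(event):
    return IP_COUNTRY.get(event.get("ClientIP"), "??")


def is_suspicious_login(event):
    """Successful sign-in from outside the expected countries (failed attempts are ignored)."""
    return (event.get("Operation") == "UserLoggedIn"
            and event.get("ResultStatus") == "Success"
            and login_country(event) not in EXPECTED_COUNTRIES)


def rule_reasons(event):
    """Return the reasons an inbox-rule event looks like it hides or exfiltrates mail."""
    if event.get("Operation") not in RULE_OPS:
        return []
    params = {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}
    reasons = []
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    if params.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
        reasons.append(f"moves mail to {params['MoveToFolder']}")
    for name in sorted(FORWARD_PARAMS):
        if name in params:
            reasons.append(f"{name}={params[name]}")
    if reasons and params.get("MarkAsRead", "").lower() == "true":
        reasons.append("marks mail as read")
    return reasons


def correlate(events, window=timedelta(hours=24)):
    """Walk events in time order and emit alerts.
    high:   hiding/forwarding rule within `window` after a suspicious sign-in by the same user
    medium: such a rule with no preceding suspicious sign-in
    low:    suspicious sign-in alone (worth a call to the customer, as in the story above)"""
    alerts = []
    recent_logins = {}  # UserId -> (time, country) of the latest suspicious sign-in
    for ev in sorted(events, key=lambda e: parse_time(e["CreationTime"])):
        t, user = parse_time(ev["CreationTime"]), ev["UserId"]
        if is_suspicious_login(ev):
            recent_logins[user] = (t, login_country(ev))
            alerts.append({"user": user, "severity": "low", "when": t,
                           "detail": f"sign-in from {login_country(ev)} via {ev['ClientIP']}"})
            continue
        reasons = rule_reasons(ev)
        if not reasons:
            continue
        severity, login = "medium", recent_logins.get(user)
        if login and t - login[0] <= window:
            severity = "high"
            minutes = int((t - login[0]).total_seconds() // 60)
            reasons.append(f"{minutes} min after sign-in from {login[1]}")
        alerts.append({"user": user, "severity": severity, "when": t,
                       "detail": f"{ev['Operation']}: " + "; ".join(reasons)})
    return alerts


def summarize(alerts):
    """Highest severity seen per user."""
    worst = {}
    for a in alerts:
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK.get(worst.get(a["user"]), 0):
            worst[a["user"]] = a["severity"]
    return worst


# Constructed sample records (not real log data), shaped like unified audit log entries.
SAMPLE_EVENTS = [
    {"CreationTime": "2021-09-28T08:00:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ClientIP": "203.0.113.10", "ResultStatus": "Success"},
    {"CreationTime": "2021-09-28T14:02:11", "Operation": "UserLoggedIn", "UserId": "alice@example.com",
     "ClientIP": "192.0.2.44", "ResultStatus": "Success"},
    {"CreationTime": "2021-09-28T14:20:45", "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "wire transfer"},
                    {"Name": "MoveToFolder", "Value": "Deleted Items"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2021-09-28T09:15:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com",
     "ClientIP": "192.0.2.44", "ResultStatus": "Failed"},
    {"CreationTime": "2021-09-28T09:30:00", "Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice"}, {"Name": "MoveToFolder", "Value": "Receipts"}]},
    {"CreationTime": "2021-09-28T11:00:00", "Operation": "Set-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "mailbox@example.net"}]},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["when"], alert["severity"].upper(), alert["user"], alert["detail"])
```

On the sample data, alice’s sign-in from an unexpected country alone produces only a low alert, matching the “it could be okay” response in the story; the rule she creates eighteen minutes later, which drops anything mentioning a wire transfer into Deleted Items and marks it read, escalates the pair to high. Bob’s failed foreign sign-in and his ordinary filing rule produce nothing, and carol’s forwarding rule surfaces as medium because no suspicious sign-in preceded it. In production the country baseline would come from the tenant’s sign-in history and the lookup from a real GeoIP source.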