Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
The Definitive Guide to Free Cybersecurity Resources During COVID-19 Pandemic

COVID-19 has transformed the world in a matter of weeks. Many people now work from home for the first time, relying on the latest tools to connect with their employers, colleagues, and clients. Sadly, cybercriminals are still exploiting weaknesses and targeting vulnerable people with scams. Fake government websites and messages have been reported, tricking users searching for official information in a time of profound unease. As more people are cut off from their usual working environments, they may be unsure how to stay safe online. Fortunately, Canadian businesses can take advantage of free cybersecurity resources and defend themselves during the COVID-19 crisis. In this guide, we explore the most valuable websites and tools available right now.

Cybersecurity Informational Resources for Businesses

Employees who are new to working from home can struggle to adapt to monitoring their own cybersecurity and taking effective precautions. The first step is to read the right information. Canadian businesses looking to protect their infrastructure and employees during the COVID-19 upheaval can share the following resources with their teams to help them safeguard their own hardware and software at home:

Canadian Anti-Fraud Centre

This may have been your first port of call, but if not, the Canadian Anti-Fraud Centre is packed with helpful insights. For example, there’s an in-depth list of reported scams to be aware of, including people posing as charities, cleaning companies, the Public Health Agency of Canada, the Red Cross, and government departments. Check the list regularly to stay up to date on the latest scams. It also provides tips on how to protect yourself and your business against online dangers. It’s never been more important to stay vigilant.

Canadian Centre for Cyber Security

The Canadian Centre for Cyber Security is another crucial resource for businesses.
It features a fantastic guide — ‘Staying cyber-healthy during COVID-19 isolation’ — which links to several eye-opening articles on phishing, spotting malicious emails, and updating software & devices to mitigate risks.

National Institute of Standards and Technology (NIST)

NIST operates an outstanding Small Business Cybersecurity Corner, covering everything from Cybersecurity Resources Roadmaps to Cybersecurity Framework Steps for Small Manufacturers. There’s a Telework Cybersecurity section with lots of resources for teams working from home, exploring such critical topics as Telework Security Basics and Mobile Device Security.

Cybersecurity News Updates

Businesses across Canada should try to stay well-informed on cybersecurity dangers and scams. The following sites are posting regular updates:
Free Cybersecurity Tools

Sophos

Antivirus brand Sophos is offering free cybersecurity software for professional and personal use. For as long as the COVID-19 crisis lasts, Sophos customers have free access to the Sophos Home Commercial Edition program, which delivers business-grade defense for all users. On top of this, Sophos’ XG Firewall is available with a 90-day free trial. It provides automatic threat isolation and insights into hidden threats.

Click Armor

Click Armor is a Canadian security platform, and its “Can I Be Phished?” tool is a handy resource for all businesses and remote workers. It’s a user-friendly three-minute assessment designed to measure your ability to recognize phishing emails. The assessment invites users to pick out the emails they believe are suspicious, such as falsified HR policy updates, news alerts, and more. It may help employers and employees alike develop a sharper eye for spotting dangerous emails lurking in inboxes.

Qualys

Qualys is providing Remote Endpoint Protection for remote workers. This is in response to the increased number of people now doing their jobs from home and is free for 60 days. It gives users real-time visibility into all major weaknesses and issues (such as misconfigurations) that could put devices at risk.

DomainTools

DomainTools has built a free list of websites considered high-risk during the COVID-19 crisis, helping businesses to protect their systems, workers, and data against cybercriminals. The tool provides access to the list after a brief registration process. The keyword-based, streamlined search function makes finding problem sites fast. Users can also see when high-threat domains were created and the level of risk they pose (represented as a score for at-a-glance insights). The list includes tens of thousands of sites so far.
1Password

Canadian cybersecurity company 1Password has adjusted the pricing on its 1Password Business package, so that companies can now get their first six months of use for free (instead of just 30 days). The company discussed its reasons for making the change in this blog post. The tool enables businesses to centralize their login details in one place, with no need to memorize them or write them in notebooks that could go missing. Remote workers can access their business logins securely, increasing safety and reducing the time they could waste by forgetting or misplacing their passwords.

Cisco

Networking company Cisco is allowing its Cisco Umbrella customers to exceed their user limit for free, to accommodate the increase in employees working from home. New customers, not just existing ones, also have access to a free license. Cisco’s offer applies to Duo Security, too, which is a two-factor authentication tool. It can be integrated into mobile or web apps, and prompts users to confirm their identity when trying to log in. The Cisco AnyConnect Secure Mobility Client is also included in the offer, which runs until July 1, 2020.

These are trying times for businesses of all sizes, but the strain may be particularly tough for smaller companies with tighter budgets. Taking advantage of these free cybersecurity resources and tools can help you stay safe online, even when cybercriminals are at their most ruthless. At The Driz Group, we continue to provide our customers with cutting-edge managed services to prevent cyberattacks and protect applications. Schedule a free consultation to discuss your business’s cybersecurity options now.

Cybersecurity Risks Posed by COVID-19 Pandemic

The Canadian Centre for Cyber Security has warned that the COVID-19 pandemic poses an elevated level of risk to the cyber security of Canadian organizations involved in the response to the pandemic.
In a recently released alert, the Canadian Centre for Cyber Security said that the COVID-19 pandemic presents an elevated level of risk to cyber security, not just to organizations in the medical and health sector but also to other Canadian businesses, particularly those with employees teleworking through VPNs. The Cyber Centre recommends that these high-risk organizations remain vigilant and take the time to ensure that they’re engaged in cyber defense best practices.

Cyber Threats

According to the Canadian Centre for Cyber Security, high-risk organizations should engage in cyber defence best practices to fight against sophisticated threat actors and ransomware.

1. Sophisticated Threat Actors

The Cyber Centre said that sophisticated threat actors may target Canadian organizations involved in supporting the country’s response to the COVID-19 pandemic, which include organizations within the medical research community. The Cyber Centre said these sophisticated threat actors may attempt to steal data relating to the response to the pandemic, including ongoing key research towards a vaccine or other medical remedies, or other topics of interest to the threat actors.

2. Ransomware

Ransomware is a type of malicious software (malware) that encrypts victims’ computers or files, thereby locking out legitimate users and forcing the victims to pay ransom in exchange for the decryption keys that would unlock the computers or files. According to the Canadian Centre for Cyber Security, the impact of a ransomware attack on Canadian organizations involved in supporting Canada’s response to the COVID-19 pandemic could be more devastating during the current pandemic than if it were to occur in a non-pandemic environment. Cyber criminals, the Cyber Centre said, may take advantage of the COVID-19 pandemic, exploiting the increased pressure being placed on Canadian health organizations to extract ransom payments.
Preventive and Mitigating Measures Against Cyber Threats Arising from the COVID-19 Pandemic

Here are some of the preventive and mitigating measures, or cyber security best practices, for these trying times:

Stay Aware of COVID-19 Phishing Campaigns

As of March 28, 2020, the Government of Canada reported 5,386 confirmed COVID-19 cases and 60 confirmed deaths. Globally, the World Health Organization (WHO) as of March 28, 2020 reported 571,678 confirmed COVID-19 cases and 26,494 confirmed deaths. As this pandemic unfolds, people are hungry for information and cyber criminals are taking advantage by launching phishing campaigns, cyber-attacks that weaponize emails. In phishing campaigns, victims are tricked into opening emails that masquerade as coming from legitimate sources. These malicious emails are in fact laden with malicious links or attachments that, once clicked, could install malware, including ransomware.

Increase Compromise Monitoring

High-risk organizations should exercise increased monitoring in order to detect attempted compromises by sophisticated threat actors or ransomware attackers. Employees who are now working from home as a result of the COVID-19 pandemic put a strain on your organization’s network. It’s important to monitor logs for malicious activity.

Follow the 3-2-1 Rule of Backups

3: Stands for keeping 3 copies of any important file: 1 primary and 2 backups.
2: Stands for keeping the files on 2 different media types to protect against different types of hazards.
1: Stands for storing 1 copy offsite, outside the organization’s facility.

Apply Patches to Critical Vulnerabilities

According to the Canadian Centre for Cyber Security, critical security vulnerabilities related to telework, also known as remote work, are of particular concern during the COVID-19 pandemic.
As organizations rush to make more infrastructure available to remote users, such as virtual private networks (VPNs), unpatched software may be deployed, the Canadian Centre for Cyber Security said. Over the past year, multiple critical vulnerabilities in VPN devices have been identified. Multiple successful exploitations of these critical vulnerabilities in VPN devices have also been reported, leading the Canadian Centre for Cyber Security to assess that these same VPN critical vulnerabilities “are likely to be leveraged for renewed compromise attempts over the short term”. The Cyber Centre added that the critical security vulnerabilities listed below are among those likely to be targeted by malicious actors:

- CVE-2019-0708: This security vulnerability in Remote Desktop Services allows an attacker to execute arbitrary code on the affected Windows operating systems, enabling an attacker to install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2019-19781: This security vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway could be exploited through a directory traversal attack against the /vpn directory of a vulnerable system.
- CVE-2020-0688: This remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.
- CVE-2020-0796: This remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploits this critical vulnerability could gain the ability to execute code on the target server or client.
- CVE-2020-1938: This critical security vulnerability in Apache Tomcat could allow attackers to access the Apache JServ Protocol (AJP) port by bypassing security checks based on client IP address and by bypassing user authentication if Tomcat was configured to trust authentication data provided by the reverse proxy.

It’s important to apply the available security patches and mitigating measures for the above-mentioned critical security vulnerabilities as soon as possible.

If you need help or are looking for cybersecurity advice: to help Canadian businesses stay safe, The Driz Group is providing complimentary cybersecurity advisory services and resources during the COVID-19 pandemic. Call us today at 1.888.900.DRIZ (3749) or email [email protected]

How to Facilitate Secure Remote Work Arrangements

The Government of Canada, in an effort to contain and prevent further spread of the new coronavirus disease (COVID-19), has urged all Canadians to stay home and practice social distancing. In the work environment, this means that Canadian businesses are urged to facilitate “remote work arrangements”. The World Health Organization (WHO) on March 11, 2020 assessed COVID-19 as a pandemic. As of March 21, 2020, the Government of Canada reported 1,231 confirmed cases of COVID-19 in Canada, with 13 deaths. Worldwide, as of March 22, 2020, WHO reported 267,013 confirmed cases of COVID-19 and 11,201 deaths in 185 countries or territories. “During this extraordinary time, the Government of Canada is taking strong action to help Canadian businesses as COVID-19 is affecting them, their employees and their families,” the Government of Canada said. The Government has urged all Canadians to stay home unless it is absolutely essential to go out, and to practice social distancing and good hygiene. “For businesses, this means facilitating flexible and remote work arrangements,” the Government said.
What Is a Remote Work Arrangement?

A remote work arrangement allows workers to work from home whenever and wherever possible. This arrangement limits the number of workers on-site, thereby contributing to the efforts to contain the COVID-19 outbreak and prevent further spread. Remote work, also known as telework, is nothing new. While remote work has been adopted by some sectors, it hasn’t achieved wide adoption. Based on 2016 data from Canada’s General Social Survey (GSS), 2.3 million paid workers, or 12.7% of Canada’s total workforce, telework at least an hour a week. Of the 2.3 million Canadians who telework, more than 500,000 do so for more than 15 hours per week. According to the 2016 GSS data, remote work in Canada is associated with occupations most connected to the knowledge economy, with 36% of workers in the management sector, 24.3% in the education sector and 21.7% in the nature and applied science sector teleworking. The sudden shift from office work to remote work arrangements as a way to contain and prevent further spread of COVID-19 has caught many employers and employees off guard.

Remote Work Challenges

In a remote work arrangement, there are 2 things that need protection: the devices (those used by the remote workers and those used by remote employers) and the communication link. One of the challenges of remote work in light of the COVID-19 outbreak is the fact that many organizations are forced to allow their staff to use their personal desktops, laptops or mobile devices, as organizations have been unprepared to issue official or organization-owned devices. Allowing staff to use their personal computers is, in itself, a security issue. Some of the security issues arising from the use of personal computers include:
Organizations offering remote work arrangements face the same device security challenge. Organizations’ devices are at risk of unauthorized access from malicious insiders and malicious outsiders alike. Outdated computers, such as those running an outdated server operating system, also pose a security threat not just to the organization concerned but also to remote workers allowed to remotely access the organization’s devices.

Best Practices in Facilitating Secure Remote Work Arrangements

Here are some of the best practices in facilitating secure remote work arrangements:

1. Practice Network Segmentation

Network segmentation refers to the practice of dividing your organization’s network into sub-networks. This practice ensures that if one sub-network is compromised, the other sub-networks won’t be affected. For the security of your organization’s network, it’s important to prevent non-IT remote workers from accessing your organization’s network. For IT remote workers, network segmentation is especially important. The negligence or malicious actions, for instance, of one remote worker who has access to a certain sub-network won’t affect the other sub-networks, especially those sub-networks that are critical to the operation of your organization.

2. Use a VPN

A VPN, short for virtual private network, acts as a secure tunnel between two endpoints: the remote worker’s device and your organization’s server. For example, a remote worker can use the VPN to send encrypted data to your organization’s server. It’s important to use multi-factor authentication for all VPN connections. Multi-factor authentication for all VPN connections is particularly important as login credentials (VPN usernames and passwords) are sought after by cyber criminals. VPN login credentials are often stolen via phishing campaigns, campaigns that trick remote workers into clicking on malicious links or attachments contained in malicious emails that masquerade as coming from legitimate sources.
Clicking on these malicious links or attachments could lead to malware that steals VPN login details being downloaded onto the remote worker’s device. The use of multi-factor authentication on all VPN connections renders the theft of login details useless.

3. Keep All Devices Up to Date

Always keep your organization’s devices up to date by using devices that receive regular security updates, and by applying security updates in a timely manner. Applying security updates to server operating systems and VPNs should be the top priority. Vulnerabilities in server operating systems and VPNs have in the past been exploited by malicious actors, as these two are seen as gateways to victims’ networks.

On behalf of all staff we wish you and your families well. During these challenging times, we are ready to help those who need assistance with minimizing IT and cybersecurity risks.

Need a few working-remotely tips? Here are a few work-from-home productivity tips from our management team:

1. Dress for success

Even though you are working from home, always dress as if you were going to work. We found that it helps to set a proper mood and helps motivation and demeanor.

2. Find a quiet spot

Kids and pets are fun, but you need to be 100% focused on the task at hand to be productive. Every minute of distraction may set you back an hour.

3. Plan your day

Plan as if you were in the office. Keep your calendar up to date and let your co-workers know when you are available and when you are not, to avoid scheduling conflicts.

4. Take breaks

Coffee breaks and lunch are a must to stay rested and sharp. Even when you are working from home, your brain and your eyes still need rest.

5. Don’t check email

Well, most of us must check email, and we recommend checking your email twice a day to get more done. After all, if you are getting back to people the same day, it’s more than acceptable. If something is truly urgent, people will call you.

6. No social media

At least during business hours.
Unless browsing social media is a part of your job, keep your mind focused and get more done.

7. Automate

Find the right apps and tools for your particular industry and spend the time automating as many menial tasks as possible. Many tools are free to use or cost very little yet save you a lot of time. If you don’t value your own time, no one else will.

Looking for cybersecurity and IT risk advice? Contact us today to speak with a cybersecurity expert. We offer complimentary advisory services to Canadian businesses of all sizes during the COVID-19 pandemic so that you and your organization remain safe.

How to Block Malicious SMB Traffic from Entering or Leaving Your Organization’s Network

In recent years, vulnerabilities in SMB, short for Server Message Block, have been exploited by attackers to enter or leave their victims’ networks.

What Is SMB?

SMB is a network file sharing and data architecture protocol that’s used by major operating systems such as Windows, macOS and Linux. A client, meaning a computer used to access a server through a network, uses SMB to access data on a server. A server, meaning a computer that stores a wide variety of files such as application and data files, uses SMB for workloads like clustering and replication. SMB was originally developed in the 80s by IBM. Microsoft adopted this protocol but made considerable modifications. Microsoft’s SMB protocol has since gone through 3 versions: Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3). The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, while the SMBv3 protocol was introduced in Windows 8 and Windows Server 2012. Microsoft publicly deprecated the SMBv1 protocol in 2014.
SMBv1 Security Vulnerability

Ned Pyle of Microsoft described SMBv1 as much like the original 80s version, that is, designed for a world that no longer exists: “a world without malicious actors, without vast sets of important data, without near-universal computer usage”. According to Pyle, key protections offered by later SMB protocol versions aren’t found in SMBv1, including the following:
On March 14, 2017, Microsoft issued a security update, also known as a patch, fixing the vulnerability in SMBv1. According to Microsoft, this vulnerability could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Nearly 2 months after the release of the patch for SMBv1, on May 12, 2017, the WannaCry malicious software (malware) infected hundreds of thousands of computers worldwide. The group behind WannaCry exploited the security vulnerability in SMBv1.

SMBv3 Security Vulnerability

On March 12, 2020, Microsoft issued a patch for a security vulnerability in SMBv3. According to Microsoft, this security vulnerability, referred to as CVE-2020-0796, could allow an attacker to gain the ability to execute code on the target SMB server or SMB client. Microsoft said that in order to exploit the vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against an SMB client, meanwhile, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it. The CVE-2020-0796 vulnerability exists in a new feature that was added to Windows 10 version 1903, including the following versions:
Cybersecurity Best Practices in Blocking Malicious SMB Traffic

Keeping your operating systems up to date and using only supported operating systems are two of the effective measures in blocking malicious SMB traffic. In the case of the WannaCry attack, many of the infected computers had not applied Microsoft’s March 14, 2017 security update. It’s therefore important to keep your operating system up to date. Other victims of the WannaCry attack were unsupported computers, those that no longer received security updates because they had already reached their end of life or end of support. It’s important to only use operating systems that receive regular security updates, that is, those that haven’t yet reached their end of life. The high number of WannaCry victims showed that a high number of Windows users were running unsupported operating systems or hadn’t installed Microsoft’s March 14, 2017 security update. For the SMBv3 security vulnerability CVE-2020-0796, Microsoft recommends the following mitigating measures:
According to Microsoft, blocking TCP port 445 at the network perimeter firewall will help protect systems behind that firewall from attempts to exploit the CVE-2020-0796 vulnerability. This mitigating measure helps avoid internet-based attacks, those that originate outside the enterprise perimeter. Failure to apply Microsoft’s March 12, 2020 security update, however, could still leave systems vulnerable to attacks from within the enterprise perimeter.
One workaround for the CVE-2020-0796 vulnerability, especially for organizations that can’t immediately apply the March 12, 2020 security update for operational reasons, is to disable SMBv3 compression. Disabling SMBv3 compression with the PowerShell command below blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 server:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Microsoft, however, warned that disabling SMBv3 compression doesn’t prevent the exploitation of SMB clients.
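The following script is an added example, not code from the original post or from Microsoft. It audits the SMB hardening points above on the local Windows host (SMBv1 state, the DisableCompression value, and a host firewall rule for TCP 445) and, with -Remediate, applies the DisableCompression workaround quoted above, disables SMBv1 and blocks inbound TCP 445 on the Public firewall profile; the firewall rule name is chosen for this example, and the build-number threshold assumes Windows 10 version 1903 corresponds to build 18362.

```powershell
<#
  Added example (not from the original post or from Microsoft).
  Audits SMB hardening on the local host; -Remediate applies the fixes.
  Run from an elevated PowerShell session.
#>
[CmdletBinding()]
param([switch]$Remediate)

$lanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ruleName     = 'Example - Block inbound SMB (TCP 445) on Public profile'  # name chosen for this example

function Get-SmbHardeningStatus {
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    # SMBv3 compression, the feature CVE-2020-0796 lives in, arrived with Windows 10
    # version 1903 (build 18362, assumed here); earlier builds have nothing to disable.
    $compression = Get-ItemProperty -Path $lanmanParams -Name DisableCompression -ErrorAction SilentlyContinue
    $rule        = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        BuildNumber             = $build
        Smb3CompressionPresent  = ($build -ge 18362)
        Smb3CompressionDisabled = ($compression.DisableCompression -eq 1)
        Smb1ServerEnabled       = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Port445BlockRulePresent = [bool]$rule
    }
}

function Invoke-SmbHardening {
    # The workaround quoted in the post: turn SMBv3 compression off on the server side.
    Set-ItemProperty -Path $lanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force
    # SMBv1, the protocol WannaCry abused, should not be offered at all.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Host-level counterpart of blocking TCP 445 at the perimeter, limited to the Public
    # profile so domain and private-network file sharing keep working.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

$status = Get-SmbHardeningStatus
$status | Format-List

if ($Remediate) {
    Invoke-SmbHardening
    Get-SmbHardeningStatus | Format-List
}

if ($status.Smb3CompressionPresent) {
    # As the post notes, the registry workaround protects only the server side; the
    # March 12, 2020 security update is still required to cover SMB clients.
    Write-Warning 'Compression-capable build: confirm the March 12, 2020 SMBv3 security update is installed.'
}
```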
How to Strengthen Cloud Backups Against Ransomware

Cloud backup is an important defense against ransomware attacks. Cloud backups, however, have recently been targeted by ransomware attackers. In a ransomware attack, the computer or the data within it is encrypted, preventing users’ access to that computer or data. The lack of backups forces many victims to pay ransom in exchange for the decryption keys that would unlock the locked computers or data.

Cloud Backups

As many organizations have migrated their daily operations to the cloud, many have migrated their backups to the cloud as well. For many organizations, cloud backups have given them a false sense of security. If not configured properly, cloud backups could easily be stolen, deleted and, in a worst-case scenario, used against your organization. The group behind the ransomware called “DoppelPaymer” recently published on their leak website the admin username and password for a Veeam user account owned by one of DoppelPaymer ransomware’s victims who refused to pay ransom. Switzerland-based Veeam is a software company that develops cloud backup software. DoppelPaymer is the latest addition to the number of ransomware programs that establish leak websites to shame victims who refuse to pay ransom. Data stolen from the victims prior to encryption is published on these leak websites. "Cloud backups are a very good option against ransom but do not 100% protect as cloud backups are not always good configured, offline backups often outdated – the system of backups is really nice but human factor leaves some options," the group behind DoppelPaymer told Bleeping Computer.

How Cybercriminals Compromise Cloud Backups

Ransomware attackers often initially compromise victims’ computers through phishing campaigns or exposed RDP. In phishing campaigns, attackers trick victims into opening malicious emails containing malicious links or attachments.
Opening these malicious links or attachments could lead to the actual ransomware being downloaded onto the victims’ computers. Exposed RDP is another gateway for ransomware attackers into victims’ networks. RDP, short for Remote Desktop Protocol, is a protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. Exposed RDP endpoints, those with weak passwords and without multi-factor authentication, virtual private networks (VPNs), or other security measures, are targeted by cybercriminals as an initial entry point to gain access to their victims’ networks. The group behind the ransomware called “Maze” told Bleeping Computer that cloud backup credentials are used to restore the victims’ data stored in the cloud to servers under the group’s control. Maze ransomware started the trend among ransomware operators of establishing leak websites in order to shame victims who refuse to pay ransom. "Yes, we download them [data stored in the cloud],” the group behind Maze ransomware told Bleeping Computer. “It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to data breach detection software.” Operators of the DoppelPaymer and Maze ransomware, however, didn’t elaborate to Bleeping Computer on how they were able to gain access to their victims’ cloud backups. In the case of users of the Veeam software for cloud backups, the role of Mimikatz and the practice of configuring Veeam to use Windows authentication could have led to the compromise of these cloud backups. Once malicious actors gain access to their victims’ networks, they systematically move through the network, for instance via the use of Mimikatz, an open-source application that allows attackers to view and save Windows authentication credentials.
These stolen Windows authentication credentials are used by the attackers to access cloud backups that use the Veeam software, as some administrators configure Veeam to use Windows authentication.

Cybersecurity Best Practices in Securing Your Organization’s Cloud Backups

In a white paper released by Veeam, the company said that one of the best practices in securing your organization’s cloud backups is the use of different credentials for cloud backups. “One of the key characteristics of ransomware is its ability to propagate,” Veeam said. “By using different credentials within the Veeam infrastructure, we can introduce more resiliency by limiting propagation from other operating systems on the network. The best, broadest recommendation is to have at least two credential mechanisms in use. That can include both Windows and Linux accounts, Windows and Veeam Cloud Connect, etc.”

It’s also important to follow the time-tested 3-2-1 rule:

3: Keep 3 copies of any important file: 1 primary and 2 backups.
2: Keep the files on 2 different media types to protect against different types of hazards.
1: Store 1 copy offsite (for example, a cloud backup).

Following the 3-2-1 rule, aside from the cloud backup, it’s also important to keep a backup on-premise or on-site. This on-premise backup must be kept offline to ward off ransomware attackers. Aside from attacking cloud backups, ransomware attackers have targeted on-premise backups exposed to the internet. In the past few months, ransomware attackers have targeted Network Attached Storage (NAS) devices. A NAS is a storage and backup system that consists of one or more hard drives. To gain access to NAS devices, attackers use brute force attacks, that is, guessing the correct username and password combination through trial and error.
To gain access to NAS devices, attackers also exploit security vulnerabilities that remain unpatched, either because the vendor has released no security update or because the NAS device user failed to install the vendor’s available security update in a timely manner. When you need help securing your cloud backups and applications against ransomware attacks, our experts are here to help. Get in touch with us today and protect your valuable assets.
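As an added example, not code from the original post or from Veeam, the function below checks a backup inventory against the 3-2-1 rule as stated above together with the two further points the post makes: one on-site copy kept offline, and no single credential (such as a shared Windows account) able to reach every copy. Both inventories are constructed sample data; the field names (Role, Media, Offsite, Offline, Credential) are this example’s own.

```powershell
# Added example (not from the original post or from Veeam): 3-2-1 plus offline-copy
# and credential-separation checks over a constructed backup inventory.

function Test-BackupPolicy {
    param([Parameter(Mandatory)][object[]]$Copies)

    $findings = New-Object System.Collections.Generic.List[string]
    $primary  = @($Copies | Where-Object Role -eq 'Primary')
    $backups  = @($Copies | Where-Object Role -eq 'Backup')

    # 3: one primary plus at least two backup copies.
    if ($primary.Count -ne 1 -or $backups.Count -lt 2) {
        $findings.Add("3-copies: found $($primary.Count) primary and $($backups.Count) backup copies")
    }
    # 2: the copies must span at least two media types.
    $media = @($Copies.Media | Sort-Object -Unique)
    if ($media.Count -lt 2) {
        $findings.Add("2-media: every copy is on '$($media -join ',')'")
    }
    # 1: at least one backup copy stored outside the facility.
    if (-not ($backups | Where-Object Offsite)) {
        $findings.Add('1-offsite: no backup copy is stored off-site')
    }
    # The post's extra point: an on-site copy that is kept offline, out of ransomware's reach.
    if (-not ($backups | Where-Object { $_.Offline -and -not $_.Offsite })) {
        $findings.Add('offline: no on-site backup copy is kept offline')
    }
    # Veeam's point: at least two credential mechanisms, and no backup copy reachable with
    # the credential that also runs the primary system (the one a compromised host would hold).
    $creds = @($Copies.Credential | Sort-Object -Unique)
    if ($creds.Count -lt 2) {
        $findings.Add("credentials: the single credential '$($creds[0])' reaches every copy")
    }
    foreach ($b in $backups) {
        if ($primary.Credential -contains $b.Credential) {
            $findings.Add("credentials: '$($b.Name)' shares credential '$($b.Credential)' with the primary")
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed inventory A: the layout the post recommends (should report Compliant = True).
$good = @(
    [pscustomobject]@{ Name='File server';        Role='Primary'; Media='Disk';  Offsite=$false; Offline=$false; Credential='CORP\svc-fileserver' }
    [pscustomobject]@{ Name='Veeam repository';   Role='Backup';  Media='NAS';   Offsite=$false; Offline=$false; Credential='veeam-repo-local' }
    [pscustomobject]@{ Name='Cloud Connect copy'; Role='Backup';  Media='Cloud'; Offsite=$true;  Offline=$false; Credential='veeam-cloud-tenant' }
    [pscustomobject]@{ Name='Rotated USB drive';  Role='Backup';  Media='USB';   Offsite=$false; Offline=$true;  Credential='vault-operator' }
)

# Constructed inventory B: the Windows-authentication setup the post warns about, where one
# domain credential harvested from the network also opens the repository and the cloud copy.
$bad = @(
    [pscustomobject]@{ Name='File server';      Role='Primary'; Media='Disk';  Offsite=$false; Offline=$false; Credential='CORP\Administrator' }
    [pscustomobject]@{ Name='Veeam repository'; Role='Backup';  Media='Disk';  Offsite=$false; Offline=$false; Credential='CORP\Administrator' }
    [pscustomobject]@{ Name='Cloud backup';     Role='Backup';  Media='Cloud'; Offsite=$true;  Offline=$false; Credential='CORP\Administrator' }
)

Test-BackupPolicy -Copies $good | Format-List
Test-BackupPolicy -Copies $bad  | Format-List
```

Inventory B passes the 2-media check (disk and cloud) yet still fails on the missing offline copy and on every backup sharing the primary’s credential, which is exactly the gap the Veeam quotation above describes.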
Author: Steve E. Driz, I.S.P., ITCP
3/31/2020