Published on May 21st, 2022
Cyber Security Today, Week in Review for Friday May 20, 2022
Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday May 20th, 2022. I'm Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I'll be joined by David Shipley, head of Beauceron Security, to talk about some of the news from the past seven days. Here are some of the headlines:
Cyber intelligence agencies from five countries including the U.S. and Canada issued another reminder that attackers routinely exploit poor security configurations, unpatched software and weak login controls. David and I will discuss their recommendations to IT leaders.
We'll also look at an international survey of CISOs about ransomware and other things that are important to them.
And we'll analyze the latest proposal by the European Union to update cybersecurity standards for critical infrastructure sectors in the 27 EU countries. Can we do that here?
Elsewhere, the Conti ransomware gang continues trying to pressure Costa Rica with its multi-million dollar financial demands. The gang, which struck some government departments last month, now says it's trying to overthrow the government with help from insiders.
Microsoft warned database administrators that hackers are going after SQL Server installations. They're using brute force attacks to break passwords for initial compromise, which isn't new. What is new is they are leveraging a server tool called sqlps.exe instead of PowerShell to run malicious commands.
Hiring IT staff over the internet is risky, especially if they are to work in a foreign country and never come into the office. The U.S. government said this week that's more true than ever because North Korea is directing its IT-trained citizens to apply for jobs in countries around the world. The goal, the U.S. alleges, is for them to get privileged access to IT systems for either espionage or to help hacking. Some North Koreans have been seen pretending to be teleworkers from South Korea, China, Japan or Eastern European countries, the U.S. says.
And IT managers whose building doors have smart locks that use Bluetooth Low Energy fobs should be worried. That's because researchers at the NCC Group have discovered there's a way to defeat the short-range wireless system and unlock doors. The trick works on some models of Tesla cars and home door locks.
(The following transcript has been edited for clarity)
Howard: Let's start the show with the cyber intelligence advisory from the U.S., the U.K., Canada, the Netherlands and New Zealand. It's a reminder that commonly used tactics are favoured by most threat actors. Things like exploiting unsecured applications open to the internet, poorly configured remote access services like VPNs, employees falling for phishing emails and taking advantage of trusted relationships by impersonating employees or partners through hacked passwords. David, what did you get out of this report?
David: It's the laundry list of the continual sins that bring us down. The ones that I think still need the most attention, and I'm surprised that we're still struggling with this given the current environment, start off with failure to implement strong password policies. This is bare-bones basics, and I think part of this may still be tied up in old advice: uppercase, lowercase, special characters, guidelines from NIST [the U.S. National Institute of Standards and Technology] from years ago, which we talked about back on World Password Day. I think it's really important that people adopt strong, long, random passwords and encourage the use of password managers. This [weak passwords] is a problem we have the technological tools to solve. If IT leaders really want to go the extra mile, get something like Troy Hunt's Pwned Passwords database and make sure your users aren't setting passwords that are already in known brute force lists. This should be basic. Maybe this is the summer we can finally cross that threshold. Secondly, I think it's really important that we get multifactor authentication rolled out where it's truly needed, properly enforced and properly administered. MFA is not a silver bullet. It can't guarantee you absolute security from criminals. But it can reduce brute force attacks by 99.9 per cent, which is amazing. That was one of the takeaways. The last one that I found particularly interesting was failure to detect or block phishing emails. What I find interesting about that is in the work that we have done. Make it easy for people to report suspicious emails. Quite a few phishing emails still get by secure email gateways, so your people are your best line of defense. But a lot of organizations, even if they have a "report a phish" button, aren't triaging and dealing with these really important signals that a control is failing.
Howard: One thing I'd like to stick in here about multifactor authentication is you've got to have backing from the CEO. Employees have to see that the CEO and all the vice-presidents are enrolled in the multifactor authentication program, because if they're not, if they think, "Listen, we've got lots of work to do. We've got to log into things fast. Don't bother us. Leave us out of the multifactor authentication program," the rest of your staff are going to say, why should I be enthusiastic about it?
David: Absolutely. And this goes back to: security isn't a project, security isn't a piece of technology you buy, security is not even a strategy. Security is a culture. It's a mindset and you have to lead by example. The best thing you can do is have your senior executives do a two-minute video and say, "I use this every day and it's important to use. Thank you for helping us be safer." I think the power of "Thank you" is so underappreciated. It can make all the difference in setting the right tone for your organization. The last thing about multifactor authentication, particularly for large enterprises and critical industries, is that they use the app-based notification. It can quickly be approved from a smartphone. If you remember back to the Okta breach and their third-party supplier getting hit. A one-time passcode that people enter is the best way to do MFA. Give users a sufficient login time. Don't make them re-authenticate every hour.
Howard: How do you encourage people to choose proper passwords?
David: I think it's just absolutely vital for enterprises and small and medium-sized businesses to adopt enterprise password managers. The average American, I heard yesterday at a conference, has 150 passwords. Canadians aren't that different. There is no way you can remember that many strong, random, unique passwords. So use a password manager. And the best part is many enterprise password manager solutions offer an opportunity to protect employees' personal accounts as well, keeping them separate from the enterprise. That encourages people to be safe 24 hours a day, 365 days a year.
Howard: You spoke of the failure to detect and block phishing, which is both a technology and human problem. How do you get to the heart of that?
David: The reality is there is not a single product on the market that can block all of the phishing emails out there. Phishing emails evolve; they use all kinds of ever-creative tactics. Sometimes they use island hopping, which is using a trusted partner's email to attack your people. So it's a constant game of cat and mouse on the technological side. You can reduce the volume of attacks with good email controls. But even in large, complex organizations, no inline solution I've seen stops all phishing emails. They still had phishes go through. But what was great for one organization is that their report rate of suspicious emails, both simulations and, by assumption, real ones, was north of 50 per cent. So there was a better chance that people were going to report suspicions faster than fall victim, which gives critical intelligence to your incident response and triage teams to deal with. This whole idea of doing phishing testing and just looking at click rates is yesterday. The new metric is how many people are reporting it. And when they report in a test, celebrate it. They're going to report the real attacks that get through, and that's going to give you critical minutes to get ahead of a potentially devastating social engineering attack.
Howard: Looking at a number of the issues raised by these cyber intelligence agencies, they aren't really hard for IT departments. Implementing tough multifactor authentication for some users, like requiring senior management and IT staff to use security keys, isn't inexpensive. But it's not a crippling cost?
David: No. What is interesting about this report is that it highlights that people, process and culture are what hold us back in security, not a lack of technological know-how or solutions. And what I mean by the people side is management allocating sufficient resources to deal with cybersecurity. We still have a nasty human tendency to downplay risk: "It's not going to happen to me." If there's a CIO or a senior leader listening to this podcast today, you have to understand that in cybercrime every single organization is getting hit. Numerous studies consistently show the threat is there. This is not fear-mongering. It's just a reality and you have to invest. Because if you don't invest in the front end, you will pay $10 plus for every dollar you could have spent in prevention on cleanup from an attack.
Howard: One of the mitigations that this report mentions is that IT needs to limit the ability of local administrator accounts to log in from a remote session. The purpose of that is if somebody gets a hold of an administrator account they can't take advantage of access. Mitigations like access control are really important.
David: Absolutely. But the thing about access control is not the technology, it's the process. How often are you reviewing your access controls? How often do you check that you didn't introduce human error? How are you revising access when people change roles? This is the Great Resignation; there's a massive amount of employee turnover. This is where the pressures come on identity and access management.
Howard: Another mitigation that's mentioned in this report is adopting a zero trust model. Arguably, that's the most expensive mitigation that these experts recommend.
David: Yes. Zero trust is easy if you're just starting a business and you're using only cloud services; all your devices are untrusted to begin with. But if you're a legacy business that has on-prem servers, data centers, network structures etc., this is both technologically expensive but also really complex from a planning and implementation standpoint … Please don't just fall into the latest cybersecurity trend and just dive onto the next shiny thing because we think that that's going to be the silver bullet so that we don't have to worry about security anymore. Get the basics right first.
Howard: Next on the list of issues that I want to look at is an international survey of chief information and security officers done for Proofpoint … I'll briefly summarize some of the responses in this survey of 1,400 people, 100 in each country. Here are the global results: 59 per cent of all of the CISOs said prevention rather than detection is the focus of their organization's defense against ransomware; 40 per cent said their organization doesn't have a policy on whether it would pay a ransom if it was successfully hit by ransomware; 60 per cent of respondents think that their employees understand the role they play in protecting their organization against cyber threats; and 56 per cent of CISOs think that human error is their organization's biggest cyber vulnerability.
David: First, I am encouraged that almost 60 per cent of folks said that they wanted to focus on prevention rather than detection and response for ransomware. I think that's smart, because it's far less expensive to put a fire out with a fire extinguisher before it spreads and burns the entire building down. It's nice to see this proactive push. We're seeing ransomware crews get faster and faster, and in under a couple of hours go from initial access to running rampant through an organization.
I am discouraged that only about 40 per cent said the organization doesn't have a policy on whether they would pay a ransom. What that tells me is that the organization actually isn't taking the threat seriously, because it's fine for the business to decide, "Well, this is where we are as a business, these are all of our different risks and we can't afford to be proactive. So we're just going to roll the dice and pay the ransomware." But if you have that uncomfortable conversation around your board and senior management, it gives people an opportunity to question that, to challenge and say, "What if we put in place a plan to eventually not rely on rolling the dice?"
In very few contexts do I ever think it's ethically and morally okay to pay a ransom, aside from healthcare. I would much rather see organizations have a board policy that says they're not going to pay. Draw the line in the sand. Let's take the gasoline that organizations have poured on the fire of ransomware away. Then, because they make that decision, they have to have a robust cyber security strategy and resourcing to reduce the risk of ransomware. They've aligned their security investments with their approach to risk management. Maybe we need to have regulations, particularly for publicly-traded companies, saying they need to have a board policy on this, but not necessarily dictate that you can't pay the ransoms. Maybe that's a bridge too far right now. But say what your public policy is. It's an uncomfortable conversation and it may be slightly unrealistic to expect them to be transparent about what their policy is because that could be like a giant sort of "Come hack me" sign to attackers. But maybe they have to have a confidential submission to a regulator.
Sixty per cent of respondents say that their employees understand the role they play. Here's what's interesting: We actually surveyed our employees as part of the work we do within our actual platform, and 90 per cent-plus of employees understand the role they play. What they feel very strongly about is whether organizations are actually providing them with contextual security training related to how their business works, not just the generic vendor phishing video. They want to know why security is important to senior management. They want to know what tools are provided to them and they want to know what to do when they see a threat. If the organization isn't being specific enough, they don't feel empowered.
And finally, 56 per cent of CISOs think human errors are the organization's biggest cyber vulnerability. Well, 85 per cent of incidents always can be traced back to people, not necessarily making a mistake, but the people, process, culture. I've read a fascinating study in healthcare that showed the employees cared about security, they knew how to be secure, but because they were so overworked, stressed and tired and the organization sent them far too many internal emails, they had a startlingly high phishing click rate. In that case it's not beating more training into the employees' heads, it's how are we communicating to our employees through whatever channels so that they're not overwhelmed.
Howard: You thought that the fact that 40 per cent of respondents said that their organization doesn't have a policy on whether it would pay ransom means that those companies don't take ransomware seriously. I would disagree. I put the following suggestion to you: What it means is they want to keep their options open. They're just not sure what to do, and in some cases they're thinking, "Maybe we would pay; in other cases we won't pay. It depends on the situation." So they can't have a policy.
David: Not making a decision before a gun gets put to your head is making a decision. So if you're going to have a policy that says we may pay under the following circumstances, then make a policy. That's our policy, and then on the people, resources and strategy make that a reality. I think waiting till your board is up at three o'clock in the morning and you're getting minute-by-minute updates and conflicting reports from your IT team about how bad the situation is, is the worst possible environment to try and make a decision.
Howard: Issue Three: The European Union Parliament is recommending its 27 countries adopt an updated cybersecurity directive covering critical infrastructure organizations. The new standard aims to remove differences in cybersecurity requirements and implementations in each of the 27 countries. It would do this by setting minimum rules for a regulatory framework. It would lay out ways for cross-country co-operation for large cyberattacks affecting more than one country and it would give participating EU regulators the ability to impose sanctions. You see a lot of merit in this plan.
David: I do. Let's be honest, countries are moving towards mandatory reporting frameworks, risk-based management frameworks and being able to demonstrate that you're dealing with cyber in a sane and appropriate way. So in the European context you can either have 27 different ones or you can have a standardized, harmonized approach, and that makes a lot of sense to me. What was interesting in the proposal is you've got a month to file a report, so this is going to be interesting for large, complex ransomware attacks like we've seen in Ireland and Newfoundland. In other places, which typically can take months to actually fully play out, how's that going to reflect the reality? Two other things are interesting: If you don't actually clean up your cybersecurity house, the fine is 10 million euros or two per cent of global revenues, whatever's higher, which is half of what they've set for the fines for privacy violations under the GDPR. Also, senior management can be held personally liable for negligence when it comes to cybersecurity. I like this. It turns up the temperature. And it creates the right incentives where clearly the market hasn't necessarily done so.
Howard: Could this be done in Canada or the U.S.? In Canada the federal government doesn't have to deal with the provinces on some things. It directly regulates banks, telecom carriers, airlines, railways. So could the federal government here set minimum cyber security standards?
David: I think so, and I think it's going to be an important evolution of Canadian federalism to start recognizing that the constitution didn't contemplate the digital world that we live in today. I think it's time to have that conversation. We can't have 13 different jurisdictions [the provinces and territories] in this country overseeing cybersecurity. We're already heading down that way in privacy right now, which is an absolute dumpster fire. Quebec has basically adopted a very similar privacy law to GDPR. So if you're doing business across Canada you've got different frameworks for privacy, different conditions etc. The winners of that conflict will be lawyers and privacy experts and security firms. But that's just a tax on businesses. So we need a clear common national cybersecurity standard. We are too small of an economy and too small of a country to have 13 different response agencies. We need one well-resourced federal government response agency that can help. The Newfoundland healthcare system attack is an example. Healthcare is critical infrastructure and we need a common national standard and resourcing to protect those institutions.
Howard: But the other way of looking at it is why not put pressure on the provinces to look after things in their jurisdictions? Businesses, retailers, law firms, municipalities, police departments, all of these come under the jurisdiction of provinces, and provinces like to be independent. Why shouldn't they have to show the public that they're responsible for cybersecurity in their realm?
David: My issue with that is the provinces in Canada are not equal in the resources they have. How could we reasonably expect Prince Edward Island to have the same robust ability to do this kind of work that Ontario could have?
…We have and have-not provinces for cybersecurity now. If you are a victim of a cyber crime and you are fortunate enough to live in Toronto, Calgary, Halifax or a decent size city, the quality of police response you get is dramatically different than in other parts of this country. We need to scale cybersecurity at a national level.
Howard: Last, the finals of the annual Canadian cybersecurity competition for middle and high school students called CyberTitan were held this week. It's based on the CyberPatriot program in the U.S. One hundred and thirty teams from across Canada enrolled to participate this year. It's a great way to encourage teams to think about a career in IT generally and cybersecurity in particular.
David: I love the CyberTitan program. We were a sponsor of the regional competition here in Atlantic Canada. It gets teens thinking about careers in IT security. It's fun, it's challenging, it's attracting a lot of groups who don't traditionally consider cyber security careers, particularly young women, to get experience. And I think this is going to be key to meeting the massive talent shortage, and also the lack of diversity in this field. I'm super proud that a team from McAdam, New Brunswick, which is a very small town, made it to the final. I think this is a program we should be celebrating in the same way that we celebrate when high school and middle school teams make it to the nationals in sports.