Published on October 2nd, 2022
Cyber Security Today, Week in Review for Friday, September 30, 2022
Welcome to Cyber Security Today. This is the Week in Review edition of the podcast for the week ending Friday September 30th, 2022. From Toronto, I'm Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I'll be joined by Terry Cutler, head of Montreal's Cyology Labs, to discuss what's been happening — or about to happen — in cybersecurity. Most of our discussion will focus on Cybersecurity Awareness Month, which begins tomorrow.
But first a look back at some of the headlines from the past seven days:
A hacker managed to break into the content management system of the news site Fast Company and alter stories with obscene and racist remarks. The publication had to temporarily take the site offline to fix the problem. The hacker claims they were able to figure out a password used by a number of employees that had a shared element. Terry and I will discuss this incident.
Last week I told you that the encryptor code for the LockBit ransomware had been stolen and leaked. It hasn't taken long for another hacking group to take advantage. There are multiple reports that the B100dy ransomware gang has already adopted this code for an attack on a victim in Ukraine.
Crooks continue to target medical offices and healthcare service providers in the U.S. According to SC Media, some of the latest victims include Physicians Business Office, which provides practice management services for doctors. Just under 200,000 patients are being notified that their personal and health data was likely stolen in a hack last April. A Tennessee walk-in doctor's office is notifying just over 58,000 patients that their data was stolen after a hack that started in July. A Texas hospital said it has nearly finished recovering its IT systems after a ransomware attack earlier this month. And a medical provider has acknowledged that a security configuration error at a third-party provider in May led to the theft of data of over 22,000 patients.
A criminal gang has made tens of millions of dollars since 2019 by using stolen credit card information on some 200 fake dating and adult websites they created, researchers at ReasonLabs revealed.
Finally, Australia's attorney-general is pondering changes to the Privacy Act following the huge data breach earlier this month at Optus, the country's second-largest wireless carrier and a subsidiary of Singapore Telecommunications. After the attack the hacker dumped the data on 10,000 customers — including Medicare numbers — on the dark web.
(The following transcript has been edited for clarity)
Howard: The Week in Review often gets caught out by the calendar for certain events — Fraud Awareness Month, Password Awareness Day — which inevitably happen a day early or a week ahead. But not this time. Tomorrow starts the annual October Cybersecurity Awareness Month. Yes, people still need to be shaken from complacency and reminded to be aware of cybersecurity and to follow cybersecurity best practices. This includes individuals at home, employees at work, IT security teams and senior management.
Organizations should, of course, be conscious of cybersecurity every day. So how should this year's Cybersecurity Awareness Month be observed by organizations? Are there things they can or should be doing differently from what they do every day, every week, every quarter?
Terry Cutler: Here's the challenge: We're seeing attacks increasing and we're trying to defend against all attack surfaces. There are phishing and spear-phishing attacks, ransomware, employees copying out data to cloud storage, websites being attacked, employees losing or getting their devices stolen, they click on links they're not supposed to, there's no visibility to know if a hacker is in your environment and you don't have an incident response plan, there's outdated software, passwords are stolen, there are IT guys who are not trained in cybersecurity so they're often giving wrong advice — and companies think their cyber insurance will take care of things but they're also having a hard time qualifying for cyber insurance …
So my advice to everyone from the CEO down to their IT teams is they need to sit down and ask this question: Can we identify, protect, detect, respond — and especially recover — from a cyber attack? Recovery is vital because if [data] gets destroyed how fast can you recover from a backup?
There are a couple of tips to share: The big one is around passwords. Use a password manager [across the organization]. But here's my take on password managers. They can create really strong passwords that are somewhat unbreakable but remember the LastPass hack a month or so ago. If your passwords have been corrupted or are made unusable there's no way you can remember what password that was to this or that account. [Editor: Unless there is a safely protected written or digital backup]. Password managers are useful but you've got to be careful with them.
Second, use multifactor authentication. If an employee's password is leaked on the dark web and a hacker tries to use it they'll get an alert. However, there are ways to bypass multifactor authentication …
You also want to make sure your data is backed up.
Employees have to be taught to hover over the links in email before clicking on them.
I think one of the most important things senior leadership and the IT department should do this year is get a penetration test done. See how strong your defences are — is IT receiving the proper alerts to know an attack is happening? Pen tests can test users as well.
Another thing companies could be implementing is server message block signing. It's where workstations and servers have their communications encrypted so no tampering or man-in-the-middle attacks can happen.
And get rid of outdated software and operating systems.
Howard: My take on Cybersecurity Awareness Month is that it shouldn't only be thought of as something that should be aimed at ordinary employees. So I want to talk about three events that suggest organizations and infosec leaders still have a lot to learn. First, the recent American Airlines hack, news of which was only revealed this month. In July customers notified the airline that they received phishing emails that had come from the hacked email accounts of airline employees. So first of all, the airline didn't know that these employees' accounts had been hacked.
Terry: The hackers got access via a couple of ways: Either they sent phishing emails to the employees and they clicked on them and gave away their access, or it could be passwords that leaked onto the dark web and were reused. And either multifactor authentication wasn't turned on or it was bypassed … What's interesting is that the airline didn't have technology in place to know that there was suspicious activity happening. Maybe they didn't turn on geo-fencing to know that people who usually log in from Canada are logging in from somewhere in the Middle East or Africa.
Howard: The second thing about this incident was the hacker used the IMAP protocol to access the employees' mailboxes. And then using that protocol the hacker may have been able to synchronize the contents of the mailboxes to another device that was controlled by the hacker. Explain what IMAP is and why organizations shouldn't be using it today.
Terry: IMAP has been around since the mid-'80s. It enables remote users to view and manage their messages that are stored on a server. But IMAP has become very insecure when it comes to enterprises. We're moving away from IMAP and using webmail. One of the problems with IMAP is that it's designed to accept plain text login credentials, which could be intercepted. But a lot of companies still have IMAP enabled. It's very, very challenging to defend. This is a perfect example of how backward compatibility is still enabled. You want to eventually kill off the IMAP service and use webmail. The other problem with IMAP is it doesn't support strong authentication, so you can't necessarily enable multifactor authentication. That's why everybody is moving towards an Office365 or Gmail approach where you can enable all of these stronger functionalities. Also, IMAP uses port 143. You want to switch over to port 993, which encrypts email transmissions.
The point is, move away from IMAP as fast as possible.
Howard: And the third segment of this hack that I want to talk about is the hackers were able to copy a lot of sensitive data of about 1,700 people from the email accounts. Those airline employees' accounts they hacked into included people's names, Social Security numbers, driver's license numbers, passport numbers, employee numbers, dates of birth, mailing addresses, phone numbers. This is all the sort of stuff that an attacker can use to create a phony ID. Aren't there ways of protecting data held in employees' inboxes, like attachments that hold sensitive data?
Terry: Whenever we travel and we have to deal with our travel agent, they need information to avoid any problems. We typically send copies of our passport and whatever they need to get us up and running as quickly as possible. But once this data leaves our inbox we no longer control it. We're hoping employees on either side of the airline will actually delete the email afterwards to protect the data. As an airline employee there's not too much they can do to protect their inbox except for things like paying attention to email phishing attacks, and creating a strong password. But on the IT side they should be implementing things like geozones in order to block access from other countries that are trying to access these inboxes. They also want to make sure they've implemented multifactor authentication for all of their users. How many times have we discussed where companies say, "We've implemented MFA already," and then you ask the question, "Well, for all your users, or just the executives?" They need to have it on for everybody.
Howard: The second incident I want to bring up to illustrate this point that IT administrators have a lot to answer for is the hack this week of the website of the news site Fast Company. The hacker defaced several news articles, which went out to Apple News subscribers — who as you may imagine were surprised at the wording in the news stories. Apparently several employees who had administrative access to the website were given, or allowed to have, a similar access password with a variation on the word pizza. So it sounds like one employee had the password "pizza123" and another had the password "pizza456" and a third employee may have had the password "pizza789." That would be pretty easy to guess if the hacker had figured out one employee's password. This is a violation of cybersecurity 101.
Terry: This is a perfect example of [doing something for] convenience. They probably set up a default password but expected each user to change it.
Howard: The third incident I want to bring up regarding Cybersecurity Awareness Month and the responsibilities of senior management and IT administrators is the recent Uber hack. The cause of this hack was an employee of a third-party contractor who fell for a trick. They gave in to the repeated messages on their smartphone asking for a verification of their multifactor login. These messages were being sent by a hacker who was trying to get around the multifactor authentication protection. The employee got tired of seeing these messages. That's a matter of bad cybersecurity awareness training. But this incident also spawned a column in The New York Times by security expert Bruce Schneier, who argued that the hack is another example of how companies skimp on security because they have no financial incentive to tighten up. He said only strong government regulations are going to change that attitude. Do you agree that companies are skimping on security because they have no financial incentive to tighten up?
Terry: Absolutely. A common theme I hear is, "Who's going to want to hack me? I'm small fish." But they don't realize — especially the small and medium business guys — that almost 80 per cent of all small businesses are being targeted by cybercriminals because they know that they don't have the time, money or resources to do cybersecurity. They're hacking into smaller businesses and using them as a jump point to attack another company … One study [found] 60 per cent of small businesses that get hit with a cyber attack will go bankrupt within six months. We've seen a lot of cases where a firm gets hit with ransomware and they have to dish out $300,000 or a million dollars to get their data back. That could be a death sentence for a small business.
The other challenge is we're [short] 3,000,000 personnel in the cyber security industry. There aren't enough experts to help protect everybody.
Howard: One of the problems I have is that some cybersecurity pros want to have it both ways: They say no combination of technologies can stop a cyber attack if a threat actor has the time and the money and the determination. They're going to hack you, and your job is only to lower the risk. But at the same time there are complaints that organizations don't take cybersecurity seriously every time there is a big hack in the news. Am I wrong to say there's an inconsistency here?
Terry: That's a tough question, but the answer is there's no silver bullet to stop a hacker. You only make it harder for them to get in. So if you have enough defences in place to thwart a hacker he's going to move on to somebody else. But like you said earlier, if these guys have the financial means and the expertise they're going to get you. We've seen cases where you could drop in millions of dollars of cybersecurity technology and expertise, but it just takes one mistake …
Howard: I want to emphasize to chief executives and IT security leaders that no organization can be prepared for a cyber attack unless it has a written and implemented cybersecurity strategy for reducing risk. Can you go over what that plan would include?
Terry: First, have a proper inventory of all the hardware and software currently in the environment. What versions do you have, what operating systems do you have [on every device], how old are the machines?
Second, how much valuable information do you have on computers? Weâve seen cases where employees have copied sensitive information from the server to their workstations and forgotten about it. Data needs to be prioritized for protection.
Third is creating a great patch management system.
Fourth is having antivirus, anti-malware and firewall technology — although I have a problem with that. These are traditional cybersecurity technologies. You also need behavioural analytical technology and other advanced technologies.
Fifth is access control. Remove all default administrative passwords. General employees shouldnât have administrative access on their systems, but we often still see that. We also want to make sure employees create strong passwords and have multifactor authentication turned on.
Sixth is a user awareness training program that regularly tests the employees — at least once a month or every three months — to see how they're doing.
Seventh, you want a policy to take care of data that's at rest or in transit.
Eighth, create a strong backup and recovery plan. This is one of the most important takeaways — make sure your backups are safe and tested.
Ninth, have a proper incident response plan in case of a disaster. My strong suggestion here is to work with a consultant or IT firm that will have fresh eyes on your environment.
Howard: I want to close by saying for organizations that don't already have a cybersecurity plan there are lots of free resources. The Canadian government's Canadian Centre for Cybersecurity has a set of baseline cyber security controls for small and medium-sized organizations. The United States Cybersecurity and Infrastructure Security Agency has similar resources. If you are in the United Kingdom the UK National Cyber Security Centre has free resources. The Center for Internet Security has its Critical Security Controls.
Not only that, big IT vendors probably have free resources for their customers.