Published on September 3rd, 2021
Cyber Security Today, Week in Review for Sept. 3, 2021
Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday September 3rd. I'm Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
With me today is Jim Love, IT World Canada's CIO and chief content officer. We'll talk about a disastrous attack on a Canadian web hosting company and a report on insider threats. But first a look at some of the headlines from the past seven days:
The gang behind the Ragnarok ransomware has shut operations and released a free decryption utility that victims can use to get their data back. At least one expert speculates the operators will take their profits and return to ransomware with a new scheme.
Meanwhile those behind the botnet distributing the Phorpiex malware seem to want out of the business. They are selling the source code. However, if a threat actor buys the code the botnet can be re-activated.
Another botnet called Mozi was in the news. The operators were arrested in July, but a cybersecurity company called 360Netlab this week argued the botnet — made up of 1.5 million compromised devices, many of them in China — will likely automatically continue. That's because it uses a peer-to-peer network structure, so even if some nodes go down the whole network keeps infecting other devices.
One of the ways business email compromise scams can be spotted is the imperfect English used in messages. That's because this type of scam tries to trick victim companies into wiring payments they usually make to a partner or customer to an account controlled by crooks. Some crooks have figured out that grammar flaws can be a giveaway. So, according to a security firm called Intel471, threat actors have recently been looking for help. One person was spotted on a Russian-language cybercrime forum looking for native English speakers. Another person was looking for someone to handle the social media side of an attack, while he took care of the technical aspects.
For years cybersecurity experts have taught computer users that hovering over a link in an email or text is a good way to find out if the link is legitimate. After all, if you expect to go to "cheapcars.com" and hovering over the link displays "zxy123.co," that's suspicious. However, Microsoft says a recent scam tries to foil that. It takes advantage of a procedure called open redirects, commonly used by legitimate sales and marketing campaigns to lead customers to a special web page. Customers would see a trusted or expected web address when they hover over a link. However, scammers have found a way to abuse this capability. So remember, hovering alone won't always reveal a scam. Any time you click on a link, watch the web address it goes to. And be suspicious if you get asked to re-log in with your Microsoft username and password.
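As an added illustration of the open-redirect point above (this example is not from the original article), the Python below shows why hovering is not enough: the outer host is the trusted one, but a query parameter carries the real destination. It also includes the allow-list check a redirect endpoint should make server-side so it cannot be abused this way. The hostnames and the list of redirect parameter names are constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Query-parameter names that marketing and tracking links commonly use to
# carry the real destination (assumed list, constructed for this example).
REDIRECT_PARAMS = ("url", "redirect", "redirect_uri", "next", "return", "dest", "target")


def final_destination(link: str, max_hops: int = 5) -> str:
    """Host the browser ends up on if the link is an open redirect.

    Hovering shows only the outer host (e.g. trusted.example).  If a query
    parameter holds a full http(s) URL, that URL is where the user really
    lands; nested redirects are unwrapped up to max_hops times.
    """
    current = link
    for _ in range(max_hops):
        parsed = urlparse(current)
        params = parse_qs(parsed.query)  # parse_qs already percent-decodes values
        nested = next(
            (v for name in REDIRECT_PARAMS for v in params.get(name, [])
             if urlparse(v).scheme in ("http", "https")),
            None,
        )
        if nested is None:
            break
        current = nested
    return (urlparse(current).hostname or "").lower()


def is_safe_redirect(target: str, allowed_hosts: set) -> bool:
    """Check a redirect endpoint should make before sending a browser on.

    Only a same-site relative path, or an absolute http(s) URL whose host is
    on the allow-list, is accepted.  Everything else is refused.
    """
    if "\\" in target:  # browsers treat '\' like '/', so '/\\evil' would escape the site
        return False
    parsed = urlparse(target)
    if not parsed.scheme and not parsed.netloc:
        # Relative path: allow '/account', refuse protocol-relative '//evil.example'
        return target.startswith("/") and not target.startswith("//")
    if parsed.scheme not in ("http", "https"):
        return False  # javascript:, data:, etc.
    return (parsed.hostname or "").lower() in allowed_hosts


if __name__ == "__main__":
    # Constructed sample: looks like trusted.example on hover, lands on phish.example
    sample = "https://trusted.example/track?url=https%3A%2F%2Fphish.example%2Flogin"
    print(final_destination(sample))
    print(is_safe_redirect("https://phish.example/login", {"trusted.example"}))
```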
Finally, IT administrators were reminded to follow basic cybersecurity practices when U.S. wireless carrier T-Mobile briefly described how a hacker was able to steal the data of over 50 million current and former customers. It was done by compromising the carrier's test network. Details weren't revealed. But the lesson is that an internet-connected test network has to be as secure as the live operating network.
(The following is an edited transcript of my conversation with Jim Love. Play the podcast to hear the full talk)
Howard: I want to first talk about the misery that Montreal-based Web Hosting Canada faces. This is a company that hosts websites and provides backup services. Some companies resell its services. It has perhaps 60,000 customers. But last weekend some of its backup and production servers were wiped. Some of them have been, or are being, restored, but many customers who relied on the company to back up their data may have lost everything: their data, as well as their website content, unless they had local backups.
UPDATE: On Thursday the company said six of 12 servers had been restored, most data on a seventh had been recovered but there was some data loss. Attempts at data recovery were ongoing on five other servers. WHC was "cautiously optimistic" data could be restored on three servers.
According to the head of the company, an employee of a third-party service provider used their account to log into one of Web Hosting Canada's management portals. Whether it was malicious or not, we don't know.
Jim, what did you think when you heard of this incident?
Jim: My heart just went out to them. First of all, my heart went out to the guy who heads the company. This is the ultimate disaster. And then second, my heart went out to some people. We saw one story — I can't give all details because we don't have permission — but they had painstakingly created this site over years and years with all this data. And I went, "Oh please God, let them have a backup or let them recover it."
Howard: The company has said some servers are irreparably damaged.
Jim: The last claim I saw was they could recover 50 per cent [of customer data]. That's an astonishing number. You've got to give credit to these people for being transparent in this.
Howard: Have you ever experienced something like this where a provider that you or your firm dealt with had wiped out data?
Jim: Yes. There's two types of people: Those who will admit it to you and those who [don't]. I've experienced at least four major data losses in my career. Each one I could say I was blameless, somebody else did it. But the buck stops with you [the IT or backup leader]. We had one occurrence with a preferred supplier. They were very knowledgeable, had access to our machines. What possessed them to reformat a disk, or to overwrite a disk, while the backups were connected on this machine is beyond me. Like, it's beyond insanity. You can't imagine why anybody would be that stupid, but they wiped our prime copy [of data] and our on-site backup, which then led us to another backup that we went through and the programmer had not tested the backup.
So I've been in this situation trying to get a disk restored because of someone that you trusted, someone you thought had the experience and the expertise to do this [but] doing the most radically stupid thing possible. You know Murphy's law? Murphy was an optimist. So at that point you'll pay literally anything to get your disk restored, anything. In fairness, I have saved other people because we've had backups as well. So it's not like I'm sloppy. We're not. But sometimes the bolt of Zeus strikes you and that's all there is to it.
Howard: I spoke to one WHC customer who was initially angry and despondent. What he said to me is "Everything is gone." He told me of years of marketing data that had been collected and relied on the [WHC] online backups … Eventually he cooled down and said that fortunately his firm had done a local data backup three months ago, but any data that he had collected since then was gone, and he wasn't sure how much of the older data was available. He thought it would take two or three days to get his websites back and running, which is two or three days when he's not able to do business. So this incident must be terrible for customers.
Jim: I have to tell you, the day that we lost that drive — and that was the only drive — I lay awake at night with my stomach aching. I don't lose sleep over almost anything [but] it was the most awful experience in my life. And I vowed it would never happen to me again. Ever … We need to get back to that. Don't let it happen to you. We can't change what's in the past, but the future. Now, if you work for me and everybody knows it, I might be thought of as the jerk of all times [but] I can tap you on the shoulder at any one time and you must be able to restore data. If you can't, hand in your resignation right there. That sounds brutal, but life is brutal. We [IT leaders] have to have responsibility for the data we have. You can control it in your own world. I've seen many times where people you presume have a backup, and they don't. I don't trust that anymore.
Howard: So what lessons can IT leaders learn from this incident?
Jim: If you can't touch a tested backup of your data that is disconnected from the internet and restore it, you're never sure. And that's the only thing you can do: Make sure you have your data backed up. That is it. There is an absolute air gap. This is offline, and it can be restored and that's it. Don't count on anyone else. The second piece is, test continuously. I did a data center move one time [for] a remarkably big institution. And we had backups for our data. But you would be surprised how many backups were empty. They ran the backup job successfully, just didn't back up data for many, many reasons. So if you don't test it, if you can't see it restored, forget it. Data's only good if you can restore it. It doesn't matter where it is or what it is. If you can't restore it, you don't have it.
That's regardless of where you have it. Don't forget clouds are just somebody else's computer. I don't believe that, you know, [Amazon] AWS is going to fry two regions. If you want to do [backup] between two regions in AWS or whatever, the hardware device is not the issue. The issue is can we restore it? Is it safe? Is it offline? And can we restore it if we need to? So I won't describe how people do that, but that's the theory. It's gotta be offline so nobody can scramble it. You want to make sure that it's write-protected so that nothing can touch them. And then you restore them somewhere safe.
Howard: This particular incident [Web Hosting Canada] was what security experts call an insider attack. The security industry definition of an insider includes not only employees, but also partners and contractors and consultants who have login access to the organization's IT network. By coincidence this week a cybersecurity company called DTEX and the Ponemon Institute released a report on insider threats. Tell us about what that report said.
Jim: As if you needed more depressing news. In the executive summary they referred to another report that said there'd been a 450 per cent increase in employees circumventing security controls. We are doing something wrong. And a 230 per cent increase in behaviors that indicate [insiders] might steal data. They also have a list of reasons why security is a problem with insiders, and I don't really care. I've said before, I don't care whether it's fat fingers [accident] or sticky fingers [deliberate], if the data's gone, the data's gone. If you're granting too many access permissions to people, then you've got to watch what you're doing.
They go through the list of reasons: Lack of in-house expertise — okay, fair enough. Lack of collaboration between IT security and the line of business — sorry, don't accept. A shift to the remote workforce — a fact of life. Lack of budget — yep, I get that sort of stuff. And then at the bottom, 20 per cent said it was a lack of leadership. I'm going to reverse that. The buck stops here … I think there's a wake-up call here, which has nothing to do with technology and has everything to do with culture.
Howard: What's worse for the organization: The deliberate insider attack or the insider who accidentally makes mistakes?
Jim: When your data's gone, do you really care? You have to watch both, but they have one thing in common: They have the access to do this, and that's where you start. Do they have more access than they need? That's the first thing. Second, do you have a [security] culture with your suppliers and with your employees? Nobody reads a manual anymore. Nobody. Some just obey what the accepted rules of behavior are. But if you're trusted with access to something, you have to take the accountability to be careful and to exercise great care with that. And then of course you have safety nets. I remember the old days when we used to have a password to get into the main system. It was put in an envelope, and to get it somebody had to tear it open. So you knew somebody had used it. When that happened you had to write a report — and you had to change that password. That established a cultural moment. You knew if you ripped that envelope open, you were accountable for everything that happened with that password. That's what we have to make sure we go back to.
This 450 per cent increase in employees circumventing security controls, and the lack of collaboration between security and line of business — if you were a leader in an institution right now, you can't afford that nonsense. You just can't. And that's where true leadership comes to draw the line and say this is not acceptable behavior. I would say no matter how big the company I don't have time for you not to get along [with security rules.] Get along. That's your job.
As for those employees circumventing controls, you've got to look why. Are we making it so hard that employees need to circumvent these to do their job? If so, fix it. And if not, draw the line and say, "Sorry, this is just how you have to do your job." I think we're a little wimpy on this stuff. And, you know, executives close their eyes. I remember one time when tablets were first coming in and everybody's concerned about security, but they'd let the board of directors take all the company information on their tablets. Why? Because they could. Leaders have to lead and say, "No, we won't do anything that's insecure."
Howard: So identity and access management is one key to reducing the risk of an insider threat. You don't let employees have access to sensitive data that they don't need to have.
Jim: Privilege management is something you should do, but you should reinforce why it's done. And if you don't do random audits [of activity] — you don't have to look through all of your logs — but you have to let people know there's a chance they're going to get caught. You have to do random audits. Take a day once a month and go through and ask questions: Why were you there? Is that really part of your job? Why would you be doing that? People assume because IT can't do everything they can do as much as they can. Build in your culture that people know they could be held accountable.
… You have to watch for the signs of [bad] behavior. This report also gives a good Insider Kill Chain. Before people steal data they're going to do some things: Reconnaissance [to find sensitive data], Circumvention [of security rules]. People accumulating a lot of data on their machines. Why are you accumulating all this data? Especially if you're expected to store on a [corporate] server and you start storing locally. That's not good. You should have a great reason for that. Then there's Obfuscation: trying to hide what you're doing.
Howard: In summary, what can IT departments do to help reduce the odds of a successful insider attack?
Jim: One thing we can do is have frank conversations [with employees and executives], a lot of training, explain the reasons for our rules, have a least access privilege [policy] and defend that, and test backups. And again, lead by example: If we [as IT pros] have got rules, make sure we obey them, too.