By bagging a privileged user early on, attackers can move from entry point to mission accomplished in no time at all.
In the world of cybersecurity, there are two wildly different approaches to phishing.
The first, which we subscribe to, recognizes the threat posed to organizations by phishing attacks, and seeks to defend against it by both educating employees and tightening internal controls. In those cases where a phishing attack is successful, our camp aims to eliminate the threat as quickly as possible, and then learn from it.
The second approach is quite different.
There are those within the cybersecurity world who believe that since it is impossible to completely prevent employees from being suckered by phishing emails, there’s no point in even trying to educate them. The theory goes that defending against any form of cyber attack (including phishing) is the responsibility of your information security team. Employees are simply too busy, and too ignorant, to be involved in the process.
I believe this is a mistake, and I’ll explain why.
Understanding your attacker
Whatever your approach to cyber security, it makes sense to start with an understanding of the people you’re trying to protect.
The Verizon 2016 Data Breach Investigations Report (DBIR) is a tremendous resource for this sort of research; it immediately informs us that external attackers cause the majority of breaches. The insider threat is certainly a concern, but statistically you’re far, far more likely to be breached by an external actor.
The report also explains that although you’ll need to defend against many different attack methods (malware, social engineering, hacking, etc.), most attacks fall into two categories: point of sale (PoS) intrusions and phishing. Unsurprisingly, our main focus is on the various threats posed by phishing attacks. But perhaps most important of all, the report provides an insight directly into the mind of your attacker. Over the past 12 months there has been tremendous speculation as to the motives behind cyber attacks, with much being made of a few high-profile instances of state-sponsored cyber espionage.
But are governments and competitors really lining up to steal your secrets? Well… no.
In an overwhelming majority of cases, the motivation behind cyber attacks is financial reward. There is a huge black market, accessible through the Dark Web, where hackers can sell proprietary and payment data to the highest bidder. Typically this is a collection of large organized crime syndicates, many of which are based in countries with no extradition treaties.
Rest assured that there is big money in play here, and successful hackers get paid extremely well for their “work.”
So what does all this tell us? In short, it lets you know where to concentrate your cybersecurity efforts for maximum effect. If your organization does fall prey to an attack, it’s most likely to come in the form of a phishing email designed to grant access that can ultimately be used to steal saleable information.
The anatomy of a (successful) phishing attack
Now that we understand the methods and motivations of most attackers, it’s much easier to comprehend the format of a typical attack. Initially, the attacker needs an entry point. In most cases, this will be a phishing email that baits one of your employees into installing malicious software (malware) or giving away their login credentials (credential phishing, a form of social engineering).
Once the attacker has gained access to your network, they’ll try to move laterally to expand their access and level of control. This could include stealing internal information to craft further targeted phishing attacks (spear phishing), identifying exploitable vulnerabilities, and/or stealing higher-value credentials.
Finally, once they have the required level of access, your attacker can enact their primary mission: to steal and sell your data.
Going after the big phish
As you’ve no doubt gathered, your attackers’ job will be much easier if they can successfully phish someone with a high level of access. Rather than spending time gradually increasing their permissions and control, by bagging a privileged user early on they can move from entry point to mission accomplished in no time at all. This tactic is known as whale phishing, or “whaling,” and it can spell disaster for your organization. Clearly, this is not what you want to happen.
Every phishing attack relies, at some point, on suckering an employee into clicking on something they shouldn’t. The information security team can play a huge part in preventing this: many phishing emails can be kept out of employees’ inboxes by well-maintained filters, and more can be foiled by tight security controls.
But what about your privileged users: directors, executives and system admins, who usually have a high level of access? What if they’re targeted by spear phishing or whaling attacks?
Access controls on your whales
I know it’s tempting to overestimate access requirements, but it’s important to consider how much access these people really need. Nobody wants the finance director to fly off the handle because he can’t run a report, but in reality he probably doesn’t need read/write access to every area of the network.
Regardless of your approach to dealing with the threat of phishing attacks, tightening internal controls such as user access levels is hugely important, and can spell the difference between a narrow escape and a crushing data breach. Most users do not need to be able to install programs or access sensitive data, and if for some reason they do, they can always be granted specific access on a case-by-case basis.
Controls aren’t enough
It’s true that you can’t rely 100% on your employees to report and delete phishing emails, but you also can’t rely 100% on your security controls. Like it or not, some phishing emails are going to end up in the inboxes of privileged users, and it’s going to come down to them to determine whether that attack is successful. If you can engage and train your employees to recognize and report phishing emails, you’re adding a vital last line of defense that otherwise wouldn’t be there.
At the end of the day, it’s a choice between a reported phishing email and a successfully installed malware package. I know which side I’m standing on.
Brian Krebs, JUL 16, 2016
Most organizations only grow in security maturity the hard way — that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization’s overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.
If you’re unsure how much of your organization’s strategic assets may be intimately tied up with all this technology stuff, ask yourself what would be of special worth to a network intruder. Here’s a look at some of the key corporate assets that may be of interest and value to modern bad guys.
This isn’t meant to be an exhaustive list; I’m sure we can all think of other examples, and perhaps if I receive enough suggestions from readers I’ll update this graphic. But the point is that whatever paltry monetary value the cybercrime underground may assign to these stolen assets individually, they’re each likely worth far more to the victimized company — if indeed a price can be placed on them at all.
In years past, most traditional, financially-oriented cybercrime was opportunistic: That is, the bad guys tended to focus on getting in quickly, grabbing all the data that they knew how to easily monetize, and then perhaps leaving behind malware on the hacked systems that abused them for spam distribution.
These days, an opportunistic, mass-mailed malware infection can quickly and easily morph into a much more serious and sustained problem for the victim organization (just ask Target). This is partly because many of the criminals who run large spam crime machines responsible for pumping out the latest malware threats have grown more adept at mining and harvesting stolen data.
That data mining process involves harvesting and stealthily testing interesting and potentially useful usernames and passwords stolen from victim systems. Today’s more clueful cybercrooks understand that if they can identify compromised systems inside organizations that may be sought-after targets of organized cybercrime groups, those groups might be willing to pay handsomely for such ready-made access.
It’s also never been easier for disgruntled employees to sell access to their employer’s systems or data, thanks to the proliferation of open and anonymous cybercrime forums on the Dark Web that serve as a bustling marketplace for such commerce. In addition, the past few years have seen the emergence of several very secretive crime forums wherein members routinely solicited bids regarding names of people at targeted corporations that could serve as insiders, as well as lists of people who might be susceptible to being recruited or extorted.
The sad truth is that far too many organizations spend only what they have to on security, which is often just enough to meet some compliance obligation, such as HIPAA for protecting healthcare records or PCI DSS for handling credit card data. However, real and effective security goes beyond compliance: it means rapidly detecting and responding to intrusions, and constantly doing the gap analysis that identifies and shores up your organization’s weak spots before the bad guys can exploit them.
Those weak spots may very well be your users, by the way. A number of security professionals I know and respect claim that security awareness training for employees doesn’t move the needle much. These naysayers note that there will always be employees who click on suspicious links and open email attachments no matter how much training they receive. While this is generally true, such security training and evaluation at least gives the employer a better sense of which employees may need closer monitoring on the job and perhaps additional computer and network restrictions.
If you help run an organization, consider whether the leadership is investing enough to secure everything that’s riding on top of all that technology powering your mission: Chances are there’s a great deal more at stake than you realize.
Organizational leaders in search of a clue about how to increase both their security maturity and the resiliency of all their precious technology stuff could do far worse than to start with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), the federal agency that works with industry to develop and apply technology, measurements, and standards. This primer (PDF) from PWC does a good job of explaining why the NIST Framework may be worth a closer look.
By Katie Rogers, June 22, 2016
Mark Zuckerberg is one of the most powerful men in the world because billions of people give Facebook, which he founded, free access to their personal data. In return, users receive carefully curated snapshots of his life: baby photos, mundane office tours and the occasional 5K.
On Tuesday, observers were reminded that Mr. Zuckerberg, 32, is not just a normal guy who enjoys running and quiet dinners with friends. In a photo posted to his Facebook account, he celebrated the growing user base of Instagram, which is owned by Facebook. An eagle-eyed Twitter user named Chris Olson noticed that in the image’s background, his laptop camera and microphone jack appeared to be covered with tape.
Other publications, including Gizmodo, used the tweet to raise the question: Was this paranoia, or just good practice?
The taped-over camera and microphone jack are usually a signal that someone is concerned, perhaps only vaguely, about hackers’ gaining access to his or her devices by using remote-access trojans — a process called “ratting.” (Remote access is not limited to ratters: According to a cache of National Security Agency documents leaked by Edward J. Snowden, at least two government-designed programs were devised to take over computer cameras and microphones.)
Security experts supported the taping, for a few good reasons:
- The first is that Mr. Zuckerberg is a high-value target.
“I think Zuckerberg is sensible to take these precautions,” Graham Cluley, an online security expert and consultant, wrote in an email Wednesday. “As well as intelligence agencies and conventional online criminals who might be interested in targeting his billions, there are no doubt plenty of mischievous hackers who would find it amusing to spy upon such a high-profile figure.”
- The second is that covering photo, video and audio portals has long been a basic and cheap security safeguard.
“Covering the camera is a very common security measure,” Lysa Myers, a security researcher at the data security firm ESET, said in an email. “If you were to walk around a security conference, you would have an easier time counting devices that don’t have something over the camera.”
- Third, Mr. Zuckerberg is not immune to security breaches.
A recent hacking of his Twitter and LinkedIn accounts shows that he most likely committed two basic security lapses: he may have reused the same password across several websites, and he did not use two-factor authentication.
Judging from his photo, however, it appears that Mr. Zuckerberg was taking simple precautions against anyone who might try to gain remote access. The technique is fairly simple: hackers trick people into clicking on links or visiting unfamiliar websites that deliver malware, which then gives the attacker access to the device.
Mr. Zuckerberg is not the only high-profile case: James Comey, the director of the F.B.I., told students at Kenyon College in April that he also puts tape over his computer’s webcam, for surprisingly simple reasons, according to NPR:
“I saw something in the news, so I copied it,” Mr. Comey said. “I put a piece of tape — I have obviously a laptop, personal laptop — I put a piece of tape over the camera. Because I saw somebody smarter than I am had a piece of tape over their camera.”
People who are not billionaires or high-ranking government officials are not without risk, said Stephen Cobb, a senior security researcher at ESET.
“For people who are not C.E.O.s, the threat is people scanning the internet for accessible webcams for a range of motives, from voyeurism to extortion,” Mr. Cobb wrote in an email.
Experts don’t have a good estimate for how often such attacks occur, but according to a 2015 report released by the nonprofit Digital Citizens Alliance, the practice is a growing problem for consumers, especially young women. The report also said that trojans account for some 70 percent of all malware.
“They’ve been one of the most popular types of malware on every operating system, for quite a long time,” Ms. Myers, of ESET, said. “The best ways to protect against them are to update all your software on your machine regularly, and use reputable security software, including anti-malware and a firewall.”
June 21, 2016
A number of users are experiencing problems during logging into GoToMyPC because Citrix reset account passwords after hackers reportedly attacked it.
It’s official: the GoToMyPC service operated by Citrix is the latest victim of the hackers.
GoToMyPC is remote desktop software that allows users to access and control their computers remotely using a simple web browser.
The advisory gives no details of the attack, describing it only as a “very sophisticated password attack.”
The open question is whether the attackers breached GoToMyPC’s servers or simply replayed passwords leaked from other breaches, exploiting users’ habit of reusing the same credentials across services (credential stuffing).
The company is still investigating. In the meantime, change the password on every other service where you used the same credentials.
The incident recalls the recent TeamViewer case, in which many users reported that their systems had been accessed by attackers through the popular support tool, while the company denied any incident.
GoToMyPC is urging customers to enable two-step verification to improve the security of their accounts.
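The distinction drawn above, between a server breach and attackers replaying reused passwords against many accounts, shows up clearly in an authentication log: one source address trying many different usernames with a low success rate. The Python script below is an added example, not code from Citrix or from the article, that scores such a log. The log line format, the sample entries and the two thresholds are constructed assumptions for illustration, not GoToMyPC's real format or tuning.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Assumed log format, one authentication attempt per line (constructed for this example):
#   2016-06-20T02:14:07Z ip=203.0.113.7 user=alice result=FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Assumed thresholds; tune to the service's normal traffic.
MIN_DISTINCT_USERS = 10   # one source touching this many accounts is not a typo
MAX_SUCCESS_RATE = 0.2    # leaked passwords mostly fail; a legitimate user mostly succeeds


def parse_line(line: str) -> dict[str, str] | None:
    """Return the fields of one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines) -> dict:
    """Group attempts by source address and flag sources that look like credential stuffing.

    Returns {"sources": {ip: stats}, "stuffing_sources": [ip, ...], "accounts_at_risk": {user, ...}}.
    """
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set(), "ok_users": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; in production, count and review these too
        s = stats[rec["ip"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        if rec["result"] == "OK":
            s["successes"] += 1
            s["ok_users"].add(rec["user"])

    flagged = []
    for ip, s in stats.items():
        success_rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= MIN_DISTINCT_USERS and success_rate <= MAX_SUCCESS_RATE:
            flagged.append(ip)

    # Any account that authenticated successfully from a flagged source is presumed
    # compromised: the attacker evidently held a valid (reused) password for it.
    at_risk: set[str] = set()
    for ip in flagged:
        at_risk |= stats[ip]["ok_users"]
    return {"sources": dict(stats), "stuffing_sources": sorted(flagged), "accounts_at_risk": at_risk}


def _constructed_log() -> list[str]:
    """Sample data built for this example; not real GoToMyPC logs."""
    lines = [
        "2016-06-20T02:10:01Z ip=198.51.100.5 user=bob result=FAIL",  # bob mistypes once
        "2016-06-20T02:10:09Z ip=198.51.100.5 user=bob result=OK",
    ]
    # One source replaying a leaked credential list against 30 different accounts;
    # only the two users who reused their password elsewhere let it in.
    for i in range(30):
        result = "OK" if i in (4, 17) else "FAIL"
        lines.append(f"2016-06-20T02:14:{i:02d}Z ip=203.0.113.7 user=user{i:02d} result={result}")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("credential stuffing from:", report["stuffing_sources"])
    print("accounts to reset:", sorted(report["accounts_at_risk"]))
```

A brute-force attack on a single account is the mirror image (one user, many attempts) and needs its own rule, and a stuffing campaign spread across many source addresses will slip past this per-IP grouping; the point here is that a "password attack" of this kind leaves a recognizable shape in logs you already have. Accounts that succeeded from a flagged source should be reset and their owners told to stop reusing that password, which is in effect what Citrix did for everyone.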
To learn more about the File Sync and Share Program that you may wish to use to replace accessing your computer remotely, contact us at 518-479-3881.
By Jeff Goldman | Posted May 06, 2016
According to the results of a recent survey of 221 IT practitioners, managers, directors and executives in North America, 50 percent of respondents said their organizations are less vulnerable now than they were a year ago, compared to just 12 percent who said they’re more vulnerable.
When asked why they’re less vulnerable, the top five reasons provided were as follows:
- Adoption of intrusion detection and prevention systems
- Introduction or expanded use of data encryption
- Improved patch management
- Implementation of log analysis, such as SIEM tools
- Improved or increased security training for employees
The survey, conducted by Penton Research for SolarWinds, also found that 30 percent of respondents experienced fewer IT security incidents in 2015, versus 20 percent who experienced more.
Thirty-six percent of respondents said the time it took for them to respond to a threat decreased in 2015, versus 28 percent who said it increased.
Many respondents said it takes just minutes for their organizations to detect threats, including SQL injection attacks (47 percent), exploitation of known vulnerabilities (50 percent), misuse or abuse of credentials (47 percent), rogue network devices (52 percent), and security policy violations (47 percent).
Fully 55 percent of IT professionals surveyed said their organizations didn’t experience any security breaches at all in 2015, compared to 29 percent who did.
“Given the heightened international media attention on IT security breaches, it was a pleasant surprise to see that 55 percent of respondents did not experience any security breaches in 2015, and only 24 percent believe a security breach is likely in 2016,” Dr. Kristin Letourneau, director of research at Penton, said in a statement.
“The survey data seems to reflect a shifting focus from fear of cyberattack to the implementation, maintenance and refinement of established and effective security systems,” Letourneau added.
Still, a separate survey of 209 respondents, conducted by Osterman Research for DB Networks, found that only 19 percent of organizations surveyed have “excellent” visibility into their data and database assets.
Thirty-eight percent don’t have the mechanisms and controls in place to continuously monitor their organization’s databases in real time.
Fully 59 percent of organizations lack a high degree of certainty about which applications, users and clients are accessing their databases, and 47 percent don’t have anyone responsible for overseeing the security of their databases.
Just 20 percent of organizations conduct database activity assessments on a more or less continuous basis. More than half of respondents do so only once per quarter or less, and 6 percent never conduct such assessments.
“We’ve long suspected organizations lack the necessary tools and staff for proper database security,” DB Networks chairman and CEO Brett Helm said in a statement. “This study finally revealed why organizations’ data has become so vulnerable to attack. Simply assigning responsibility for database security and equipping them with continuous and real-time visibility into their databases would be an important first step for any organization.”
DeMarco Morgan, CBS News
Hackers are using ransomware to target everyone, from consumers to businesses big and small, to municipalities, and the payoff is huge.
Plainfield, New Jersey, a town of roughly 50,000 people, fell victim to hackers and is still working to get its files back, reports CBS News correspondent DeMarco Morgan.
Mayor Adrian Mapp said hackers infiltrated their computer systems when an employee clicked on an infected link. City officials scrambled to pull servers offline, but three were compromised, leaving emails and other city files inaccessible.
“We have about 10 years of documents that we are not able to access,” the mayor said.
The hijackers held the files for ransom, demanding roughly 650 euros, paid in bitcoin. Mapp sought assistance from law enforcement but has been unable to regain access.
“It’s a very serious problem that cries out for a solution and we don’t have it at the local level,” Mapp said.
“Everyone should be concerned. It’s the number one problem facing the computer security industry and it’s very, very difficult to solve,” said Ryan Naraine, director at cybersecurity firm Kaspersky Lab. Naraine said the malware gets into people’s computers, often with a simple click.
“They prey on people’s willingness to click on the latest viral videos, they prey on people’s willingness to click on Facebook links, they are even sending spam in addition to emails through Twitter,” Naraine said.
Once a computer is infected, the ransomware encrypts its files, or locks the user out entirely, until the victim pays for the key. Naraine demonstrated how it works.
“I have a music file and like many people, I have photos, often family photos,” Naraine said. “The ransomware is communicating with a server. The server is sending instructions here to start encrypting all these files.”
In just minutes, the ransomware takes hold and the computer is compromised.
“The machine is now ransomed — this machine is now part of the ransomware attack,” Naraine said. “If I try to look at all my photos from my last family vacation, you try to open, it’s nothing. It’s garbage. Imagine an average business — not only on this computer but encrypting every computer within this a network at the same time.”
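What Naraine's demonstration shows, files turning to "garbage" within minutes, is also what a defender can watch for. The Python below is an added example, not the Kaspersky demo or any product's code: it compares two snapshots of a directory and flags files whose format signature vanished, whose entropy jumped to near-random, or which reappeared with an extra extension. The snapshots, the magic-number table and the thresholds are constructed for illustration; nothing is actually encrypted, deterministic random bytes stand in for ciphertext.

```python
from __future__ import annotations

import math
import random
from collections import Counter

# Leading bytes of common user-data formats (illustrative table; extend as needed).
# Ciphertext written over a file destroys its signature, which is why the
# vacation photos in the demo open as garbage.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF",),
    ".mp3": (b"ID3",),
    ".docx": (b"PK\x03\x04",),
}

# Assumed thresholds for the entropy rule; tune per environment.
HIGH_ENTROPY = 7.5    # bits per byte; 8.0 is perfectly random
ENTROPY_JUMP = 1.0    # rise relative to the previous snapshot of the same file
MIN_SIZE = 128        # entropy of very small files is too noisy to judge
MASS_RATIO = 0.25     # fraction of files hit before we call it ransomware


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_expected_magic(name: str, data: bytes) -> bool:
    """True if the file starts with a known signature for its extension (or the extension is unknown)."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    sigs = MAGIC.get(ext)
    if sigs is None:
        return True  # nothing to compare against
    return any(data.startswith(s) for s in sigs)


def classify_change(name: str, before: bytes, after: bytes) -> str | None:
    """Explain why an in-place rewrite looks like encryption, or None if it looks benign."""
    if before == after:
        return None
    if has_expected_magic(name, before) and not has_expected_magic(name, after):
        return "file signature destroyed"
    # Compressed media is already near-random, so entropy alone only counts
    # when it clearly rose compared with the previous snapshot.
    if len(after) >= MIN_SIZE:
        e_before, e_after = shannon_entropy(before), shannon_entropy(after)
        if e_after >= HIGH_ENTROPY and e_after - e_before >= ENTROPY_JUMP:
            return f"entropy rose {e_before:.2f} -> {e_after:.2f} bits/byte"
    return None


def scan_snapshots(before: dict[str, bytes], after: dict[str, bytes]) -> dict[str, str]:
    """Compare two snapshots (path -> content) and return {path: reason} for suspected encryption."""
    alerts: dict[str, str] = {}
    for name, old in before.items():
        if name in after:
            reason = classify_change(name, old, after[name])
        else:
            # Many families write the ciphertext to "<name>.<ext>" and delete the original.
            renamed = [n for n in after if n.startswith(name + ".")]
            reason = f"renamed to {renamed[0]}" if renamed else None  # plain deletion is not judged here
        if reason:
            alerts[name] = reason
    return alerts


def mass_encryption_suspected(alerts: dict[str, str], total_files: int) -> bool:
    """One damaged file is a curiosity; a quarter of the share at once is an incident."""
    return total_files > 0 and len(alerts) / total_files >= MASS_RATIO


# ---- constructed sample snapshots (nothing here is real data or real ciphertext) ----
_rng = random.Random(2016)


def _noise(n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext."""
    return bytes(_rng.getrandbits(8) for _ in range(n))


BEFORE = {
    "photos/IMG_0412.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + _noise(1024),
    "music/track01.mp3": b"ID3\x03\x00" + _noise(1024),
    "docs/report.txt": b"Q1 revenue grew 4% on flat costs.\n" * 40,
    "docs/notes.txt": b"call dentist\nbuy milk\n",
}
AFTER = {
    "photos/IMG_0412.jpg": _noise(len(BEFORE["photos/IMG_0412.jpg"])),
    "music/track01.mp3": _noise(len(BEFORE["music/track01.mp3"])),
    "docs/report.txt.locked": _noise(len(BEFORE["docs/report.txt"])),
    "docs/notes.txt": BEFORE["docs/notes.txt"],
    "HELP_DECRYPT.txt": b"Your files have been encrypted. Pay in bitcoin to receive the key.",
}

if __name__ == "__main__":
    found = scan_snapshots(BEFORE, AFTER)
    for path, why in found.items():
        print(f"{path}: {why}")
    print("mass encryption suspected:", mass_encryption_suspected(found, len(BEFORE)))
```

The signature check comes first because photos and music are already close to 8 bits per byte; an entropy-only rule would either miss them or fire on every JPEG. On a file server the same logic runs over a canary directory or the audit log of writes, and the useful reaction is to cut the offending host off the share, since by the time the alert fires the machine is, as Naraine puts it, already "part of the ransomware attack".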
Besides a string of hospitals, the village of Ilion, New York, paid hundreds of dollars in ransom in 2014, and the police department in Melrose, Massachusetts, paid nearly $500 to get back online.
“We are seeing an uptick in this type of activity,” said Ari Mahairis, who heads the FBI’s New York cyber division. “One of the reasons that our numbers are growing is because of the idea that people are paying the ransoms.”
In 2014, the FBI received over 1,800 complaints about ransomware, an estimated loss of more than $23 million. In 2015, the bureau received over 2,400 complaints, and victims lost over $24 million.
“These are just the cases that are being reported. We suspect there are many more out there that haven’t,” Mahairis said.
The ransom demands are often relatively small — hundreds to a few thousand dollars — but the loss to an individual or business can be huge. “It’s a very, very helpless feeling to open your computer and you don’t have your computer anymore,” Naraine said.
Naraine urges users to “back up” information for protection.
“Good user habits, common sense, backups and patching. With those basic things in place, I think you can minimize your exposure,” Naraine said.
A type of malware that holds a user’s computer files hostage has claimed at least a million victims, ranging from individuals to small businesses to, in at least one case, a local sheriff’s department. Security experts say hackers have been using CryptoWall, a family of “ransomware” programs that “lock up” files on a computer, to extort money from computer owners. The Dickson County, Tennessee, sheriff’s office recently paid $622 in bitcoin to hackers who had encrypted the department’s criminal case files, making them inaccessible to investigators.
The sheriff’s office had no choice but to pay the ransom to get back access to its files, said Detective Jeff McCliss. “It really came down to a choice between losing all of that data and being unable to provide the vital services that that data would’ve assisted us in providing the community versus spending 600-and-some-odd dollars to retrieve the data,” McCliss told NBC Nightly News. The department was lucky; it got back access to its digital data.
McCliss said he has since heard from other branches of city and county governments that have been victimized by CryptoWall. “There are a lot of other law enforcement agencies out there that have been affected by this sort of thing and specifically with this malware, that don’t want their names out there,” he said.
Another CryptoWall victim, psychotherapist Valerie Goss, took a different approach when she suddenly discovered that her computer files, including vital client information and tax documents, had been encrypted by hackers who gave her 24 hours to pay a $500 ransom. “I was frantic, you know. I felt like I had a limited amount of time to make a really tough decision,” she told NBC Nightly News. Afraid she still might not get her files back, Goss ultimately decided not to pay. She instead bought a new computer and spent about a month trying to restore all the information she lost.
Experts say Goss did the right thing and that victims should never pay computer hackers’ ransom demands.
“Absolutely not. You are likely never to get your files back,” said Kevin Haley, director of Symantec’s Security Response. “On the positive side, if none of us paid the ransom, these guys would go out of business.”
So what’s a computer user to do to minimize the risk of becoming a victim of ransomware?
- Keep your software, including your security software, up to date.
- Don’t click on links in unrecognized emails or visit unfamiliar websites.
- Back up your files, then disconnect the external hard drives.
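The last item above is the one that actually gets files back, but a backup only helps if it was not itself encrypted while the drive was still plugged in, and the time to find that out is before you need it. This added Python example (not from the article or from any backup product) records a SHA-256 manifest when the backup is written and checks the backup against it before relying on it. The file names and contents are constructed stand-ins, loosely modelled on the therapist's situation described above.

```python
from __future__ import annotations

import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Record path -> SHA-256 for every file at the moment the backup is written."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def manifest_to_json(manifest: dict[str, str]) -> str:
    """Serialize for storage; keep a copy somewhere the backup drive's fate cannot touch."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def verify_backup(manifest: dict[str, str], backup: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare a backup set against its manifest.

    'altered' is the interesting bucket: a file that hashes differently from
    when it was written has been changed after the fact, which is exactly what
    ransomware does to a drive that was left connected.
    """
    report: dict[str, list[str]] = {"ok": [], "altered": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in backup:
            report["missing"].append(path)
        elif sha256_hex(backup[path]) != expected:
            report["altered"].append(path)
        else:
            report["ok"].append(path)
    report["unexpected"] = sorted(set(backup) - set(manifest))
    return report


def restorable(report: dict[str, list[str]]) -> bool:
    """Only a backup with every manifest entry intact can be trusted for a restore."""
    return not report["altered"] and not report["missing"]


# ---- constructed sample data ----
SOURCE = {
    "clients/intake_forms.pdf": b"%PDF-1.4 ... (constructed stand-in for a real document)",
    "taxes/2015_return.pdf": b"%PDF-1.4 ... (constructed stand-in)",
    "notes/session_log.txt": b"2016-03-02 routine follow-up\n",
}
MANIFEST = build_manifest(SOURCE)

# Scenario A: the drive was unplugged after the copy, so the backup is byte-for-byte intact.
BACKUP_OFFLINE = dict(SOURCE)

# Scenario B: the drive stayed connected and the ransomware encrypted it too. Arbitrary bytes
# stand in for ciphertext; one file was renamed with a new extension and a ransom note appeared.
BACKUP_HIT = {
    "clients/intake_forms.pdf": bytes.fromhex("9f3a1c7be204d6f1a8b5c3e0"),
    "taxes/2015_return.pdf.locked": bytes.fromhex("44a09b1e7cd3f5a2"),
    "notes/session_log.txt": bytes.fromhex("0c8e2f71b3d4a6e5f9a1"),
    "HELP_DECRYPT.txt": b"pay 1 BTC for the key",
}

if __name__ == "__main__":
    for label, backup in (("offline drive", BACKUP_OFFLINE), ("drive left connected", BACKUP_HIT)):
        rep = verify_backup(MANIFEST, backup)
        print(f"{label}: restorable={restorable(rep)} altered={rep['altered']} missing={rep['missing']}")
```

Store the manifest (or at least its own hash) apart from the drive, in a separate account or on paper; if the manifest sits on the drive and gets encrypted along with everything else, verification fails loudly, which is still the right answer. Run the check before every restore, and periodically test-restore a sample, because a backup that has never been restored is an assumption rather than a plan.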
by Joe Fryer and James Eng
Three U.S. hospitals were hit hard this week by “ransomware” attacks that brought down their systems — the latest providers of medical care to be targeted in this way.
The servers for Chino Valley Medical Center and Desert Valley Hospital, both in California, were running normally again by Wednesday after the attack.
Ransomware is a strain of malware that encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.
“The malware disruption did not impact patient safety or compromise patient records, staff records or patient care,” said Fred Ortega, a spokesperson for Prime Healthcare Management, which represents both Chino Valley and Desert Valley.
The state’s Department of Public Health as well as federal law enforcement agencies are coordinating an investigation into the malware attack. As of Wednesday, most systems had been brought back online, Ortega said.
A third hospital, Methodist Hospital in Kentucky, also fell victim to a ransomware attack this week, reported cybersecurity journalist Brian Krebs. The hospital’s information systems director told Krebs that a type of ransomware called “Locky” was to blame. The hospital did not immediately return calls from NBC News.
According to Symantec, the ransomware program Locky spreads through spam email campaigns, many of which are disguised as invoices.
“Word documents containing a malicious macro are attached to these emails. If this macro is allowed to run, it will install Locky onto the victim’s computer,” according to Symantec.
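Symantec's description above gives the mail gateway a concrete thing to check: an attached Word document that carries a VBA project. The Python below is an added example, not Symantec's or any hospital's tooling. Modern Word files are ZIP packages, and a macro project lives in a `word/vbaProject.bin` part that is also declared in `[Content_Types].xml`; the script builds two constructed sample "invoices" in memory, one clean and one macro-enabled, and checks for those markers. Legacy binary `.doc` files use a different container (OLE2) and are only recognised, not parsed, here.

```python
from __future__ import annotations

import io
import zipfile

# Where Office keeps a VBA project inside an OOXML package (Word, Excel, PowerPoint).
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
OOXML_MAGIC = b"PK\x03\x04"       # OOXML documents are ZIP archives
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"  # legacy .doc/.xls container, not parsed here


def find_macro_indicators(data: bytes) -> list[str]:
    """Return the reasons an attachment looks macro-enabled; an empty list means none found."""
    findings: list[str] = []
    if data.startswith(OLE2_MAGIC):
        findings.append("legacy OLE2 document: inspect with an OLE parser (out of scope here)")
        return findings
    if not data.startswith(OOXML_MAGIC):
        return findings  # not an Office package at all
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            for part in sorted(VBA_PARTS & names):
                findings.append(f"VBA project part present: {part}")
            if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                findings.append("content types declare a VBA project")
    except zipfile.BadZipFile:
        findings.append("corrupt ZIP container")
    return findings


def quarantine_decision(filename: str, data: bytes) -> tuple[bool, list[str]]:
    """Block any attachment that carries a VBA project, whatever its extension claims."""
    findings = find_macro_indicators(data)
    if findings and filename.lower().endswith((".docx", ".xlsx", ".pptx")):
        # A macro-free extension on a package that contains macros means someone renamed it.
        findings.append("extension hides macro-enabled content")
    return (bool(findings), findings)


# ---- constructed sample documents, built in memory ----
def build_package(parts: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


_CT_HEAD = b'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
_CT_TAIL = b"</Types>"

CLEAN_INVOICE = build_package({
    "[Content_Types].xml": _CT_HEAD
        + b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        + _CT_TAIL,
    "word/document.xml": b"<w:document>Invoice #1042, total due $318.00</w:document>",
})

MACRO_INVOICE = build_package({
    "[Content_Types].xml": _CT_HEAD
        + b'<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        + b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        + _CT_TAIL,
    "word/document.xml": b"<w:document>Enable editing to view this invoice</w:document>",
    "word/vbaProject.bin": OLE2_MAGIC + b"\x00" * 28,  # a VBA project is itself an OLE2 blob
})

if __name__ == "__main__":
    for name, blob in (("invoice.docx", CLEAN_INVOICE), ("invoice.docm", MACRO_INVOICE), ("invoice.docx", MACRO_INVOICE)):
        blocked, why = quarantine_decision(name, blob)
        print(name, "BLOCK" if blocked else "allow", why)
```

The check inspects the package rather than trusting the extension: a `.docx` that contains a VBA part will not run macros in Word, but the mismatch itself indicates tampering. Blocking macro-bearing attachments from outside the organization at the gateway, and disabling macros in documents from the internet via Office policy, removes the step that the Locky campaign depends on ("if this macro is allowed to run").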
In February, a Los Angeles hospital forked over $17,000 to hackers who had taken out its computer network.
by Connor Mannion
This is the time of year that we all tend to clean things out, spruce things up and get ready for the months ahead. While we all concentrate on our closets, garages, and gardens, are you looking at your computers?
There’s an annual check-up for your automobile’s health, one for your physical health, and one for your pet’s health. Why don’t we schedule a check-up for the item that we probably spend more time with than we do our cars or our pets (very sad to say!).
Your home and work computers, tablet, and smartphones are probably the first things you turn on every day and the last things you turn off. We just assume that they will be there when we need them. But can you remember the last time you had an issue with one of these devices and didn’t have access for hours, or maybe a day? It seems like our entire life is thrown off balance. In a work setting, hours of time are lost, most often resulting in lost revenue.
Scheduling an annual review of your business computer systems just makes sense. For those of you not using an automated managed services platform, are you certain that all of your employees are performing updates as they should, or are you on top of those for your servers? When did you actually buy that server that runs your company every day? Might it be time for an upgrade before it dies in the middle of a work day?
You’ve probably been using the same technology to manage your emails and your spam for some time now, but are you aware of more efficient and perhaps more cost effective ways to handle these? Are your employees accessing your work computers from home or on a tablet or smartphone? Are you aware of the new file sync and share services which are not only easy to use but increase productivity and security?
So, as we jump ahead to Spring you may want to meet with your business technology provider to review exactly what is running your business every day! Such a meeting can save time down the road, prevent lost productivity, and perhaps reduce your costs due to more efficiency.
Millennials are often believed to be the most tech-savvy employees within an organization, but a recent survey from Symantec shows that users under 35 are actually less concerned with security than previous generations.
These “digital natives” are sharing information online at an unprecedented rate, but without some of the safeguards used by their older counterparts. With this in mind, could your younger staff members pose a risk to your company’s online security?
The Facts
Symantec surveyed 1000 people, 500 of whom were under the age of 35.
The results of the survey show that among millennials:
72% don’t use security software on their devices (55% of those aged 55 and over)
52% don’t protect their home Wi-Fi password (40% of those aged 55 and over)
58% don’t run regular security updates (29% of those aged 55 and over)
48% don’t use complex passwords
A widely quoted estimate attributes some 95 percent of cyberattacks to human error, so these figures should concern employers. More and more millennials are accessing secure work files from their personal devices, or reusing passwords across a variety of platforms. These bad habits can be an easy way in for an attacker, seriously compromising your company’s online security.
Fixing the Problem
This mindset comes from a generation that has seen technological innovation at its finest, and as a result, millennials often incorrectly assume that their devices are protected. Employers must challenge this notion to correct the security problem among millennials.
To ensure that lax attitudes towards security don’t threaten your organization, you should thoroughly train each staff member that joins your team. You might cover:
- What’s appropriate to share on social media and with others online
- Which devices they can access work files from
- Correct password protocols
- Awareness of current scams and viruses
You should set up mandatory password requirements and automatic security updates for each workstation in your office, as well as for company-owned devices that your employees take home with them.
Keep these important policies front of mind with routine reminders and regular training sessions to update them on the ever-changing world of online security. Digital natives are confident in their technical abilities, as well as the built-in security of the devices they use. However, this confidence is often misplaced, and it can actually be harmful in a professional environment. Keep your company safe by reminding millennial employees of the importance of online security, both on social media and internally.
Article from Strategic Staffing/February 5, 2016