Friday, May 25, 2018

No Silver Bullet for the Cyber-wolves

The majority of individuals and businesses are sold a bill of goods when it comes to cyber security.  They hear marketing pitches for security software, appliances, and managed services, and are told that "this product" or "that service" will secure their business or their home computer, and at the end of the day it gives them a false sense of security.

While these products and services can help reduce your risk of a cyber incident, they are only a small piece of your overall security program.  There is no silver bullet that can keep hackers at bay.  To do this, you need to employ a Defense in Depth security program.  While this sounds like a daunting and expensive task, it can actually be done very inexpensively and with a few simple steps.

Risk Assessment - "If You Can't Measure It, You Can't Improve It." - Peter Drucker
The first step is to have a security risk assessment performed.  This informs you where your information security risks are, what controls you have in place, and what control gaps/weaknesses you need to shore up.

Policies, Plans & Procedures - "Those that fail to plan, plan to fail."  - Alan Lakein

  • Information Security Policy - This should cover, at a minimum, access control/user management, anti-virus, patching, password management, data classification and handling, use of encryption, remote access, change/configuration management, software acquisition/licensing, logging, and use policy.
  • Incident Response Plan - You need to have this before you have an incident.  Don't worry about trying to identify every single type of incident to deal with; just get it down to high-level impact, e.g. network outage, server outage, application outage, security breach, malware infection, etc.  Have written procedures on how your staff should respond to each of these types of incidents.
  • Business Continuity Plan - If there is an electrical outage, fire, or natural disaster you need to have a plan of action on how and where you will resume your business.  Also have all your employee, contractor, and vendor contact information in the plan.  Keep the plan in multiple locations, including a hard copy at your home.  If there is no power, your cloud or PC may not be accessible.  Do not get hung up on the type of disaster; focus on the fact that your office is not accessible, and the plan needs to answer the question "What do I do now to stay in business?".  Do a paper walk-through with your management team at least twice a year and update contact info.


Anti-Malware (Anti-Virus, End Point Control, Patching)
Having anti-virus and end point protection is not optional.  Make sure they are actively running, updated daily, scans are daily (off hours), and that only an Admin can disable or change the settings.  Also, no user on your business network should have Local Admin, and the IT guys should have an Admin account for doing things that require Admin access, and a non-Admin (normal user) account to surf the web and check e-mail.  Malware is most dangerous if it can execute using Admin privileges, and whoever clicks on it executes it with their own privileges.  Patching needs to be done promptly on operating systems, database management systems (MS SQL, MySQL, Oracle), and application software (Apache, Adobe, Office, etc.).

PC & Server Hardened Standard Image
Your PCs and servers require certain services to operate.  Over time, as you add software, more and more services are activated, and usually set to run at startup (when most do not need to).  Besides slowing down the machine and providing a poor user experience (takes forever to start up and to shut down), having unnecessary services running increases the attack surface for a hacker or malware.  You should have a standard image for your organization's PCs and servers in which you deactivate all non-essential services (daemons in the Unix/Linux world).  Also, remove all non-essential user accounts.  Most operating systems and applications come with Test or Guest accounts.  Either remove them or disable them.  If you have to keep any default accounts, then change the passwords and make them complex (10-14 characters, alpha-numeric, caps, and special symbols).  This is called hardening.  Once you have a hardened image, copy it, and that is what every machine in your organization gets as a baseline.  And since you are not letting your users have Local Admin, they will not be able to install software, which ensures that only approved, malware-free, and licensed software is running on your network.
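The three checks that section calls for (default accounts that can still log in, services enabled at startup that the baseline does not approve, and the stated password complexity rule) can be scripted so that every machine built from the image is verified the same way.  The script below is an added example, not tooling from this post; the passwd lines, the enabled-service list, the workstation baseline and the list of default account names are all constructed sample data and assumptions you would replace with your own.

```python
"""Baseline hardening audit (added example; not this post's own tooling).

Checks, against constructed sample data embedded below:
  1. default / test / guest accounts that still have a login shell,
  2. services enabled at startup that are not on the approved baseline,
  3. whether a password meets the post's stated complexity rule.
"""
import re

# Constructed sample: a few lines in /etc/passwd format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:Guest Account:/home/guest:/bin/bash
test:x:1002:1002:Test User:/home/test:/bin/sh
alice:x:1003:1003:Alice:/home/alice:/bin/bash
svc-backup:x:998:998:Backup Service:/var/backups:/usr/sbin/nologin
"""

# Assumption: names that commonly ship as defaults; extend for your own estate.
DEFAULT_ACCOUNT_NAMES = {"guest", "test", "demo", "admin", "user", "oracle", "postgres"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def find_risky_accounts(passwd_text):
    """Return default-named accounts that can still log in interactively."""
    risky = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # skip blank or malformed lines
            continue
        name, shell = fields[0], fields[6]
        if name in DEFAULT_ACCOUNT_NAMES and shell not in NOLOGIN_SHELLS:
            risky.append(name)
    return risky


# Constructed sample: services enabled at boot on a freshly built PC image.
SAMPLE_ENABLED_SERVICES = ["sshd", "cron", "cups", "avahi-daemon", "rpcbind", "rsyslog", "telnet"]

# Assumption: the approved baseline for a workstation role.
WORKSTATION_BASELINE = {"sshd", "cron", "rsyslog"}


def find_unneeded_services(enabled, baseline):
    """Services enabled at startup that the baseline does not approve.

    Each one is attack surface the machine does not need.
    """
    return sorted(set(enabled) - set(baseline))


def meets_policy(password):
    """The post's rule: 10-14 characters, letters and digits, caps, and a special symbol."""
    if not 10 <= len(password) <= 14:
        return False
    required = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return all(re.search(pattern, password) for pattern in required)


def audit():
    """Run the account and service checks and return the findings."""
    return {
        "risky_accounts": find_risky_accounts(SAMPLE_PASSWD),
        "unneeded_services": find_unneeded_services(SAMPLE_ENABLED_SERVICES, WORKSTATION_BASELINE),
    }


if __name__ == "__main__":
    for key, items in audit().items():
        print(f"{key}: {', '.join(items) if items else 'none'}")
    for pw in ("password", "Winter2018!!", "winter2018!!"):
        print(f"{pw!r} meets policy: {meets_policy(pw)}")
```

On a real Linux host the sample data would be replaced by the contents of `/etc/passwd` and the output of `systemctl list-unit-files --state=enabled`; the point of keeping the baseline as an explicit allow-list is that anything not on it is a finding by default, which is exactly the posture a hardened image should enforce.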

Network Security
You should have multiple layers of firewalls/routers/switches.  Keep these patched promptly too, and all default accounts and passwords need to be changed.  You should have some type of Intrusion Detection or reporting system in place to sift through the firewall logs and report the critical alerts, so you know if you are under attack and can follow your Incident Response Plan as noted above to prevent or stop an attack.
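"Sift through the firewall logs and report the critical alerts" is the part most small shops never get to, so here is what the minimum version of that looks like.  This is an added example, not a product or script from this post: it reads iptables-style syslog lines (the sample lines below are constructed, using the documentation IP ranges) and raises only three kinds of alert: one source probing many ports, repeated denied attempts against a management port, and any accepted inbound connection to a port the policy is not supposed to expose.  The thresholds, the management-port list and the published-port list are assumptions.

```python
"""Firewall log triage (added example; not an IDS or reporting tool from this post)."""
import re
from collections import defaultdict
from datetime import datetime

# One iptables-style kernel log line with the fields in the order shown.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>ACCEPT|DROP) "
    r"IN=(?P<iface>\S*) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)

MGMT_PORTS = {22, 3389}   # assumption: SSH and RDP are the management ports that matter here
EXPOSED_OK = {80, 443}    # assumption: only the web ports are published to the Internet
SCAN_PORTS = 5            # distinct ports dropped from one source in one minute
BRUTE_TRIES = 5           # drops against one management port from one source in one minute

# Constructed sample: a port sweep, an RDP brute-force burst, and one ACCEPT that should not exist.
SAMPLE_LOG = """\
Jan 12 03:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21
Jan 12 03:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22
Jan 12 03:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23
Jan 12 03:14:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25
Jan 12 03:14:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80
Jan 12 03:14:04 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443
Jan 12 03:14:05 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40007 DPT=3389
Jan 12 03:20:11 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=3389
Jan 12 03:20:12 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=3389
Jan 12 03:20:13 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=3389
Jan 12 03:20:14 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=3389
Jan 12 03:20:15 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=3389
Jan 12 09:00:00 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=443
Jan 12 09:05:00 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=53000 DPT=3389
"""


def parse(lines):
    """Turn matching log lines into dicts; unrelated syslog noise is skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        ts = datetime.strptime(d["ts"], "%b %d %H:%M:%S")   # syslog carries no year
        events.append({"minute": ts.replace(second=0), "action": d["action"],
                       "src": d["src"], "dpt": int(d["dpt"])})
    return events


def triage(lines):
    """Return (severity, rule, source, detail) tuples worth a human's attention."""
    alerts = []
    dropped_ports = defaultdict(set)   # (src, minute) -> distinct dropped ports
    mgmt_drops = defaultdict(int)      # (src, minute, port) -> denied attempts
    for e in parse(lines):
        key = (e["src"], e["minute"])
        if e["action"] == "DROP":
            dropped_ports[key].add(e["dpt"])
            if e["dpt"] in MGMT_PORTS:
                mgmt_drops[key + (e["dpt"],)] += 1
        elif e["dpt"] not in EXPOSED_OK:
            alerts.append(("CRITICAL", "exposed-port", e["src"],
                           f"accepted inbound connection to port {e['dpt']}"))
    for (src, _minute), ports in dropped_ports.items():
        if len(ports) >= SCAN_PORTS:
            alerts.append(("HIGH", "port-scan", src, f"{len(ports)} distinct ports dropped in one minute"))
    for (src, _minute, port), n in mgmt_drops.items():
        if n >= BRUTE_TRIES:
            alerts.append(("HIGH", "brute-force", src, f"{n} denied attempts on port {port} in one minute"))
    return alerts


if __name__ == "__main__":
    for severity, rule, src, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {rule} from {src}: {detail}")
```

The accepted RDP connection is the one to treat as critical: the drops tell you someone is knocking, but an ACCEPT on a port that is not supposed to be published means a firewall rule is wrong, and that is the finding that feeds straight into the Incident Response Plan.  Per-minute bucketing is a deliberate simplification; a sliding window catches bursts that straddle a minute boundary.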

Security Awareness Training
While listed last in this post, it is by far the most important low-cost security measure you can take.  Cyber criminals have figured out that it requires a lot of skill and hard work to hack your network.  It is much easier to trick your employees into giving them a userid and password, your customer/employee data, or wiring money out of your business bank account.  Your awareness program is not a once-a-year video or PowerPoint slide deck.  It needs to be ongoing and use a number of mechanisms to stay top of mind for your employees.  Monthly security tip e-mails, security posters in the break room, mock phishing exercises, having a security expert come in quarterly for live or web-based training, and having your IT or security team do monthly brown-bag lunch presentations will have a big impact on your employees' security awareness.

To sum it up, there is no silver bullet, and information security is not a menu to choose from.  You have to do all of these things, and more, to have a defense in depth security architecture.  You need to put up enough barriers to frustrate attackers, which will encourage them to leave your organization alone and go hack someone else...(hopefully your competitors who don't take my advice).



Friday, February 16, 2018

Gone Phishing

Phishing, or the act of trying to deceive folks into thinking you are someone else in the hopes of scamming either user credentials, data, or money out of them, is occurring at an alarming rate.  This is also becoming a delivery mechanism for ransomware.


Some popular ones over the last few weeks to be aware of:

DocuSign Document is waiting for you

UPS Quantum Shipment - About a recent attempt to deliver a package to your address.

accounting@<yourcompany>.com - An invoice or statement from a vendor that was sent to your company's accounting department.

"You have a fax message from RingCentral"

USPS HoldMail - The email is letting you know that your mail is on hold.

E-mails from your social media contacts whom you don't usually get emails from.

AppleID - A supposed receipt from Apple about some recent purchases you didn't make.

LinkedIn Connection Requests from fake LinkedIn profiles posing as if they worked at the same company as you at some point.   The tells are a low number of connections (under 50) and usually no profile photo.  Best practice is if you don't know them, don't connect with them.


Remember, if you are not expecting an e-mail, don't open it, and always be suspicious of attachments or links.  If you are not sure if it is legit or a scam, call the company from a verifiable phone number, don't click on anything in the e-mail.

Be secure!

Friday, February 2, 2018

You are Only as Secure as Your Service Provider

Many businesses recognize the need to handle sensitive customer and employee information in a secure manner.  They may be using encryption on their hard drives, masking data fields like credit card numbers and social security numbers, and using secure methods to send data to their service providers for processing.  Where most organizations fall short is their lack of due diligence in finding out if their service providers treat their data with the same level of care that they do.

In banking, the federal regulators mandate that banks must perform upfront vendor due diligence before contracting with a vendor who will be handling customer information, specifically NPI, or Non-Public Information.  This is credit/debit card information, social security numbers, dates of birth, driver's license or passport information, bank account information, and user login information such as userids, passwords, security questions, or PINs in combination with identifiable information such as customer name, address or phone number.

The bank regulations also require that the banks perform ongoing vendor monitoring, even to the extent of sub-contractors who may have access to the bank's sensitive data.

Businesses of all sizes need to hold their vendors accountable just as the large banks do.  As a small business you of course do not have the time or resources that a bank has to do vendor risk management to the same level.  But at a minimum, the following are some quick and easy tips to give you some comfort that your service provider is employing reasonable security measures regarding your data:

1. Ask for and read their Information Security Policy.  (And yes, you should have one too.)
2. Ask for and read their Data Backup Process as well as their Business Continuity Plan (BCP).  Make sure their backups are encrypted.  Is their BCP tested at least annually?  Can you get a progress report on the issues noted during the last BCP test?  If they don't have a BCP, then you need to make sure you can switch to a secondary provider in the event this vendor can't service your needs due to a business disruption.
3. Do they have either an employee or a contractor that is responsible for Information Security?  You should have a brief conversation with them to see if they are a knowledgeable security professional, or just a management person who was given the CISO title because someone needed to be listed to make it look good.  (Yes, this happens more than you know.)
4. Does the vendor have a network penetration test performed (at least annually) by an independent ethical hacking firm?  They may not want to provide you with the entire report, and that is fine, but they should be able to give you the Executive Summary, and a progress report on resolving any issues noted during the exercise that could affect the security of your data.
5. Insurance coverage (E&O and general liability).  Make sure you get an Evidence of Insurance certificate, and ensure that the coverage amount is adequate given your business and your data.
6. Make sure there is contract language that holds the vendor responsible for maintaining reasonable security practices regarding the storage, processing, and transmission of your data.  If possible, spell out what your definition of "reasonable" includes.*
7. Does the vendor have any type of third-party controls review performed, e.g. SOC1, SOC2, SOC3 or PCI?  If so, ask for a copy of the report and read it.
8. Does the vendor use encryption for the transmission and storage of your data?
9. Are user account entitlement reviews performed quarterly?
10. Do they have a Security Awareness Program in place to train their employees about good security practices?
11. Do they perform quarterly vulnerability scans of their computer environment?
12. How are you sharing data with the provider?  Is it a secure method?


*For item #6, this is a requirement by the Maryland Personal Information Protection Act.  So if you have any customers or employees that are Maryland residents, this new law (effective 1/1/18) mandates that you have security language in your service provider contracts if you are sharing customer or employee NPI.

For more details visit:
http://www.marylandattorneygeneral.gov/Pages/IdentityTheft/businessGL.aspx



Be Secure!



Thursday, January 18, 2018

Computer Kidnappers Are Charging a King's Ransom

Well, if data breaches and phishing weren't bad enough, an emerging cyber threat that came about early in 2016 is Ransomware.  A few months ago an episode of the TV show "Grey's Anatomy" had a Ransomware plot whereby the hacker locked out the staff from their access to the hospital computer systems and wouldn't return control unless a large ransom was paid.  The irony is that the writers of the show only had to be as creative in writing the script as doing a Google search on "Ransomware" to get all the material they needed to write the show's script.

Ransomware is in essence a computer virus that infects a computer network, but instead of disrupting or destroying software and data, it encrypts it, and only the hacker has the key to decrypt it.  If you want the key to get your computer(s) and data back you have to pay the hacker a ransom.

So the question on your mind right now is "How do I defend against this?".

Follow the tips below to reduce your risk of having to deal with Ransomware:

Defensive
  • Anti-Virus: Ensure you are running anti-virus software on all of your computers.  The anti-virus software needs to be set to automatically update the virus definition file (which should occur daily).  Ensure that Real-Time Protection is active and schedule a Full Scan daily.  Not having these settings makes your anti-virus only marginally effective.  This should be in addition to Windows Defender (formerly Windows Security Essentials).  This tip goes for Apple, Linux, and Unix computers too.  While there are not as many viruses written for these non-Microsoft operating systems, there are still some out there.  The small annual expense you pay is well worth it.
Preventative
  • Operating System Patching: For small businesses and home users running a Microsoft operating system we call it Windows Update.  This keeps your operating system up to date with the latest bug fixes, many of which have a security impact.  Windows Update should be set to update automatically on every computer you own (PCs, laptops, tablets, servers).  And then your computer (including servers) needs to be restarted after the update is done to have it fully installed.  Patching needs to be done on Apple, Linux, and Unix computers as well.  Also, if you are using VM instances (e.g. VMware or Hyper-V) make sure your virtual operating system instances are also patched, as well as the physical machine that is running the hypervisor console.  This is often overlooked.
  • Application Patching:  Like the operating system patching, purchased off the shelf software also needs to be kept up to date with patches.  Applications like Apache, Adobe, MySQL, push patches out regularly.  Microsoft applications use Windows Update for your convenience.
Corrective
  • Back-ups - At a minimum, on a daily basis you need to back up your critical systems, applications, and data.  Back-ups, if electronic (i.e. not to tape, DVD or some other physical media), should be stored on a separate server / storage device that is on a separate network segment (walled off from your production network by a switch or router and a firewall).  This will, at a minimum, ensure you can restore a 1-day-old backup of your production environment should Ransomware get past the anti-virus and your network security controls.
Keep in mind, the above is not a cafeteria plan.  You need to be doing all of the above processes for this to be an effective defense.

FYI - Earlier this week, a hospital in Indiana had to pay $55,000 in Bitcoin to a hacker due to Ransomware.
http://www.zdnet.com/article/us-hospital-pays-55000-to-ransomware-operators/


Be Secure!



Friday, January 12, 2018

Vishing, It's not Just for Kids Anymore.

When I was a kid, it was common practice to phone scam your grumpy neighbors.  Calling and asking, "Is your refrigerator running?", getting the response "Uh, yes it is.", and then saying "Then you better go catch it!" was something that gave us hours of childish joy at the expense of our severely annoyed neighbors.

I had thought those days were behind me, but I guess not.  So in addition to phishing, another attack vector that scam artists and hackers are starting to employ with greater frequency is Vishing or Voice Phishing.

The common approach is that they get a list of names and phone numbers and will call folks and pose as their electric utility, their cell phone provider, or the water company.  They will be calling because they either didn't get your last payment and now have to shut off your service, or have some other urgent matter to speak with you about.   I have also seen where this is automated using a phone dialer and a recorded message instructing you to call another phone number immediately to resolve the issue.  They will then try to get you to provide them with your personal information in order to "verify" who they are speaking with.  They will structure the call in a way so they get your information in pieces so it doesn't raise any suspicions.  They may try to get your banking or credit card information in order to "pay your overdue balance".  Remember, if one of your service providers is calling you, they should already have your information as they are calling your phone number of record.

Red Flags to look for:

  1. Your utility companies will give you multiple late notices and you will need to be 2+ months late on paying your bill before they shut off your service.
  2. If you get one of these calls and are not sure if it is a scam, hang up and call the phone number on your last bill.  This way you will know if it's legit.


Another popular vishing scheme is to call posing as the IRS.  This scam has been targeting businesses and individuals alike.  The "agent" will claim that you have an outstanding tax debt and it has to be paid immediately or you will be taken to court, lose your house, business, car, and bank account.  As with "turning your service off" above, this scam preys upon most people's fear, and who isn't fearful of getting into trouble with the IRS?  In some cases the scam is more about getting your social security number and date of birth rather than payment.  Either way, don't give any information over the phone.

Red Flags to look for:

  1. The IRS will never call or e-mail you about a tax debt, they will send you notice via certified mail.
  2. The IRS will never ask you to pay your tax debt using Western Union, Money Gram, or by getting a prepaid debit card at your corner drug store.

While the above two schemes have been known to target both individuals and businesses, the last one I'll be discussing is just focused on individuals.

In this scenario, the caller will tell you they are calling from the local courthouse, and you had been sent a notice for jury duty months ago, but you did not show up to court today, so you are now in contempt.  If you want to get out of going to jail, you need to immediately send money to pay the fine using Western Union (or one of their competitors).  Again the fear factor is used to create panic and a sense of urgency.

So the lesson here is you need to authenticate the person on the other end of the phone.  When in doubt, hang up and call back using a phone number you know is legitimate.

If only my grumpy old neighbor could see me now.

Be Secure!



Wednesday, January 3, 2018

How long it takes a Hacker to notice your website?

Like most small business owners, I did all of the SEO things one does when they have a new business website up and want to get noticed by search engines and clients.  I set up my descriptions and keywords, signed up for Google My Business, and created a profile on Manta.  With my website up for only 1 day, per Google Analytics I got my first visitor.  Can you guess from where?  You guessed it, Russia.  Not really part of my geographic profile, but what the heck, a website visitor is a website visitor.  The individual had spent about a minute on each of my pages.  That's great, I'm getting noticed the first day my website is up.

And then on day 2, it happened.  I had an e-mail in my Spam folder.  I looked at the subject line, and sure enough, it was a phishing e-mail.  The e-mail was in the name of an individual and the subject line read “Your Monthly Statement document is ready for review”   Keep in mind, my website had been up for only 2 days.  My website and the listing websites were the only places my newly created company e-mail was posted.  And when I hovered my cursor above the displayed e-mail address, yes you guessed it, it had a .ru domain. 
A week later I got my first spear phishing attempt.  This e-mail was also displaying the name of an individual and the subject line read; “Please DocuSign: Order Form for tjmprofessional.com” and the body stated; “ accounting@tjmprofessional.com has sent you a document to review and sign. “.  Ironically, I don’t have a separate generic e-mail address called “accounting”.  But to give credit to the hacker, it did look more enticing and believable.  And yes, again the e-mail had a Russian domain.

So if you are wondering whether your 6-month-old startup or your 50-year-old family business is at risk for a cyber attack, the answer is most definitely "Yes!".  My business was found, researched, and attacked within 2 days of its online existence.

Now if only my clients could develop these hacker skills and find my website as easily.  Who would need to pay for Google AdWords?


Tuesday, December 26, 2017

Something smells Phishy

My alternative title for this post was " The IRS, a Nigerian Prince, and your CEO walk into a bar."

As you may have guessed, my last blog post of 2017 is about phishing.  We have all received these e-mails.  They are usually written in either poor English or proper (UK) English, have typos, and describe a generic situation so the same e-mail can be sent to thousands of targets.  In most cases, the average person can spot them pretty quickly and doesn't fall for them.  Although, you have to imagine that a certain percentage of folks must fall victim to them, or else the criminals would stop using this tactic.  Over the last few years, as more people have become aware of these scams and as their success rate has declined, the cyber criminals have begun to do their homework.  They are now having Americans write the e-mails to get around the language barrier (George Bernard Shaw would be proud), and more and more have changed their approach to spear phishing combined with Business Email Compromise, or BEC for short.

Spear phishing, or targeted phishing, is where the criminals attempt to learn as much as possible about you online in order to gain your confidence.  While this is used against individuals, it is more commonly used against businesses, schools, churches, and other not for profits.  The reasons are many.  First off, businesses and not for profit organizations have more money than the average individual, so it is more profitable to target an organization.  Secondly, businesses and not for profits tend to be very verbose online about their organization, events, officers, employees, board members, what software they use, etc., so the attackers can quickly accumulate a lot of intelligence on their target with a few Google, LinkedIn, and Facebook searches.  Thirdly, let’s face it, human nature is that we all want to be seen at work as cooperative and helpful to our executives.  This plays into the social engineering aspect of phishing.  An additional factor is that very few small to medium sized organizations provide their employees with security awareness training, mock phishing exercises, or have procedures in place to counter phishing attempts.  Given these reasons, small businesses and not for profits are becoming the target of choice by cyber criminals.

So how has this occurred historically?  Below is an actual scenario that I observed (the names have been changed for privacy purposes):

The CEO and his/her spouse go to Europe for a 2-week vacation.  While there, the CEO checks in on Facebook at various tourist attractions, and posts photos every night of the places they visited that day.  Meanwhile, early in the month the company issued a press release about a new location where they will be breaking ground in the coming month to expand their customer footprint.  Details include the name of the general contractor, and specifics about the square footage of the office space and the amount the company is investing in the building.  And the final piece of the puzzle: Mary the controller is very descriptive of her cash management duties for the company on her public LinkedIn profile.

The attacker spoofs the CEO's e-mail (this is where BEC plays its part), and sends Mary an e-mail stating:

========================================================================

Subject: Need to Wire Construction Deposit ASAP!

Hi Mary,
I need you to do me a favor while I’m on vacation.  I just got a call from <name of general contractor firm>, they need us to wire a deposit to XYZ Co. so they can order the HVAC equipment now to ensure there will be no delays in the construction of our new Pine St. office.  Please wire $50,000 to ABC Bank, <routing number>, and <account #> for the benefit of XYZ Co.  Please send ASAP!

Thanks,
CEO 

PS:  We are having a great time in Paris.
========================================================================

So do you want Vegas odds on whether or not Mary quickly wires the money without calling the CEO to verify the transaction?

Every day, small businesses and not for profits are being spear phished in a manner similar to the above scenario.  And every day, a number of these organizations are robbed of millions of dollars.
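Most of the tells called out across these posts (the displayed name not matching the real address, a sender domain that only looks like yours, a Reply-To that quietly moves the conversation elsewhere, a message claiming your own domain that your mail gateway's SPF/DKIM/DMARC checks rejected, and the urgent wire-transfer language in the e-mail above) can be checked by a mail filter before Mary ever sees the message.  The script below is an added example and not part of this post or any product it mentions; it uses only Python's standard `email` module.  The company domain, the executive directory, the keyword list and the three sample messages are constructed, and the decision to hold a message for a phone call after two flags is an assumption.

```python
"""Phishing / BEC triage of an inbound e-mail (added example; not a tool from this post)."""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                       # assumption: your own mail domain
KNOWN_SENDERS = {"pat jones": "ceo@example.com"}     # assumption: directory of executives
URGENT_WORDS = re.compile(r"\b(wire|asap|immediately|urgent|deposit|gift card)\b", re.I)
HOLD_THRESHOLD = 2                                   # assumption: flags needed to hold for callback

# Constructed sample 1: lookalike domain plus Reply-To redirection, modelled on the scenario above.
BEC_SAMPLE = """\
From: "Pat Jones" <ceo@examp1e.com>
Reply-To: pat.jones.ceo@mail-example.net
To: mary@example.com
Subject: Need to Wire Construction Deposit ASAP!
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com

Hi Mary,
I need you to do me a favor while I'm on vacation.  Please wire $50,000 to ABC Bank
for the benefit of XYZ Co. so the HVAC deposit goes out today.  Please send ASAP!
"""

# Constructed sample 2: exact spoof of our own domain that failed gateway authentication.
SPOOF_SAMPLE = """\
From: "Pat Jones" <ceo@example.com>
To: mary@example.com
Subject: Urgent: please wire the deposit today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail

Mary, the contractor needs the deposit before noon.
"""

# Constructed sample 3: an ordinary internal message.
OK_SAMPLE = """\
From: "Alice Smith" <alice@example.com>
To: mary@example.com
Subject: Lunch on Thursday?
Authentication-Results: mx.example.com; spf=pass dkim=pass dmarc=pass

Want to grab lunch Thursday at noon?
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw):
    """Return the sender, the list of red flags found, and whether to hold the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []

    # 1. Display name belongs to someone we know, but the address does not match.
    known = KNOWN_SENDERS.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        flags.append(f"display name '{name}' belongs to {known}, not {addr}")

    # 2. Sender domain is within two edits of ours but is not ours.
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        flags.append(f"sender domain {domain} is a lookalike of {COMPANY_DOMAIN}")

    # 3. Reply-To sends the conversation to a different domain than the From address.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        flags.append(f"Reply-To {reply} redirects replies away from {addr}")

    # 4. Claims our own domain, but the gateway's SPF/DKIM/DMARC check failed.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == COMPANY_DOMAIN and re.search(r"\b(spf|dkim|dmarc)=fail", auth):
        flags.append("claims our domain but gateway authentication failed")

    # 5. Urgent payment language in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    hits = sorted({w.lower() for w in URGENT_WORDS.findall(text)})
    if len(hits) >= 2:
        flags.append("urgent payment language: " + ", ".join(hits))

    return {"from": addr, "flags": flags, "hold_for_callback": len(flags) >= HOLD_THRESHOLD}


if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("SPOOF", SPOOF_SAMPLE), ("OK", OK_SAMPLE)):
        result = triage(sample)
        print(f"{label}: hold={result['hold_for_callback']}")
        for flag in result["flags"]:
            print("  -", flag)
```

The authentication check only works if your mail gateway actually stamps an `Authentication-Results` header and you publish SPF and DMARC records for your domain; without those, an exact spoof of the CEO's address produces no technical signal at all, which is why the procedural control (a phone call to a number you already know before any unusual wire goes out) is still the one that saves the money.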

Do you think your organization could fall for this? 
Are your employees trained in how to spot these? 
Do you have procedures in place to verify any unusual banking transactions?

This is why security awareness training needs to be a key part of your overall information security program.  A cyber criminal can steal thousands, possibly millions, or get your customer and employee data without ever having to crack a password, infect your systems with a virus, or bypass your firewalls.  They can get your own employees to send them money or data using low-tech methods that, I regret to say, have been very effective during 2017.

Be Secure in the new Year!