Over the weekend, 23 towns in Texas were hit by a coordinated ransomware attack, and only a couple of months ago, Baltimore and a North Carolina city fell victim to ransomware known as "RobbinHood". Oftentimes the only way to unlock encrypted data is to pay the criminal who encrypted it significant sums of money ($2.5 M is being requested in the Texas case, and the Baltimore attack could cost more than $18 M - a combination of lost or delayed revenue and direct costs to restore systems). To pull this off, the perpetrators had to deploy code into each of these networks, gain the right level of access and go undetected until they were ready to strike. Cyberattacks such as this are becoming more common and sophisticated, leading to bigger paydays for the hackers and complete disruption for those that are impacted. Unfortunately, like all crime, there is no 100% foolproof solution that can prevent it, but there are things that we can do to keep our data safe and to limit the damage when an incident occurs. This blog will explore 3 of the most common ways crime rings can gain access to corporate networks and what measures can be taken to reduce risk.
How does it happen?
Sometimes it is a crime of chance and other times the attacks are more targeted. Either way, the enterprise has to try to stay ahead of criminals who spend far more time thinking about your security weaknesses than the average end-user does. Below are some of the ways malicious code makes it into the enterprise:
1. Infected sites and graphics
Humans navigating websites, clicking on emails or in some cases providing sensitive information remain a top risk for any organization. All of the security in the world can be undone if someone innocently lets malware in by clicking on links.
- Infected sites – Certain websites can host pictures and code that bypass basic browser security and download malware to the desktop without the user’s knowledge. This is much less likely on commonly accessed sites because they have a vested interest in keeping their readers safe. However, it is still possible, so the risk needs to be managed at all times. Virus scanners are useful in preventing or detecting this code.
- Pictures in email – Have you ever wondered why many email programs block images? It is because there have been multiple instances where attackers were able to exploit security flaws in image handling by causing buffer overruns and then deploying a payload onto the machine. This is why pictures should only be downloaded from sources that the user trusts.
2. Social engineering
Social engineering is when the perpetrator interacts with a user in a way that causes them to willingly give up sensitive information (e.g. user IDs and passwords). The perpetrator can then use that information to gain further access, deploy code or commit a fraudulent transaction. Emails are a common tactic and can take many forms:
- Impersonating a coworker – These can be randomly sent out or target specific organizations or people. A common approach is for the perpetrator to send an email to an employee while pretending to be someone more senior in the company. This is not hard to execute because the perpetrator only needs to guess the email naming convention and the hierarchy using publicly available information from the company website or LinkedIn. If the user begins to unknowingly interact with the perpetrator, they can give away sensitive information, which exposes them and the organization to an attack. Other forms of this include “A document for your review” or “Please give me your personal cell so I can have you work on something urgent”.
- “Official” emails from well-recognized service providers – An official-looking email that says “Microsoft needs to verify your username and password. Please click on the link…” is a fairly common approach that sometimes makes it past the junk or filtering rules. If the user types in their actual credentials, then they have just opened a door for the criminal to begin their work. Other forms of this include “Your bank needs to verify your information”.
- Forwarding rules – Forwarding rules can be added to an email account which will then forward emails to other accounts. These rules can go undetected and give criminals access to all of the target’s email traffic. A criminal can then insert themselves into a conversation by responding as a “spoofed” counterparty. “Please find our updated banking information” can allow a criminal to get the unsuspecting target to redirect funds to the destination of their choice. No code has to be deployed to execute this scheme, but the criminal would need access to the user’s email, either using the user’s credentials or as an admin of the domain.
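The forwarding-rule scheme above leaves a durable artifact in the mailbox: the rule itself. The script below is an added example (not code from the original post or from Veritas Total Solutions) showing how an administrator can sweep exported inbox rules for ones that silently copy mail outside the organization. It assumes the rules were already exported from the mail system (for instance with the Exchange Online cmdlet Get-InboxRule) into dicts whose keys mirror that cmdlet's property names; INTERNAL_DOMAINS and every rule in SAMPLE_RULES are constructed for the example.

```python
"""Audit exported inbox rules for silent external forwarding.

Added example; not code from the original post or from Veritas Total
Solutions. Assumes rules were exported (e.g. via Get-InboxRule) into
dicts keyed by that cmdlet's property names. All sample data is constructed.
"""
from email.utils import parseaddr

# Domains owned by the organisation; anything else counts as external (assumed).
INTERNAL_DOMAINS = {"example.com"}

# Rule properties that send a copy of the message to another mailbox.
FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def recipient_domain(recipient: str) -> str:
    """Return the lower-cased domain of 'Name <user@domain>' or 'user@domain'."""
    _, addr = parseaddr(recipient)
    return addr.rpartition("@")[2].lower()


def audit_inbox_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, rule name, reason) for every enabled rule that forwards externally."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # a disabled rule cannot leak mail right now
        external = []
        for action in FORWARD_ACTIONS:
            for rcpt in rule.get(action) or []:
                dom = recipient_domain(rcpt)
                if dom and dom not in internal_domains:
                    external.append(f"{action}={rcpt}")
        if not external:
            continue
        reason = "forwards to external recipient(s): " + ", ".join(external)
        # Deleting the original after forwarding hides the traffic from the mailbox owner.
        if rule.get("DeleteMessage"):
            reason += "; also deletes the original"
        findings.append((rule["MailboxOwnerId"], rule["Name"], reason))
    return findings


# Constructed sample: five rules on one mailbox, two of which should be flagged.
SAMPLE_RULES = [
    {"MailboxOwnerId": "alice@example.com", "Name": "Newsletters",
     "Enabled": True, "MoveToFolder": "Newsletters"},
    {"MailboxOwnerId": "alice@example.com", "Name": "Copy to assistant",
     "Enabled": True, "ForwardTo": ["Bob <bob@example.com>"]},
    {"MailboxOwnerId": "alice@example.com", "Name": ".",
     "Enabled": True, "ForwardTo": ["Mallory <drop@evil-mail.example>"],
     "DeleteMessage": True},
    {"MailboxOwnerId": "alice@example.com", "Name": "Old redirect",
     "Enabled": False, "RedirectTo": ["old@evil-mail.example"]},
    {"MailboxOwnerId": "alice@example.com", "Name": "Invoices",
     "Enabled": True, "ForwardAsAttachmentTo": ["finance@partner-bank.example"]},
]

if __name__ == "__main__":
    for mailbox, name, reason in audit_inbox_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule {name!r} {reason}")
```

Two details matter in practice: a rule named with a single character (here ".") is a common way to keep it inconspicuous in the mail client, and a rule that both forwards and deletes is the one to treat as highest priority, because the owner never sees the messages the criminal is reading.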
3. Exploiting vulnerabilities in enterprise architecture
While users are a common entry point for criminals, enterprise architecture can also be exploited by taking advantage of various hardware components or software vulnerabilities.
- Out-of-date devices – Networked Multi-Function Devices (MFDs) such as printers and scanners, and unprotected Wi-Fi access points, can be hacked to gain access to the network. Wireless printers and IoT devices create vulnerabilities that need to be managed.
- Poorly architected software – Systems with access points that are not secure. Recently Zoom released a client for macOS that deployed an unprotected web server that could be used to gain privileged access to the user’s machine (when used in a way not originally intended by Zoom). Corporate Wi-Fi networks that are not bifurcated for guests and employees could be used by a guest to get access to internal systems.
- Infected device accessing the network – We use our laptops in our homes, hotels, coffee shops, airplanes and other public places. Even if the enterprise is vigilant, a user could bring an infected laptop onto the network and create a vulnerability. Virus scanners and other software are good at catching common threats, but they are not perfect.
- Overshared passwords, simple passwords or no passwords at all – People tend to write down passwords or store them in a file. Each program may require a unique password, and the burden of too many passwords causes people to adopt a common one. The admin password must be a closely guarded secret.
Be aware that criminal organizations share/sell email lists, user ids, passwords, data extracted from corporate networks and other information gleaned about corporate network entry points on the black market.
Things that can be done to keep data safe
As said above, there are no foolproof tactics against criminals; however, there are some techniques that can greatly reduce and manage the risk. We have organized the tactics into Good, Better and Best, with the complexity to implement increasing along the way.
Good
Many of these tactics fall into the category of “don’t leave your valuables in plain sight and lock your doors”. They can deter criminals who are looking for easy targets and are simple enough for any individual to perform. Some of these tactics include:
- Encourage vigilance – Training and information sharing about newly known defects and ways to keep data safe. Employees should be reminded to be on the watch for suspicious activity and have some type of direction for when they encounter it.
- Install malware scanners, virus scanners and firewalls on all company machines – While it may not be perfect, it sure beats no protection at all.
- Limit access rights at all times for all users – Create a separate local-admin account, distinct from the primary user account, on company machines. The user can still install needed programs by deliberately elevating, while malware running as the everyday user cannot run as admin and install something silently.
- Take regular updates and patch as early and often as possible – Although very necessary, all new patches need to be tested in non-production environments. Otherwise, an update can create unintended side effects by breaking something that is working in the network.
Better (in addition to Good)
Many of these tactics take prevention to the next level but may require a dedicated IT professional to perform scheduled maintenance. Some of these tactics include:
- Have the cybersecurity team plugged into cybersecurity news sites – Professionals can learn what is happening in the cyberworld and apply those learnings to the enterprise. Proactive communication of risks and nefarious tactics is a great defense.
- Update firmware regularly – Devices attached to the network should have their firmware updated on a regular schedule.
- Actively monitor network communications – Harden the network and assign personnel responsible for keeping an eye on suspicious activity.
- Enforce multi-factor authentication – Force application log-in through multiple authentication paths that require a second device to perform any action.
- Encourage single sign-on – Where single sign-on is not supported, users can manage passwords using tools like a password keeper.
- Periodically update threat lists from known good sources – You can then block any activity identified as a threat source.
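A threat list is only useful once it is actually matched against traffic. The script below is an added example (not code from the original post or from Veritas Total Solutions) of the matching step behind "block any activity identified as a threat source": it parses a plain-text feed of IP addresses, CIDR ranges and domains, then scans proxy log lines for connections to any of them. The same check, run continuously instead of on a schedule, is what the "Live update threat lists" item in the Best list describes. The feed text, the log format and every address below are constructed; a real deployment would load the feed from a trusted source and parse the organization's own proxy or firewall log format.

```python
"""Match proxy log lines against an IP/CIDR/domain threat list.

Added example; not code from the original post or from Veritas Total
Solutions. The feed, the log format and all addresses are constructed.
"""
import ipaddress
import re

# Constructed feed: one IP, CIDR or domain per line; '#' starts a comment.
THREAT_FEED = """
# scanning range seen in recent campaigns (constructed)
203.0.113.0/24
198.51.100.23      # credential-harvesting host (constructed)
evil-mail.example  # phishing sender domain (constructed)
"""

# Constructed proxy log lines: timestamp, source, destination IP, requested host.
PROXY_LOG = [
    "2019-08-19T10:00:01Z src=10.0.0.5 dst=203.0.113.7 host=cdn.example.net",
    "2019-08-19T10:00:02Z src=10.0.0.5 dst=192.0.2.10 host=intranet.example.com",
    "2019-08-19T10:00:03Z src=10.0.0.9 dst=192.0.2.44 host=login.evil-mail.example",
    "2019-08-19T10:00:04Z src=10.0.0.9 dst=198.51.100.23 host=-",
    "this line is not in the expected format",
    "2019-08-19T10:00:05Z src=10.0.0.7 dst=192.0.2.44 host=notevil-mail.example",
]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+)")


def load_threat_list(text):
    """Parse the feed into (list of ip_network, set of domains)."""
    networks, domains = [], set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            domains.add(entry.lower().rstrip("."))  # not an address: treat as a domain
    return networks, domains


def ip_listed(addr, networks):
    """True if addr falls inside any listed network; non-addresses never match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def domain_listed(host, domains):
    """True if host or any parent domain is listed (label-based, so 'notevil-mail.example' is not a match)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def scan_log(lines, networks, domains):
    """Return (line number, reason) for each log line that reached a listed source."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.search(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these separately
        if ip_listed(match["dst"], networks):
            hits.append((number, f"destination {match['dst']} is on the threat list"))
        elif domain_listed(match["host"], domains):
            hits.append((number, f"host {match['host']} is on the threat list"))
    return hits


def scan_sample():
    """Run the constructed feed against the constructed log."""
    networks, domains = load_threat_list(THREAT_FEED)
    return scan_log(PROXY_LOG, networks, domains)


if __name__ == "__main__":
    for number, reason in scan_sample():
        print(f"line {number}: {reason}")
```

The domain match is done label by label rather than by substring so that a lookalike such as "notevil-mail.example" is not blocked by accident, while any subdomain of a listed domain still is; the CIDR handling lets one feed entry cover a whole range without listing every address.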
Best (in addition to Better)
Many of these tactics are typical of a robust enterprise security architecture. An enterprise IT team may consist of multiple people with deep expertise. If terms such as SIEM and SOAPA are completely foreign, then it is time to engage a consulting firm for education and to develop a plan. More dedicated resources also means the ability to monitor and react in real time. That's something individuals and a lot of smaller organizations don't always have the luxury to do. Some of the tactics at an enterprise level include:
- Require multi-factor authentication – At the enterprise level, this is not considered optional.
- System-managed password keeper with computer-generated passwords – Simple password keepers allow for human-generated passwords, but it’s good practice to use computer-generated passwords at large enterprise levels, in addition to requiring single sign-on and secondary passwords.
- Forcibly limit what sites people can access through the network – A network administrator will need to identify and limit sites that can pose a threat.
- Create a limited-visibility architecture that is a trustless (zero-trust) network – This limits the damage when cybercriminals gain access to a small footprint (e.g. a single local laptop).
- Live monitor “new” or unexpected activities – React immediately to suspicious activity.
- Live update threat lists from known good sources – You can immediately block any activity identified as a threat source.
- Actively test security defenses – The security team routinely performs penetration testing of the environment.
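Both the Better list ("Enforce multi-factor authentication") and the Best list ("Require multi-factor authentication") call for a second factor tied to a second device. The block below is an added example (not code from the original post or from Veritas Total Solutions) of the arithmetic behind the most common app-generated second factor, the time-based one-time password of RFC 6238, including the server-side check that tolerates small clock drift and refuses a code that has already been accepted. The shared secret is the RFC 6238 test-vector secret, used here only so the output can be checked against the RFC's published values; in a real enrollment each user gets a randomly generated secret stored on the second device.

```python
"""Time-based one-time password (RFC 6238) generation and verification.

Added example; not code from the original post or from Veritas Total
Solutions. The secret is the RFC 6238 test vector, not a real credential.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret for the SHA-1 variant (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP over the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, used_counters: set,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check of a submitted code.

    Accepts the current step or `window` steps either side (clock drift),
    compares in constant time, and refuses a counter that was already accepted
    so an intercepted code cannot be replayed inside its validity window.
    `used_counters` is the caller's per-user store of accepted counters.
    """
    if len(code) != digits or not code.isdigit():
        return False
    current = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            if counter in used_counters:
                return False  # replay of an already-used code
            used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    print("current code for the test secret:", totp(RFC_TEST_SECRET, time.time()))
```

The point to take from the verification routine is that MFA is more than "the code matches": without the replay check, a code captured by a phishing page stays valid for up to 90 seconds under the default window, which is exactly the interval a real-time proxy between the victim and the login page needs.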
Staying ahead of cybercriminals requires a combination of education, good design and proactive steps from the enterprise. This is a reality of a more digital world and just like all risks to a business, it needs to be managed on a regular basis.
At Veritas Total Solutions, we help educate clients and design architectures to help prevent cybersecurity attacks. We offer a range of technology solutions across the business spectrum. If you are interested in learning more about our specific capabilities, contact us or subscribe to our blog to stay connected.