0

What Equifax did wrong

Much has been written about Equifax’s poor response to their data breach. But how did they get breached in the first place, and what would have limited the damage?

On the 6th of March 2017 Apache announced a bug in Struts, which is software used in web servers. The following day, a proof of concept was publicly released to the Internet showing how the bug could be used. Three days later (the 10th) Equifax was hacked via the Struts bug. The hackers then install code on a number of servers which they can use to transfer data out of the company.

A patch for the bug had been issued within days of its discovery. Equifax patch their vulnerable servers on the 30th of June (including the ones that had been compromised) but do not notice anything wrong.

On the 29th of July Equifax discover they have been hacked and on the 30th of July they boot the hackers out of their servers. They don’t disclose the breach until the 7th of September, with senior executives selling large quantities of shares in the intervening period (something the SEC is investigating). When they do disclose the breach, they bungle the communication and try to get affected customers to sign away their rights to sue.

But back to the time of the hack. I’m sure that if you are responsible for IT infrastructure you will know how difficult it can be to patch servers. And four days is not a lot of time to do so. What else would have helped prevent the hack, or limited the damage?

  • Security Information and Event Management (SIEM) – these types of logging and alerting solutions look for suspicious events in log files and raise alerts to the IT team that a server may have been compromised
  • File Integrity Monitoring – often integrated with SIEM solutions, this would have raised an alert if a critical system or web configuration file had been changed
  • Network monitoring – the hackers moved a large amount of data from Equifax systems to the Internet. This would have shown up, either in the firewall logs or in the server logs, if it had been monitored and if an alert had been raised
  • Asset management – some of the information the hackers took came from legacy databases that had not been decommissioned. These should have been identified and removed as part of a regular review
  • Access restrictions – the compromised web servers were sitting in a DMZ. Good access restrictions.may have reduced the ability of the hackers to  use compromised web servers to take information from internal databases
  • Honeytokens – these can be made to look like files or be implanted in databases. When a hacker opens the file or queries the database, an alert is sent to the IT team

If your organisation has data that it needs to protect, we would suggest that you start by understanding your assets (where they are, how they can be accessed) and your risks (how valuable are they to others, what would be the impact if they were stolen). With this understanding, you can use a framework such as the CIS Controls to ensure that you are putting the right measures in place and that any investment you make, whether in time or money, is creating the most reduction in risk.

0

NotPetya – what to do

To call NotPetya ransomware is a bit of a misnomer. It is malware dressed up to look like ransomware. The aim does not seem to be monetary (as the payment methods were so poorly implemented and have now been blocked), but instead it has been designed to cause widespread disruption and destruction. It first hit machines in Ukraine via a compromised update for an accounting package, and spread from there.

It looks for a certain file before launching (to see if the machine has already been infected) which means that a vaccine can be created to guard against it (click the link for details). You may also want to get your IT team / partner to block the execution of perfc.dat, perfc.dll and psexec.exe (which the virus uses to jump from machine to machine within a network).

The usual advice still applies – make sure that Windows machines (servers and workstations) have the latest patches (especially MS17-10 which was released in March), make sure your firewalls are correctly configured (including personal firewalls on laptops) and make sure you have backups of servers and critical workstations.

This virus showed a major jump forward in sophistication. Not only did it use NSA exploits (as did WannaCry) but it also incorporated password stealing functionality  (Mimikatz) usually employed by hackers who are after corporate information. This  enabled it to use those passwords to infect patched machines as long as they were on the same network.

Organisations are going to have to invest more time in ensuring that their IT systems are secure, including strengthening the security of accounts, workstations and servers.

This isn’t the only NSA exploit that was stolen, and the inclusion of more sophisticated hacking tools in the virus shows an escalation in the methods that virus writers are employing.  Patching helps, but it’s not the complete answer.

0

Avoiding data breach mistakes

Many data breaches are inadvertent, caused by staff emailing a document to the wrong person. This can lead to embarrassing phone calls, and in the worst cases reputational damage and loss of revenue.

Clearly naming documents helps to prevent this. If a document contains confidential or personal information, its name should show that  – either by including the client name (so it isn’t sent to the wrong client) or the words confidential, internal or private. This provides a visual clue to the person sending the email before they click Send.

Anyone who has tried to recall a message using Outlook will know that it does not work, and can often highlight your mistake to the recipient, ensuring that they will open  the attachment. For increased security, and the possibility of stopping the document being read by the recipient and sent to others, a file sharing service should be used. This allows you to send a link to the document, rather than an attachment. If you realise you have made a mistake, you can stop the link from working, and prevent access to the document.

There are a number of file sharing services which store your files in New Zealand or overseas. If you are using a document management system, it may offer a file sharing module. There are a few important things to consider before choosing a file sharing service, including the security of the service itself. Please get in touch if you’d like some assistance in this area.

 

0

A pragmatic approach to cyber security

Most businesses will have heard about cyber security attacks, or may have experienced attacks themselves. They may also be aware of new attacks that are taregting their industry. But the issues for many businesses is knowing what action to take to reduce their risk of attack. There are numerous standards including NIST and ISO27001, but they take time to understand and implement, do not easily translate into actions that businesses can take, and can be too unwieldy for smaller businesses.

We like to take a more pragmatic approach to reducing cyber security risks for clients, by using the Critical Security Controls from the Centre for Internet Security (CIS Controls). These are a concise, prioritised set of recommendations that are based on combating real attacks that have hit businesses. There are twenty controls, each of which contain a number of recommendations. Implementing the controls significantly reduces the risk of a cyber attack.

The first five controls can be summarised as follows:

  1. Inventory authorised and unauthorised devices. Make sure you know the servers, PCs, mobiles, switches, routers etc. that are part of your system. This includes virtual servers in public/private clouds. Understanding that devices are present will enable you to pick up unauthorised devices, and old devices that have been forgotten and are now unpatched and insecure.
  2. Inventory authorised and unauthorised software. Make sure you know the software that should be running on your servers, PCs etc. This also includes authorised and unauthorised SaaS applications. Understanding the software that should be running will enable you to implement application whitelisting, which will significantly reduce the risk of malware (including ransomware) being able to run on your system.
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers. This includes ensuring that there is a standard and secure way of implementing servers and workstations, that administration of servers and devices are secured, that laptops and mobiles are encrypted, and that Group Policy is consistently applying secure settings on servers and workstations. Failing to do this can lead to workstations installed without anti-virus and servers that allow unlimited login attempts by criminals.
  4. Continuous Vulnerability Assessment and Remediation. This includes making sure that all servers, workstations, databases, applications and websites are patched on a regular basis (using automation if possible) and implementing regular vulnerability scans. Unpatched systems are the cause of over 40% of successful cyber attacks.
  5. Controlled Use of Administrative Privileges. This includes changing default passwords on devices such as firewalls and routers, ensuring that administrative permissions are limited to only those people who need them, that two factor authentication is used for adminstrator logons, and that failed login attempts and the creation of new administrators are investigated. Many broadband routers are installed with the default password unchanged. These can easily be discovered  and compromised using IoT search engines such as Shodan. A compromised router can redirect you to fake websites which steal credentials.

Whilst the first five controls are regarded as essential (and mirror the Strategies to Mitigate Cyber Security Incidents developed by the Australian Signals Directorate) we look at all twenty controls when performing an independent security review for a client. We consider the business assets (information, databases, processes) and likely ways that they would be attacked (ransomware, fraud).  Our clients get a clear idea of their areas of risk, and prioritised recommendations on measures they can take that will have the greatest impact in reducing those risks.

Lessons from the iPhone hack

In August 2016 a serious vulnerability was discovered for the iPhone. A patch was released, and you should install it today by going to Settings, General, Software Update. If your version is 9.3.5 or later you have the patch.

The hack (named Trident) that targeted the vulnerability does not appear to be widely used. It was part of a targeted attack against a human rights activist and was designed to load government level espionage software (named Pegasus) that would have tracked the user’s location, given access to the camera and microphone, and allowed the copying of emails, text messages, contacts and other information.

Whilst this is thought to be a state-sanctioned attack (the UAE is suspected), it has raised concerns that iOS, which was thought to be very secure, is vulnerable.These concerns need to be tempered as:

  • The hack and the malware it was designed to load are very expensive to purchase (possibly a million USD or more) – the average cybercriminal is not going to spend that amount in order to grab information that might lead to a payoff when there are cheaper methods available
  • The vulnerability was patched very quickly – Apple was alerted on the 15th of August, and a patch was released 11 days later on the 26th

Aside from installing the patch, there are a few other things you can do to protect yourself whilst using your iPhone and iPad:

  • Don’t click on links in unsolicited emails or text messages – if you are unsure just delete them
  • Be careful about the websites you browse to. If the web address looks suspicious, it probably is

These good habits should also be applied to the emails your receive and websites you browse to from your computer.

In addition, you should:

  • Set a pin code – it is this that encrypts the contents of your iPhone/iPad
  • Use two-factor authentication – this notifies you when a change has been requested to your Apple account and asks you to confirm it. If you are running iOS 9 you can find this under Settings > iCloud > tap your Apple ID, Tap Password & Security, Tap Turn on Two-Factor Authentication. For earlier versions, it’s called two-step verification, and you’ll need to go to your Apple ID account page (https://appleid.apple.com ) to turn it on

If you have colleagues or family with Android phones they need to make sure that they have antivirus loaded, and have updated their phones to the latest patch. Because of the lower level of security around Android apps (17% of them are malware), many Android phones have been hacked. This enables criminals to obtain copies of emails, text messages and other information.

In regard to anti-virus for iOS, it really depends on how cautious you want to be. There are anti-virus products available, but the locked-down nature of iOS means that they can’t really do much scanning . However, the ones that include a check for malicious websites are worth considering, especially if you are in a corporate environment that requires a high level of security.

If you’d like to learn more about how to secure your firm against cybercriminals, using both technology and training, then please get in touch.

And if you’re interested in the details of the attack against Ahmed Mansoor then Citizen Labs, who discovered the vulnerability, has full details at this link https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

 

How to really protect against ransomware

At the National Security conference hosted by Massey University, Chris Finlayson warned that cyber attacks were a growing, and very real threat, to governments, companies and individuals.

“Because physical borders are one thing but cyber borders are another, and these sorts of things are happening on a regular basis. We’re all told as private citizens, cover your number when you go to the ATM and things like that.”

“But these sorts of things are becoming more common and the effect on a New Zealand company of a cyber intrusion and what one gets these days – cyber ransoming – is actually a very serious matter.”

Professor Greg Barton, a leading Australian expert on terrorism and countering violent extremism, raised the potential for terrorist groups such as Isis to use cyber attacks to further their aims by causing destruction and gaining finance via ransomware and other types of attacks.

This is an interesting twist on what up to now appears to have been a purely commercial venture by cybercriminals. Whether a terrorist group would encrypt files and not ask for a ransom (to cause destruction) or ask for a ransom (to gain funds) the solution would be the same – clean out the infection and restore from a recent backup.

Whilst ransomware attacks are not new, this is a timely reminder for organisations to make sure they have protection in place.

There are a number of steps that should be taken:

  1. Educate your staff to be aware of cybersecurity risks, and how to spot phishing emails that may download ransomware
  2. Test their awareness by running an exercise to see if they will click on phishing emails (using safe examples)
  3. Ensure you have email filtering in place that blocks common types of attacks
  4. Configure your PCs and Remote Desktop/Citrix servers to only run authorised programs
  5. Upgrade from anti-virus on your PCs and Remote Desktop/Citrix servers to intrusion detection and prevention software. This moves beyond looking for known viruses and will look for suspicious behaviour (such as a program contacting a command and control server in another country) and block it
  6. Ensure that you have a solid backup and restore solution in place and that it is regularly tested (we recommend a test restore every month)

Following these steps will considerably lessen the risk of falling victim to an attack, and the last step will mean that if ransomware does get through, you are only facing disruption rather than a disaster.

If you would like to know more about how we can help with any of the steps above  or would like an independent review of your cybersecurity, then please get in touch.

The easy way to stop fraud

On the 16th of August  2016, Brisbane City Council admitted that it had lost over $450,000 to criminals who assumed the identity of a legitimate supplier (a waste contractor), advised the council to change the account that payments were made to, and then sent through invoices which were subsequently paid. Townsville council lost $300,000 to the same criminals, and other councils in Queensland were also targeted. Whilst this fraud appears to be very sophisticated in that the criminals used publicly available tender documents to plan the attack and targeted multiple councils at the same time, it still follows the standard pattern we see in these cases:

  • An organisation is targeted, and the criminals find out who within the organisation makes payments to suppliers
  • Access is gained to a supplier’s email via a phishing attack, or a fake email domain is set up that will pass at a glance
  • The criminals email and/or phone the organisation pretending to be the supplier and persuade them to change the bank account where funds are to be paid. Sometimes a PDF of a deposit slip (that has been amended) is used to create a level of confidence
  • Legitimate invoices are sent through by the supplier
  • The organisation pays them to the amended bank account
  • Eventually, the supplier wonders why they aren’t being paid and contacts the organisation
  • The fraud is discovered
  • The money is gone

There are a few variants to this scheme

  • C-suite fraud – the email comes from the CEO, CFO etc and asks for a payment to be made (usually to a foreign bank account). Despite this type of fraud being widely publicised, firms still fall for it
  • Client fraud – the email and payment instructions appear to have come from a client. Once again these can be sophisticated, especially if the client’s email account has been compromised
  • Seller fraud – the email appears to have come from the seller’s lawyer (or the seller) in a real estate transaction, with an amended bank account

Fortunately, there is an easy way to protect yourself and your organisation:

  • Always confirm any internal payment requests by phone or in person – not by email. If a criminal has compromised an email account (or created a fake email address) they will reply to any emailed queries and will try to convince you that the request is genuine
  • If you receive any request (by email or phone) to change a bank account that you pay funds to then confirm that the request is genuine by calling (not emailing) the supplier/client back, using a number you already have (not the number in the email). If dealing with an organisation, call their main number (not a mobile) and speak to someone you know
  • If you are setting up payment details for a new supplier, or for a new client, then once again confirm that the request is genuine by calling (not emailing) the supplier/client back, using a number you already have (not the number in the email)
  • Educate your staff to be aware of the risks, and to follow good practice. Make sure that they feel comfortable querying payment requests or asking for confirmation – especially if the request is internal
  • If you are an owner or in a similar position of authority you should lead by example. Follow the process you have put in place, and be happy if staff query when they are unsure, or ask you to confirm a request – it means they are being careful

If you create payment policies that include the above elements, your risk of being a victim of fraud is considerably reduced. And the only investment is time.

If you’d like to learn more about how to secure your firm against cybercriminals, using both technology and training, then please get in touch.

Why you need to start using two factor authentication

We are seeing more and more companies move to using two-factor (or multi-factor) authentication to provide additional security for remote access to desktops, applications and email. This move has been driven by the rise in phishing attacks, and the risk that some staff would fall for them and provide their network id and password. These details would then be used by the criminals to either defraud that company or to launch a fraud attempt against that company’s clients. If you have read about business email compromise, it all starts with the criminals gaining access to someone’s email account.

Using two-factor authentication is a smart move, and doesn’t need to be expensive. There are cloud-based solutions that cost less than NZD 3 per user per month. These can be configured to only require the two-factor authentication when you or your staff are logging in from outside of your office.

There are usually a number of options for authentication (in addition to your username and password). These can include:

  • Receiving a phone call on your mobile – you press # to authenticate
  • Receiving a notification via an app on your smartphone – you press the authenticate button
  • Receiving a code via text (SMS) on your mobile – you enter the code into the login screen

The most secure is using the app on your smartphone – as both phone calls and text messages can be diverted. Whilst this might seem improbable, there are a plenty of instances where individual staff have been targeted as part of an attempted fraud.

2 factor authentication shouldn’t only be used to protect remote access to your company systems. It should also be used for any cloud-based applications that hold confidential information or could be as part of an attempted fraud. For example, Xero has rolled out two-factor authentication (they call it two-step authentication) as an option for securing access to Xero accounts. They have chosen to use a smartphone app (Google Authenticator) rather than text messages. If you are storing confidential information in the cloud, it is worth checking to see if two-factor authentication can be turned on, and to choose the app option rather than text if you can.

If you would like to know more about how we can help to secure your remote access then please get in touch.