Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday July 30th, I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
My guest this week is Terry Cutler, who heads Montreal’s Cyology Labs. We’ll look at some of the interesting news from the past seven days. But first a summary of the highlights:
Configuration mistakes by employees can be embarrassing if not costly. One of the latest examples in Canada was revealed this week when the city of Calgary admitted a server that monitors the municipal parking authority’s online system was left open to the internet without a password. The server captures technical information, but also payments and parking tickets with a driver’s personal information. That included people’s names, dates of birth, phone numbers, email addresses, postal addresses and more. None of the data was encrypted. The parking authority told the TechCrunch news site that the server had been open since the middle of May. It isn’t known if a crook was able to find the database as easily as a security researcher did.
The average cost of a data breach continues to climb, according to IBM’s annual global study. Over 530 breaches around the world were investigated. Participants estimated the incidents cost their companies an average of US$4.24 million. Among the 26 Canadian incidents studied the average cost of a breach was US$5.35 million.
An insurance firm called Coalition said the monetary demands by ransomware gangs have gone up substantially this year. The average demand made to its policyholders in Canada and the U.S. over the first six months of the year went to $1.2 million, up from $450,000.
President Joe Biden is sending another message to the world that cyber attacks are dangerous. In a speech to intelligence professionals this week he worried that cyberattacks involving severe security breaches could lead to what he called “a real shooting war.”
One of the themes of today’s discussion will be vulnerabilities in websites and applications. This comes from two reports issued this week: Cybersecurity agencies in several countries issued a list of the top 30 vulnerabilities routinely exploited by attackers. These can all be closed if IT departments are fast to install patches. And NTT issued a report saying it still takes over 200 days for developers to fix a vulnerability before issuing a patch.
But here’s something else: Websites with vulnerabilities are about to become easier for hackers to find. That’s because two researchers are about to re-release a tool they created to find vulnerable sites. Called PunkSpider, it’s a publicly available search engine that identifies sites with hackable vulnerabilities. The developers hope it will smarten up website administrators.
(The following is a condensed transcript of my discussion with Terry Cutler. To hear the full talk play the podcast)
Howard: I’m going to bring in Terry now. There were a couple of really interesting reports this week illustrating trends in cybersecurity, like the IBM cost of data breaches report. But first I want to talk about the Calgary parking authority incident. That’s a classic misconfiguration error, don’t you think?
Terry: My heart goes out to this poor soul. We see this all the time. Basically what happens is that the IT administrator will be tasked with putting an online platform online. And so a lot of times he’ll test it in a system first with maybe no patching, no credentials, no nothing. And it all works, but he forgot that he didn’t set a password and he puts it online. And now the system is misconfigured. And when cybercriminals scan their network, they’ll find that, and it allows them to gain access to pretty much everything that’s in there. In this case it found everything from a full name, last name, date of birth, payment information, license plates. Administrators need to learn some of the cybersecurity tools that they can use to scan their network, to see what’s available and potentially vulnerable, or even go out and hire an outside ethical hacking team to come and scan their system.
Howard: The other thing that caught my eye was not only was this unencrypted personal data. It was really personal. As you said it had people’s dates of birth. I wonder if the IT department knew that this type of data was on that server. This again raises the point that every organization needs to know what data it holds and where it’s being held.
Terry: That’s a common misconception about IT: People think it’s handling everything from making sure the systems are up and running to securing them. And it’s far from the truth. Most IT folks don’t have the proper cybersecurity training to help protect or defend themselves against cybercriminals. And also a lot of times, you know, they depend on the operating system encryption to do the job. But if it’s misconfigured attackers are going to get access to it.
Howard: But isn’t it up to the IT department to do a data audit, to find where the data is?
Terry: Absolutely. But the problem is it comes down to who’s the person doing the audit. Does he have all the training? You don’t know what you don’t know. And a lot of times organizations don’t have the budget to go out and hire outside firms or they feel they don’t need it, or [they feel] who’s going to want to hack me? What I hate is that whenever a data breach occurs for something so simple, the common phrase is, ‘We take cyber security seriously. We’re going to get to the bottom of this.’ But why didn’t you do that before the breach? I’m trying not to knock the IT department, because remember there’s no silver bullet to stop a hacker from getting in. You can only make it as difficult as possible.
Howard: And I want to also say that certainly mature organizations ought to have a data privacy officer who would work in conjunction with the IT department to help find where data is being held.
I’m going to move to the IBM survey. It’s probably no surprise: The average cost of a data breach keeps going up. But what stood out for you in this report?
Terry: A lot of this is because of the whole work from home, especially starting in 2020. You’re moving from corporate firewall security to a home consumer router, which doesn’t have anywhere near as many protective layers. So the IT departments had to do with what they had; they had to rush to push digital transformation and make sure that the users were up and running. Obviously when things are rushed like that, things are missed – users didn’t have the proper training, for example, to fend off phishing attacks. And they re-use passwords. The other thing we saw in the report is that companies that were not prepared paid the biggest price — close to $5 million versus the folks that were pretty secure using the zero trust model, who were paying about $1.3 million if I remember correctly. But remember that’s the cost of everything from bringing in a digital forensics firm to analyzing what happened to notifying regulators and victims and post-breach response.
Howard: One of the things that I noticed in this report was stolen user credentials were the most common method used as an entry point by attackers. Yep. That’s still in 2021. Security leaders and IT departments have known this for at least 10 years, but it’s still a prime way that attackers can squirm their way into IT networks.
Terry: And that’s a big problem that’s plagued IT departments for generations. A lot of folks [employees] create really weak passwords that can be broken in moments. It’s because users want convenience. They don’t want to go to two-step verification and then they can’t sign in. They get discouraged. And then they try and find ways to circumvent the system. And what’s worse is that they use the password everywhere. So they use the same password for their corporate email and their Facebook account. Once a cybercriminal gains access to that password because there’s a data breach on some site where they forgot to change their password, they’ve been breached. And now this cybercriminal’s going to try and reuse this password on every account that they have.
… When we talk to organizations about their [security] posture, they say they have two-factor authentication turned on, but only for the executives. Not for anyone else, because they’re still rolling it out — but it’s been almost a year that they’ve been rolling it out. They need to have this on for everyone … If you’re not using 2FA by now, you haven’t even entered 2007 yet.
Howard: And the interesting thing is I’ve heard the reverse: I’ve heard where there are companies where two-factor authentication is used for all employees except the chief executive, because he — and some of the senior executives — don’t want the hassle. Another thing the report shows is firms that have incident response plans have lower breach costs.
Terry: [Firms] think that because they have a firewall, they have encryption [and] they have strong passwords that they’re safe. But they don’t realize that once a hacker bypasses this traditional security, they’re in your system for months or years … So you have to have the proper response plan in place — what do you do first, then what do you do second, who do you contact? You have to have all the steps planned out. We’ve seen organizations where they say they have a SAN [storage area network] protecting their backup, but then they have another session right next to it. So if ransomware gets into both, both backup systems will be encrypted in one shot. So there’s a lot of planning that has to be put in place.
Howard: Also issued this week was a list of the top 30 routinely exploited website and software vulnerabilities. This alert was issued by the US, the UK and Australia. Four of these 30 vulnerabilities can broadly be described as exploiting the shift to working from home that was caused by the pandemic. And that’s because they related to recently discovered bugs in Windows and devices like VPNs that are supposed to help remote workers securely connect to applications. But these RDPs and VPNs are being exploited when hackers find the vulnerabilities. There are bugs that date back to 2017, such as one affecting Microsoft Office. By my count, of the top 14 of those 30 vulnerabilities, three dated back to 2018, five dated back to 2019. The most exploited vulnerability last year was one in Citrix’s Application Delivery Controller, which is a load balancing application. The point that this report makes is out of all of these 30 vulnerabilities that are most commonly used by attackers, they all have patches issued and therefore exploitation shouldn’t really be an issue. What did you think when you saw this report and this list?
Terry: I think it also pointed to possibly lazy [IT] administrators, and it could also point to complex integration issues. A lot of times it goes back to the point where you had IT administrators who don’t know what [a patch] is going to break. So if you’ve got 200 users working from home and you want to apply this fix you need remote management and monitoring systems, where they can access the computer regardless of their VPN. A lot of companies don’t have that in place to do mass updates or mass fixes for these machines.
Howard: One of the reasons why organizations may not have remote management apps on the computers of their staff is that they had to rush people to work from home because of the pandemic and they weren’t prepared for that kind of migration.
Howard: And then there’s the PunkSpider website vulnerability scanner that seems to be about to be publicly released.
Terry: This is a really controversial tool. We’ve been advising companies and organizations for years to at least fix their low-hanging vulnerabilities, especially in websites. So what these [security researchers] have done now is create a scanner that crawls pretty much every website on the web and finds vulnerabilities and then puts them in a public list.
Howard: It’s not like it’s been created by crooks. But on the other hand, somebody has already created the Shodan search engine, and that’s a search engine for finding things that are connected to the internet. And while Shodan can be helpful to security researchers for that, it’s also obviously used by crooks in their search for vulnerable websites. So, one could argue why shouldn’t PunkSpider be released as well?
Terry: Because it reveals all your vulnerabilities. It does allow the company to go and fix [a vulnerability] right away. But what happens if the company can’t get it fixed? Let’s say the developer of the site is no longer with the company. Or they don’t have the funds to fix it. But now what you’ve done is you’ve publicly named this company and the exploits that’ll be available to get into their system; the cybercriminals can also use this information to hack into the company. It’s going to cause lawsuits.
Howard: I would argue that you’re in really big trouble if somebody tells you there’s a vulnerability in your website and you can’t find money to fix it.
Terry: That’s why this tool is so controversial, because it’s a double-edged sword: It’s there to help you. Obviously you don’t want to be on that website of shame, but at the same time cybercriminals can leverage this information to get to you before you have time to fix it.