Welcome to Cyber Security Today. This is the Week in Review edition for the week ending October 22nd. From my studio in Toronto I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes Terry Cutler of Cyology Labs will be here to discuss some of the week’s news. Because Cybersecurity Awareness Month continues, Terry and I will be talking about what small businesses can do to better protect themselves from cyber attacks.
But first a summary of what happened in the past seven days:
There’s no end in sight to ransomware attacks. Among the victims we learned about this week were Ferrara, a Chicago-based manufacturer of candies like SweeTarts, Nerds, Atomic Fireballs and Pixy Stix. Another was American-based Sinclair Broadcasting Group, which has 185 TV stations as well as 21 sports networks.
There’s more evidence that IT departments still aren’t doing the simple things to stop ransomware – or any cyber attack. For example, a cybersecurity company called Axio released a study that looked at organizations that used its ransomware assessment tool. Most of those firms admitted they don’t have tough controls over privileged accounts, which are for employees who have special access to sensitive systems. These include IT managers and executives. Remember, the main goal of hackers is to compromise privileged accounts so they can spread malware widely. These accounts in particular need the extra protection of multi-factor authentication to prevent anyone from logging in by guessing or stealing passwords.
Meanwhile the REvil ransomware gang suffered another blow after its payment site went down this week. It also submerged in July, only for the gang to resurface in September. Who knows if it’s really out of business.
One of the reasons the gang may come back is because ransomware is so lucrative. How lucrative? The U.S. Treasury department released a report that calculates ransomware gangs may have collected $398 million in the first six months of this year from victims in the United States alone.
Computer maker Acer is having trouble with cyber attacks. It was hacked twice in the past seven days by the same threat actor. Acer said one attack hit its customer support systems in India, while the latest attack hit an IT system in Taiwan.
A report this week highlighted the problem with employees installing unapproved internet-connected devices on company computer networks. IT leaders told Palo Alto Networks of finding internet-connected pet feeders, smart lightbulbs, heart rate monitors, coffee machines and game consoles on corporate computer networks. One of the points is having employees working from home brings cybersecurity risks to organizations. That’s another topic Terry and I will delve into.
(The following is an edited transcript of our conversation. To hear the full version play the podcast)
Howard: First, because it’s Cyber Security Awareness Month let’s talk about what small businesses have to do to improve their cybersecurity maturity. One of the problems is a small business can be one person. Or, according to the Canadian government, it can have as many as 100 employees. If you exclude self-employed entrepreneurs, there are 1 million small businesses in this country. Tell me about the cybersecurity problems of some small companies you’ve had to handle.
Terry: This list affects pretty much any business, no matter what industry you’re in: You could be a flower shop with three people, or you could be a hundred-person company. All of these threats are, are relevant for all of them. The biggest problem we’re seeing right now is around password leakage. A lot of people are using the same password everywhere. So instead of using their personal Gmail accounts, for example, to register for an online service, they’re using their corporate email. And a lot of times they’re using the same password everywhere. So when that social media site or something gets breached, that password is leaking onto the dark web and being reused and that’s causing business, email compromises, ransomware attacks and such. So that’s the biggest one: Password leakage.
A lot of times we’re seeing a big issue with misconfiguration. A lot of small companies don’t have an in-house it department. It could be Bob, the owner’s brother-in-law that comes in and installs a server or misconfigures it. He turns on too many functions and allows cybercriminals to get in and breach it. Obviously the biggest problem is around lack of cybersecurity personnel. We are 2 million personnel short in our industry [globally]. There’s not enough cyber folks to help everybody. So it’s important that they get the proper training. So what we’re seeing often now is that [companies] take an overworked and under-trained IT guy to keep costs low. Another big problem of course is phishing attacks or spear-phishing, where users aren’t properly trained and they’re just clicking on links they’re not supposed to and getting the company infected.
Of course you got ransomware. A lot of companies are not prepared or not set up correctly to protect themselves against ransomware. So we often see that they have no disaster recovery plan in place. They think they’re doing backups, but their backups are in-house and their backups are on the same network as the compromised network, which means their backups now got encrypted. They’ve got no disaster recovery plan in place.
We see issues with cloud storage, for example, where employees are copying sensitive information from their computer into their One Drive or their Google Drive. And it gets synchronized outside the company and the it department has no visibility into, you know, what’s leaving the company and it could be very sensitive information, you know, intellectual property.
They have no way of knowing issues like compromised or lost or stolen devices. We see this a lot in the bring-your-own-device era, or as I like to call it, bring-your-own-disaster, where people bring their laptops in and it’s, it’s infected and they plug it up to the network and there’s no monitoring in place to detect a new computer. There’s a big list here.
Another problem is poor response when cybercriminals will bypass the corporate firewall. Once they’re in the network most companies, especially small businesses, don’t have any monitoring in place to know that there’s a hacker in there. And worst of all, they have no response plan to get the hacker out. We often see things with software. We still, we still come across Windows XP or Windows 7. Companies think, ‘If it’s not broke, don’t fix it.’ So they lug around this old technology.
Howard: And one of the things that’s important, I think, is that small businesses have to realize is you’re never too small to be a target.
Terry: That’s right. Especially when you put a service online. If it’s publicly facing the internet, it’s going to be a target. And if it’s vulnerable, it will be exploited at some point. So you got to make sure you have the proper things in place to know that these attacks are happening
Howard: There are a lot of small organizations that don’t realize what they have may be important. You may not have a huge database of credit card numbers of customers, but even your human resource database, if you’ve got 10 employees you’ve got all, a lot of sensitive information there, just including two things: Their dates of birth and their social security or social insurance number. With those two things crooks can do a lot of damage by impersonating people.
Terry: Companies may even have employee bank account information if they do direct [salary] deposit.
Howard: So if you only have a couple of employees and you can’t have a full-time it person, what should you be doing?
Terry: This is a perfect opportunity for looking at outsourcing, working with a specialized [security] team that will keep the costs low and keep on keeping an eye on things for you. A lot of companies don’t have the basics in place, like two-step [login] verification, or device encryption is not turned on. They have no asset inventory, so they don’t even know what they’re protecting. I know a lot of companies that still use the free antivirus products but it’s just not enough to protect against today’s threats. You need to have like EDR [endpoint detection and response] in place. You have to have also even log monitoring to make sure that if there’s ever an event you’re going to know what happened because insurance companies are going to stop insuring you at this point
Howard: Certainly leaders of small businesses have to be disciplined in their cybersecurity. You’ve got to have a cybersecurity plan that follows certain procedures, like auditing your hardware and your software devices, and making sure that you regularly update applications things like that. So in a lot of ways, what a small business has to do for cybersecurity are exactly the sorts of steps that a big company has to take.
Terry: Yes. The interesting issue here is that a lot of business owners think old school. They’ve been told that if they have an antivirus solution, if they got a firewall, if they have encryption, that they’re safe. But they don’t realize that these are old world. You need to have advanced stuff in place to be able to stop today’s threats. Some they think that because they have cyber insurance they’re covered. But insurance companies now are realizing that many firms don’t even have the basics in place. So why should they pay out?
Howard: And if you use a cloud service and, and many organizations use, Gmail for example, you have to remember that you’re responsible for backing up your data.
Terry: We actually had a customer that came to us at beginning of the year where some of their data was deleted by a disgruntled employee. And when they called up the cloud provider they found out that they weren’t paying for the additional backup services. So unfortunately, that data was lost. The other thing you want to do is make sure you can extend your [cloud provider’s] audit log capability. If you can, pay the extra and get it extended for a year. This is going to really help out the incident responders. Because when we get called in for an incident in a lot of cases the logs are gone.
Howard: We’ve talked a bit about what do you do if you’re a small business owner and you don’t have a full-time it person What if you have one it person, or if you have the luxury of having two, what should their responsibilities be to help cut down risk for a small company?
Terry: I think the number one thing or advice I would give to them is to not be afraid to ask for help. The IT guys are very territorial, right? They think that, you know, if a cyber security guy comes in we’re going to get them fired. That’s not the case. We’re there to, to work together.
Howard: I want to mention here that if you want to know how to be disciplined, there’s a great resource provided by the government of Canada’s Canadian Center for Cyber Security. And that’s called the Baseline Cybersecurity Controls for Small and Medium Organizations. There’s also the CyberSecure Canada program for small and medium-sized firms that allows organizations to prove to a certification body that they meet certain minimum standards. And those that pass are able to use a logo on their websites or promotional material attesting that they’ve met the standard.
For our American listeners, the U.S. Cybersecurity and Infrastructure Security Agency has a Cyber Essentials guide for small businesses.
There was also an interesting report this week about people adding unapproved internet-connected devices to their corporate networks. Can you tell us why these are a risk to accompany?
Terry: I think the biggest thing is that nobody’s looking after the security controls of these devices. A perfect example is that a lot of companies don’t have any alerting or monitoring in place to say a new device was just added to the network. There’s that infamous story of the Las Vegas casino where someone decided it would be great to have a fish tank cleaner where we can monitor it over the internet. And next thing hackers were able to hack through the fish tank water monitoring system and got access to the casino network …
Employees don’t like the IT department because we always say, ‘no,’ but there’s a reason for that. Because we have to help lower the risk to the company. So what happens usually is that employees will find ways to get their job done in their own way. And they add cloud storage stuff or set up their own WiFi. We had a real case years ago where the development team was setting up a test environment to do their work. And they had set up a lot of, a lot of infrastructure with the default username and password of ‘admin’ and ‘admin.’ But the cybercriminals were able to gain access to it and then compromise a network. They didn’t change the default password because it was a test network.
Howard: And this brings us back to working from home, and, in a way, back to the small business, because when you’re working from home there’s all the things on your home network that are possibly hackable, and therefore hackers can use those to tunnel in and get into your your employer’s network. Those devices you have at home have to be protected as well with separate passwords. And perhaps you’ve got to set up a segregated network at home so that your employer’s network isn’t put at risk.
Terry: Those are pretty standard practices, but a lot of times the employee is not the IT guy. In his mind, he’s too small to get hacked. No one’s going to want to get in. Another example is an employee installs a home surveillance camera system but leaves the default ‘admin admin’ credentials. If criminals can get in maybe they’re going to get footage of the employee doing inappropriate stuff. This is where extortion comes into play. Another famous example is these babycams [watching baby cribs]. They’re often being left with the default credentials.
Howard: So the bottom line for all the people who are working from home, you’ve got to make sure all the devices that you have at home — your surveillance cameras, an internet-connected television, your routers — they’ve got to be secure. And, and if you’re really worried, ask your corporate IT department for advice.