Cyber Security Today, Week in Review for the week ending Friday, March 24, 2023

Welcome to Cyber Security Today. From Toronto, this is the Week in Review for the week ending Friday March 24th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.


In a few minutes Terry Cutler of Montreal’s Cyology Labs will be here to talk about some of what’s been going on. But first a look back at a few headlines from the past seven days:

Few companies in the U.S. and Canada qualify as having a mature cybersecurity posture. That’s according to a new global study by Cisco Systems. Terry and I will look at that report. We’ll also examine a report on the number of people with cybersecurity expertise being appointed to boards of directors. And we’ll have thoughts on a U.S. program allowing federal IT and cybersecurity staff to rotate among departments to spread their expertise.

Finally, we’ll look at lessons learned from a U.S. cybersecurity agency’s penetration test of an organization.

In other news the BreachForums site for selling stolen data is closing. This comes after an administrator was arrested by the FBI. Whether a new site will be constructed isn’t known yet.

Ferrari acknowledged it was hit by a ransomware attack. The attackers got names, addresses, email addresses and phone numbers of customers. The super sports car maker said it won’t pay a ransom to get the data back.

Food processor Dole acknowledged employee information was compromised in a February ransomware attack. The brief statement was part of the company’s annual report.

A French data centre provider has been ordered to pay the equivalent of US$270,000 to two firms that lost data in a fire. The companies had paid extra to have their information backed up, but the backups weren’t stored offsite: They were stored in the data centre that burned down. The decision is being appealed.

The Play ransomware gang has posted data allegedly stolen from a Dutch maritime logistics services company. The company was hit March 6th. According to Security Week it needed a week to fully restore its IT systems.

The U.S. published eight industrial control system advisories warning of critical IT flaws in equipment from Delta Electronics, Rockwell Automation, Siemens, Keysight and Hitachi Energy.

And there’s another reason to limit the number of Chrome extensions employees are allowed to add to their browsers. Authorities in Germany and South Korea warned that a North Korean threat group is tricking victims into installing a malicious Chrome extension that steals victims’ Gmail messages.

(The following is an edited transcript of one of the topics in our discussion. For the full conversation play the podcast)

Howard: I want to touch on a report that was issued last month that I haven’t gotten around to so far. It was issued by the U.S. Cybersecurity and Infrastructure Security Agency on a red team assessment of an unnamed critical infrastructure organization. For those who don’t know, a red team is a penetration test team. A blue team is the defenders. The agency produced a very detailed report that shows all the steps that the red team took to get around this organization’s defenses. So for IT and security teams it provides a lot of valuable lessons and I think it’s worth reading.

Terry Cutler: This report really highlights the importance of identifying and addressing vulnerabilities in a timely manner — and that’s the key word: timely — as well as the effectiveness of the incident response and recovery teams. We have to test all the time. Let’s say a company is being monitored by an outsourcing provider. The company is always on their toes … so when they engage teams to do penetration tests unannounced and start attacking the IT system they’re expecting a phone call from the managed provider. But often it doesn’t come because they’re not watching the environment properly. A lot of companies invest in traditional technology — a firewall, an antivirus, encryption — and think they’re safe. But they don’t have proper detection technology to know that a hacker bypassed defences and got into the environment and has been lingering in there for six to 18 months prior to being detected. In the worst case they don’t have a proper response plan to get the attacker out. So by performing these types of exercises we [pen testers] are going to be able to light up the dashboard to see what’s working and what’s not. Another type of test that would complement or replace a penetration test could be an adversarial test. It’s where we would come in with specialized software that could mimic a ransomware attack, a vertical or lateral escalation in an environment or even privilege escalation attacks.

Howard: Tell us about the three lessons the report outlines that IT leaders should learn from this test.

Terry: First is that leaders establish a security baseline of normal network activity. That’s the key. Most companies don’t have that piece in place. They also need to conduct regular assessments to ensure that the security procedures in place are actually working and effective. And they also need to enforce phishing-resistant multifactor authentication. A lot of times we ask, ‘Are you using multifactor authentication?’ and they’ll say, ‘Yes, but not everyone has it on.’

Howard: I don’t think enough small to medium organizations think about penetration tests. They’re not inexpensive, but more IT leaders should think about recommending them to their CEOs.

Terry: A penetration test is a very, very important tool for assessing the effectiveness of the organization’s security controls and identifying the vulnerabilities that could be exploited by an attacker. A lot of companies don’t even know their risk level. So if you can go in and do a risk report which will give them a score as to how vulnerable they are because the tester found compromised passwords on the dark web or their attack surface is vulnerable from the outside or default passwords on devices are still enabled. We actually still came across externally exposed Fortinets with their default credentials. Maybe they change it in the web portal, but they forgot to change it for Telnet. So I think IT leaders can play a really important role in advocating for pentests and other security measures.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
