Here are the stories of three dangerous—and common—information security incidents. The common thread? One relatively simple security control could have stopped each one.
1. A bank discovers that someone has emptied a customer’s checking account without their knowledge. Upon investigation, the bank discovers that the customer’s username and password, which the customer reused for numerous other websites, were stolen from a hacked WordPress site for the customer’s book club. Then hackers included the customer’s information in a credential stuffing attack. (In credential stuffing, hackers throw thousands of stolen usernames/passwords at many websites, hoping that some will unlock accounts.)
2. An organization discovers its confidential intellectual property (IP) available for sale on the internet. An investigation reveals a phishing attack as the culprit. Hackers acquired an employee’s VPN account credentials via a fraudulent e-mail, then downloaded the data from an internal server to an IP address overseas.
3. On the Friday before a long weekend, a company gets hit with a ransomware attack. Its internal production server with customers’ personally identifiable information (PII) has been encrypted, and attackers are demanding a payment to unlock it. After several sleepless nights of incident response and investigation, company IT leaders discover that a hacker initially compromised a poorly patched Windows server in the DMZ and then installed keystroke logging malware to harvest credentials from an administrator logging in to the server. The hacker then reused these administrator credentials to establish a Remote Desktop Protocol session to the internal production server and install ransomware.
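Credential stuffing, as described in the first story, leaves a recognizable trace in authentication logs: one source address trying many different usernames in a short span, mostly failing, with an occasional success wherever a reused password happens to match. The following Python example is added here (it is not Pratum’s code and not part of the original post) and runs a simple sliding-window detector over a few constructed log lines; the log format, the thresholds and the addresses (taken from the RFC 5737 documentation ranges) are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log (not real traffic). 203.0.113.7 runs
# through six different usernames in ten seconds and gets one hit; 198.51.100.20
# is a single user mistyping a password twice before succeeding.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:04Z src=203.0.113.7 user=carol result=OK
2024-05-01T10:00:05Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:07Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:10Z src=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:03Z src=198.51.100.20 user=grace result=FAIL
2024-05-01T10:00:20Z src=198.51.100.20 user=grace result=FAIL
2024-05-01T10:00:41Z src=198.51.100.20 user=grace result=OK
"""


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' record into a dict with a Unix timestamp."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "src": fields["src"],
            "user": fields["user"], "ok": fields["result"] == "OK"}


def detect_credential_stuffing(log_text: str, window: int = 60, min_users: int = 5) -> dict:
    """Flag source addresses that try at least `min_users` distinct usernames
    within any `window`-second span.

    Returns {src: summary} for flagged sources; `succeeded` lists the usernames
    that logged in from that source, i.e. the accounts to lock and reset.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_src[event["src"]].append(event)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Slide the window so events[start..end] spans at most `window` seconds.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in events[start:end + 1]}) >= min_users:
                alerts[src] = {
                    "distinct_users": len({e["user"] for e in events}),
                    "failures": sum(1 for e in events if not e["ok"]),
                    "succeeded": sorted({e["user"] for e in events if e["ok"]}),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, summary in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {summary}")
```

The detector keys on username diversity per source rather than on failure counts alone, because a single user fumbling a password (198.51.100.20 above) also produces failures but never touches more than one account. In practice the same rule would be applied per /24 or per ASN as well, since stuffing tools rotate through proxy pools to stay under per-address thresholds.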
Each of these stories highlights everyday dangers rooted in the fact that the traditional approach of authenticating a user’s identity and system access with a username/password has mostly broken down. It has fallen victim to the explosion in the number of account usernames and passwords that the average individual must keep track of to function in modern life. (My personal password vault currently holds 492 unique accounts.) As a result, most people use easy-to-remember passwords or reuse a handful of passwords across many accounts. One report says that 73% of all online accounts use duplicated passwords.
In this environment, businesses and organizations must give their users tools that make good security practices simple. The answer is not to require ever-longer and more complex passwords, but to authenticate users with additional or different factors beyond just passwords and PINs.
Each of the attacks described above would’ve been stopped in its tracks by multifactor authentication (MFA). This tool (sometimes called two-factor authentication or 2FA) provides a powerful defense against most attacks—especially those involving access or passwords. In fact, Microsoft, which is spending more than $1 billion on security annually, is on record as saying that MFA can block more than 99.9 percent of account compromise attacks.
In a recent Pratum webinar, cybersecurity expert Terry McGraw of PC Matic said, “The one thing I would do today if I hadn’t already done it is implement MFA. I need to make sure everyone touching my environment is authenticated from the system they’re working on.” (For all the tips from the webinar, click here.)
A secure system incorporates at least two of the standard authentication factors (something the user knows, something the user has, and something the user is) when authenticating users.
Each factor has pros and cons, but, in general, using any of these in addition to passwords improves the security of the system or application in question and provides an additional layer of defense desperately needed in today’s environment.
At particular risk are systems, applications, and users that are exposed to the Internet, as well as privileged users and users of sensitive systems/applications. These types of systems should be the priority for MFA/2FA implementations because they are at the highest risk of attack.
Returning to our initial three examples, let’s explore how some form of MFA could have prevented or lowered the impact of these incidents.
1. A bank account hacked through credential stuffing - Even if the hacker stole the username/password, they wouldn’t get very far. The web banking system could be configured to require the user to enter a one-time password or code from an app before providing access to the online account. In this model, the user would have been notified of the unauthorized access attempt when they received an unexpected code. The attacker could get into the account only if they also compromised the user’s phone so they could receive the code.
2. IP stolen through a VPN - Even if the phishing attack successfully harvested the username and password from the employee working at home, the company could stop the hacker by requiring the entry of a code from a hardware token before allowing access to the VPN. In this setup, the user gets the code from a device such as a fob specifically set up to deliver unique codes for logins.
3. A ransomware attack carried out via password logging - Even if an attacker successfully compromised the DMZ server and captured the administrator’s credentials, MFA or 2FA could have stopped the attack. Without the unique code delivered to the administrator, the attacker would not have been able to log into the production server to install the malware.
When considering your MFA setup, remember this key concept: Authentication factors should be separated from the system the user is authenticating from. For instance, a user should not receive an e-mail with a one-time password (OTP) as an MFA factor for accessing a VPN through the same e-mail account they use to access the VPN. A hacker who compromises that e-mail account has access to both the MFA factor (the e-mail delivering the OTP) and the user’s password. This bypasses the additional level of defense that the MFA implementation was intended to provide.
Moreover, the added security provided by MFA is only as good as the secrecy of the additional factor being used. For example, consider the rise in cell phone SIM swap attacks, where a malicious hacker uses a victim’s personal information to take control of a victim’s mobile phone number. A successful SIM swap allows an attacker to masquerade as their victim for any account tied to the victim’s phone number. This also subverts the security of any systems sending SMS OTPs to the victim’s phone as an additional authentication factor.
The increase in SIM swap attacks in recent years highlights the risk of using SMS-based OTPs as an additional authentication factor. While SMS OTPs are probably still sufficient for some individuals and organizations, those with a low risk tolerance will probably want to invest in a more robust MFA implementation to secure systems or data. (For a deeper dive into MFA guidelines from NIST, see this article.)
Obviously, no security control is a silver bullet. But if you are looking to make a big impact on risk reduction for your organization, MFA is a great place to consider investing. To talk with one of our experts on how you can implement MFA in your organization, contact us today.
Executives tend to fall into three camps when it comes to understanding cybersecurity’s strategic advantages.
Right now, the third category remains a fairly small club. It’s not quite a first-mover advantage anymore, but activating a proactive information security strategy as a marketing tool certainly puts you ahead of much of the pack. So forward-thinking leaders still have a window for using cybersecurity as a business advantage.
Pratum’s consultants help clients do exactly that. Jim Sixta, a senior information security consultant, advises clients to ask themselves: “If you’re in your future clients’ shoes, what are they going to require of you? When that client comes knocking on your door, you won’t be able to say yes unless you start working on it now. Customers won’t give you time to comply. They want to get a quote and go.”
Here are five areas where information security plays a central role in planning for your business’ growth:
1. Industry-specific requirements – Longstanding regulations like HIPAA may already be part of your business operations. But as the cybersecurity industry matures, sweeping new standards are on the way. Beginning in late 2020, for example, the Department of Defense will begin adding CMMC compliance to its contracts, with every contract including this requirement by 2025. In all, that means about 300,000 companies must earn this certification through a third-party auditor like Pratum in order to win or renew work with the DoD.
2. Government privacy standards – We may be nearing Peak Outrage over how titans like Facebook and Google have been handling all of our personal data. In response, multiple countries and states are passing new laws controlling how companies collect, store and use personal data. If you’re not already clarifying how laws such as the EU’s General Data Protection Regulation and the California Consumer Privacy Act affect your operations, Wayne Gretzky’s puck is likely to hit you in the face soon in the form of mandated operational changes and fines for those who fail to comply. (For an overview of recent changes in this area, see our blog on privacy laws.)
3. Current client requirements – Even if you’re taking a “let’s see what the government makes us do” approach, many of your best clients aren’t waiting around.
Throughout the private sector, detailed information security questionnaires and grids have become standard due diligence components for many companies selecting vendors.
Pratum CEO Dave Nelson says, “Wal-Mart, for example, has been pushing aggressive security requirements onto its direct suppliers, which are being pushed down through the supply chain. Wal-Mart wants to know that if they accidentally send out a confidential file, they have one response, not 50 different responses in each state. You can be three customers away from Wal-Mart and still be part of the ripple effect.”
Nimble companies can respond quickly to requests from potential customers because they keep updated statements about their cybersecurity posture and workflows. Imagine how it affects your chances of winning a deal if it takes you two weeks to fill out a security information matrix and your competitor sends theirs back on the day it’s requested.
Customer requirements may include elements such as earning a SOC 2 certification, which can take up to 18 months if you’ve never done it. If a competitor coming after your customers already has that certification and you haven’t even started on yours, you may quickly find out just how loyal your key clients are.
4. Dream client requirements – This is where another favorite motivational slogan comes into play: Luck favors the well prepared. If a client appears on your Big Hairy Audacious Goals list, they’re almost certainly on the front edge of information security. When your dream customer reaches out with the opportunity of a lifetime, will you have the security game to close the deal? Multiple Pratum clients brought us into the picture only after they had to turn down work from clients like giant national retailers because they couldn’t meet the security requirements. Next time, they’ll be ready for the deal that transforms their company.
5. A new selling point – Based on all the points above, if your information security stance is ahead of the pack, you have a marketing advantage. You can take that into all of your pitches with the message that you’re ready for secure business on Day One, which also speaks to your company’s overall position as a savvy market leader.
One of Pratum’s industry partners, Baker Group in Iowa, has identified a robust cybersecurity stance as a key way to separate from other building services contractors when it bids on new work. “We’re engaging Pratum to create a competitive edge,” says Daryld Karloff, Baker Group’s executive vice president of building services.
Upgrading your information security posture needs to start immediately. If you haven’t focused on creating a future-ready information security plan, you may have already lost opportunities that you won’t even know about for a few months. But the good news is that this world is still young enough that you can turn your company into a leader.
To start creating an information security plan that positions your company for growth, contact a Pratum consultant.
Every advance in security technology reinforces a favorite industry cliché: It’s easier to hack people than servers. Clever code exploits may earn hackers bragging rights, but it’s a lot simpler to trick one user into clicking a bogus link and letting you in the front door.
That’s why social engineering continues to be the leading vector for cybersecurity incidents. Industry sources estimate that 80% of security breaches stem from phishing attacks and that 94% of malware arrives via e-mail.
It’s basic math for hackers. A bad actor can easily send out 1,000 e-mails at a time. If you assume an average ransom of $40,000, a success rate of even 1% yields $400,000. And in reality, phishing attacks can work 25% of the time.
Why do so many people fall for phishing e-mails every week? Human nature explains a lot of it. We’re baited with messages that threaten the loss of a service, promise a financial windfall, hint at an important message from our employer or play off our basic confusion about technical terms. All this is dangled in a familiar-looking message promising resolution with a single click.
And we shouldn’t stereotype all phishing victims as that co-worker who just doesn’t get it. Hackers have honed their game massively since the days of foreign princes asking you to help transfer money. Modern phishing e-mails often include your company logo, a trusted partner logo (such as Dropbox), your colleague’s authentic-looking e-mail address, details about your specific business unit and more. In some of our phishing tests, for example, Pratum uses this convincing-looking Dropbox knockoff:
To stop e-mail phishing attacks, you must continually train your team to keep a wary eye on their inbox. That requires a combination of ongoing training and phishing simulations that keep everyone sharp. The first time you test employees with an internal phishing campaign, the results may be surprising. Pratum’s phishing campaigns often hook 20% of the recipients into clicking the link, and we regularly see 10-15% of recipients giving up their credentials in a simulated attack.
Here are some key questions to help you plan an effective phishing campaign:
Once you’ve planned the test logistics, it’s time for the art of the project. Your phishing campaign is all about testing users’ ability to spot a fake, which makes the quality of test messages central to the process. Here are several tips for effective test messages:
A good phishing campaign report includes a detailed summary like this:
Some phishing solutions include an Outlook extension that users can click to report a phishing e-mail. Your IT team can track how many users report the test message as potential phishing, letting you measure their growing participation in spotting the problem. This kind of detailed information also lets you provide training targeted at the groups and individuals in your organization who are struggling to spot bogus e-mails.