Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for the week ending Friday, September 16th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Terry Cutler, head of Montreal’s Cyology Labs, to discuss what’s been going on in security. But first a look back at some of what happened in the past seven days:
A private British bank last weekend urged iPhone and iPad customers not to install the new iOS 16 operating system. Terry and I will discuss why, and why this could have given the bank a black eye.
More about iOS 16: It has a security feature for people worried about being victims of spyware, such as executives, IT leaders and reporters. Lockdown Mode reduces the attack surface by limiting functions that might be exploited by malware.
Cisco Systems released updates to fix three vulnerabilities in some of its Small Business routers. But the company made it clear it won’t patch the same vulnerability in older routers. It’s another warning that hardware and software from any vendor that are no longer supported are a security risk.
Microsoft issued a reminder to email administrators that at the end of this month it will start forcing organizations using Exchange Online to adopt multifactor authentication to protect logins. That’s right — users won’t be allowed to log into email with only a username and password. Starting October 1st random corporate users will receive seven days’ warning that their basic authentication process will be ending.
Alerts on two WordPress plugins were released. There’s a vulnerability in the WPGateway plugin. It’s a utility for managing WordPress sites. The hole could allow an unauthenticated user to add a malicious administrator and completely take over a site. Watch for a patch. Meanwhile, the developer of the BackupBuddy for WordPress plugin has released an updated version that fixes an actively exploited directory traversal vulnerability.
Administrators whose sites use the FishPig extensions for the Magento e-commerce platform have been warned to update or re-install the application. That’s because it has been compromised by a threat actor. The malware allows hackers to get administrator access to their websites, according to researchers at Sansec. Sansec believes all paid FishPig extensions have been compromised.
Finally, Dutch police arrested a man on suspicion of laundering tens of millions of euros in stolen cryptocurrencies. Police allege the man used the Bisq digital currency exchange for switching bitcoin to monero to make transactions hard to track.
(The following transcript has been edited for clarity)
Howard: I want to start with the story about a private British bank called Coutts. Over the weekend it told customers not to install the new Apple iOS 16 operating system on their iPhones and iPads. Why? Because it wouldn’t work with the bank’s mobile app. Not only were customers told not to install the app, the bank gave instructions on how to turn off automatic updates on their devices. However, on Monday — as iOS 16 was released — another online notice appeared, saying the bank’s Apple app was now compatible with the new operating system and customers could update the app and install iOS 16. Is it just me or was there something wrong here?
Terry Cutler: It’s a clear case of a vendor [afraid to] release software that can break functionality. When you’re a user of these services you can be faced with a choice: If I upgrade the operating system I could still continue working, but not on my banking app. But if it’s not working, could that prevent me from upgrading? The problem is that not upgrading [the operating system] sometimes opens you up to various cyber risks. And, of course, if your device is linked to your company through a VPN it could allow an actor to hack in through your device and get into your company.
One of the problems we always see in healthcare is software that still requires Internet Explorer 7. You have to go back to the archives of your computer to even find this application. But you see it very often because the vendors that created certain mission-critical software are out of business, or the developers have moved on, and no one’s there to take care of the software. There could be all kinds of reasons for application upgrade delays.
Howard: It just strikes me that it’s really unsafe for a company to say to customers, ‘Turn off automatic updates for the operating system’ because that just makes you completely vulnerable to any hacker.
Terry: I agree, because the critical services won’t be installed. But here’s the other kicker, with iOS 16 specifically. Older phones won’t be able to upgrade, so they could potentially be victims of cybercrime.
Howard: This notice by the bank was quickly seen by a number of media outlets in England and on this side of the ocean, and I think it gave the company a bad eye. And by the way, this isn’t a small bank. It reportedly has a number of members of the Royal Family as customers.
Terry: I think because it’s got members of the Royal Family that increased the pressure on their IT department and their development team to find a solution to get this app to work.
Howard: This would be a lesson to all companies: You’ve got to keep your apps up to date with the release of major operating systems — Windows, Android, iOS, as well as Linux if you’re an organization. It just seems in this case the bank’s developers were a little slow and they tried to make the best of a bad situation. Their alternative, I suppose, was to say, ‘Temporarily if you have an Apple device don’t use our app because it’s not yet compatible with iOS 16’ — except that wouldn’t have been very good for business. But on the other hand it wouldn’t have posed a security risk to their customers, which is what you do when you tell them ‘Geez, don’t upgrade the operating system at all.’
Terry: The thing is, they’ve had months to prepare for this. iOS 16 doesn’t just show up out of the blue. Developers get access to beta versions and they get to see what’s changed. I suspect there must have been some systems in the [bank’s] back end that weren’t ready for the new features of iOS 16. Maybe they had to wait for another fix to happen. Maybe they had to get hold of new developers. We can’t really fully speculate, but there was time to prepare for this for sure.
Howard: Is there any excuse for a company that offers mobile apps for not being up to date with an expected major release of an operating system?
Terry: That’s a great question, because as you know I came from a software vendor, Novell. Whenever we released a new operating system a lot of customers came back saying, ‘I don’t want to be the guinea pig for this new software.’ There are obviously some pros and cons. Security updates help secure your devices … and you might also get added functionality. But when things go wrong, there’s a lot of inconveniences — different software won’t work together properly or some of the features are no longer available. Some updates can be risky because sometimes they fail. All that has to be taken into account.
Howard: Okay, let’s move on to item two: New ransomware numbers for Canada. Trend Micro questioned 103 Canadian IT decision makers about ransomware attacks on their organizations. There was no surprise: 60 per cent said their organization had detected a ransomware attempt in the past three years. Of those 77 per cent said that they were victimized. Which, I hope my math is right, means roughly 40 per cent of all firms surveyed were hit.
Here are more numbers: 38 per cent of the survey group said that their supply chain partners were victims of ransomware. Of those that were hit by ransomware and had their data stolen, 60 per cent said that data had been publicly leaked by the attackers.
Terry: I’m not surprised at all. Phishing and ransomware are the number one ways that hackers are getting in [to IT networks]. And the worst part is it’s very, very difficult to attribute. Who are these attackers? But consumers and clients don’t care. They don’t blame the hackers. They blame the company because they didn’t have the proper detection technology in place … Some of these scammers are earning over a billion dollars a year. It’s gotten easier to launch these attacks because now attackers have more ways: They can harvest infected botnets, ransomware kits can be bought and come with 24 by 7 support from cybercriminals, they’ll even provide you a list of targets to go after. What’s even more difficult is that if your company is not running the latest technology like EDR — endpoint detection and response — it won’t catch polymorphic malware. So it’s really, really difficult to keep up with these threats.
Howard: The thing is, when I asked a Trend Micro executive what companies are doing wrong, he said the same thing experts have been saying for years: Organizations still aren’t following the basic rules of cyber security — employees and customers are allowed to use weak passwords, employees don’t have to use multifactor authentication to protect logins, there’s poor patch management and they aren’t locking down the attack surface, especially allowing misconfiguration of servers, routers and the like.
Terry: This has been a problem for years. If you go back and look at interviews I did in 2006 I was preaching about the same stuff about the basics not being done. A lot of companies are still thinking, ‘Who’s going to want to attack me? I’m small fish.’ But they don’t realize that small businesses are the number one target for cybercriminals.
Let’s talk about what you could do before, during and after a ransomware attack. The one thing you want to do before any ransomware attack is to test your backups and restore procedures. How fast can you get your data back up and running? How fast can you get your company back up and running? But if you’re dealing with cyber insurance they want to know how this happened, so that investigation piece will hold you back at least a hundred hours. The IT guy wants to try and get you back up as quickly as possible, but when he does that he risks destroying evidence — and if you destroy the evidence you’re not going to get a payout from cyber insurance. You also want to make sure all of your systems are updated and patched. Definitely train your users in cybersecurity, because they’re ground zero. Look for technologies like EDR, network and cloud security monitoring. And of course the number one thing to do is get a security audit done. Get a penetration test done, get a gap assessment done.
Before a cyber attack make sure all hardware and software assets are inventoried. Make sure you have a law firm on call and work with a breach coach. When a breach is detected your cyber insurance will, hopefully, have an incident response firm that’ll come in and start deploying EDR agents to try and collect evidence to see how it started. A ransomware negotiator will try to lower the payment demand. And once the dust settles and you’ve lost hundreds of thousands of dollars, that’s when you’re really going to see where all the vulnerabilities are in your network and what to improve on.
Howard: Meanwhile every week there are new reports about successful ransomware attacks. Microsoft issued a report about a group it gives the nickname ‘Nemesis Kitten,’ which is looking for vulnerabilities that haven’t been patched in Exchange Server, in Fortinet’s Fortigate VPN, in Apache Log4j and the like. Security updates and patches have been issued for all of these products, but they’re still being exploited. This again shows how vital patch management is.
Terry: Vulnerability scans and searches [by attackers] are happening all the time, and if your system is internet-facing it will be attacked — and if it’s vulnerable it will be exploited. So it really comes back to the basics of cybersecurity. The other thing is cybersecurity and IT are two separate divisions. But they have to work together to help protect your network. You have to have an inventory of what’s running. There’s patch management. You need to heavily invest in cyber security training because your users are on the front line. Employees need to know how to create a strong password and to spot social engineering attacks. They need password managers. There are a lot of moving parts.
Howard: One of the things that Canadian listeners may not have heard was that over the Labour Day weekend the Los Angeles public school district suffered a big ransomware attack. This week the district gave its superintendent authority to enter into support contracts with cybersecurity and remediation experts without public bids because they have to keep dealing with the residue from this attack. Among other things that happened, the school district had to reset more than 600,000 usernames and passwords of employees and students. But then technicians discovered the password reset system had been partially compromised by the attackers and that slowed down the reset process. By now 92 per cent of middle and high school students have successfully changed their passwords and all elementary students have been issued temporary passwords. This goes to show it’s not a matter of you’re going to be hit by ransomware and within 48 hours the company can be back up and running. The effects can stretch out into months.
Terry: This is where I’m so happy I’m no longer working on an IT help desk. I can just feel the stress that these guys would be going through right now. We had to deal with a similar incident in the middle of last year where 400 school computers got ransomed … The hackers were charging $40,000 per computer to sell the decryption keys.
Howard: Item 3: With the economy slowing down in many countries, what should IT leaders do if they’re asked to cut spending? This comes after Forrester Research issued a report saying IT leaders need to be prepared for this. For example, I noticed a recent story saying a software company got rid of the application security team that vetted its software, with the security functions of that team now being folded into the existing development team. Are you hearing about companies doing similar things or cutting back on their IT security spending?
Terry: I am. That’s probably one of the reasons why our managed security services have been growing, because it’s so much cheaper to outsource now. Companies are dealing with continuous attack surface expansion. There are so many ways that attackers can get in now that the in-house staff can’t keep up… There’s been a lot of pressure on IT budgets because the management team thinks they’re covered because they have one cyber security expert on staff. Well, that’s why on a Saturday at 2 a.m. he’s looking at logs. It’s far more cost effective to outsource some things.
Howard: The report says cost-cutting risks reversing advances in an organization’s security culture in addition to risking its cyber security posture. I think the suggestion is if you as an IT leader can show how IT security leads to customer satisfaction and therefore presumably increased business then the CEO won’t lean on you too much for cost savings. Would you agree with that argument?
Terry: Not really, because there’s no real clear return on investment for cybersecurity.
Howard: Or the executives don’t perceive that there’s ROI.
Terry: Correct.
Howard: Another thing that this report says is that money can be saved by reducing the number of security vendors an organization buys products from. In fact, a Gartner survey released this week said it’s already seeing that. Seventy-five per cent of the companies it surveyed earlier this year said that they’re cutting back on the number of security companies they deal with as a way to save money.
Terry: I agree, but here’s the issue I’m seeing: They’re trying to find the lowest price. So they’ll buy endpoint protection from Microsoft for desktops, and for the servers use another vendor and another for network monitoring. I’ll tell you a real story that happened in healthcare. This institution had three different groups monitoring their respective endpoints. When an attack happened they had to engage three different groups who may have different sets of logs. Things were dropped. It’s not co-ordinated. It doesn’t tell the full story. It’s very, very important that you have full visibility into your network, so it helps to have one vendor.
Howard: So what’s your advice to IT security leaders if they’re told they have to find savings?
Terry: If you don’t have the time or money, outsource. An outsourced team can look at threat hunting, and make sure there’s protection for your Windows, Linux and Mac systems.