Welcome to Cyber Security Today. This is the Week in Review edition of the podcast for the week ending Friday September 30th, 2022. From Toronto, I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Terry Cutler, head of Montreal’s Cyology Labs, to discuss what’s been happening — or about to happen — in cybersecurity. Most of our discussion will focus on Cybersecurity Awareness Month, which begins tomorrow.
But first a look back at some of the headlines from the past seven days:
A hacker managed to break into the content management system of the news site Fast Company and alter stories with obscene and racist remarks. The publication had to temporarily take the site offline to fix the problem. The hacker claims they were able to figure out a password used by a number of employees that had a shared element. Terry and I will discuss this incident.
Last week I told you that the encryptor code for the LockBit ransomware has been stolen and leaked. It hasn’t taken long for another hacking group to take advantage. There are multiple reports that the Bl00dy ransomware gang has already adopted this code for an attack on a victim in Ukraine.
Crooks continue to target medical offices and healthcare service providers in the U.S. According to SC Media, some of the latest victims include Physicians Business Office, which provides practice management services for doctors. Just under 200,000 patients are being notified their personal and health data was likely stolen in a hack last April. A Tennessee walk-in doctor’s office is notifying just over 58,000 patients that their data was stolen after a hack that started in July. A Texas hospital said it has nearly finished recovering its IT systems after a ransomware attack earlier this month. And a medical provider has acknowledged that a security configuration error at a third-party provider in May led to the theft of data of over 22,000 patients.
A criminal gang has made tens of millions of dollars since 2019 by using stolen credit card information on some 200 fake dating and adult websites they created, researchers at ReasonLabs revealed.
Finally, Australia’s attorney-general is pondering changes to the Privacy Act following the huge data breach earlier this month at the country’s second-largest wireless carrier, Optus, a subsidiary of Singapore Telecommunications. After the attack the hacker dumped the data on 10,000 customers — including Medicare numbers — on the dark web.
(The following transcript has been edited for clarity)
Howard: The Week in Review often gets caught out by the calendar for certain events — Fraud Awareness Month, Password Awareness Day — which inevitably happen a day early or a week ahead. But not this time. Tomorrow starts the annual October Cybersecurity Awareness Month. Yes, people still need to be shaken from complacency and reminded to be aware of cybersecurity and to follow cybersecurity best practices. This includes individuals at home, employees at work, IT security teams and senior management.
Organizations should, of course, be conscious of cybersecurity every day. So how should this year’s Cybersecurity Awareness Month be observed by organizations? Are there things they can or should be doing differently from what they do every day, every week, every quarter?
Terry Cutler: Here’s the challenge: We’re seeing attacks increasing and we’re trying to defend against all attack surfaces. There are phishing and spearphishing attacks, ransomware, employees copying out data to cloud storage, websites being attacked, employees losing their devices or getting them stolen, employees clicking on links they’re not supposed to, no visibility to know if a hacker is in your environment, no incident response plan, outdated software, stolen passwords, IT guys who are not trained in cybersecurity so they’re often giving wrong advice — and companies think their cyber insurance will take care of things, but they’re also having a hard time qualifying for cyber insurance …
So my advice to everyone from the CEO down to their IT teams is they need to sit down and ask this question: Can we identify, protect, detect, respond — and especially recover — from a cyber attack? Recovery is vital because if [data] gets destroyed, how fast can you recover from a backup?
There’s a couple of tips to share: The big one is around passwords. Use a password manager [across the organization]. But here’s my take on password managers. They can create really strong passwords that are somewhat unbreakable but remember the LastPass hack a month or so ago. If your passwords have been corrupted or are made unusable there’s no way you can remember what password that was to this or that account. [Editor: Unless there is a safely protected written or digital backup]. Password managers are useful but you’ve got to be careful with them.
Second, use multifactor authentication. If an employee’s password is leaked on the dark web and a hacker tries to use it they’ll get an alert. However, there are ways to bypass multifactor authentication …
You also want to make sure your data is backed up.
Employees have to be taught to hover over the links in email before clicking on them.
I think one of the most important things senior leadership and the IT department should do this year is get a penetration test done. See how strong your defences are — is IT receiving the proper alerts to know an attack is happening? Pen tests can test users as well.
Another thing companies could be implementing is server message block signing. It’s where workstations and servers have their communications encrypted so no tampering or man-in-the-middle attacks can happen.
And get rid of outdated software and operating systems.
Howard: My take on Cybersecurity Awareness Month is that it shouldn’t only be thought of as something that should be aimed at ordinary employees. So I want to talk about three events that suggest organizations and infosec leaders still have a lot to learn. First, the recent American Airlines hack, news of which was only revealed this month. In July customers notified the airline that they received phishing emails that had come from the hacked email accounts of airline employees. So first of all, the airline didn’t know that these employees’ accounts had been hacked.
Terry: The hackers got access via a couple of ways: Either they sent phishing emails to the employees and they clicked on them and gave away their access, or it could be passwords that leaked onto the dark web and were reused. And either multifactor authentication wasn’t turned on or it was bypassed … What’s interesting is that the airline didn’t have technology in place to know that there was suspicious activity happening. Maybe they didn’t turn on geo-fencing to know that people who usually log in from Canada are logging in from somewhere in the Middle East or Africa.
Howard: The second thing about this incident was the hacker used an IMAP protocol to access the employees’ mailboxes. And then using that protocol the hacker may have been able to synchronize the contents of the mailboxes to another device that was controlled by the hacker. Explain what IMAP is and why organizations shouldn’t be using it today.
Terry: IMAP has been around since the mid-’80s. It enables remote users to view and manage their messages that are stored on a server. But IMAP has become very insecure when it comes to enterprises. We’re moving away from IMAP and using webmail. One of the problems with IMAP is that it’s designed to accept plain text login credentials, which could be intercepted. But a lot of companies still have IMAP enabled. It’s very, very challenging to defend. This is a perfect example of how backward compatibility is still enabled. You want to eventually kill off the IMAP service and use webmail. The other problem with IMAP is it doesn’t support strong authentication, so you can’t necessarily enable multifactor authentication. That’s why everybody is moving towards an Office365 or Gmail approach where you can enable all of these stronger functionalities. Also, IMAP uses port 143. You want to switch over to port 993, which encrypts email transmissions.
The point is move away from IMAP as fast as possible.
Howard: And the third segment of this hack that I want to talk about is the hackers were able to copy a lot of sensitive data of about 1,700 people from the email accounts. Those airline employees’ accounts they hacked into included people’s names, Social Security numbers, driver’s license numbers, passport numbers, employee numbers, dates of birth, mailing addresses, phone numbers. This is all the sort of stuff that an attacker can use to create a phony ID. Aren’t there ways of protecting data held in employees’ inboxes, like attachments that hold sensitive data?
Terry: Whenever we travel and we have to deal with our travel agent, they need information to avoid any problems. We typically send copies of our passport and whatever they need to get us up and running as quickly as possible. But once this data leaves our inbox we no longer control it. We’re hoping employees on either side of the airline will actually delete the email afterwards to protect the data. As an airline employee there’s not too much they can do to protect their inbox except for things like paying attention to email phishing attacks, and creating a strong password. But on the IT side they should be implementing things like geozones in order to block access from other countries that are trying to access these inboxes. They also want to make sure they’ve implemented multifactor authentication for all of their users. How many times have we discussed where companies say, ‘We’ve implemented MFA already,’ and then you ask the question, ‘Well for all your users, or just the executives?’ They need to have it on for everybody.
Howard: The second incident I want to bring up to illustrate this point that IT administrators have a lot to answer for is the hack this week of the website of the news site Fast Company. The hacker defaced several news articles, which went out to Apple News subscribers — who as you may imagine were surprised at the wording in the news stories. Apparently several employees who had administrative access to the website were given, or allowed to have, a similar access password with a variation on the word pizza. So it sounds like one employee had the password ‘pizza123’ and another had the password ‘pizza456’ and a third employee may have had the password ‘pizza789.’ That would be pretty easy to guess if the hacker had figured out one employee’s password. This is a violation of cybersecurity 101.
Terry: This is a perfect example of [doing something for] convenience. They probably set up a default password but expected each user to change it.
Howard: The third incident I want to bring up regarding Cybersecurity Awareness Month and the responsibilities of senior management and IT administrators is the recent Uber hack. The cause of this hack was an employee of a third-party contractor who fell for a trick. They gave into the repeated messages on their smartphone asking for a verification of their multifactor login. These messages were being sent by a hacker who was trying to get around the multifactor authentication protection. The employee got tired of seeing these messages. That’s a matter of bad cybersecurity awareness training. But this incident also spawned a column in The New York Times by security expert Bruce Schneier, who argued that the hack is another example of how companies skimp on security because they have no financial incentive to tighten up. He said only strong government regulations are going to change that attitude. Do you agree that companies are skimping on security because they have no financial incentive to tighten up?
Terry: Absolutely. A common theme I hear is, ‘Who’s going to want to hack me? I’m small fish.’ But they don’t realize — especially the small and medium business guys — that almost 80 per cent of all small businesses are being targeted by cybercriminals, because they know that they don’t have the time, money or resources to do cybersecurity. They’re hacking into smaller businesses and using them as a jump point to attack another company … One study [found] 60 per cent of small businesses that get hit with a cyber attack will go bankrupt within six months. We’ve seen a lot of cases where a firm gets hit with ransomware and they have to dish out $300,000 or a million dollars to get their data back. That could be a death sentence for a small business.
The other challenge is we’re [short] 3,000,000 personnel in the cyber security industry. There aren’t enough experts to help protect everybody.
Howard: One of the problems I have is that some cybersecurity pros want to have it both ways: They say no combination of technologies can stop a cyber attack if a threat actor has the time and the money and the determination. They’re going to hack you, and your job is only to lower the risk. But at the same time there are complaints that organizations don’t take cybersecurity seriously every time there is a big hack in the news. Am I wrong to say there’s an inconsistency here?
Terry: That’s a tough question, but the answer is [there’s] no silver bullet to stop a hacker. You only make it harder for them to get in. So if you have enough defences in place to thwart a hacker he’s going to move on to somebody else. But like you said earlier, if these guys have the financial means and the expertise they’re going to get you. We’ve seen cases where you could drop in millions of dollars of cybersecurity technology and expertise, but it just takes one mistake …
Howard: I want to emphasize to chief executives and IT security leaders that no organization can be prepared for a cyber attack unless it has a written and implemented cybersecurity strategy for reducing risk. Can you go over what that plan would include?
Terry: First, have a proper inventory of all the hardware and software currently in the environment. What versions do you have, what operating systems do you have [on every device], how old are the machines?
Second, how much valuable information do you have on computers? We’ve seen cases where employees have copied sensitive information from the server to their workstations and forgotten about it. Data needs to be prioritized for protection.
Third is creating a great patch management system.
Fourth is having antivirus, anti-malware and firewall technology — although I have a problem with that. These are traditional cybersecurity technologies. You also need behavioural analytical technology and other advanced technologies.
Fifth is access control. Remove all default administrative passwords. General employees shouldn’t have administrative access on their systems, but we often still see that. We also want to make sure employees create strong passwords and have multifactor authentication turned on.
Sixth is a user awareness training program that regularly tests the employees — at least once a month or every three months — to see how they’re doing.
Seventh, you want a policy to take care of data that’s at rest or in transit.
Eighth, create a strong backup and recovery plan. This is one of the most important takeaways — make sure your backups are safe and tested.
Ninth, have a proper incident response plan in case of a disaster. My strong suggestion here is to work with a consultant or IT firm that will have fresh eyes on your environment.
Howard: I want to close by saying for organizations that don’t already have a cybersecurity plan there are lots of free resources. The Canadian government’s Canadian Centre for Cybersecurity has a set of baseline cyber security controls for small and medium-sized organizations. The United States Cybersecurity and Infrastructure Security Agency has similar resources. If you are in the United Kingdom the UK National Cyber Security Centre has free resources. The Center for Internet Security has its Critical Security Controls.
Not only that, big IT vendors probably have free resources for their customers.
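As an added example (not code from the podcast or its guests), here is a small Python check that applies two of the defensive ideas raised in the discussion: the login geo-fencing Terry mentions when talking about the American Airlines hack, and catching the burst of repeated MFA prompts behind the Uber incident. The log format, user names, country codes, thresholds and window are all constructed for this example.

```python
"""Constructed auth-log checks: out-of-baseline login countries and MFA push bursts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, event, ISO country code of the source IP.
SAMPLE_LOG = """\
2022-09-26T08:02:11Z alice LOGIN_OK CA
2022-09-26T08:05:40Z bob LOGIN_OK CA
2022-09-27T09:12:03Z alice LOGIN_OK CA
2022-09-28T02:44:19Z alice LOGIN_OK NG
2022-09-28T22:10:01Z bob MFA_PUSH_SENT CA
2022-09-28T22:10:35Z bob MFA_PUSH_SENT CA
2022-09-28T22:11:02Z bob MFA_PUSH_SENT CA
2022-09-28T22:11:40Z bob MFA_PUSH_SENT CA
2022-09-28T22:12:15Z bob MFA_PUSH_SENT CA
2022-09-28T22:12:50Z bob MFA_PUSH_APPROVED CA
"""

# Constructed per-user baseline: countries a user normally signs in from.
BASELINE = {"alice": {"CA"}, "bob": {"CA"}}


def parse(log):
    """Turn the constructed log text into (timestamp, user, event, country) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, event, country = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, country))
    return events


def geo_anomalies(events, baseline):
    """Successful logins from a country outside the user's baseline (geo-fence hit)."""
    return [(ts, user, country) for ts, user, event, country in events
            if event == "LOGIN_OK" and country not in baseline.get(user, set())]


def push_fatigue(events, threshold=3, window=timedelta(minutes=5)):
    """Users who receive at least `threshold` MFA pushes inside one sliding window."""
    sent = defaultdict(list)
    for ts, user, event, _ in events:
        if event == "MFA_PUSH_SENT":
            sent[user].append(ts)
    hits = []
    for user, times in sent.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.append((user, times[start], times[end]))
                break  # one alert per user is enough
    return hits
```

Running `geo_anomalies(parse(SAMPLE_LOG), BASELINE)` flags alice's login from NG, and `push_fatigue(parse(SAMPLE_LOG))` flags bob after the third push in under a minute, before the prompt is finally approved.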