Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday November 12th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Dinah Davis, the vice-president of research and development at Arctic Wolf. But first a review of some of the important stories from the past seven days:
Big Canadian data thefts led the news here. The government of Newfoundland and Labrador admitted that years of hospital admission and employee data from two health regions were accessed by a cyber attacker that has handcuffed hospital treatment across the province. The premier said the data from one district stretched back 14 years. That could encompass data of thousands of people. Meanwhile, the Toronto Transit Commission admitted that the personal information of approximately 25,000 current and former employees and pensioners was stolen.
Dinah and I will talk about how these attacks underscore the importance of data protection techniques so this can’t happen.
A hacker was able to fool a customer support employee at the Robinhood stock trading and investing platform, the company admitted this week. The attacker was able to copy the personal information of 310 people, including their names, dates of birth and zip codes, plus extensive account information of 10 customers, plus 5 million email addresses, plus a list of the full names of 2 million other people. Dinah and I will talk about the need to ensure customer support people can’t be fooled.
It was a bad week for those connected to the REvil ransomware gang. The U.S. named two people for their involvement. One was nabbed last month in Poland, which will likely be asked to extradite him to the U.S. to face criminal charges. The other, whose whereabouts are unknown, has also been named in an indictment. Seven people involved in ransomware gangs have been arrested in the past seven months.
Cyber attackers are hunting for voice-over-IP phone providers to extort. They’re doing it by launching distributed denial of service attacks, essentially overwhelming their websites with traffic, and demanding a ransom or it won’t stop. The latest victim is a Chicago-based international provider called Telnyx. Service was impacted. A Canadian and an American VoIP provider were hit in September. Organizations whose business depends on providing online services need to look at DDoS mitigation protection.
The Black Hat Europe cybersecurity conference has been going on in London this week. News reports have summarized a few of the presentations, which don’t speak highly of some application developers. One researcher outlined how he found a vulnerability in the HTTP headers of Amazon’s API Gateway. An attacker could have taken over a victim’s server cache. Another researcher outlined a vulnerability in Microsoft Azure’s Cosmos database.
On this side of the ocean two cybersecurity conferences had interesting presentations. At the CISO Forum Canada a speaker said IT security leaders need to better understand the needs of CEOs if they want to be influential with management. And at a Forrester Research security conference a speaker urged IT leaders to start researching solutions that can resist attacks by coming quantum computers. When they arrive, quantum computers will be able to break the current encryption protecting corporate data.
Finally, when President Joe Biden signs a $1 billion U.S. infrastructure bill on Monday it will include some $2 billion in cybersecurity funding. That will include $1 billion to help states and local governments upgrade their IT networks.
(The following is an edited transcript of my talk with Dinah Davis. To hear the full discussion play the podcast)
Howard: I’m going to bring in Dinah Davis now. I want to start by talking about one of the most damaging cyberattacks in the history of Canada against the healthcare system of the province of Newfoundland and Labrador. It started 13 days ago. This week we learned that as part of the cyberattack, the registration data of hospital patients and the data of current and former hospital employees were copied by the hackers. For patients, that includes basic information that is typically logged when a patient is admitted or seeing someone for medical service: their name, their birth date, their healthcare number, their email address, and their mother’s maiden name. For current and former employees, the information includes their name, address, contact information, and social insurance number. Dinah, a couple of things struck me. First, this data didn’t involve credit card or banking data, but it can still be damaging to those affected.
Dinah: Very, very damaging, and never mind that the hospitals’ system was down.
Howard: What I’m thinking of is even if you’ve got just a name and a birth date and a health card number, there’s enough there for impersonation.
Dinah: Absolutely. Especially with the social security numbers. Definitely chances for identity theft.
Howard: What also struck me was this isn’t current data that was stolen. From one health district the data went back nine years. For another, it went back 14 years. Shouldn’t data that old be protected?
Dinah: You would think that that should be in backup places where you only need to look at it sometimes. It’s not like that data needs to be at their fingertips. They probably only need a couple of years of data to be at their fingertips. Otherwise, it should be further away.
Howard: And it should be protected. I mean, there’s encryption. You protect data at rest as well as in transit. Presumably it wasn’t encrypted, because the province has warned people to watch their bank account statements and check credit rating agencies.
Dinah: It may have been encrypted but if the attackers were able to get the credentials to unlock the data it could be decrypted.
Howard: That just speaks to the problem of making sure that your employees have proper password protection, like multi-factor authentication, so that even if data were stolen it’s protected. The other thing that struck me is you may not be able to stop an initial compromise, but what IT departments should be able to do is stop lateral movement. So even though you’ve got an initial infection on one or two desktops the attacker can’t move laterally through the organization and find those sensitive data servers. How can you stop lateral movement?
Dinah: I’m going to give an analogy about what a lateral movement really is in the computer world: If you think about the attackers trying to get their foot in the door someplace, that’s the initial attack. Then they’re going to use that to try and squeeze through and find another way in. Then they’re going to try the easiest things possible. Say they just get into a lobby and they’re going to go around, and there are maybe six doors in that lobby. They’re going to jiggle every door. If they can get in one of those doors, we would consider that lateral movement.
So you want to make sure every door is closed. And not only every door, you don’t want to allow them to be climbing through the ventilation system, or any other way they could get through. If you’re looking at this as your technology system, attackers find open side doors through vulnerabilities that exist in current assets that you have on your network. The thing you do [as an IT leader] is you patch often, you patch soon, you patch quickly, to keep your software and hardware up to date. That’s going to close any of the known vulnerabilities in there. The other way attackers make lateral movements is through privilege escalation attacks.
They do it with password guessing or dictionary attacks or brute force attacks. How can you prevent that? One is always the principle of least privilege. Let’s assume one person in your company gets hacked: what do they have access to? They should only have access to what they absolutely must have access to do their job and nothing more, because if they are hacked that limits the lateral movement that the hacker can make. You also want to separate, you know, what privileges you have in each application and only allow certain applications to do certain things. The less privilege you give all around, the better. So make sure you’re managing all of your credentials and privileges.
An easy mistake to fall into is that people change roles in the organization but they still have privileges from their old role that they don’t need anymore. Those credentials are ripe for attack. And then the ultimate protection is what we would call the zero trust model. The easiest way to think about a zero-trust model is even though you have the key to get into my house, you don’t have the key to get into any other room. And you always have to keep producing your key to get into the next room, to the next room, to the next room. That’s a really good way to stop lateral movement.
Howard: Can you talk about data segregation and network segregation?
Dinah: Thinking about the Newfoundland hospitals case, they have some really old data that was made available. Did they need that data to be connected to their everyday data? If it’s not something you need to access often, then you should put it in a separate system. That’s data segregation. Network segregation is, for example, putting the hospital booking system on a different network from the system that also hosts all the patient data. And there should be basically what’s called an air gap in between those two things. If they aren’t connected in any way, then lateral movement can’t happen.
Howard: I want to bring in the issue of paying a ransom. Toronto Transit has acknowledged that it was hit by a ransomware attack. Newfoundland has all but said it was ransomware. We’ve talked about this before: It’s easy to say don’t pay a ransom, but these are public bodies, which is one of the reasons why they’re chosen by attackers. That increases the pressure on the government to protect the public. So how does a government resist that urge to pay and then get some sort of assurance that the stolen data is not going to be peddled to other criminals?
Dinah: I don’t think there’s any assurance at all. You could pay and the attackers could still give it [stolen data] out. And that’s the problem. It really depends on the motivation of each ransomware group that’s coming after you. If it is just monetary, then it is in their best interest [to keep their promise]. But there is no guarantee that paying them will result in that. I don’t think you can give a black and white answer. I think if you can recover, if you can mitigate the situation, then the best option is usually to not pay.
But I also do think there are instances where people do need to pay and that’s their only choice. You should bring in a professional ransomware negotiator who knows how to deal with this situation.
Howard: Let’s move on to the Robinhood trading platform attack. Details are scarce, but the company says the hacker tricked a customer support employee by phone and obtained access to certain customer support systems. First of all, why are customer support people an important target for cyber attackers?
Dinah: They interface with the public, so that opens them up automatically for social engineering attacks. Any time you [as an attacker] can find a way to start talking to somebody who’s inside the company and has access, the better it is. They often have access to the company systems so they can fix issues for customers.
Howard: This reminded me of the infamous Twitter attack last year. In that case attackers pretended to be from Twitter’s IT department, and they called Twitter’s customer support people about problems that employees were having with Twitter’s VPN system. So the attackers then had the employees log into a fake Twitter website, which they thought was going to solve the problem for them. But the employees were really giving away their passwords to the hackers. And then the hackers eventually used that access to get deeper into Twitter’s system, to compromise the Twitter accounts of well-known people and push out bitcoin scams. The teenage attacker behind the scam was sentenced to three years in a Florida juvenile facility earlier this year.
The broader issue is, doesn’t the Robinhood attack speak to the need for a better security awareness training of employees?
Dinah: That’s always the case. Any social engineering attack most likely has to be thwarted by the person, not by technology. You have to know you’re being scammed. And so that’s where awareness training comes in every single time. And I think I’ve said it before, but you forget 80 per cent of what you learned within a month if you’re not re-engaged with what you were trained on. So you need to do short, regular awareness training or your people are gonna forget this.
Howard: And finally, you came across some interesting research: An article on zero-day vulnerabilities.
Dinah: It was a really interesting piece in the MIT Technology Review. They have been tracking how many zero-days have come up every year, since at least 2014. And one thing that they noticed was that 2021 has already more than doubled the number of zero-days that were found in 2020. There were around 53 [so far this year] and there were only 25 all of last year. The question is, is this a good thing? I think it’s a bit of a mixed bag at the moment. People are finding them more often. Governments are spending a lot of money trying to find these holes for espionage reasons.
Then there are the people who want them, like the ransomware gangs, who buy them from other people. So there’s a large market for them. But I think we’re getting better at detecting them. You know, we just had a year and a half where people were stuck inside, so security defenders were looking for more of them. Were there really more zero-days last year, or were more of them found? And I think the jury is still out on that.