Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday September 3rd. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
With me today is Jim Love, IT World Canada’s CIO and chief content officer. We’ll talk about a disastrous attack on a Canadian web hosting company and a report on insider threats. But first a look at some of the headlines from the past seven days:
The gang behind the Ragnarok ransomware has shut operations and released a free decryption utility that victims can use to get their data back. At least one expert speculates the operators will take their profits and return to ransomware with a new scheme.
Meanwhile those behind the botnet distributing the Phorpiex malware seem to want out of the business. They are selling the source code. However, if a threat actor buys the code the botnet can be re-activated.
Another botnet called Mozi was in the news. The operators were arrested in July, but a cybersecurity company called 360Netlab argued this week that the botnet – made up of 1.5 million compromised devices, many of them in China – will likely keep running on its own. That’s because it uses a peer-to-peer structure: there is no central command server to take down, so even if some nodes go offline the remaining nodes keep infecting other devices.
Business email compromise scams try to trick victim companies into wiring payments they normally make to a partner or supplier to an account controlled by crooks. One of the ways these scams get spotted is the imperfect English in the messages. Some crooks have figured out that grammar flaws can be a giveaway. So, according to a security firm called Intel471, threat actors have recently been looking for help. One person was spotted on a Russian-language cybercrime forum looking for native English speakers. Another was looking for someone to handle the social-engineering side of an attack while he took care of the technical aspects.
For years cybersecurity experts have taught computer users that hovering over a link in an email or text is a good way to find out if the link is legitimate. After all, if you expect to go to ‘cheapcars.com’ and hovering over the link displays ‘zxy123.co,’ that’s suspicious. However, Microsoft says a recent scam tries to foil that. It takes advantage of a feature called open redirects, commonly used by legitimate sales and marketing campaigns: a link on a trusted site carries the real destination in a URL parameter and forwards the visitor there, so the customer sees the trusted or expected web address when they hover over the link. Scammers abuse this by putting their own phishing page in that parameter. The hover still shows the trusted domain, but the click lands on the scammer’s page. So remember, hovering alone won’t always reveal a scam. Any time you click on a link, watch the web address you actually end up at. And be suspicious if you get asked to re-enter your Microsoft username and password.
Finally, IT administrators were reminded to follow basic cybersecurity practices when U.S. wireless carrier T-Mobile briefly described how a hacker was able to steal the data of over 50 million current and former customers. It was done by compromising the carrier’s test network. Details weren’t revealed. But the lesson is an internet-connected test network has to be as secure as the live operating network.
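For the open-redirect item above, here is a small checker that shows what a hover cannot: whether a link on an apparently trusted host carries a second, absolute URL in one of its query parameters that points somewhere else. This is an added example written for this page, not code from Microsoft or from any of the companies mentioned; the hostnames in the sample links are constructed for illustration and the function name embedded_redirect_target is my own. It goes slightly beyond the text by also catching protocol-relative (“//host/…”) and double-percent-encoded destinations, two common ways of hiding the target.

```python
from urllib.parse import urlparse, parse_qs, unquote

MAX_DECODE_ROUNDS = 3  # guard against endless %25%25... nesting


def _fully_decode(value: str) -> str:
    """Undo repeated percent-encoding (parse_qs already did one round)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def _same_site(inner_host: str, outer_host: str) -> bool:
    """Treat the same host or a subdomain of it as the same site."""
    return inner_host == outer_host or inner_host.endswith("." + outer_host)


def embedded_redirect_target(href: str):
    """Inspect one link for an open-redirect style destination.

    Returns (outer_host, inner_host, inner_url) when a query parameter holds
    an http(s) URL whose host is not the link's own host; otherwise None.
    """
    outer = urlparse(href)
    outer_host = (outer.hostname or "").lower()
    for _name, values in parse_qs(outer.query, keep_blank_values=True).items():
        for raw in values:
            candidate = _fully_decode(raw).strip()
            if candidate.startswith("//"):          # protocol-relative form
                candidate = "https:" + candidate
            inner = urlparse(candidate)
            if inner.scheme in ("http", "https") and inner.hostname:
                inner_host = inner.hostname.lower()
                if not _same_site(inner_host, outer_host):
                    return outer_host, inner_host, candidate
    return None


def scan_links(hrefs):
    """Return the subset of links that redirect off-site, with their targets."""
    flagged = []
    for href in hrefs:
        hit = embedded_redirect_target(href)
        if hit is not None:
            flagged.append((href, hit))
    return flagged


if __name__ == "__main__":
    # Constructed sample links (not real campaigns or domains).
    samples = [
        "https://cheapcars.example/deals?ref=newsletter",
        "https://cheapcars.example/go?next=https://www.cheapcars.example/finance",
        "https://links.trusted-marketing.example/track?campaign=q3"
        "&url=https%3A%2F%2Flogin-microsoft.example%2Fauth",
        "https://cheapcars.example/go?next=%2F%2Fzxy123.example%2Fsignin",
        "https://cheapcars.example/go?next=https%253A%252F%252Fzxy123.example%252F",
    ]
    for href, (outer_host, inner_host, target) in scan_links(samples):
        print(f"hover shows {outer_host:<35} click goes to {inner_host}  ({target})")
```

Only the last three sample links are reported: the first has no embedded URL and the second forwards to a subdomain of the same site. In a mail gateway or a phishing triage script you would run this over every href in a message and show the inner host to the user, since that is the address the hover hides.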
(The following is an edited transcript of my conversation with Jim Love. Play the podcast to hear the full talk)
Howard: I want to first talk about the misery that Montreal-based Web Hosting Canada faces. This is a company that hosts websites and provides backup services. Some companies resell its services. It has perhaps 60,000 customers. But last weekend some of its backup and production servers were wiped. Some of them have been, or are being, restored, but many customers who relied on the company to back up their data may have lost everything: their data as well as their website content, unless they had local backups.
UPDATE: On Thursday the company said six of 12 servers had been restored, and most data on a seventh had been recovered but with some data loss. Data recovery attempts were ongoing on the five other servers. WHC was “cautiously optimistic” data could be restored on three of them.
According to the head of the company, an employee of a third-party service provider used their account to log into one of Web Hosting Canada’s management portals. Whether it was malicious or not, we don’t know.
Jim, what did you think when you heard of this incident?
Jim: My heart just went out to them. First of all, my heart went out to the guy who heads the company. This is the ultimate disaster. And then second, my heart went out to some people. We saw one story – I can’t give all the details because we don’t have permission — but they had painstakingly created this site over years and years with all this data. And I went, ‘Oh please God, let them have a backup or let them recover it.’
Howard: The company has said some servers are irreparably damaged.
Jim: The last claim I saw was they could recover 50 per cent [of customer data]. That’s an astonishing number. You’ve got to give credit to these people for being transparent in this.
Howard: Have you ever experienced something like this where a provider that you or your firm dealt with had wiped out data?
Jim: Yes. There are two types of people: Those who will admit it to you and those who [don’t]. I’ve experienced at least four major data losses in my career. Each one I could say I was blameless, somebody else did it. But the buck stops with you [the IT or backup leader]. We had one occurrence with a preferred supplier. They were very knowledgeable, had access to our machines. What possessed them to reformat a disk, or to overwrite a disk, while the backups were connected on this machine is beyond me. Like, it’s beyond insanity. You can’t imagine why anybody would be that stupid, but they wiped our prime copy [of data] and our on-site backup, which then led us to another backup that we went through, and the programmer had not tested the backup.
So I’ve been in this situation trying to get a disk restored because of someone that you trusted, someone you thought had the experience and the expertise to do this, [but] doing the most radically stupid thing possible. You know Murphy’s law? Murphy was an optimist. So at that point you’ll pay literally anything to get your disk restored, anything. In fairness, I have saved other people because we’ve had backups as well. So it’s not like I’m sloppy. We’re not. But sometimes the bolt of Zeus strikes you and that’s all there is to it.
Howard: I spoke to one WHC customer who was initially angry and despondent. What he said to me is ‘Everything is gone.’ He told me of years of marketing data that had been collected and relied on the [WHC] online backups … Eventually he cooled down and said that fortunately his firm had done a local data backup three months ago, but any data that he had collected since then was gone, and he wasn’t sure how much of the older data was available. He thought it would take two or three days to get his websites back and running, which is two or three days when he’s not able to do business. So this incident must be terrible for customers.
Jim: I have to tell you, the day that we lost that drive – and that was the only drive — I lay awake at night with my stomach aching. I don’t lose sleep over almost anything, [but] it was the most awful experience in my life. And I vowed it would never happen to me again. Ever … We need to get back to that. Don’t let it happen to you. We can’t change what’s in the past, but the future. Now, if you work for me, and everybody knows it, I might be thought of as the jerk of all time, [but] I can tap you on the shoulder at any one time and you must be able to restore data. If you can’t, hand in your resignation right there. That sounds brutal, but life is brutal. We [IT leaders] have to have responsibility for the data we have. You can control it in your own world. I’ve seen many times where people you presume have a backup, and they don’t. I don’t trust that anymore.
Howard: So what lessons can IT leaders learn from this incident?
Jim: If you can’t touch a tested backup of your data that is disconnected from the internet and restore it, you’re never sure. And that’s the only thing you can do: Make sure you have your data backed up. That is it. There is an absolute air gap. This is offline, and it can be restored and that’s it. Don’t count on anyone else. The second piece is, test continuously. I did a data center move one time [for] a remarkably big institution. And we had backups for our data. But you would be surprised how many backups were empty. They ran the backup job successfully, just didn’t back up data for many, many reasons. So if you don’t test it, if you can’t see it restored, forget it. Data’s only good if you can restore it. It doesn’t matter where it is or what it is. If you can’t restore it, you don’t have it.
That’s regardless of where you have it. Don’t forget clouds are just somebody else’s computer. I don’t believe, you know, that [Amazon] AWS is going to fry two regions. If you want to do [backup] between two regions in AWS or whatever, the hardware device is not the issue. The issue is can we restore it? Is it safe? Is it offline? And can we restore it if we need to? So I won’t describe how people do that, but that’s the theory. It’s gotta be offline so nobody can scramble it. You want to make sure that it’s write-protected so that nothing can touch them. And then you restore them somewhere safe.
Howard: This particular incident [Web Hosting Canada] was what security experts call an insider attack. The security industry definition of an insider includes not only employees, but also partners and contractors and consultants who have login access to the organization’s IT network. By coincidence this week a cybersecurity company called DTEX and the Ponemon Institute released a report on insider threats. Tell us about what that report said.
Jim: As if you needed more depressing news. In the executive summary they referred to another report that said there’d been a 450 per cent increase in employees circumventing security controls. We are doing something wrong. And a 230 per cent increase in behaviors that indicate [insiders] might steal data. They also have a list of reasons why security is a problem with insiders, and I don’t really care. I’ve said before, I don’t care whether it’s fat fingers [accident] or sticky fingers [deliberate], if the data’s gone, the data’s gone. If you’re granting too many access permissions to people, then you’ve got to watch what you’re doing.
They go through the list of reasons: Lack of in-house expertise – okay, fair enough. Lack of collaboration between IT security and the line of business – sorry, don’t accept. A shift to the remote workforce — a fact of life. Lack of budget – yep, I get that sort of stuff. And then at the bottom, 20 per cent said it was a lack of leadership. I’m going to reverse that. The buck stops here … I think there’s a wake-up call here, which has nothing to do with technology and has everything to do with culture.
Howard: What’s worse for the organization: The deliberate insider attack or the insider who accidentally makes mistakes?
Jim: When your data’s gone, do you really care? You have to watch both, but they have one thing in common: They have the access to do this, and that’s where you start. Do they have more access than they need? That’s the first thing. Second, do you have a [security] culture with your suppliers and with your employees? Nobody reads a manual anymore. Nobody. Some just obey what the accepted rules of behavior are. But if you’re trusted with access to something, you have to take the accountability to be careful and to exercise great care with that. And then of course you have safety nets. I remember the old days when we used to have a password to get into the main system. It was put in an envelope, and to get it somebody had to tear it open. So you knew somebody had used it. When that happened you had to write a report – and you had to change that password. That established a cultural moment. You knew if you ripped that envelope open, you were accountable for everything that happened with that password. That’s what we have to make sure we go back to.
This 450 per cent increase in employee circumventing security controls, and the lack of collaboration between security and line of business – if you were a leader in an institution right now, you can’t afford that nonsense. You just can’t. And that’s where true leadership comes to draw the line and say this is not acceptable behavior. I would say no matter how big the company I don’t have time for you not to get along [with security rules.] Get along. That’s your job.
As for those employees circumventing controls, you’ve got to look at why. Are we making it so hard that employees need to circumvent these to do their job? If so, fix it. And if not, draw the line and say, ‘Sorry, this is just how you have to do your job.’ I think we’re a little wimpy on this stuff. And, you know, executives close their eyes. I remember one time when tablets were first coming in and everybody was concerned about security, but they’d let the board of directors take all the company information on their tablets. Why? Because they could. Leaders have to lead and say, ‘No, we won’t do anything that’s insecure.’
Howard: So identity and access management is one key to reducing the risk of an insider threat. You don’t let employees have access to sensitive data that they don’t need to have.
Jim: Privilege management is something you should do, but you should reinforce why it’s done. And if you don’t do random audits [of activity] — you don’t have to look through all of your logs — but you have to let people know there’s a chance they’re going to get caught. You have to do random audits. Take a day once a month and go through and ask questions: Why were you there? Is that really part of your job? Why would you be doing that? People assume because IT can’t do everything they can do as much as they can. Build in your culture that people know they could be held accountable.
… You have to watch for the signs of [bad] behavior. This report also gives a good Insider Kill Chain. Before people steal data they’re going to do some things: Reconnaissance [to find sensitive data], Circumvention [of security rules]. People accumulating a lot of data on their machines. Why are you accumulating all this data? Especially if you’re expected to store on a [corporate] server and you start storing locally. That’s not good. You should have a great reason for that. Then there’s Obfuscation – trying to hide what you’re doing.
Howard: In summary, what can IT departments do to help reduce the odds of a successful insider attack?
Jim: One thing we can do is have frank conversations [with employees and executives], a lot of training, explain the reasons for our rules, have a least-privilege access [policy] and defend that, and test backups. And again, lead by example: If we [as IT pros] have got rules, make sure we obey them, too.