Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, October 6th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes guest commentator Terry Cutler of Montreal’s Cyology Labs will be here to discuss cybersecurity awareness training as we go into the second week of Cybersecurity Awareness Month. As part of that we’ll look at a Canadian survey of infosec pros suggesting fewer than half of companies here make awareness training mandatory for all employees.
But first a look at some of the headlines from the past seven days:
Organizations that leave web links to Zoom videoconferencing meetings open on the internet run the risk that a hacker will take advantage and find their way into the firms’ IT network. That’s the warning from security reporter Brian Krebs. The problem is these so-called Zombie links include a permanent user ID number and an embedded pass code. If your organization allows these links, make sure the meeting organizer creates a pass code to join a meeting, and only allow registered or domain-verified users to attend.
More malicious code has been found in the open-source NPM repository of packages available for application developers. One, found by researchers at ReversingLabs, is like other examples of typosquatting in that it closely mimics the name of a legitimate package. In this case the real one is called node-hide-console-window. The phony one is node-hide-console-windows. What makes this one dangerous is it leads to downloading a rootkit on the victim’s computer.
Separately researchers at Fortinet said they found 35 malicious packages hidden in NPM.
It bears repeating — make sure you know what you’re downloading, especially if you’re a developer.
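As an added illustration of the kind of pre-install check those two NPM stories call for (example code added here, not from the podcast, ReversingLabs or Fortinet), the following Python flags dependency names that sit within a small edit distance of an approved package, including names that differ only by punctuation. The POPULAR allow-list and the sample package.json document are constructed for the example; in practice the allow-list would be your organization's approved dependencies or a top-N registry list.

```python
"""Typosquat check for npm package names (added example, not from the page).

The POPULAR allow-list and SAMPLE_PACKAGE_JSON below are constructed for
illustration; substitute a real allow-list of approved dependencies.
"""
from __future__ import annotations

import json
import re

# Constructed sample allow-list of trusted package names (assumption).
POPULAR = {
    "node-hide-console-window",
    "express",
    "lodash",
    "cross-env",
    "event-stream",
}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """Strip separators so a punctuation-only variant collapses onto the real name
    (npm itself refuses new names that differ from an existing one only by
    punctuation, but older or scoped lookalikes still reach developers)."""
    return re.sub(r"[-_.]", "", name.lower())


def check_package(name: str, trusted=POPULAR, max_distance: int = 2) -> dict:
    """Return a verdict for one package name.

    'trusted'    - exact match against the allow-list
    'suspicious' - not on the list but within max_distance edits of a listed name
    'unknown'    - not on the list and not close to anything on it
    """
    if name in trusted:
        return {"name": name, "verdict": "trusted", "closest": name, "distance": 0}
    best_name, best_dist = None, None
    for t in trusted:
        # Use the smaller of the raw and separator-stripped distances so that
        # 'crossenv' scores 0 against 'cross-env' rather than 1.
        d = min(levenshtein(name, t), levenshtein(normalize(name), normalize(t)))
        if best_dist is None or d < best_dist:
            best_name, best_dist = t, d
    verdict = "suspicious" if best_dist is not None and best_dist <= max_distance else "unknown"
    return {"name": name, "verdict": verdict, "closest": best_name, "distance": best_dist}


def scan_package_json(text: str, trusted=POPULAR) -> list[dict]:
    """Flag every dependency in a package.json document that looks like a typosquat."""
    doc = json.loads(text)
    findings = []
    for section in ("dependencies", "devDependencies"):
        for dep in doc.get(section, {}):
            verdict = check_package(dep, trusted)
            if verdict["verdict"] == "suspicious":
                findings.append(verdict)
    return findings


# Constructed sample manifest: one clean dependency, two lookalikes.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {
    "express": "^4.18.2",
    "node-hide-console-windows": "1.0.0"
  },
  "devDependencies": {
    "crossenv": "*"
  }
}"""


if __name__ == "__main__":
    for finding in scan_package_json(SAMPLE_PACKAGE_JSON):
        print(f"{finding['name']}: {finding['verdict']} "
              f"(closest trusted: {finding['closest']}, distance {finding['distance']})")
```

A distance threshold of 2 is deliberately tight: it catches a dropped or added character (the trailing "s" in the headline's case) and a transposed pair without flagging every short name in the registry. A hit is a prompt to look at the package's publisher, age and install scripts before installing, not proof of malice.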
A security researcher reported finding a huge database of information open to the public internet that belonged to a British company called Really Simple Systems. It’s a customer relationship management application provider. The incident is apparently another example of a configuration error, or forgetfulness, by an employee.
A U.S. cybersecurity firm called Human Security says it disrupted the money-making mechanism of a criminal operation that compromised off-brand mobile phones, tablets and internet-connected TVs. It believes tens of thousands of Android and Apple devices were repackaged in China with malware that linked to an advertising botnet. The goal is to steal users’ passwords and create fake email accounts for fraud. The compromised devices were sold around the world.
Finally, there were a lot of important security updates released this week. In case you missed it, Linux administrators were told to update their operating systems to close a 16-month-old vulnerability. Developers with applications using the open-source TorchServe package from the PyTorch framework were told to install the latest version. Exim issued an email server update for new zero-day vulnerabilities. Apple issued its third operating system update in two weeks for iPhones and iPads, while Google issued patches for 51 vulnerabilities in the Android OS.
(The following transcript has been edited for clarity)
Howard: Since 2004, October has been marked as cybersecurity awareness month, when corporate and IT leaders should look at how and how often they train employees to be aware of and respond to cyber threats. The discussion part of this episode is entirely about awareness programs, what makes them tick — and what makes them fail.
Terry, IT spends a lot on technology to prevent attacks. So why is a cybersecurity awareness program needed in every organization?
Terry Cutler: It’s only one piece of the puzzle. A lot of companies right now are investing a lot in firewalls and such. But hackers aren’t spending all their time trying to hack firewalls and get detected, when all they have to do is send a crafted email to an employee and have them click on a link. The human element is the number one reason why hackers are getting in. It’s the weakest link … [Organizations] need to start implementing some behavioural change where upper management is going to advocate for having cyber security programs so they can help train their employees on what to spot in a phishing email.
The other thing is that there’s also regulatory compliance [required], especially with dealing with cyber insurance. Cyber insurance companies are tired of losing $5 for every dollar they’re getting in [in premiums] and a lot of times ransomware attacks are occurring because somebody clicked on a [malicious] link … So the more employees know about these types of threats and how they’re being done will help save the company from a cyber attack.
Howard: What should a cyber security awareness program include?
Terry: [Organizations] need to start with setting their cybersecurity policies and procedures. Here’s a fun fact for you: Out of 40 customers that we audited this year I would say easily half of them didn’t have their playbooks at all. They didn’t know what an acceptable use policy was, or whether they had a proper incident response program. A lot of companies don’t have these playbooks. Because it’s not a matter of if you’re going to be hacked but when, and how fast you can recover, make sure you’ve got your playbooks.
The other thing you need is a phishing and training awareness program. Then users are going to understand how these attacks are happening. It’s going to be easier for them to spot attacks and not be a victim. They also need to understand password management. I get this question all the time: ‘What password manager do you recommend?’ Password managers will create really, really, really powerful passwords. But if you’re trying to remember them it’ll never work. We’ve seen cases where a customer comes to us because their password manager got hacked and they don’t have access to 800 passwords. That’s craziness. Think of song lyrics or phrases that can help you on your way [because that’s better than a mix of letters, numbers and symbols].
There should be some social engineering training and testing. We ran a phishing test on a company that never had awareness training before … and we sent out test emails to 400 of them. [Editor: Terry didn’t detail, but the phishing test likely pretended to be from IT support and asked employees for their passwords.] We asked [management], ‘How well do you think you’re going to do?’ and they said, ‘We’re going to pass.’ But over 270 people submitted passwords to us. That blew management’s mind.
Awareness training also has to include patch management policies. We’ve seen an update that’s been applied to a computer and requires a reboot, but because the user’s documents are open it could take them days or weeks to reboot their PCs. Users have to understand how software updates work.
Another thing that has to be included in training is physical security. Sometimes strangers show up in an office and nobody asks questions. I once walked into a retail outlet [for a penetration test] and went to an employee who was stocking shelves and said, ‘I’m from IT and doing an upgrade on your server. Can you let me into the server room in the back?’ And he takes me there. Never asks me who I am, or what I’m doing there. Within three hours my team compromises the whole company. We were even able to move the IT manager’s mouse, and even write to him. He wrote back, ‘Please get out of my system,’ then shut down and went home.
Howard: How can leaders ensure that cyber security training is engaging and relevant to employees at all levels? Employees often say that awareness training is boring, regimented and predictable.
Terry: I’m going to reveal the secrets of how I get things done. Training needs to be educational and entertaining. It has to be really engaging to work. For example, we use a lot of real world examples when we do [test] phishing or social engineering attacks. The users get a sense of what it could be like to be a victim. We do a lot of hands-on learning, including gamification. For example, I did a one-hour presentation in virtual reality. We also do escape rooms, where we show the users how cyber attacks happen and what they could be doing. You’ll need to also customize the content. We’ve seen a lot of boring content around. If it’s not tailored to the organization it’s not going to work …
Some of the feedback I also get is, ‘I don’t have time to watch your 10-minute videos. I need to be in and out as quickly as possible.’ So micro learning is going to be key here. Pop in a one or two-minute video, show them what to watch out for, so they can stay up to date.
Howard: What’s your sense of cyber security awareness in companies that you go into? Is employee awareness improving or is it getting worse?
Terry: Getting worse. We’ll call it a work in progress. Training programs are extremely effective, but some organizations are struggling because the training is not engaging and relevant. Here’s an example: I’ve seen a lot of videos that say [to employees] ‘Make sure you use two-step verification,’ ‘Make sure you create a strong password’ — but they don’t show how to do that. The users don’t always have a clue about what’s going on. So the training needs to have a flow of how to get the user secure and how it makes sense. It has to be easy and digestible for them to take action.
(To hear more of the discussion, including management’s role in creating effective awareness programs, play the podcast)