The Bad News Is, Cybercrime Is Growing


Since 2011 the cybercrime industry has grown from $114 billion to an estimated $600 billion in 2016, and is expected to exceed $2 trillion by 2020. These dollar amounts are rough estimates, since many incidents go unreported; they represent money extracted from companies through identity theft, extortion, or the cost of repairing systems and hardware, and do not include lost wages and productivity. On average, 1.5 million people a day are affected by cybercrime, including ransomware, phishing, and stolen identities, and sadly many of these crimes could be avoided if IT best practices were followed.

The recent global ransomware attack (WannaCry) highlighted two things: 1) corporate networks are still incredibly vulnerable and unsecured, and 2) the attack was avoidable. WannaCry scanned the Internet and local networks for hosts exposing SMB (TCP port 445) and exploited a known vulnerability in Windows' SMBv1 implementation that Microsoft had identified, and patched in MS17-010, two months earlier. Unified Threat Management devices, as well as end-point protection products, had been automatically updated as early as the first week in April.

The widespread, global scale of this attack reveals that many organizations did not deploy the patch in a timely manner, leaving their systems vulnerable. It is, quite frankly, concerning that enterprise organizations, especially those in healthcare, banking, and package delivery, had both the tools and the notice to prevent such an attack and yet took little to no pre-emptive action.

Interestingly, non-business home users were the group least affected by WannaCry, thanks to the popularity of Windows 10 and its automatic patching. Windows 10 currently holds a much larger share of the home market than of the business market, so home users were protected automatically, whereas small businesses and enterprises still rely mainly on Windows 7.

However, home users are not immune to cybercrime and have suffered significant monetary losses. Mobile ransomware was up 225% in Q1 of 2017. Many ransomware campaigns focus on the home user, since a corporate device can simply be wiped and redeployed rather than paying the ransom to retrieve the data being held hostage. Home users should also follow IT best practices, such as backing up their data to a cloud service like Dropbox or Apple's iCloud. One caveat: a sync service mirrors every change, so if ransomware encrypts a local folder the encrypted copies are synced too. Choose a service that keeps version history (or keep a separate, disconnected backup) so that clean copies can be restored.

It is undeniable that cybercrime comes at a cost: an enterprise organization is expected to pay $3.4 million per incident in 2017 and upwards of $150 million by 2020. Small businesses, on the other hand, which represent the majority of businesses, are generally unable to absorb the costs of a cyber-attack, and 60% of them go out of business within six months of a substantial attack.

Regardless of the size of an organization, there are a few steps most businesses can take to avoid falling victim to a cyber-attack:

  • Properly training the end user is key. Employees need to understand the threat, what it looks like, and how to protect themselves from it. Traditional security awareness training no longer works; IT departments should consider working with the marketing team to make awareness training more social and interactive, rather than simply sitting an employee in front of a computer to watch videos.
  • The simplest step is probably the most important: patch devices in a timely fashion. Come up with a schedule that works and be aggressive. Critical patches should be applied within days of release, while low-impact patches can be applied within 45 to 60 days. The biggest risk is relying on end users to deploy patches themselves. IT departments should consider a cloud-based management solution such as Microsoft Intune that can force patches and report on which devices have actually received them.
  • Deploy a modern operating system such as Windows 10 Enterprise with Windows Defender Advanced Threat Protection added on. Although Windows 7 is still being sold (we're going to skip over Windows 8), it left mainstream support in January 2015. All new deployments should be Windows 10, and a strategy should be developed for upgrading or replacing Windows 7 devices.
  • An oldie but a goodie: use least privilege. At this point it seems like everyone is an administrator of their own computer. While this may be more convenient for the IT department, it is fundamentally a bad idea: malware generally runs with the rights of the user who launched it, so a standard (non-administrator) account limits the damage a phishing payload can do. Access should be restricted on local and network devices.
  • Segment networks to limit the spread of worm-type threats such as WannaCry. In particular, do not allow SMB (TCP 445) between workstation subnets or from the Internet; a worm that cannot reach port 445 on its neighbours cannot infect them.
  • Lastly, have a good, tested backup of your data and use a hybrid solution that includes both local and online backups. This is your last line of defense.

Taking these measures will not make you bulletproof, but they will reduce your attack surface significantly.
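As an added example (not part of the original post), here is a small patch-SLA audit in Python that applies the schedule proposed above to a device inventory and reports what is out of policy. The SLA day counts, host names and update labels are assumptions, and the inventory is constructed so the script runs offline; a real deployment would pull these records from Intune, WSUS or the vendor's reporting API.

```python
"""Patch-SLA audit: report updates that were installed late, or are still
missing, relative to the deadline the policy allows for their severity.
Added example, not the post's code; all data below is constructed."""
from datetime import date, timedelta

# Assumed policy: days allowed between vendor release and installation.
SLA_DAYS = {"critical": 3, "important": 14, "moderate": 45, "low": 60}

# Constructed inventory, one record per (host, update). 'installed' is None
# while the update is still missing on that host. Labels are placeholders.
INVENTORY = [
    {"host": "fin-ws-01", "update": "KB-CRIT-01", "severity": "critical",
     "released": date(2017, 3, 14), "installed": date(2017, 3, 16)},
    {"host": "fin-ws-01", "update": "KB-IMP-02", "severity": "important",
     "released": date(2017, 4, 11), "installed": date(2017, 4, 20)},
    {"host": "fin-ws-02", "update": "KB-CRIT-01", "severity": "critical",
     "released": date(2017, 3, 14), "installed": None},
    {"host": "hr-ws-07", "update": "KB-CRIT-01", "severity": "critical",
     "released": date(2017, 3, 14), "installed": date(2017, 5, 5)},
    {"host": "hr-ws-07", "update": "KB-LOW-03", "severity": "low",
     "released": date(2017, 5, 9), "installed": None},
]


def deadline(record):
    """Date by which this update had to be installed under the policy."""
    return record["released"] + timedelta(days=SLA_DAYS[record["severity"]])


def audit(inventory, today):
    """Return findings as (host, update, severity, days_overdue), worst first.

    `today` is an ISO date string. A missing update counts as 'installed today'
    when measuring how far past the deadline it is, so it worsens daily."""
    asof = date.fromisoformat(today)
    findings = []
    for rec in inventory:
        due = deadline(rec)
        effective = rec["installed"] if rec["installed"] is not None else asof
        if effective > due:
            findings.append((rec["host"], rec["update"], rec["severity"],
                             (effective - due).days))
    return sorted(findings, key=lambda f: f[3], reverse=True)


def hosts_out_of_policy(inventory, today):
    """Hosts that currently have an update missing past its deadline.

    Late-but-installed updates are history; this is the current exposure."""
    asof = date.fromisoformat(today)
    return sorted({rec["host"] for rec in inventory
                   if rec["installed"] is None and deadline(rec) < asof})


if __name__ == "__main__":
    asof = "2017-05-12"  # the day WannaCry began spreading
    for host, upd, sev, days in audit(INVENTORY, asof):
        print(f"{host:10} {upd:12} {sev:9} {days:3d} days past deadline")
    print("currently exposed:", hosts_out_of_policy(INVENTORY, asof))
```

Run against the constructed data as of 12 May 2017, the report shows one host still missing the critical update 56 days past its deadline and another that installed it 49 days late; the low-severity update released on 9 May is not yet due.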


Two-Factor Authentication and Self-Service Password Resets: Recipe for Disaster and a Hacker's Dream


The Technology

Two-factor, or multi-factor, authentication has become the standard for authentication and is now used globally for access to secure networks, banking accounts, email, and even Amazon. The idea is easy to understand and execute and is fundamentally sound. A user logs on to a web site or VPN with their user name and password, and is then required to enter a secondary code that is typically valid for one use only. Traditionally this code came from a hardware token (a small USB-drive-sized device that displays a new number every 30 to 60 seconds); today it can also be sent to the user via SMS or generated by an app on a mobile device. Once the code has been entered, the user is granted access to the account or network.

Another trend is self-service password reset. This tool lets users change and recover their passwords without the assistance of the IT department, 24 hours a day. In most cases a user pre-enrolls by providing secondary information that is unique to them and hard for others to discover, such as the make and model of their first car, their maternal grandmother's maiden name, or the name of their first pet. At least four questions are typically collected at set-up and later asked in random order when the user needs to reset a password. Over the past few years vendors have also added SMS password resets, which are more convenient for the end user since they don't require remembering multiple challenge questions.

These technologies have increased security enormously over a single user name and password, but in some cases the implementation has become flawed over the years. The cardinal rule of IT security is never to weaken security for the sake of end-user convenience. Unfortunately, although we increase the security footprint by implementing these technologies, we weaken their effectiveness with "convenience measures" such as SMS messaging.

In the "real world" a police officer simply being on patrol will deter 90% of the crimes that might take place, but 10% will happen regardless of the security present. IT security is no different: 90% of potential hackers will walk away when they meet multi-factor authentication, but 10% will see their mission through.

The Hack

There are 2.1 billion smartphones in use globally, 207.1 million of them in the United States, which makes SMS a convenient channel for secondary authentication and identification. It also means there are 207.1 million phone numbers that can be hijacked. Although most hackers prefer automated attacks, which can hit millions of devices at once, it is important to point out that targeted attacks, while simple to execute, require manual intervention.

The hack is simple:

  1. The target individual is identified. Most targets tend to be C-level executives at small businesses (under a few hundred users), as these businesses tend to have gaps in security and processes.
  2. Identify the email or computer system being used. This can be done easily with online tools such as https://mxtoolbox.com/SuperTool.aspx.
  3. Review DNS records for the target. Most companies that have remote access make the host easy to identify by using names such as remote.xxx.com or vpn.xxx.com.
  4. Send an email to the target that will elicit a response, even if it's only an out-of-office reply. The information the hacker is looking for is typically the cell phone number associated with the account, and these days many people include their cell phone number in their signature. If that does not work, the hacker will try the good old-fashioned way: a little research via Google, LinkedIn, or the Wayback Machine (https://archive.org/web/).

Once the hacker has the necessary information, it's time for the attack, which is fairly simple to execute at a high level. First, the hacker ports the target's phone number to a different provider. Because phone numbers are portable, a number can be moved to any of a thousand providers; the key is timing and the ability to receive text messages. Carriers require only basic, easily obtained information to move a number from one service to another. Keep in mind the target still has their device in hand (this is why timing is critical), and the attacker has only a small window of opportunity (in most cases 12 hours) to complete the objective, which is why most of these attacks come from overseas.

With control of the phone number, the hacker refers back to the information gathered in the prior steps. They start by resetting the corporate email password and, if they're lucky, the reset is done by sending an SMS code. Figuring out the user name is simple, as in most cases it's the target's email address. Once the hacker has access to the email account, everything else is a matter of data mining, and unfortunately users often mix business and personal email (this is especially true of C-level executives), which means that sensitive information such as personal bank accounts may now also be accessible to the hacker.

Mitigation

As with everything else, risk versus reward must be weighed, and a risk assessment is fundamental to this process. The benefits of implementing strong security measures should be weighed against the likelihood that an organization or individual will be attacked and the damage such an attack could do. Generally, a targeted, manual attack requires effort, and the benefit of self-service and multi-factor password resets far outweighs the risk of having no other security measure in place.

However, by taking just a few simple measures you can all but eliminate this class of attack.

Cell Phone:

  1. Have a limited number of cell phone account managers. These are the people who can make changes to the account, such as transferring service from one carrier to another. In many cases the employee assigned a corporate phone number is able to make changes to the account (whether the company realizes it or not). These privileges should be removed immediately and granted only to members of the IT department.
  2. Changes to the account should require the account password as well as a call back to the company's primary phone number, so that they can be verbally confirmed or denied by someone with the appropriate authority.

These two steps will stop unauthorized transfers of corporate lines. Note that they only cover numbers on the company's account; a personal phone number used for corporate MFA is outside your control, and where the carrier offers it the user should place a port-out PIN or number lock on that line.

Two-Factor:

  1. Require users to use an authenticator app rather than SMS. This eliminates a huge amount of the risk, since even if the phone number is moved to a different carrier the hacker does not have the secret stored in the app on the original device.
  2. Install a mobile device management (MDM) tool for greater control of and insight into the end points. Thinking ahead to when a device is lost or compromised, the ability to remotely wipe all data from it is critical.

These steps strengthen your two-factor authentication and align with the original principle of granting access via something you know (the password) and something you have (the unique token).

Self-Service:

  1. Eliminate SMS password resets altogether.
  2. Do not use challenge questions whose answers are public, such as mother's maiden name, place of birth, or marriage date or location; all of this is easily obtained from www.ancestry.com or other public search services. Questions should reference things only the user would know, such as the name of their first pet or the place they went on their first date.
  3. Use technology to monitor geographic usage and connections. Microsoft offers a service (Enterprise Mobility + Security) that does just that, along with MDM and password resets. This lets your organization recognize when changes to an account are being made from across the globe, or even just the other side of the state.
  4. Monitor user names and passwords to ensure they have not turned up in a breach.

Simple yet effective.
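The geographic monitoring in item 3 comes down to one rule, usually called an impossible-travel check: if two sign-ins by the same user are farther apart than anyone could have travelled in the time between them, one of them is not the user. The Python below is an added example, not part of the original post or of any Microsoft product. The sign-in events are constructed, the coordinates are assumed (a real tool would geolocate the source IP), and the speed threshold is an assumption.

```python
"""Impossible-travel detection over sign-in events.
Added example, not the post's code; all events are constructed."""
import math
from datetime import datetime

# Constructed sign-in events: (user, UTC timestamp, source IP, lat, lon).
# In practice lat/lon would come from a GeoIP lookup of the source IP.
EVENTS = [
    ("ceo@example.com", "2017-05-10T13:02:00", "203.0.113.10", 42.36, -71.06),  # Boston
    ("ceo@example.com", "2017-05-10T13:40:00", "198.51.100.7", 51.51, -0.13),   # London
    ("ceo@example.com", "2017-05-10T17:15:00", "203.0.113.10", 42.36, -71.06),  # Boston
    ("cfo@example.com", "2017-05-10T09:00:00", "192.0.2.44", 40.71, -74.01),    # New York
    ("cfo@example.com", "2017-05-10T16:30:00", "192.0.2.45", 42.36, -71.06),    # Boston
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=1000.0, min_km=100.0):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.

    min_km suppresses noise from GeoIP jitter between nearby locations;
    max_kmh is an assumed ceiling just above airliner cruising speed."""
    findings = []
    ordered = sorted(events, key=lambda e: (e[0], e[1]))  # by user, then time
    for prev, cur in zip(ordered, ordered[1:]):
        if prev[0] != cur[0]:
            continue
        km = haversine_km(prev[3], prev[4], cur[3], cur[4])
        if km < min_km:
            continue
        delta = datetime.fromisoformat(cur[1]) - datetime.fromisoformat(prev[1])
        hours = delta.total_seconds() / 3600
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > max_kmh:
            findings.append({"user": cur[0], "from_ip": prev[2], "to_ip": cur[2],
                             "km": round(km), "hours": round(hours, 2),
                             "kmh": round(kmh)})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(EVENTS):
        print(f"{f['user']}: {f['from_ip']} -> {f['to_ip']} "
              f"{f['km']} km in {f['hours']} h ({f['kmh']} km/h)")
```

On the constructed data the CEO's Boston-to-London hop in 38 minutes is flagged, as is the return to Boston three and a half hours later; the CFO's New York-to-Boston movement over seven hours is not. In production the flagged pair should trigger a step-up authentication or a password reset, not just a log line.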

The User

  1. Users should keep personal and business accounts separate at all times. If they use their business email for their online banking and their corporate email is hacked, they are at even greater risk.
  2. Users should not use the same password for business accounts as they do for personal accounts.
  3. Have users routinely check whether public services they use have been breached by visiting https://haveibeenpwned.com/.
  4. Educate your users; it's the simplest and most effective way to avoid potential security breaches. Take the social approach to education: https://secureshell.info/2016/11/16/information-technology-should-embrace-marketing/

Millennials Changing the Face of Information Technology


As the workforce changes over the next five years, Millennials will represent 40% of the total working population. The methodologies and processes used to manage IT services today will not necessarily work tomorrow, and as managers and service providers we must evolve to accommodate the changing face of the workforce, as well as the IT delivery model.

One of the largest generational shifts the workforce is currently experiencing is that Millennials prefer not to be held to the traditional shift model and are drawn toward opportunities that promote a healthy work/life balance or integration and schedule flexibility, including the ability to work from home.

Intelligence group studies of Millennials found that:

  • 64% of Millennials say it’s a priority for them to make the world a better place.
  • 72% would like to be their own boss… But if they did work for a boss, 79% of them would want that boss to serve more as a coach or mentor.
  • 88% prefer a collaborative work-culture rather than a competitive one.
  • 74% want flexible work schedules.
  • 88% want “work-life integration,” because work and life now blend together inextricably.

The challenge is a catch-22 for most IT departments. End users in the Millennial age range tend to expect 24x7x365 availability of support services to accommodate flexible schedules and work-life integration. The workforce is shifting from schedule-based to task-based, meaning Millennials do not want to be held to the traditional 9-to-5 model but rather to a task-based model that holds them responsible for a deliverable, not for hours within a traditional schedule. Add in the desire to work anytime, anywhere, as well as the interconnectivity and globalization of today's business markets, and it's not uncommon for employees to work non-traditional and sometimes seemingly random hours throughout the day and night. Because of this, most IT departments are challenged, as their own workforce is also increasingly made up of Millennials expecting the same flexibility and work-life integration.

How does the modern IT department address these changes? There are a few approaches, but fundamentally you start with recruiting and finding the right people. Employees need to be willing to work as a team, take ownership of their individual projects, and contribute to the overall mission and goals of the department. IT departments tend to focus on skill sets rather than on traits such as team dynamics, character, and capacity. When all else is equal, however, the successful employee will be the one with strong social attributes.

Companies should also work to ensure that their employees are on a path to success. Putting people in the wrong position or not providing a growth path will lead to unhappy employees and high turnover. A perfect example would be regularly assigning desktop support tickets to a system administrator; eventually that individual may feel they aren't being challenged and may seek employment elsewhere. Mentoring and coaching are also critical to employee satisfaction and retention, and are time well spent. Millennials tend to respond well to leaders who facilitate rather than dictate, and who emphasize collaborative management over directive management. Again, Millennials want to feel that they are part of the process and that their input matters.

Once your organization has hired the right people, how do you integrate them into a rapidly changing delivery model? Start by looking at the model itself and transforming it. As more and more services move to the cloud, there is an opportunity to shift the delivery model to ITaaS (IT as a service). This model shifts the focus from on-site services to cloud-based services, which results in increased uptime, better overall performance, and less back-end support, allowing IT departments to focus on the end user rather than on infrastructure. ITaaS models also allow support staff to be flexible and remote, which is at the top of the list of what Millennials are looking for. By design this model reduces both the advanced skill level required to maintain back-end infrastructure and the size of the workforce itself (this also holds for SaaS; IaaS, however, requires the same level of support and expertise as on-premises infrastructure).

There will, of course, be organizations that cannot transform their delivery model to align with Millennial expectations. One option for them is outsourced IT through a Managed Service Provider (MSP). An MSP can replace or supplement an existing IT department with services including on-call and after-hours support, as well as the technical expertise needed for back-end support. As more companies move to hybrid cloud, a hybrid staffing solution that uses an MSP to supplement staff will allow complete coverage and give Millennials the opportunity to meet their expectations in both the staffing and the delivery model.

Key Takeaways:

  • Find the right person; fit is more important than skill set
  • Be flexible with working hours and days; change from hour-based to task-based when possible
  • Transform the delivery of service, moving to an ITaaS model whenever possible. This model fosters collaboration and turns an IT department into a provider of services
  • Empower staff to make decisions; Millennials want the opportunity to lead and not just follow
  • Mentor rather than manage your employees
  • Outsource to supplemental support services, whether for high-level skill sets or remote support

Shadow IT, Powered by the Cloud: The Good, the Bad and the Ugly


Although traditional threats, such as rogue access points, removable media, and unauthorized printing, still exist, one of the most prominent new IT threats is the cloud itself and the emergence of what is referred to as Shadow IT. Shadow IT refers to devices (such as USB drives and external hard drives), software, and services outside the control and ownership of an organization's IT department. It has been around as long as IT departments have been providing services, but as technology has transformed and evolved, so have the threats and risks that Shadow IT presents.

Shadow IT, unfortunately, presents a difficult challenge for most enterprise IT departments to manage and is almost impossible for the average SMB. With the explosion of smartphones, tablets, apps, and Internet-based services such as OneDrive and Gmail, the threat of Shadow IT is present and real. In the majority of cases these risks arise from a desire for convenience and efficiency, not from intentionally malicious behavior, although even the most innocent behavior can put company data and resources at risk.

As Millennials enter the workforce, they bring high expectations for their working environment, including work-life integration and the ability to work anytime and anywhere. The reality is that these employees will find a way to do their jobs on their terms regardless of whether the IT department deploys safe, proven solutions. They do this by copying files to a USB drive to work on at home, or by sending documents to a personal cloud-based email address so they can access them from another location. With every staff member, from HR to marketing, working independently of the IT department and using various applications to store, sync, and share content, the company incurs significant risk of data loss and possible legal implications.

Areas to consider when dealing with Shadow IT:

  • Storing protected information on a cloud service located outside your country of origin. This is a regulatory nightmare both in the US and in the EU/UK.
  • Protected information being stored on an untrusted service.
  • Unreported data breaches or losses (a lost USB device, a stolen laptop, or compromised data storage).
  • Loss of control of data and resources. This is a common problem: a department moves data to an outside service without notifying or discussing it with IT.
  • Employee separation: not fully understanding what access a departing employee has. Moving data to a personal cloud account lets the employee keep control of it even after leaving the company.

Some quick statistics from Cisco:

  • 80% of end users use software or services (cloud) not officially cleared by their IT
  • 83% of IT staff admit to using unsanctioned software or services
  • Only 8% of all enterprises know the scope of Shadow IT risks within their organization

These threats are real and increasing every day, but they are not impossible to mitigate. As with any risk assessment, you need to identify the threats and their associated risks. Below are simple steps that can be put in place even without a formal risk assessment, although one is always advised; a risk assessment need not be a long, drawn-out process, and for the average small business it can be done in a few days.

Reduce the Risk: The Human Factor

  • Start with a written security policy that addresses Shadow IT and the use and management of company data and resources. This is the first place to start; you cannot hold employees responsible if they are unaware of the risks and the associated policies.
  • Educate. If an employee is unaware of their responsibilities, you cannot expect them to know how to identify, manage, and avoid risks when dealing with company data.
  • Listen to employees and department managers. If employees are working outside the scope of the tools IT has provided, there is a reason for it. Understanding why helps identify a solution that meets everyone's needs.

Reduce the Risk: Technical Controls

  • Deploy a next-generation firewall that can block applications such as OneDrive, Gmail, Dropbox, etc. In a business environment there is no need for public email and storage services, and if employees cannot reach them they won't be tempted to use them. Block by application or hostname rather than by IP address, since these services share address ranges and CDNs with legitimate traffic.
  • Review firewall logs and evaluate what people are accessing. Insight into end-user habits is key to identifying and blocking unauthorized services.
  • Deploy advanced end-point controls to block removable media, restrict access to web sites and services, and block attachments to public mail services. These controls are found in most end-point protection suites, alongside the anti-virus and anti-malware engines.
  • Deploy device management software such as Microsoft Intune, which gives a business the ability to inventory devices (looking for unauthorized applications), patch, and push applications to ensure systems are up to date, as well as restrict data transfer and selectively wipe data as needed.
  • Block access to corporate data from unapproved devices. For example, if you are using Office 365, restrict access to email, OneDrive, SharePoint, etc. to enrolled, compliant devices.
  • Force multi-factor authentication to access resources. This ensures people cannot access data with a stolen password alone, and raises the bar against cyber-threats.
  • Take the position of deny by default: secure the data and grant access only as needed. Apply this philosophy to cloud computing, Internet access, and mobility.

The goal is not to prevent people from doing their jobs; it is to ensure the data is safe and maintained. Leveraging cloud services can help the average IT department provide a highly available, secure computing environment and should be embraced.
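Following on from the "review firewall logs" control above, here is an added example (not from the original post and not tied to any particular firewall product) of that review in Python: proxy log lines are parsed, each destination host is mapped to a known cloud service by domain suffix, and upload volume to services outside the sanctioned list is totalled per user. The log format, the domain-to-service table and the sanctioned set are assumptions, and the log lines are constructed.

```python
"""Unsanctioned cloud-service usage from proxy/firewall logs.
Added example, not the post's code. Log lines, format and tables are
constructed/assumed; adapt the parser to your own firewall's export."""
from collections import defaultdict

# Assumed log format: timestamp user src_ip dest_host bytes_out action
SAMPLE_LOG = """\
2017-05-10T08:01:12 jsmith 10.0.1.21 outlook.office365.com 1200 CONNECT
2017-05-10T08:04:55 jsmith 10.0.1.21 mail.google.com 18200 CONNECT
2017-05-10T08:05:03 jsmith 10.0.1.21 www.dropbox.com 48600000 CONNECT
2017-05-10T08:09:41 jsmith 10.0.1.21 dl-web.dropbox.com 2500 CONNECT
2017-05-10T09:12:07 akumar 10.0.1.33 drive.google.com 73000000 CONNECT
2017-05-10T09:15:59 akumar 10.0.1.33 onedrive.live.com 9100 CONNECT
2017-05-10T09:16:02 akumar 10.0.1.33 login.microsoftonline.com 3400 CONNECT
2017-05-10T10:30:00 bwong 10.0.2.14 intranet.example.com 500 CONNECT
"""

# Assumed mapping of domains to services. Specific names (drive.google.com)
# are listed on their own so they can be classified differently from siblings.
SERVICE_DOMAINS = {
    "office365.com": "Office 365",
    "sharepoint.com": "Office 365",
    "microsoftonline.com": "Office 365",
    "onedrive.live.com": "OneDrive (personal)",
    "mail.google.com": "Gmail",
    "drive.google.com": "Google Drive",
    "dropbox.com": "Dropbox",
    "box.com": "Box",
}
SANCTIONED = {"Office 365"}  # assumed: the only approved cloud suite


def parse_log(text):
    """Yield a dict per well-formed line; silently skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[4].isdigit():
            continue
        ts, user, src, host, out, action = parts
        yield {"ts": ts, "user": user, "src": src, "host": host.lower(),
               "bytes_out": int(out), "action": action}


def classify(host):
    """Map a hostname to a service by the longest matching domain suffix.

    The match requires a '.' boundary, so www.dropbox.com matches dropbox.com
    but does not match box.com."""
    best = None
    for domain, service in SERVICE_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, service)
    return best[1] if best else None


def unsanctioned_usage(records, sanctioned=SANCTIONED):
    """Total bytes uploaded per (user, service) for non-sanctioned services."""
    totals = defaultdict(int)
    for rec in records:
        service = classify(rec["host"])
        if service is None or service in sanctioned:
            continue
        totals[(rec["user"], service)] += rec["bytes_out"]
    return dict(totals)


def report(text):
    """(user, service, bytes_out) rows sorted by upload volume, largest first."""
    usage = unsanctioned_usage(parse_log(text))
    return sorted(((u, s, b) for (u, s), b in usage.items()),
                  key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for user, service, out in report(SAMPLE_LOG):
        print(f"{user:8} {service:20} {out / 1e6:8.1f} MB uploaded")
```

The upload byte count is the signal worth sorting on: a few kilobytes to Gmail is someone checking mail, whereas tens of megabytes to a personal Google Drive is data leaving the company. Hosts the table does not recognise are ignored rather than flagged, so the table needs to be kept current as new services appear in the logs.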

Why the NSA and Hackers Love Amazon Echo and Google Home

Video: Echo and the NSA (three minutes)

Voice Active IoT Collects Too Much Information, Including Your Voice Biometric

This year's hottest IoT devices are the personal assistants from Amazon and Google. They connect to your wireless network and within minutes are talking to Amazon or Google to provide an unprecedented level of service... which is exactly the problem.

As a rule, IoT devices lack security, and these are no different. Unlike other IoT devices, though, these personal assistants compromise your privacy in more ways than you may think. Most users don't read the Terms of Service (ToS) for IoT devices or the software being installed. Users have a basic understanding that Amazon and Google keep profile information, such as what music you listen to, when you turn off your lights, or even the coffee you order, in an effort to provide a better overall experience. Over time these devices learn your preferences; the more intuitive and responsive the device, the more we tend to use it.

What is more alarming is what you don't think about when using these voice-activated devices, including those from Apple and Microsoft. There has been a lot of discussion about the security and privacy of these devices over the past few months. One of the biggest concerns is whether the devices are always listening. Both Amazon and Google say the devices only listen for a wake word such as "OK Google" or "Alexa", but because the devices are controlled by, and interact with, Amazon and Google, the wake word or the device itself could be changed to an always-on listening mode by the vendor at any time, by way of a crafty term of service:

Amazon: In order to keep the Amazon Software up-to-date, we may offer automatic or manual updates at any time and without notice to you.

Google: When a Service requires or includes downloadable software, this software may update automatically on your device once a new version or feature is available…

In addition to the vendor maintaining access to the device, it isn't unfathomable that cyber-criminals could gain access as well. These are, after all, IoT devices and are just as vulnerable to being pwned (geek speak for owned or controlled) as any other IoT device. Both devices have indicators when they are in listening mode, but a hacker who has compromised the device could disable them, listen to your every word, and you would not be aware. This, however, is not the most alarming part of the story. These devices and their associated services keep track of your likes and dislikes, what you purchase, what you listen to, your location, and your voice patterns (biometrics). That's a lot of information to freely turn over to a private company.

Oddly, we protest government surveillance programs such as PRISM in the US and GCHQ's programs in the UK, programs that are designed to protect a nation and its citizens, but we freely give more identifiable information to private companies for the benefit of playing music, getting traffic reports, and ordering coffee.

Now that Amazon and Google have all your information, what do they do with it, or what can they do with it?

Amazon Terms of Service

Voice Services: You control Alexa with your voice. Alexa streams audio to the cloud when you interact with Alexa. Alexa processes and retains your voice input and other information, such as your music playlists and your Alexa to-do and shopping lists, in the cloud to respond to your requests and improve our services…

Business Transfers: As we continue to develop our business, we might sell or buy stores, subsidiaries, or business units. In such transactions, customer information generally is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy Notice (unless, of course, the customer consents otherwise)…

Google Terms of Service

When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content…

Based on the terms of service, these vendors can sell or otherwise use your personal information, including your voice biometrics, which is alarming; that information could also, in theory, be stolen or transferred to a government agency such as the NSA or GCHQ. The NSA's surveillance programs collect communication data globally; combine the data they already gather with voice biometrics from Amazon, Google, Apple, and Microsoft and they would be able to identify users and locations with much greater accuracy.

Unlike the majority of IoT devices, whose threats can be mitigated, voice-command devices such as the Echo or Google Home are designed to capture information, including voice biometrics, and that cannot be mitigated. You must rely on the vendor (Google or Amazon) to keep your data secure and hope it is not stolen or shared with a government agency, and unfortunately there is no guarantee of that.

If you use these devices you must accept the risks. These risks grow with every use of Siri, Cortana, Echo, and Google Home, and they are significant.

Update 12/28:

Arkansas police requested information from Amazon regarding Echo voice records. Amazon twice refused the requests from Bentonville law enforcement. Amazon said: "Amazon will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course." What this says is: get a proper subpoena and we will provide the information.

A few books that aren't far from the truth and put things in perspective are Digital Fortress by Dan Brown (a novel), The Shadow Factory by James Bamford, and Data and Goliath by Bruce Schneier. They were published in 1998, 2008 and 2015 respectively and are still relevant.