fbpx
Preloader
Ubiquitous Wi-Fi Protocol (WPA2) Broken

Ubiquitous Wi-Fi Protocol (WPA2) Broken

This is HUGE news. The popular Wi-Fi protocol WPA2 has been broken.

The KRACK (key Reinstallation Attack) attack affects pretty much everyone using Wi-Fi. We won’t get into all the nitty gritty details (you can find those here), but we will give you a summary of what is going on:

Summary

  • This attack affects pretty much all devices that have Wi-Fi.
  • Changing your wireless password won’t fix this problem.
  • The KRACK attack allows attackers to decrypt your internet traffic to see what you’re doing online.

What Can I Do?

  • Don’t switch to WEP (another wireless security protocol–it’s REALLY insecure)
  • Install all security updates for your devices (phones, computers, routers)
  • Use HTTPS wherever possible
  • Consider using your data plan instead of wireless
  • Consider using a reputable VPN service. This adds an additional layer of encryption and privacy

Can I see this attack in action?

Yes, see the video below:

Is this issue being tracked?

Yes – here are the CVEs:

  • CVE-2017-13077: Reinstallation of the pairwise encryption key (PTK-TK) in the 4-way handshake.
  • CVE-2017-13078: Reinstallation of the group key (GTK) in the 4-way handshake.
  • CVE-2017-13079: Reinstallation of the integrity group key (IGTK) in the 4-way handshake.
  • CVE-2017-13080: Reinstallation of the group key (GTK) in the group key handshake.
  • CVE-2017-13081: Reinstallation of the integrity group key (IGTK) in the group key handshake.
  • CVE-2017-13082: Accepting a retransmitted Fast BSS Transition (FT) Reassociation Request and reinstalling the pairwise encryption key (PTK-TK) while processing it.
  • CVE-2017-13084: Reinstallation of the STK key in the PeerKey handshake.
  • CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake.
  • CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
  • CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame.
Devastating Equifax Breach Affects Everyone (you too), what now?

Devastating Equifax Breach Affects Everyone (you too), what now?

Chances are good you’ve heard about the recent Equinox data breach. This data breach is not only one of the biggest data breaches ever, it is also likely to be one of the most damaging. For the sake of brevity we have condensed this article down to what you NEED TO KNOW:

  • 143 million people affected (mostly US, but also UK and Canada)
  • Social security numbers, birthdates, addresses, driver’s license numbers
  • Breach detected July 29, 2017 — was reported to public September 7, 2017
  • Unknown who is behind the breach

Most importantly, YOU ARE MOST LIKELY AFFECTED BY THIS BREACH!

What now?

First off, determine if your information was obtained in this attack by clicking here.

NOTE: there was some backlash against whether you could sue Equifax by signing up for their TrustedID identity monitoring service on September 7. This was updated on September 8, 2017:

In response to consumer inquiries, we have made it clear that the arbitration clause and class action waiver included in the Equifax and TrustedID Premier terms of use does not apply to this cybersecurity incident. (Equifax September 8, 2018)

NOTE 2: Krebsonsecurity reported that this site was not functional when it was launched. This has since been fixed.

My Personal Information Was NOT Impacted

Consider yourself lucky. Regardless of your data being breached, it is still a good idea to take steps to protect your identity. All of the data that was stolen constitutes highly sensitive information, especially social security numbers. Consider taking the following steps to ensure that your identity is protected (after all, wouldn’t you want to know if people are opening credit cards and mortgages in your name???):

Change your passwords
At the very least you should change your most sensitive passwords:

  • Email
  • Bank
  • Credit Cards
  • Retirement / Investment accounts
  • Healthcare

If possible, setup multifactor authentication. This makes it harder for people to break into your accounts, even if they know your password.

Contact your banks/credit card companies
Speak to a live person, tell them your account is at risk of fraud. Ask to be notified of any suspicious activity on account. You’re likely get issued new cards. YOU MUST NOTIFY BANKS ASAP OR YOU MAY BE LIABLE FOR CHARGES.

Contact credit report bureaus
Even if you aren’t affected, keep in mind that this is a massive data breach. Let the credit reporting bureaus to put a fraud alert in your name. You can also request a credit freeze, but keep in mind that this could cause unforeseen complications when you apply for new cards, mortgages, or other day to day expenses.

Contact information below:

Sign Up for Credit/Identity Monitoring
Equifax is offering TrustedID free for 1 year following this incident, whether your personal information was impacted or not. Not feeling trusting of Equifax, take a look at some alternatives here.

My Personal Information WAS Impacted

Take a breather and prepare to start making some calls. Identity theft can take multiple years to resolve and you must take the following actions to ensure that you have a legal basis for any disputes that may come up in the future.

Document EVERYTHING
Every email, phone call, letter, conversation you have should be logged somewhere. If any legal disputes come up you’ll want to be prepared with lots of documentation. When making notes, include the following at a minimum:

  • Data of event
  • Type of event (letter, conversation, phone call)
  • Notes of event (phone number called, conversation notes, any id/confirmation/report numbers, additional personal notes about the event)

Worried about losing this file? Consider creating a Google spreadsheet or similar.

File report with local police
This is VERY important. Filing a report establishes a legal basis for identity theft. Let the police know that your social security number was stolen.

File report with federal government
You can do this online by visiting: https://www.identitytheft.gov/Assistant.

File report with IRS
You can do this online: https://www.irs.gov/identity-theft-fraud-scams/identity-protection

Report theft of SSN to Internet Crime Complaint Center
You can do this online: https://www.ic3.gov/complaint/default.aspx/

Contact Credit Bureaus
Let credit bureaus know that your your social security number has been stolen. You also might want to consider a credit freeze.

Contact information below:

Keep track of fraudulent accounts
It is probably a good idea to sign up for identity/credit monitoring services ASAP. This will notify you when new accounts are opened under your name. If you notice a new account open, make sure to contact the company opening the account AND the credit bureaus–let them know that the account is fraudulent and that it needs to be closed.

Remember, Equifax is offering TrustedID free for 1 year following this incident, whether your personal information was impacted or not. Not feeling trusting of Equifax, take a look at some alternatives here.

Contact information below:

Massive Worldwide Cyberattack: What You Need to Know

Massive Worldwide Cyberattack: What You Need to Know

A new piece of ransomware is taking the world by storm. Here’s what you need to know:

Attack Details

This HUGE cyberattack is based on code that was once part of the NSA’s Surveillance Toolkit. That exploit (named “EternalBlue”) was leaked online on April 14th. The attack going on right now is called “WannaCry” and is based on the EternalBlue exploit.

More information about who is getting attacked / exploit specifics can be found at:

Who Is Affected?

74 countries and counting! Here’s a map showing which countries have been affected:


source

Is There A Fix?

YES. Microsoft patched this vulnerability on March 14 (see security bulletin). If you have not installed this patch, do so ASAP.

How Can I Protect Myself?

Start by practicing good cyber hygiene. Did you know that implementing the first 5 controls of the Critical Security Controls (CSC) protects you from 85% of known threats? The first 5 controls are:

  • Control 1: Inventory of Authorized & Unauthorized Devices
  • Control 2: Inventory of Authorized & Unauthorized Software
  • Control 3: Secure Configurations for Hardware & Software on Mobile Devices, Laptops, Workstations, & Servers
  • Control 4: Continuous Vulnerability Assessment & Remediation
  • Control 5: Controlled Use of Administrative Privileges

Installing security patches regularly…that’s number 4.

Need help coming up with something more comprehensive for your business? Check out our security services and then drop us a line.

Security Roundup: Issue 1

Security Roundup: Issue 1

Welcome to the security roundup, a collection of security news for the week in a curated (and hopefully easy-to-read) format:

In the News

Security Awareness

Tools of the Trade

Security Misconceptions that Will Drive You Out of Business

Security Misconceptions that Will Drive You Out of Business

On November 24, 2014, employees of Sony Pictures Entertainment arrived at work, put their lattes on their desks, and turned on their terminals. Instead of their normal home screens, they were greeted with this creepy screen.

gop-hacked

During this time, many computers were inoperable, several of Sony’s twitter accounts were taken over, and the hackers claimed to have stolen over 100 terabytes of data using a Server Message Block worm tool. The attackers leaked unreleased films and confidential data that included personal information of some Sony employees.

Threats were made against Sony and their film, The Interview, which was one of the factors that led the FBI to accuse North Korea for the attacks. Security expert Kurt Stammberger described the attack by saying that Sony was “essentially nuked from the inside.” The repercussions were so severe that in 2015, the company allotted $15 million to cover its associated costs.

Anyone can be attacked. Maybe you haven’t provoked North Korea. You probably don’t work with Seth Rogen. Still, that doesn’t mean that your business is safe. Whether you like it or not, there may be some misconceptions about security that you hold dear to your heart:

“Breaches Only Affect the Big Boys”

The big corporations may have the biggest targets on their backs–they have the most power, influence, and media attention–but that doesn’t mean that they are the only ones being targeted. The sheer scale of these businesses allow them to have seemingly airtight security, whereas small- and medium-sized companies simply don’t have the resources or personnel to protect themselves adequately.

If someone has a wall that’s 20 feet high while their neighbor has no wall at all, a burglar will likely opt for the easy option, even if the first house has nicer things. It’s the same with hackers targeting companies. Large corporations may have the most valuable treasure troves of data, but their security is often just as impressive. Many attackers will aim for businesses with a lower profile because they still have things to steal, often with far less effort and little chance of getting caught.

Look at the hacking group theDarkOverlord. They’ve been targeting medical service providers of all sizes. That’s right, not just the large targets, but the smaller ones too. According to Symantec, this is hardly an isolated incident, with 43% of all attacks now targeting small businesses.

“We have really secure systems”

This is just wishful thinking. You spent all of this money, so the least you can hope for some semblance of safety. Otherwise, it seems kind of pointless. Unfortunately, cyber threats are complex and constantly evolving. While a good security plan won’t make you bulletproof, it will definitely aid in protecting your business and reducing the severity of attacks against your systems.

Just like great policies, having the best physical infrastructure isn’t enough to keep you safe. Even if you’re using Secure Sockets Layer (SSL) and have the world’s best physical security in place, you are still susceptible to weak credentials and social engineering attacks. Your business needs to understand the boundaries of protection provided by its infrastructure and provide additional security controls to fill in the remaining soft spots.

“We have a security plan”

If good security plans were all we needed, we’d all be sipping piña coladas on the beach. Unfortunately, a security plan doesn’t do much good if you don’t adhere to it. This is where regular auditing and monitoring comes into play. The auditing process is useful for confirming what parts of your security plan are being followed and identifying where remediation is required. Similarly, monitoring (and responding when necessary) is critical to ensure that your organization is able to respond to the first sign of trouble. As technology advances, so do the threats we face. In turn, security plans need to adapt: think of them as living documents. Need help coming up with a security plan and ensuring that you are sticking to it? We can help.

“We use antivirus software”

Antivirus programs are important, but they can’t do everything to keep your business secure. You are still susceptible to zero-day attacks, certain forms of adware/trojans, and any intruder who knows your password. One of the best things to keep in mind with security is that it should be incorporated everywhere: this is known as defense in depth or the Castle Approach. Not only should there be layers of security before you ever login to your computer (hiring process, vpn, encryption, identity/access management, etc.), but once you are logged in, there’s even more layers of tooling designed to work in tandem with antivirus software to keep you and your business protected. This includes, but is not limited to: password management software, encryption software, and backup software.

“We use ‘secure’ passwords”

We all hate remembering passwords. Some will just need four digits. Others will want eight or more characters. Some need a mix of upper and lower case. Some need special characters. It wouldn’t be surprising if the passwords of the future require the meaning of life or the Ark of the Covenant.

We all deal with this system, because we think it keeps us more secure. What if you were to find out that the complexity often causes people to use less secure passwords? This is because they either recycle old ones or use personal information that is easy to guess. After forgetting so many passwords over the years, you may not be pleased to hear that these requirements are range from unnecessary to unsafe.

Example: let’s look at a 4-digit pin. If you were to brute force this password (try all possible combinations), how many tries would it take?

10^4 (or 10 * 10 * 10 * 10) = 10,000

That’s 10,000 combinations to try. For a computer this is trivial to break. By increasing the number of possibilities for each character you can drastically alter the number of combinations needed to guess a password. For example, if you include all lowercase/uppercase letters and numbers that’s 62 possibilities for each character (26 lowercase letters + 26 uppercase letters + 10 numeric digits). So the a password like ‘asD1’ would require 14776336 combinations to guess (62^4).

From a complexity point of view, “asd2313JDiJDk194jHy69S!3” and “moosechairsneakerlight1!” would both require the same maximum number of guesses to crack (it’s a lot of guesses—there’s even a fancy word for this called intractable). Anyway, the difference between these passwords isn’t the complexity of the password, just a greater chance that the former password would probably be taped under your keyboard.

For those of you unacquainted with Randall Munroe of XKCD, you should definitely check out his comic about this topic.

“We use encryption”

Uh, no. If encryption is used properly, it is great at keeping your data secret. But there are caveats:
– You data must be decrypted at some point. An attacker is much more likely to steal the data while it is unencrypted (perhaps via an unencrypted communication channel or an application vulnerability).
– Failure to secure your encryption keys could lead to their loss. That could allow an attacker to successfully intercept and decrypt your encrypted traffic, all while you think your data is perfectly safe.
– You may be using outdated algorithms. The once-safe DES block cipher is just too short these days and can be brute forced. Or you might still be susceptible to CVE-2014-0160 (aka “Heartbleed”).
– Social engineering attacks can still retrieve information that can be used to decrypt data.

Given these caveats (there’s a lot more out there), you can’t simply rest thinking you are safe because your data are encrypted.

So there you have it, some of the most common security misconceptions floating around our digitally connected world. Check out our security assessment tool to see if you are taking the right steps to protect your business.

Phishing: Just Because You Don’t Go Outside Doesn’t Mean You Can’t Get Caught

Phishing: Just Because You Don’t Go Outside Doesn’t Mean You Can’t Get Caught

An accounting executive gets a hurried email:

We have a problem.

The McGowan Deal is held up. Now we need to pay $600,000 in customs fees! Otherwise the whole thing is over and the last eight months will have been for nothing. I know this is the eleventh hour, but please push this through for me or this deal is dead. I will send the wire transfer details over shortly.

You’ve always gone the extra mile for me and I know you can save us now.

Regards,
James Snuggleworth
CEO, ACME Corporation

It’s from the big boss, an old college friend and long-time mentor. Time is of the essence, the executive is under tremendous stress, and he doesn’t know what to do. Releasing the funds straight away is against company policy, but this is a time-sensitive matter. The executive needs to step up…rules are meant to be bent sometimes, right? Twenty minutes later, the wire transfer details come in. The money is transferred and the executive takes a sigh of relief.

Just one problem: there was no customs fee. Shit.

What happened? Phishing.

No, your grandfather wasn’t involved and there wasn’t a rickety wooden boat. This was a phishing attack. This particular type of scam is known as a Business Email Compromise (BEC). Criminals will impersonate high-profile targets and send messages trying to trick their victims into wiring large sums of money to their account. These scams often rely on feigned authority, timeliness and sometimes even social pressure to trick victims into sending money overseas. By the time the victim realizes what happened, the money is already gone and the victim is scratching their head, wondering what happened.

The FBI estimates that more than $2.3 billion has been lost since October 2013 in BEC, but that’s just one piece of the phish pie. BEC scams come under the umbrella of phishing attacks, which use deceitful emails and other communications to extract sensitive information from people. All said and done, phishing attacks are estimated to cost the world $4.6 billion, according to an RSA report. Sadly this phish pie is part of an even greater pie (all these layers are starting to remind us of the movie Inception) called social engineering. Unlike rhubarb, social engineering uses psychological manipulation to get people to divulge personal details or restricted information.

Social Engineering – The 10,000 Foot View

When discussing social engineering, it’s best to use a common language when talking about the different types of social threats that we face.

Phishing

Phishing is any attempt to acquire sensitive information through electronic communication, such as credit card or login details. There are many different types, but the most devious ones are:

Spear Phishing

This is a more crafty type of phishing than those mass spammed emails that we are so used to. It involves the attacker obtaining private information, then sending tailored emails to a small group of people. Spearphishers use these personal details to convince the victim that they are legitimate. Although it takes much longer to craft these attacks, those impacted are much more likely to fall for the attack in comparison to a standard phishing scam. These messages are less likely to be caught by spam filters, because they aren’t mass emailed. The BEC scam mentioned above is an example of a spearphishing attack, but it is also referred to as whaling because their sights are set on high profile targets.

Deceptive Phishing

In this type of attack, you will receive a message pretending to be from your ISP or another service provider. It will ask you to log in through a different portal or send through some personal information. Often, they include an element that makes them time-sensitive, such as the recipient receiving benefits or incurring charges. Your actual providers will never ask you for information in this manner, so that’s the first red flag. Other easy giveaways are IP addresses in hyperlinks or really generic greetings.

Pharming

A cousin of phishing, pharming involves a hacker taking over a website domain name and directing users to a fake site. Upon arrival, potential victims are asked to hand over personal details or other sensitive information. Many internet security products will block these kinds of suspicious websites, but sometimes they slip through.

Pretexting

Pretexting is the act of tricking people into divulging personal information under false pretenses. One example of this might be someone calling you to complete a survey—one that acquires seemingly harmless information. Other versions of pretexting will assert that the scammer needs additional information to identify the victim. Whether you are divulging seemingly innocuous information or sensitive information, the information garnered from pretexting can be used to steal your bank accounts, credit card numbers, medical records, and much more.

Baiting

Everyone likes free stuff, and that’s where baiting catches us. A baiter will offer something like free downloads if victims enter their username and password. These attacks aren’t limited to the online world either, as giveaways are a tried-and-true way of getting people to willingly hand over information. Why do you think so many companies hold competitions as part of their marketing?

Tailgating

Do you have restricted areas? You might think that you are being helpful by letting the UPS guy in, but it could also be a conman who is trying to break inside your building. This is called tailgating and it’s a common method for tricksters to enter secure areas.

Quid Pro Quo

Be skeptical of someone offering you help that seems too good to be true. It could be a quid pro quo attack. These often come in the form of someone offering you a service, like a scammer offering to fix an IT problem. Instead of fixing it, they will use their access to install malware.

How Can Your Organization Guard Against Social Engineering Attacks?

Have A Solid Security Plan

This is where it all starts. There are so many different attacks that your organization is susceptible to, so you need a comprehensive plan to be able to manage your risks effectively. This involves analyzing your risk profile and the particular scenarios that are most likely to play out in your environment. For example:
– Do your employees have remote access to critical systems?
– Are employees allowed everywhere in your office, or just specific areas?
– What does your screening process look like?

Train and Educate Your Employees

People are the weakest link in your security plan. Contrary to popular belief, it’s not the systems that compromise your data, it’s the employees. This isn’t to say these people have malicious intent; often they are too kind or helpful and are thus more likely to be taken advantage of. Learn more about our training programs to help keep your employees diligent when it comes to managing risk. Knowing the difference between who you let into your building and which links you shouldn’t click on might make the difference between a rolling of the eyes and a newsworthy breach.

Use Proper Disposal Techniques for Sensitive Materials

Most people never consider how much information is in their trashcan. Think about all of the things we throw out that have our personal information scribbled all over them. Companies do the same thing. If you don’t want that information winding up in the wrong hands you’ll need an effective waste management system that includes shredding sensitive documents and locking your garbage.

Test and Monitor Your Security

You will often be shocked how easy it is to breach your security perimeter. One of the classic stories of network security involves Steve Stasiukonis, of Secure Network Technologies, and his team scattering a bunch of USB drives in the parking lot of a client. Curious employees picked them up and plugged them into the work computers. They weren’t aware that those USBs had keyloggers, which soon meant that Steve also had their login details.

Feeling concerned that you may be more susceptible to attack than you originally thought? We’re happy to work with you to find out if your sneaking suspicions are true.

The Underwhelming Security of the Internet of Things (IoT)

The Underwhelming Security of the Internet of Things (IoT)

On September 20, Krebsonsecurity.com, the blog of renowned cyber security journalist Brian Krebs was overwhelmed by a huge distributed denial-of-service (DDoS) attack. It was initially fought off by engineers from Akamai, the content delivery network managing his site. Unfortunately, this attack was the largest Akamai had ever seen and the resources required to fend it off continued to grow at an alarming rate. When the performance finally started to affect Akamai’s other customers, they had to uncouple Krebs’ site and withdraw their protection.

Krebs’ site was down for several days while he sought out a new relationship with Google and their Project Shield, which protects organizations from DDoS attacks. During the onslaught, his site underwent an estimated 620 Gigabits (~16.5 DVDs) per second of traffic. While this may not be the biggest attack ever, it is still massive. The curious thing about it is that a large portion of the traffic was formed to appear like Generic Routing Encapsulation (GRE) data packets. This is a protocol that allows two peers to share information directly, instead of over a public network.

Most of the largest DDoS attacks had previously used DNS reflection. These types of attacks work by sending spoofed packets to a victim computer. The packets have a spoofed return address set to a specific target computer, which results in lots of victim computers all responding to a target computer simultaneously. Given enough victims these types of attacks can bring down even the most well defended targets. Unlike these attacks however, GRE traffic can’t be spoofed. This means that the attack against Krebs’ site required a large amount of hacked systems. The culprit turned out to be a botnet of compromised Internet-connected devices. Why hack a computer that is more likely to be secure when you have an insecure connected device just begging to be broken into?

Several days later, Hack Forums revealed the source code for this IoT botnet. Named “Mirai,” the malware spreads through devices that are protected with hard-coded or default usernames and passwords. These devices are infected with malicious software and turned into “bots,” which can be commanded by a central server to launch DDoS attacks—which are much more difficult to defend against.

According to Verisign, DDoS attacks increased by 75% in the first half of 2016, and the largest single attack in 2016 was more than double the size of the previous year. The Mirai botnet has given us a glimpse at how destructive unsecured devices can be. With the number of connected devices on the rise (estimates range from 20.8 billion to 1 trillion by 2020…it’s going to be a lot), we realistically expect these attacks to only get worse from here.

There Are Many Insecure IoT Devices Out There

For many connected devices, security is often added as an afterthought, if it all. If you have a device connected to your network it is entirely possible that it could already be part of a botnet. One of the primary reasons for this is that many devices ship with the same default passwords…and they don’t require owners to ever change them. That’s like being able to open every door in your neighborhood with the same key!

It gets worse. Some of the poor hygiene highlights of these devices include:

  • Hard-coded passwords in the device firmware: think changing the password means you are secure? Nope, those hard-coded passwords still work too.
  • Painted-door login mechanisms: that login screen you see isn’t actually enforced. Nope, you can just go to any admin page you want and skip that annoying login page. The device won’t even both to confirm that you’re an authenticated user.
  • Unencrypted Communication: many devices pass along information in the clear. This makes it incredibly easy to tamper with or intercept data from the device. Scary.
  • Susceptible user interfaces: this includes weak credentials and cross-site scripting (XSS) attacks.

Some devices can’t even update their firmware because of storage constraints–even if a security flaw has been identified. Other devices lack the processing power to host security software. This is very concerning, considering that these devices typically collect at least one piece of personal information. Think about how many devices you have and how much personal data is floating all around you.

Flawed security implementations and authentication mechanisms are also common in IoT devices. Samsung’s RF28HMELBSR Smart Fridge has an insecure SSL implementation that doesn’t validate certificates. This allows for MitM (man-in-the-middle) attacks. Boom, there goes your social media credentials–is having the Internet on your fridge really worth a Facebook hack?

It isn’t just fridges being hacked. How about your car? Security researcher Troy Hunt discovered a weakness with the Leaf Smartphone app that didn’t authenticate users. This allowed hackers to control multiple parts of the car, including the cooling system. An attacker could use this vulnerability to drain the battery and strand the user, but because the Leaf has such short range, this attack is limited.

There is a worrying lack of security standards when it comes to IoT devices. If these devices are unable to communicate their errors with the rest of the network, why are the connected? The connected device scene is very similar to the problematic times of the 90’s–the days of cowboy code. Rather than improving upon common libraries, many manufacturers are reinventing the wheel. Standardization is still a long way away, but we need better security protocols now. Until that day comes, it’s important to be educated about the limitations of your devices and what you can do to protect yourself.

How can I protect my devices now?

The best way to keep yourself safe is to minimize the damage that can be done if one of your devices is compromised. Someone breaking into your smart TV is likely using it as a foothold to penetrate further into your network. Some advice to stay safe:

  • Change the password on your devices: like many exploits, the harder target you make yourself, the less likely you are to be broken into.
    Read the fine print of the devices: understand what information is being gathered by your devices. This is the information that is at stake if your device becomes compromised.
  • Determine if the device is necessary: every device you put onto your network opens another potential attack vector. Choose secure reputable IoT devices whenever possible.
  • Update your software: bug fixes and security patches are typically covered in software updates. Once a threat is known, it’s likely someone may use that attack against you. Staying up-to-date ensures that you are not prone to outdated hacks and script kiddies.
  • Network considerations: do your devices need to be connected to the public Internet? Should they be on the same network as the rest of your infrastructure? Do you have a firewall and IDS in place (or one of these)? By configuring your network properly, you are able to help offset many of the security considerations to specialized hardware and software that helps protect against threats before a connection to the device is ever established.
  • Deprovisioning: before you get rid of a device remove your personal and business data. If this is not done, there may be enough sensitive information left to exploit you in the future.

Which Devices Are Most Susceptible?

While a range of devices could potentially be used to form a botnet, these were the most common ones involved in the DDoS attack on Krebs’ website:

  • Routers
  • Printers
  • Digital video recorders
  • Security cameras

Some brands that popped up in Krebs’ analysis included:

  • Dahua
  • HiSilicon
  • Panasonic
  • Realtek
  • Samsung
  • Xerox

Is My Device Part of a Botnet?

Even if you don’t own anything listed above, you may still have a device that is part of a botnet. All it takes is one device to compromise you. Use the following steps to clean a device you suspect may be infected:

  • Reboot Your Device: this will typically wipe Mirai (and other malware that may be present). If possible, restore the device to factory settings.
  • Go to the Administration Panel of Your Device: you may need to consult vendor documentation for this.
  • Change the Password: use a strong password that would not be easy for someone to guess.
  • Install firmware updates: you may need to consult vendor documentation on how to do this.

The Future of Botnets and the IoT

Because their security is woefully inadequate, IoT devices are excellent targets from which to stage large-scale DDoS attacks. There has been little to no regulation of manufacturers, which means companies often produce insecure products simply because it is cheaper to do so. On the bright side, the industry is moving towards standardization and has recently proposed a security labeling system to better educate consumers.

Is Your Business Ready to Fight Off an IoT Botnet?

These attacks are relatively cheap to stage and incredibly expensive to defend. Even the 800-pound-gorilla Akamai had to drop Krebs’ blog to protect their bottom line. Now that this code is readily available to anyone with an Internet connection, these IoT attacks are set to become more common and evolve even further (see?).

As the threat landscape continues to change, it is important to keep up with developments and respond accordingly. If an attack like this can bring down an esteemed security journalist for a few days, imagine what it could do to an unprepared business. Are you prepared?

Mobile Devices: Managing the Threats to Your Business

Mobile Devices: Managing the Threats to Your Business

It’s 2016. Your parents and grandparents not only have smartphones, but they are incessantly texting you and liking all your posts on Facebook. It seems that just about everyone has a smartphone these days. If you go to the developing world, you will be surprised just how common they are, even with people who don’t have much else. A Statista report estimates that there will be 4.77 billion mobile phone users in 2017, with even more tablets. Mobile devices have truly swept across our world.

Why this explosive growth? Perhaps the simplest explanation is that they have immense practical value and are available at a cost that is accessible to many (even more so than computers). From basic math to history to cutting edge science and memes, we can learn anything we want, whenever we want. Our devices enable us to keep in constant contact in ways we never thought possible and ways we probably don’t need (Snapchat). But don’t think being able to use your phone to waste a Saturday night Facebook-stalking people from high school comes with no sacrifices. Despite the convenience and wealth of information that mobile devices bring us, they also come with considerable risks.

What Are the Vulnerabilities of Mobile Devices?

The Device Itself

Your phone records a lot. It has a camera (in some cases two), a microphone, and a GPS. Most of our lives go through them, whether through calls, messages, or other miscellaneous apps. You can even link up your credit card. In the wrong hands, this is a goldmine of information. The “Metaphor” exploit earlier this year reminded us that not all vulnerabilities can be addressed with software changes alone.

Dodgy Apps

There is an app for everything. Even one that replaces every word with Hodor. Some of them are extremely useful, others not so much. What many have in common is that each app brings increased amounts of risk. Some are poorly coded and can leak your data, while others are susceptible to malware.

Websites

The internet is rife with malware, whether you are on your desktop or mobile. Devices are just as vulnerable to drive-by downloads, browser exploits, and phishing. In some cases, an innocent-looking website link can turn your phone into a digital spy.

Insecure Connections

Every day we are inundated with a massive amount of wireless networks. The scariest of these are the untrusted networks that we know nothing about. How do you know that “FREEAIRPORTWIFI” is actually free airport wifi and not some honey-pot wifi node? By making the assumption that every connection is legitimate and safe, we put ourselves at risk of allowing our sensitive information to fall into the wrong hands. The information gathered can be as innocent as our browsing history, or as sensitive as our banking and medical records.

How Are Mobile Devices Affecting Businesses?

Gone are 9-5 desk jockey jobs. Many positions require people to be available near 24/7, regardless of where in the world they are at any given moment. While this can be great for boosting business productivity, it comes with problems and complications.

Bring Your Own Device (BYOD) Policies

A BYOD policy involves allowing employees to link their devices to the company network. For many businesses this is a necessity, not just something that’s nice to have. Every device in a BYOD business is a bundle of unknowns (existing malware, access to insecure networks, weak passwords, etc.). If an employee’s device is compromised, then problems can easily spread to other parts of the network. This can lead to data breaches, network issues, and ultimately, loss of productivity.

An effective BYOD environment requires significant management to ensure that the core if the business stays safe. Steps need to be taken to limit device privileges so that they only have access to the business functions they require. Giving more access than necessary just opens a network up to greater risk. Just because BYOD policies allow employees to work from their own devices, it does not preclude management from mandating the use of critical business software, such as VPN clients and antivirus software.

Mobile Devices Create More Data

A lot more data, in fact. Incorporating mobile devices into your organization will result in a huge jump in the amount of data being produced. Are you prepared to handle it all? Will your network be able to cope with the increased load and at the same time effectively monitor and control it? Do you have adequate storage systems? You must plan for this increase before moving toward a more inclusive mobile device policy; otherwise, you might end up with denial of service (DoS).

DNS Attacks

As we pepper ourselves with more and more devices, we are opening ourselves up to attacks that use our devices against us. DNS attacks target not only our devices, but they can use them to attack other devices on the network. Depending on how the rest of these devices are networked, this could also have a ripple effect and bring business to a halt. To prevent this and other similar types of attacks, it is important to ensure that your devices are configured correctly and that company infrastructure is kept up-to-date with the latest security patches.

What? It Wants Permission For Everything?

Have you ever gone to install an app, only to stop and look the permissions it requests? A photo app will want to use your location for some reason. A puzzle app wants all of your contacts. A co-working app wants your social security number. So many applications seem to want permission for everything, even if it is only tangentially related. The issue with this is that giving unnecessary permissions brings excessive amounts of risk into your organization. All of these permissions give hackers more opportunities to find vulnerabilities and leverage their way in.

Employees will often want to install other software on their work devices, or on their personal devices that they use for work. Many of these apps may not have the same security standards as the work software. To keep out unnecessary risks, your workplace needs to implement a solid review and management process for what can be installed on work related systems.

Get the Lawyers Ready

It’s always better to get the legal department involved before you do something, rather than after. You want to be asking, “Are there any legal concerns with this plan?” rather than, “Can you please get me out of hot water?” If you are gathering and storing data from employee’s devices, there could be laws that you need to consider. This is certainly true if you are a healthcare provider using a device for patient information.

Many employees don’t realize that their personal device and data can be embroiled in legal proceedings. To expedite any potential problems, it is important for your organization to have a clear bring your own device (BYOD) policy, specifying exactly how personal devices can be used and any potential repercussions. As stated by Ben Wright, these policies “must be firm and must try to avoid ambiguity. Otherwise, when controversy or investigation arises, the enterprise is exposed to delay and litigation with employees.”

Use your legal team to form an effective policy from the start, rather than pay them to clean up a messy court case. We all know which one is more expensive.

Making the Benefits Outweigh the Threats

Like many aspects of technology, mobile devices bring a tremendous set of advantages but also many drawbacks. A good BYOD policy can help with accessibility, productivity, and convenience, but there are many risks that need to be considered. Your organization needs a comprehensive plan on how mobile devices will be incorporated, with measures taken for the known (and unknown) threats lurking in the corner.

Want to learn more about your security readiness and risk factor? Try out our risk assessment tool to see if there are any gaps in your security plan. We’re here to help to establish or bolster your defenses so that your organization can own the day rather than being owned by your mobile devices.

Being Safe in the Cloud

Being Safe in the Cloud

It seems like everyone is migrating these days. Not only are more and more people leaving their countries to explore greener pastures, but many companies are moving their data and services to the cloud. This is where the future is heading. Cloud storage has been growing rapidly and a MarketsandMarkets report expects the total revenues of the cloud industry to be $9 billion by 2019. That’s a growth rate of almost 16% each year.

7 Reasons to Move to the Cloud

Whether you are looking to move your entire infrastructure or want to start using cloud services (aka SaaS), here are several reasons to consider the move:

Save Money

Operating your own systems and infrastructure is expensive. Not only do you need to own the hardware and maintain it, but you also need to pay staff to keep it running. You must have capital on hand for large equipment purchases at sporadic times, as well as staff on-call in case of downtime.

With cloud services, you can use what you need, as you need it. It makes expenses much more predictable and reduces the total cost of ownership (TCO). Your company won’t face any more huge bills that strain your cash flow when there is an equipment failure. An added bonus is that using cloud services is more efficient and environmentally friendly.

Enhance Security

Cloud providers such as AWS offer a “shared responsibility” model. This guarantees the underlying physical security of their platforms. It also provides tools that can be used to control access to cloud resources if they are implemented correctly. This arrangement shares the security responsibility between you and the cloud provider.

As users become more educated, vendors are expected to be compliant with established security standards (such as SOC2/SSAE16, PCI, and HITRUST). These standards give users greater confidence that data is being handled properly in the cloud.

Make Deployment Easier and Reduce Risks

Continued innovations in the cloud space are helping to ease the headaches of deployment and integration with platforms such as CodeDeploy, CircleCI, and SolanoLabs. Cloud services make it simpler to create development environments that more closely match production environments.

Give Greater Scalability and Flexibility

Because you’re not worrying about the hardware provisioning, you can get off the ground without any major technical difficulties. You also don’t have to plan your infrastructure to accommodate future growth, instead you can just scale up your services when the need arises. This gives you the freedom to expand without having to commit additional resources.

The freedom that comes with using a cloud provider allows you to experiment with new services. Because you don’t need additional hardware, it means that you can try out new things with ease. If they don’t work out, you aren’t stuck paying for a bunch of hardware that you don’t need.

Plan For Business Continuity and Help with Disaster Recovery

If your on-site hardware fails, your business will face downtime until it is fixed or replaced. Cloud services allow you to develop a backup strategy where you can quickly rollover your entire global infrastructure, or migrate to a different provider altogether. Downtime is very expensive. Your fixed costs stay the same and you’ll be paying many of your employees to be idle as they wait for your systems to recover. Minimizing downtime minimizes costs.

Save Time with Automatic Updates and Shift Accountability to Vendors

Products in the cloud are automatically updated. You are always on the latest version, so there is no confusion or waiting around. Vendors are more incentivized to provide excellent products that keep working, because the fees are paid over time instead of all upfront. With on-premise software, you are locked in, even if it performs poorly.

Improve Integration

Compatibility is important with the cloud. Because of its distributed nature, cloud solutions typically use industry standards for data interchange. Unlike on-premise solutions which try to solve many problems, cloud can solve much more specific problems. This allows you to pick and choose the solutions you need, rather than getting locked into a single monolithic platform. And if a better option comes along in the future, it is much more likely that you can switch services with minimal effort.

Mitigating Risks in the Cloud

While going to the cloud can be a great move for many companies, it also brings in some new risks. Having all of your data and processes in the cloud means that your once-siloed infrastructure is now spread across the globe and shared with more prying eyes than you ever thought possible. To top it off, your employees are more likely to interact with all this data on the go, all over the world, on a variety of different devices (many of which may be insecure). You can’t have the added convenience and accessibility without the possibility of vulnerabilities. Some tips to protect your business:

Protect Your Data with Encryption

Your sensitive data needs to be encrypted both in transit and at rest to be kept secure. A recent Ponemon Institute study revealed some shocking data, indicating that many companies have poor encryption practices:

  • Only 38% of organizations encrypt their data in transit.
  • Just 35% of organizations encrypt their data before putting it into the cloud.
  • 27% of organizations encrypt their data at rest in the cloud. Of these organizations, 73% have huge amounts of data that is susceptible in a breach.
  • Only 16% of organizations encrypt at the application level.
    11% of organizations use their cloud provider’s encryption service.

You Need to Manage Access to Cloud Services

Your company needs to enforce strict password policies. These should involve complex passwords that need to be changed regularly. Wherever possible, use multifactor authentication and give people only the access that they need.

Understand the Limitations of Your Vendors

Before you sign up to a new cloud service provider, there are several things that you need to find out about them:

  • Where are they located? Depending on the laws your country, some data may not be legally allowed to leave the country.
  • Who is involved? You need to know who will be handling your data and what the security vetting process looks like for hiring. Employees are still the weakest link; one disgruntled worker can potentially put your whole company at risk.
  • How does the vendor encrypt and handle the data?
  • Does the vendor outsource any of their work? Does this open up any further security risks?
  • Is the vendor certified compliant? You need to know which standards they comply to, when they were last assessed, and how often they are audited.

Have an Exit Strategy

Subscribing to a cloud service can be a great move for your business, but it also introduces some new factors that are beyond your control.

  • What happens if the service is discontinued? Businesses close down and cut back their offerings all of the time. Your company needs a plan on how it will proceed if this happens; otherwise, you could face a disruption.
  • It is critically important that you understand who owns your data when you leave a provider. If the data is disposed of, you should understand what process is used to dispose of that data.

Keep Up-to-Date on the Latest Data Breaches

The threat landscape is constantly changing, so it is important to stay current on the latest events. See our article on the best security blogs for excellent sources on how to stay up to date. Global security news is important, but you also need to keep up on the latest developments with your cloud provider. If they have any security incidents, you need to know about them so that you can make an educated decision on whether they are the right service provider for you.

Cloud Based Vendors: Have Good Security Hygiene

Software-as-a-service (SaaS) has revolutionized the way that business software is distributed and used. As a SaaS provider, you are expected to provide software the is always available, reliable, secure, and compatible on as many devices as possible. The following practices are considered good security hygiene:

Design For Failure

Cloud-based systems are inherently more complex than their traditional counterparts. Because of this, there are more opportunities for things to go wrong. That’s why it is important to plan for failure. It’s going to happen eventually, so it’s best to have systems in place that will alleviate any potential problems. Analyze the greatest threats that your systems face, as well as their individual risks, and have systems in place for when each of these come to fruition. This will minimize any damages or disruptions. If your service is designed to be resilient, it can prevent minor hiccups from becoming catastrophes.

Code Reviews

When security is so pertinent, it is important that your code is up to scratch. Leaving behind any mistakes or vulnerabilities could eventually lead to a data breach or other attacks. Is input being properly sanitized? Are you allowing arbitrary code to be executed (hello WordPress). Having additional sets of eyes can help to catch these types of vulnerabilities before your code goes out.

Subscribe to the Principle of Least Privilege

If you had a warehouse stacked with priceless jewels, you wouldn’t leave the roller doors open with people wandering free-range throughout, would you? Something could go missing and you would have no way of finding out how it happened. The same goes with your cloud-based system. Give your applications and servers only the access that they need. There are many tools at your disposal to accomplish this including security groups, NACLS, IAM Roles, bastion hosts/vpn servers, and so on. Every line of code you write introduces risk—not having a safety net around that code can worsen the damage of an exploit.

Manage Your Logs

If you want to keep your data secure and stay compliant with various regulations, it is important that you are monitoring your logs. This can be done internally or with a third-party service, but the security of your company depends on collecting logs from various sources such as firewalls, databases, endpoints, and network devices. This information can then be analyzed for potential threats. Good logging processes allow you to not only know that a problem has occurred, but also allows you to investigate the extent of the damage done.

Scan For Vulnerabilities and Perform Penetration Tests

To make sure that your systems, network, and data are secure, they need to be scanned regularly. There are a variety of services out there for automated vulnerability scanners such as Qualys and Amazon Inspector. These tools, when used properly, allow you to catch common security flaws that may have bypassed even your most rigorous of code reviews. And while we may love fully automated processes, there are still certain attacks that cannot be tested against with automated tools. In those cases, penetration testing is another tool in your arsenal for determining vulnerabilities.

Make Regular Backups and Have a Recovery Plan in Place

Despite your best efforts to make your apps resilient, there is always the possibility that a critical error can completely take down your infrastructure. Whether this is the result of an entire region going down or a hack that renders your servers and databases useless, it is important to have backups in place to recover from one of these incidents. Your infrastructure, code, databases, and configuration should all be backed up regularly and there should be a process in place to restore everything if need be. When disaster can’t be averted, it is important to have a solid recovery plan. This can help to reduce downtime and alleviate any negative effects on your business. Oh, and safeguard your backups so that they aren’t destroyed by a breach.

Are Cloud Services Right For My Business?

The move to the cloud seems inevitable for most businesses, and for good reason! If you need help ensuring your business is adequately protected now and into the future, please reach out.

Health Records: More Valuable Than You Think

Health Records: More Valuable Than You Think

What do blood diamonds, pangolins, and your medical records have in common? They are all worth a lot of money on the black market. Yes, that’s right, that old biopsy report and a few scribbles from your doctor about that embarrassing rash could be being sold off as you read this. It’s not just your medical history that’s valuable, but also how much personal information the records contain. They have your full name, phone number, address, date of birth, social security number, insurance details, and more. Can you imagine what could be done with all that information and a loose set of morals?

If it’s too early in the morning to be imaginative, here are a few of the many scams that can be perpetrated using your healthcare records. The information could be used to bill insurers for fake medical care, purchase drugs, open credit accounts, and—if you’re important enough—extortion.

Why Are My Medical Records So Valuable?

Because they have so much potential for fraud and other crimes, your medical records command an impressive price on the darknet. A recent Reuters article said that they can fetch around $10 each, compared to around $1 for credit card numbers. Why you ask?

  • Increased security measures on credit cards. Chips, pin codes, and additional identity verification measures has made it much more difficult for criminals to profit from credit data. If a customer has a nefarious charge, they can simply contact their bank and have the issue go ahead (i.e. new card reissued and insurance covers the theft). You can’t just cancel a medical record.
  • Difficulty to detect medical record theft. It is notoriously difficult to detect when medical records are stolen. This gives criminals more time to benefit from using the stolen data. In many cases, years, if at all.

How Can I Protect My Data?

  • Monitor Your Medical Documents. This means actually reading your explanation of benefits, insurance bills, and provider bills. If anything looks out of the ordinary inquire about it immediately.
  • Monitor Your Finances. Check that you don’t have any strange charges on your statements. You might also want to consider credit monitoring as it will help you stay on top of credit score fluctuations and new lines of credit.
  • Don’t Make Yourself A Target On Social Media. Social media is a treasure trove of information. The more information you have out there, the more that is available to criminals trying to use your data.

What Does Medical Record Theft Mean To Businesses?

Businesses should be just as concerned for medical record theft as patients. If compromised records are unencrypted, the organization must notify the patient by email or mail. If the quantity of records compromised exceeds 500, the organization must also notify relevant media outlets. Not only are these requirements expensive, they are also the type of PR that a do not want to have pointed at your business. Under the HITECH Act, a business can also be liable for up to $1.5 million in fines in addition to paying for damages. In a large-scale data breach, the totals costs could crush a business.

Last year, Anthem revealed that the information of almost 80 million people had been compromised. When accounting for the costs of notifying each individual, potential fines and damages, it is predicted that it will cost them more than $100 million. Considering that their insurance policy doesn’t cover any losses above that amount, the company could face real financial repercussions in addition to their already damaged reputation.

Big businesses aren’t the only ones susceptible to data breaches. In fact, many smaller companies are targeted because their lack of resources makes them easier to hack into. This year, a hacker group named TheDarkOverlord stole 655k medical records from smaller healthcare providers. The fallout from breaches like this can be devastating for businesses. Because of this, it is important that healthcare companies are managing their cyber risk appropriately.

Breaches affect your bottom line. Period. The core of our business is to ensure that your business stays healthy so that you can focus on keeping people healthy.