This is the eighth in a series about the concept of Zero Trust, which means in the IT sense that you trust nothing and always verify everything surrounding and connected to your network. Today’s discussion will be on Application Whitelisting.
Application Whitelisting
Application Whitelisting is a process of determining which software programs the company absolutely needs to do business, marking them as safe, and blocking any other program that tries to run on company computers. This methodology has the distinct advantage of blocking almost all forms of malware on computers. Pairing this with a good next-gen antivirus creates an impenetrable wall against malware threats. It also prevents users from accidentally or intentionally running something that should not be on company computers. Here are some questions to ask:
Do you know all software on your computers?
Do your users spend time on company computers listening to music?
Have any of your users ever downloaded software without asking?
Do you have a computer use policy? How is that enforced?
If your company is wanting to lock down what is running on company computers, then contact us for assistance.
Security researchers performed penetration testing on the networks of 45 mid-sized companies and found that, in real-life scenarios, 93% of those networks could be compromised to the point of business disruption. Here are the details:
The Target
The 45 companies were polled to determine what would be an unacceptable business interruption. They decided that the following met those criteria:
Disruption of production processes
Disruption of service delivery processes
Compromise of the digital identity of top management
Theft of funds
Theft of sensitive information
Fraud against users
These became the target for the penetration testers.
The Process
To achieve their targets, the penetration testers followed this process:
Breach the network perimeter – This was done by the use of compromised passwords found on the Dark Web and known vulnerabilities on devices that were directly connected to the internet
Obtain maximum privileges – In 100% of the networks, once an attacker was inside the network
Gain access to key systems – With maximum privileges, the testers were able to gain access to other areas of the network, including databases, executives’ computers, and production servers
Develop attacks on target systems – Once key systems were compromised, the testers figured out how to create the unacceptable business interruption. Although they could have created these interruptions, they only gathered proof that they could, in order to present the data to the companies.
How to Defend
There are a couple of main ways to defend against these kinds of attacks:
Security Controls / Segmentation – Creating least-privilege access to key systems and segmenting the network will keep hackers from traversing the network once inside
Enhanced Network Monitoring – Modern cyber security tools watch activity and traffic on the network to find indicators of compromise. They pool this information into an attack history that can be used to remediate and further protect.
Your company is not as safe as you think, so contact us for a free initial cybersecurity evaluation and risk report.
There has been a recent trend for companies to “negotiate” with the criminal terrorists behind the wave of ransomware attacks across the world by paying the ransom. In a recent study some alarming statistics have been released:
Current Ransomware Stats
If Ransom is Paid: The global findings also show that only 8% of organizations manage to get back all of their data after paying a ransom, with 29% getting back no more than half of their data.
Cost of Ransom: The average ransom paid was $170,404. While $3.2 million was the highest payment out of those surveyed, the most common payment was $10,000. Ten organizations paid ransoms of $1 million or more.
Who is Paying the Ransom: The number of organizations that paid the ransom increased from 26% in 2020 to 32% in 2021.
The Brighter Side: The number of organizations that experienced a ransomware attack fell from 51% of respondents surveyed in 2020 to 37% in 2021, and fewer organizations suffered data encryption as the result of a significant attack (54% in 2021 compared to 73% in 2020).
What is Being Done
There are now organizations trying to create a common framework to address this threat. The Institute for Security and Technology has created a Ransomware Task Force. This task force has been working to develop this framework and has published some guidance. Even though this is just the foundation work, it is good to see that efforts are being made.
If your company is worried about the threat of ransomware, then contact us for assistance setting up a multiple layer approach to security.
Read a recent study on the origins of malicious software aka malware. Here are the highlights:
Current Malware Statistics
29% – Malware is previously unknown to security vendors due to the continued efforts of malware creators to hide the software or make it undetectable.
88% – Malware is delivered to people’s inboxes, and some of it bypasses normal SPAM filters.
8.8 Days – Time before regular antivirus vendors have discovered the malware and added it to their lists for detection.
$50 – The cost of a pre-fabricated malware kit that can be bought currently on the dark web.
“The most common type of malicious attachments were: documents (Word – 31%), archive files (ZIP & RAR – 28%), spreadsheets (Excel – 19%) and executable files (EXE – 17%).”
What can be done?
A multi-tiered approach to security remains the best solution:
Moving from traditional antivirus to Enhanced Detection & Response (EDR) software to go beyond lists of known infections to behavior tracking of software
Moving from traditional SPAM filters to Email Advanced Threat Protection, which scans each email and opens each attachment to see if there is any malicious activity caused by them
Moving from a traditional router to a business class firewall with Intrusion Prevention System to monitor traffic for suspicious activity
Employee training is also key to keep your staff aware of emerging trends and threats
If your company is looking to enhance your network security posture, then contact us for assistance.
A company named Arctic Wolf, a leader in enterprise security operation centers, published a report that states that the number of corporate credentials with plaintext passwords on the dark web has increased by 429% since March.
There are also startling statistics on the increase in email phishing attempts and the use of unsecure public wireless connections. These numbers are likely due to Work From Home employees using their own insecure computers and cyber criminals trying to take advantage of the trend. It appears that security measures that are used in the office need to be extended to the Work From Home network as well.
If your company is currently or is going to have Work From Home users, then contact us for assistance.
A security research firm called Eclypsium has released information about a vulnerability dubbed BootHole in Unified Extensible Firmware Interface (UEFI) Secure Boot that would allow an attacker to completely take over a workstation, laptop, or server and be nearly undetectable. All hardware vendors will have to send out updates in the near future to patch the UEFI code to secure it against this “BootHole” vulnerability. Due to the difficulty in designing and testing these types of updates, it will be some time before they are released. We will keep you posted as to the release of these updates as they become available.
If your company is concerned about security, then contact us for assistance.
“Office workers across the UK are wasting 14 days per person each year — or 1.8 billion hours a year in total — because the technology they’re given isn’t good enough.” – BetaNews
Outdated Tech = Wasted Time
Slowness: When a computer is slow, so is the worker operating it. As a computer ages, like anything else, the parts inside wear down. Regular maintenance and replacement are the solution to increasing employee productivity.
Crashing: When computer crashes happen, data is damaged or lost. This means work has to be re-done. Crashing can be a sign of software issues or hardware issues that require proper diagnosis. Once fixed, employees can get back to business without interruptions.
Incompatibility: Out-dated software or hardware can cause what used to work perfectly to stop altogether. Regular updates of all software and replacement of aging hardware is always the best policy. Helping employees stay on track with standard operating procedures makes workflow possible.
Security: Hackers are constantly working to find new ways of breaching security measures. Without current security solutions (firewall / DNS filtering / antivirus / SPAM filtering / password management) and up-to-date systems, your network is a sitting duck. Network downtime due to a breach can be a business killer.
If your company is using out-of-date technology, then contact us for assistance.
“In a new stunning example of the scale and sophistication of online cybercrime, just before the holidays, DOJ charged two hackers with stealing hundreds of gigabytes of data—including sensitive intellectual property, confidential business data, and personal information from companies and government agencies around the world—as part of a multi-year cyber-espionage campaign that targeted managed service providers (MSPs) directly, bypassing the protections of client systems. This indictment is the latest example of the U.S. government’s use of the criminal justice system to crack down on state-sponsored economic espionage.
As alleged in the indictment, the hackers belong to what is believed to be an elite, Chinese government-sponsored group known within the cyber-security community as Advanced Persistent Threat 10 (APT10). The targets of the hacking campaign included companies in the aerospace, health care, biotechnology, finance, manufacturing, and oil and gas industries, as well as U.S. government agencies, such as NASA and the U.S. Department of Energy.”
The indictment alleges that APT10’s MSP Theft Campaign began in 2014 and involved three stages.
The hackers gained unauthorized access into the MSPs’ computers and installed malware allowing APT10 to remotely monitor the computers and steal login credentials.
The group then used these stolen credentials to move laterally into each MSP’s network and the networks of their clients, further spreading the malware infection.
APT10 identified data of interest on these compromised computers and created packages for exfiltration using encrypted archives, allowing the hackers to move the data from one system to another before ultimately transferring it to APT10’s computers.
This sort of breach calls into question the operating procedures of MSPs everywhere, their security practices, and moral compass. If IT support staff are not trained in best practice and cannot keep from being infected via websites or emails, then what business do they have managing larger network systems with sensitive data?
If you are unsure of your MSP’s practices and would prefer a company with transparency, then contact us for assistance.
Here are a couple of recent SPAM emails that were received by clients and myself. They are explicit in nature but they are a good lesson about the scare tactics of SPAMMERS. The first message seems to be the better SPAM message as it has better English and even tries to be humorous, while the second is more direct and extortionary. Time to dissect these messages.
SPAM Message #1
Password – This message starts by stating that it knows your password. How can this be? There have been several information breaches from the government, retailers, healthcare, etc. over the past couple of years. The majority of these breaches are eventually posted online with emails and passwords – hence the reason Farmhouse Networking has started offering Dark Web scanning and advises passwords be changed often.
Remote Access – The SPAMMER then goes on to provide a detailed explanation of how they got into the computer. It sounds convincing, but deeper analysis by someone who is in the IT Security industry would reveal that their explanation is flawed. To do what they proposed would take several different exploits of various portions of the computer and would likely take longer than the video would be playing.
Contacts – For their “computer software” to get contacts from all these various sources would require that the password mentioned earlier in the email be the same for all these services. It is recommended by Farmhouse Networking that different passwords be used for each service so that if one is compromised then the rest are not in jeopardy. It might be asked how to keep track, and the answer is password-keeping software like LastPass.
SPAM Message #2
Threats – The message starts immediately with the intimidating remarks and threats. It may be true that alerting the authorities will not bring any immediate assistance, but if we are all upstanding citizens then there is nothing to worry about their threats. It is always good to submit these messages to the authorities (FBI) for analysis so they can take these guys down over time. I do find it sad that this SPAMMER did not take the time to explain how they gained access to my computer.
Webcam – It is very possible that if your computer is infected properly that the hacker could gain access to your webcam, but again if we are upstanding citizens and don’t do anything inappropriate in front of our computers then there is nothing to worry about here.
Bitcoin – The demands continue with a sense of expediency in the matter, giving only 28 hours before the big reveal. This particular SPAMMER either knows the value of the first SPAMMER’s creativity in producing a video or is selling themselves short at the $400 ransom in Bitcoin. Finally, they even try to give a bit of legitimacy to their claim by stating that they can send the video to a partial list of contacts.
If your company is interested in Dark Web Scanning for on-going breach protection or worried about SPAM, then contact us for assistance.
Thought that I would share a recently received new phishing email variant that could easily be overlooked and possibly cause damage to your network. The email appears to have come from Dropbox as a user sharing a folder with me, but a closer look shows many obvious signs that the email is a fake.
Starting from the Top
Look closely at the From portion of the email:
The lettering is actually another language where the font makes it look like English lettering. There is also the fact that the email is from someone that I don’t do business with. Always fight the urge to look at things that are not yours.
Stick to the Subject
Now to take a look at the Subject line of the email:
This has different lettering but it is again a different language used to look like English lettering.
And now the rest…
The final thing that caught my eye was the “button” in the middle of the email:
It actually looked fuzzy. It turns out the entire body of the email is a single image that is a link to their malicious site. Clicking anywhere in the body of the email would send you on your way to infection or account compromise. Hope this little tutorial helps you detect other phishing attempts in the future.
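The two tells described above (look-alike lettering in the From and Subject lines, and a body that is nothing but one clickable image) can be checked automatically. The following Python is an added example, not part of the original post; it assumes a mailbox that normally receives Latin-script mail, and the sample message, addresses and function names are constructed for illustration.

```python
import unicodedata
from email.message import EmailMessage
from html.parser import HTMLParser

def lookalike_words(text):
    """Words containing letters from a non-Latin script (e.g. Cyrillic 'о' for 'o')."""
    hits = []
    for word in text.split():
        scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in word if c.isalpha()}
        if scripts - {"LATIN"}:
            hits.append((word, sorted(scripts)))
    return hits

class BodyShape(HTMLParser):
    """Counts visible text characters and images wrapped in a link."""
    def __init__(self):
        super().__init__()
        self.in_link, self.linked_images, self.text_chars = False, 0, 0
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.in_link = True
        elif tag == "img" and self.in_link:
            self.linked_images += 1
    def handle_endtag(self, tag):
        if tag == "a":
            self.in_link = False
    def handle_data(self, data):
        self.text_chars += len(data.strip())

def analyze(msg):
    """Return findings for the two traits: look-alike headers, image-only body."""
    findings = []
    for header in ("From", "Subject"):
        for word, scripts in lookalike_words(str(msg[header] or "")):
            findings.append(f"{header}: {word!r} uses {'+'.join(scripts)}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        shape = BodyShape()
        shape.feed(body.get_content())
        if shape.linked_images and not shape.text_chars:
            findings.append("Body: one clickable image, no text")
    return findings

# Constructed sample (not the message from the post): Cyrillic letters stand in for Latin ones.
SAMPLE = EmailMessage()
SAMPLE["From"] = "Dr\u043e\u0440b\u043e\u0445 <share@example.test>"
SAMPLE["Subject"] = "Sh\u0430red f\u043elder"
SAMPLE.set_content('<a href="http://phish.example.test/"><img src="cid:body"></a>', subtype="html")

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE)))
```

Mail written entirely in another language will also be reported by the header check, so treat a finding as a reason to look closer rather than as a verdict.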
If your company is having trouble with SPAM or phishing, then contact us for assistance.