The Cloud Adds New Security Risks

Yesterday’s double trouble outage should remind businesses that planning for outages and continuing to operate is not optional.

The first outage was at Microsoft, where its Active Directory services had some problems. Active Directory is used to “authenticate” users and services, so if it doesn’t work, not much else does.

The good news is that it happened towards the end of the work day (around 5:30 PM Eastern time, for about 3 hours or so), so some of the pain was deflected. This particular type of outage is hard to build redundancy for because it affected the behind-the-scenes infrastructure.

The second trouble was when 911 services in many communities in 14 states went down around 4:30 PM Mountain time. There was some question about whether these two were related, but based on what we are hearing, that is not the case. Losing 911 services is slightly more important than, say, losing access to Twitter, even though the current occupant of the White House might disagree with that.

Like many companies, Public Safety Access Points or PSAPs, which is the technical name for 911 call centers, have outsourced some or all of their tech. Both companies involved with yesterday’s 911 outage have recently changed their name – likely to shed the reputations they had before. The company that the PSAPs contract with is Intrado, formerly known as West Safety Communications. Intrado says their outage was the fault of one of their vendors, Lumen. Many of you know Lumen as the company formerly known as Centurylink (actually, it is a piece of Centurylink).

The bottom line here is that whether you are a business selling or servicing widgets or a 911 operator, you are dependent on tech and more and more, you are dependent on the cloud. You are also dependent on third parties.

You need to decide how long you are willing to be down and how often. In general, cloud services are reliable. Some more than others. But you have lost some insight into tradeoffs being made by virtue of moving to the cloud and using third party vendors. These vendors are trying to save money. While you might agree with their decisions, you are never consulted and likely never informed.

You may be okay with this, but it should be a conscious decision, not something that happens accidentally.

Do you have a disaster recovery plan? Or a business continuity plan? When was it last tested? Are you happy with the results?

These outages were relatively short-lived. For most people the Microsoft outage affected them for around 3-4 hours. For the 911 outage, it lasted for around 1-2 hours. But many of these outages have lasted much longer than that.

Have you asked your vendors (cloud or otherwise) about their plans? Do you believe them? Are there meaningful penalties in the contract to cover your losses and your customers’ losses? Are you okay with the inevitable outages?

Consider this outage an opportunity. Credit: Brian Krebs

The FBI is TRYING to Stem Cyber Badguyness

There is no easy answer, but I can tell you for sure that the FBI has been applying more and more resources to cybercrime every year.

Just this month they unsealed seven indictments charging 16 people from China, Russia, Iran and Malaysia with hacking crimes.

Treasury sanctioned 45 people associated with Iran and two people from Russia.

At the same time, DHS and the FBI have been flooding us techies with threat advisories.

While this is very unlikely to stop crime, it does increase the risk for bad guys. I am always amazed when these folks travel to countries friendly to us and get arrested and extradited.

FBI Director Wray said last week at a CISA summit that the FBI’s plan is to increase risk for the bad guys.

They have also been working with companies like Microsoft to take down web servers hosted by the hackers.

But it turns out that none of these recent indictments went after government sponsored hackers. That may be a coincidence or it may be intentional.

In fairness to the FBI, these crimes are hard to solve. It is not like China is going to cooperate with us.

Still, we have to acknowledge that the more pressure the FBI and other law enforcement put on hackers, the better. And, we should not forget, there are a lot of hackers right here in the U.S. Those should be easier to apprehend.

I will say that I would not want their job. It is next to impossible to win. Most hackers think, correctly or not, that the odds of getting caught are very low.

The risk is low – if they remember one thing – one thing that hackers seem to forget regularly. Pigs get fat, hogs get slaughtered. If you are too greedy, you will paint a target on your back. And you will increase the odds of getting caught.

Credit: The Record

Security News for the Week Ending September 25, 2020

GAO Tells Treasury: Track Cyber Risk in Financial Sector

The GAO told Treasury to work with Homeland Security to better track cyber risk in the financial sector.

The GAO says that Treasury does not track efforts or prioritize them. The “sector specific” security plan was last updated in 2016 and, of course, most of the tens of trillions of dollars of assets belong to private companies.

Not only that but Treasury has not implemented the recommendations from the last audit. Credit: Meritalk

Trump Campaign Spent $4 Million to Buy Your Location Data

The Trump campaign spent $4 million buying data on voters, including location, from a data broker named Phunware. The company makes a software development kit that developers can use to collect your data, including location, and sell it to data brokers. Nothing illegal, but lucrative for the app developers and useful for political campaigns and others. Credit: Vice

Google and Amazon – Both Can Be Un-Secure

We always talk about Amazon S3 storage buckets being configured in an insecure manner, leaking data. Researchers say that 6 percent of a sample of Google storage buckets are also configured so that the wrong people can read from or write to them. Documents they were able to read include passports and birth certificates. Just like with Amazon, Google will disavow any responsibility if you mis-configure your storage. Bottom line – test your security regularly and do not assume that anything is secure. Credit: Threatpost
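One way to do that regular test for Google storage, as an added example that is not from the article or the researchers it cites: walk each bucket’s IAM policy (the JSON that `gsutil iam get` prints) and flag any binding that grants a Cloud Storage role to `allUsers` or `allAuthenticatedUsers`. The bucket names and policies below are constructed samples, not real buckets.

```python
import json

# Principals that expose a GCS bucket to the whole internet (allUsers)
# or to anyone with any Google account (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Predefined Cloud Storage roles, grouped by what a public grant of them leaks.
WRITE_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin",
               "roles/storage.objectCreator", "roles/storage.legacyBucketOwner",
               "roles/storage.legacyBucketWriter", "roles/storage.legacyObjectOwner"}
READ_ROLES = {"roles/storage.objectViewer", "roles/storage.legacyBucketReader",
              "roles/storage.legacyObjectReader"}

def audit_bucket_policy(policy):
    """Return (severity, role, principal) findings for one bucket's IAM policy,
    a dict shaped like the JSON printed by `gsutil iam get gs://<bucket>`."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for principal in sorted(PUBLIC_PRINCIPALS & set(binding.get("members", []))):
            if role in WRITE_ROLES:
                severity = "CRITICAL"  # anyone can upload, overwrite or delete objects
            elif role in READ_ROLES:
                severity = "HIGH"      # anyone can list and download objects
            else:
                severity = "MEDIUM"    # public grant of an unlisted role: review by hand
            findings.append((severity, role, principal))
    return findings

def audit_all(policies):
    """Audit a {bucket_name: policy} mapping; keep only buckets with findings."""
    return {b: f for b, p in policies.items() if (f := audit_bucket_policy(p))}

# Constructed sample policies for three imaginary buckets; the last is locked down.
SAMPLE_POLICIES = json.loads("""{
  "patient-scans": {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]}]},
  "intake-uploads": {"bindings": [
    {"role": "roles/storage.objectCreator", "members": ["allAuthenticatedUsers"]}]},
  "hr-records": {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["group:hr@example.com"]}]}
}""")

if __name__ == "__main__":
    for bucket, findings in audit_all(SAMPLE_POLICIES).items():
        for severity, role, principal in findings:
            print(f"{severity:8} gs://{bucket}: {role} granted to {principal}")
```

Feed it the real policies from your project (one `gsutil iam get` per bucket) on a schedule, and treat any CRITICAL or HIGH line as an incident, not a to-do.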

Russia and China, Oh, My! (Hacking)

While the current occupant of 1600 Pennsylvania Avenue continues to put pressure on China, he is not putting pressure on Russia and they are definitely going after us.

The Russian government hacking group known as APT28 or Fancy Bear is sending out fake NATO training materials laced with hard-to-detect Zebrocy Delphi malware. The email attachment has a .zipx file extension. At the time researchers got a copy of the malware, only 3 antivirus products detected it. It seems like with this campaign the Ruskies are going after government computers, but there is always collateral damage. Credit: Bleeping Computer

At the same time, the FBI says that the Chinese are still actively going after Covid-19 research, including vaccines. After all, it is easier to steal a vaccine than to develop and test one. The Chinese read the newspapers, see who is claiming interesting stuff, and then try to hack them and steal their information. They are not alone. Russia and Iran are also trying to steal research and vaccine info. Credit: MSN

Controlling Insider Threats

There are two flavors of insider threats.

#1 is Edward Snowden. Skilled. Motivated. On a mission. Understands that there will be collateral damage. Knows that he or she is breaking the rules. Sometimes it is national security. Other times it is industrial espionage. Still other times it is pure curiosity. Often, but not always (such as sneaking a peek at a celeb’s medical records out of nosiness), money changes hands.

#2 is your average employee. Trying hard to do his or her job. Is a human being. Human beings make mistakes. No money. No evil intent. Just being human.

I don’t have any stats, but I bet for every #1, there are a couple hundred #2s – or more.

Let’s assume that there are a lot more cases of benign insider threat than malicious insider threat, but no matter the intent, the threat is real.

So what can you do?

Here are 5 tips.

#1 – Require cybersecurity awareness training, AKA anti-phishing training, for everyone, from the lowest paid employee to the CEO. All it takes is one of them to click on the wrong thing and you are in a full-blown ransomware incident.

#2 – Avoid public WiFi. I know it is convenient and it is just to do this one thing, but it is far from secure. If you have to use public WiFi then at least use a SECURE VPN.

#3 – Enhance endpoint protection. Endpoints, AKA your users’ phones, tablets, laptops, desktop computers and home whatever, are THE weak link in the chain. Enhance that and you will reduce overall risk. And it isn’t just company laptops. It is all endpoints.

#4 – Really stay on top of patches. The golden rule is 24/72. This means patch within 24 hours any zero day exploit that is under attack and within 72 hours for everything else. Just this month we saw a Microsoft patch that was released late last week (netlogon) that the feds ordered all executive branch agencies to patch within 24 hours (by Monday night), and yesterday Microsoft said the bug is being exploited in the wild. This means patching your operating system and all applications. Even the ones that you don’t use. They are still an attack vector. And this includes employee owned phones — and deal with the ones that are no longer being patched by the vendor/carrier.

#5 – Proactively manage remote desktop/remote control tools. We are seeing multiple nation-state attacks that are going after remote access solutions. RDP. VPN. Remote control. They are an easy attack vector and we know for a fact that they are being actively exploited by hackers.

While these seem simple, doing them right is hard. If you need help, contact us. Credit: SC Magazine

Ransomware. Healthcare. 1 Old, 5 New.

The Hacking Group Dark Overlord hacked Athens Orthopedic 4 years ago and they are still dealing with the fallout, including paying a 1.5 million dollar fine to the feds.

The feds say that Athens management was not being good. In fact it was being naughty. HHS audited the doctors after the attack and found systematic non-compliance with HIPAA.

The hackers stole over 600,000 patient records. A journalist found some of their patient records on the dark web. Within a few days, the hackers contacted Athens demanding a ransom.

So this points out that ransomware 2.0 – the kind where hackers steal data, encrypt your systems and then hold both your systems and your data hostage – has been around for years. It is just becoming more popular now.

In addition to losing four years of their life and $1.5 million, the doctors now have to implement a corrective action plan (CAP). A CAP is HHS’s term for getting your security act together.

Oh, yes, the source of entry for the hackers? Credentials stolen from a third party. I guess the doctors will now implement a vendor cyber risk management program. A bit late, but better late than… Credit: Health IT Security

HHS also fined 4 other healthcare providers this year, fining them as much as a million dollars.

Fast forward to today.

This month hackers have posted the data of 5 different medical practices on the dark web in an effort to extort money. UCSF paid hackers over a million dollars just a couple of months ago.

So what are we seeing now?

Assured Imaging, University Hospital New Jersey, National Western Life, The College of Nurses of Ontario and Nonim Medical are all dealing with their data being hacked and posted on the dark web.

Assured Imaging is notifying 244,000 patients that their data may have been compromised. The hacker only had access to the data from May 15 to 17.

So what does all this tell us?

  • The hackers are using any available option, including third parties.
  • They do not need to have access for a long time to do a lot of damage.
  • Some health care providers are not following the HIPAA rules including getting annual third party risk assessments.
  • The companies that get hacked will be cleaning up the mess for years.
  • And will likely pay HHS a lot of money as well as getting to execute a CAP.
  • Finally, there will be lawsuits. There always are.

So I am going to leave you with just one thought and it doesn’t only apply to healthcare. Credit: Health IT Security

Do you feel lucky, punk?

I am sure that these organizations didn’t think they were going to get attacked. At least some of them were not taking security seriously enough.

Are you taking your company’s security seriously enough?

Election Security Status

With elections less than two months away and lots of stories about election hacking, what is the real story?

Unfortunately, the real story is classified so even if I did know, which I don’t, I couldn’t tell you. The government won’t admit that straight out, but they know a whole lot more than they are telling us.

But at this year’s Billington Cybersecurity Summit, experts talked about their opinion about what is so. Here is some of what they said.

Chris Krebs, head of DHS’s CISA and the government’s point person on election security says that we have turned the corner in a really meaningful way. Chris is a good guy, a smart guy and no one’s fool, so I think he honestly believes that.

What has CISA done? Well, one big change from 2016 is that at least this time the vast majority of election officials (there are around 10,000 election entities in the U.S.) are no longer asleep at the switch. That is a big improvement but it doesn’t fix the problem. At least they know that there is a problem.

Since the last election, CISA has been working with a lot of election officials in every state. Not every official by a long shot. CISA says that they are working on supporting 8,800 election officials, whatever that means.

Remember that there is a lot of tech. There are voter registration systems, election night reporting systems, vote processing systems, public web sites and, of course, voting machines. This is far from a complete list. You also have voting tech vendors. Some of them, like one of the biggest, ES&S, are completely scared. They are so scared that they are arguing before the Supreme Court that researchers who try to find bugs in their software should be thrown in jail. Is that really the smartest response? Better we should leave those bugs there for the Chinese and North Koreans to abuse. But their ego and reputation are much more important than the safety of your vote. Maybe they should spend more money on security instead of lawsuits.

One thing that is absolutely true is that way more votes will have an audit trail. In part this is due to the fact that many more people will be voting by mail. Nearly 75% of voters will be allowed to vote by mail. We don’t know yet how many will. Each of those votes will be auditable. In addition, more and more voting machines will create a HUMAN READABLE audit trail for votemasters to use to verify your vote. It used to be that many voting machines had no audit trail at all, so there was nothing to recount. Then there were voting machines that created a 3D barcode, but since you couldn’t read that, there was no way to know if your vote was recorded correctly. Or at all. Now most voting machines create an audit trail that says that I voted for, say, Sue for Secretary of State. You can look at that piece of paper before you deposit it in the ballot box and see if that is really who you voted for.

The states asked for a lot more money than Congress gave them to bolster election security. They got less than a half billion when the amount needed was 1-2 billion or maybe more. There are a lot of small election districts that have a zero dollar security budget and zero security expertise.

This time disinformation campaigns are much more of an issue than hacking voting machines. It is a lot more cost effective. We already saw that the Russians stood up an entire fake media organization to create and publish fake information in an attempt to shift the conversation. If they can do that, it is way more cost effective.

At the same time, social media is getting a little bit better about kicking the disinformers off their platforms. Since chaos builds traffic and traffic is money, they really don’t want to do that at all, but they know that if they don’t at least make a half-hearted attempt at it, Congress will legislate what they do and they sure don’t want that.

All in all, we are better than 2016. Significantly better. The biggest issue is still human beings because they believe what they want to believe and don’t fact check what they are reading.

There is still a lot of room for improvement, but at least we are fighting the battle. Credit: CSO Online