Category Archives: Best Practices

Are You Ready for the Next Supply Chain Attack?

On Friday, title industry software and consulting provider Cloudstar was hit by a ransomware attack. Cloudstar operates 6 data centers and supports over 40,000 customer users. Now those customers are wondering what they are going to do.

Cloudstar users who close real estate sales are dependent on Cloudstar’s systems being up.

Cloudstar has been down since Friday. Their CEO says he doesn’t know when the systems will be back operational.

Cloudstar’s customers are scrambling today to be able to close loans.

In the meantime Cloudstar has brought in third party experts to help them.

While it is possible that Cloudstar was specifically targeted, as suggested in a Housing Wire article, no one knows whether that is true or not. It is certainly possible that they were just another random victim after an employee clicked on a malicious link.

This particular software is core to the title business so it is not like a title company can do a Google search and replace it. Cloudstar’s competing service providers are circling like vultures, offering free setup and who knows what else, but the problem is that the companies that use Cloudstar’s services do not have access to the forms and client data that lives on Cloudstar’s platform, which is now encrypted. Credit: ALTA

Title companies who are affected by this attack likely must report this to their regulator as the assumption by the federal government is that ransomware equals data compromise. They also likely have to tell customers that their loan or other data may have been compromised.

Some of Cloudstar’s customers may go out of business, depending on how long Cloudstar is down. It could be anywhere from a few days to a month. Or more.

In helping our clients respond to Fannie Mae audits (MORA), we have seen that Fannie is much more interested in regulated entities’ ability to respond to a ransomware attack and continue to support their customers. This is yet another issue that companies need to be concerned about.

But take a step back from the specifics of this supply chain attack. You likely have vendors that are critical to your business and which are also a single point of failure that cannot be easily or quickly replaced. Given the number of ransomware and other cyber breach attacks against service providers, companies need to prepare themselves for the possibility that they will be in the same boat as the customers of Cloudstar are today. The alternative is that you lose access to your data, your business comes to a complete standstill, you have to report to regulators and customers that you lost control of your data and, potentially, you face significant expenses.

Are you ready?

Additional info credit: The Title Report

Is Your Company Ready for the Wave of Privacy Laws Here and to Come?

First it was California (version 1 and version 2); then it was Virginia. Now it is Colorado. IT IS NOT GOING TO STOP THERE.

California’s CCPA covered human resources data somewhat. CPRA covers it completely and will require HR departments to create programs to protect HR data.

This includes notices at the time data is collected, new data privacy practices, new rules for third parties that the company uses and procedures for when employees exercise their rights.

While Virginia and Colorado were the next two dominoes to fall, there are about two dozen bills in various state houses.

Some of these cover HR data; others do not.

The Colorado and Virginia laws are more likely to be the model going forward – with, of course, twists and turns. In part, this is because these laws are written more coherently. Of course that doesn’t mean that some states won’t model their laws after California’s.

Unlike California, the Colorado and Virginia laws do not allow for a private right of action – a key contention in getting an agreement for a national privacy law. The Colorado law does allow local district attorneys to go after violators.

All of these laws have three different sets of responsibilities –

  1. Data controllers – the company or person responsible for the data
  2. Data processors – an organization that acts as an agent for the controller and in some way processes the data
  3. The individuals – who have new data rights

Even if the law in a particular state does not affect employee data, HR is likely going to need to be involved anyway. New policies and programs will affect employees in many ways and HR will need to help companies navigate the new path.

And, of course, companies are going to need to figure out where their customers and visitors are located, because the laws’ effect is based on their location, not yours.

In addition, companies will need to engage legal talent, whether internal or external.

January 1, 2023 is really not that far away.

For more details, see this article at JD Supra

What is the U.S. Going to do About Putin?

The last presidential administration went hard after China – applying sanction after sanction, but with minimal success. They also seemed to give Russia a free pass.

Many of the very public recent hacks are being attributed to Russia, including SolarWinds and Kaseya.

When Biden met with Putin in Helsinki last month, the two agreed to form a committee to address the problem.

Since it is popular understanding that Putin is directing the attacks – or at least approving them (and probably taking a cut) – it is not clear that a committee will do much.

Still, that is the step that this administration is willing to take at this time.

However, there are some hints that this administration might be willing to do more.

When Biden was specifically asked if it made sense to attack back, he responded, somewhat cryptically, with a simple YES.

When Biden was asked what he expected Putin to do, he declined to say. He did say “we’ll see”.

We need to both defend and offend.

U.S. businesses need to harden their systems against attack and redesign them to mitigate the losses. While Russia is certainly a player in the attack business, it is not the only one, and even if a miracle happened and Putin shut down his revenue stream, that would only reduce the number of attacks. AND, I don’t anticipate a miracle.

At the same time the U.S. government needs to make hackers face consequences. Having the DoJ indict people that will never be arrested, like the last administration did, is not terribly effective. Every now and then we catch a stupid one who crosses into friendly territory, but all that does is teach the smart ones not to do that.

This is a hard problem, but continuing to do what we have done in the past is not going to work. Credit: The White House

How Fast Can You Detect a Supply-Chain Ransomware Attack?

In light of the recent series of supply chain attacks – SolarWinds, Microsoft Exchange, Kaseya and others, actually going back to 2011 at least – speed is crucial.

This weekend’s attack against MSP software provider Kaseya is a perfect example of why speed is so important.

Many small and medium sized companies are dependent on managed service providers (MSPs) to run their IT systems. In order for MSPs to do that, they need access to their clients’ systems. The software that Kaseya makes helps MSPs do just that.

Which means that MSPs are a great attack point. Finding out what software they use and compromising it gives the hackers a force multiplier. One MSP equals, say, 100 customers, equals, say, 2500 workstations. Or more!

It appears that Kaseya got their arms around this quickly.

How did they do that? We don’t know how, but here is my speculation.

Given the business that they are in, they likely have a well trained, well staffed and well armed (with software) 24 by 7 Security Operations Center or SOC. Even a small SOC can easily cost a company a quarter million dollars a year or more, when you consider payroll, benefits, training and software. This is NOT something that you should try with one person, no training and limited software.

There is an alternative, and that is a SOC as a service or SOCaaS. With a SOCaaS, you only pay for however much you use. The SOCaaS provider deals with the staffing, training and software, and does it at scale. Maybe you need three people for a 25 person company, but those same 3 people can probably handle a hundred people. At 5 people maybe you can handle 500 people. It scales well due to automation. They also have the benefit that once they have seen an attack on one customer, they know what to look for at all customers. Also, if they need to buy a database of attack indicators, the cost of the database is likely licensed based on the number of SOC personnel they have, not the number of users they are monitoring. Again, scale is your friend.

What is clear is that time is your enemy, and a SOC or SOCaaS reduces the time to detect a breach, so it is your friend.

While SOCs are very expensive, SOCaaS may be more cost effective than you might think. Nothing is free, but neither is getting attacked.

If you would like to investigate a SOCaaS, please contact us – we have a great solution.

Security News for the Week Ending July 2, 2021

WD NAS Devices Are Being Wiped Worldwide

The downside of using computers beyond their end of support is that you can get hacked and all of your data can get wiped. This is what has happened to many WD My Book owners. Western Digital stopped patching them in 2015 and hackers have figured out how to remotely execute a factory reset, wiping all the data. The second mistake is not having offline backups, which, apparently, a lot of these Western Digital owners also did not have. The result is many sad Western Digital owners. It does not appear that Western Digital’s own servers were hacked. Users, at this point, are just outta luck if they did not make backups. Credit: Bleeping Computer

As if this wasn’t bad enough, there is now a second zero-day way to wipe the devices. Credit: Metacurity

Pentagon Official Accused of Disclosing Classified Information

Katie Arrington, a political appointee in the DoD’s office of acquisition and sustainment and who acted as A&S’s CISO was suspended and her security clearance deactivated after being accused of unauthorized disclosure of classified information. Rumors had been that she was walked out of the Pentagon several months ago, but no announcement was made until this week. If true, she could wind up in jail. Credit: Newsweek

Politics ‘R’ Us – CISA Don’t Need No Stinkin’ Director

CISA, the Cybersecurity and Infrastructure Security Agency, part of DHS, has been without a director since ex-president Trump fired Chris Krebs last year for saying that there was no massive election fraud. President Biden nominated Jen Easterly, a graduate of West Point and Oxford, an Army Lt. Colonel and long time intelligence and NSA official, however the Senate has not voted on her confirmation. The arcane Senate rules allow any Senator to put a hold on anything for any reason. In this case, Senator Rick Scott decided that since Kamala Harris had not visited the southern border, something he thinks is important, that the Senate should not vote on the nomination of Easterly to head DHS. This has nothing to do with Easterly or security, just some Senator on a power trip. It appears that maybe next week, after DHS has not had a director for more than 6 months, during which time a major oil pipeline was shut down due to a ransomware attack, the Russians compromised a number of federal agencies twice – once via SolarWinds and again using Microsoft Exchange, and numerous other attacks, Scott may decide to stop being a dictator and allow the Senate to vote on Easterly’s appointment. The political process is very messy. Credit: ZDNet

Microsoft Testifies it Gets 10 Info Demands a Day from the Feds

Microsoft testified this week that it gets 7-10 secrecy orders every single day from the feds, demanding that they turn over customer information and not notify the customer that their information has been targeted. Since these orders are secret and often stay that way forever, cloud service customers have no way of knowing if their personal and/or sensitive information is in the hands of the government, for some unknown purpose, under likely poor security (the FBI just told Congress that it needs millions more dollars in order to protect its systems, so it is reasonable to assume that at least some FBI systems have been compromised and data stolen; we know, for example, that the Department of Justice was a victim of the SolarWinds attack). This may mean that companies that use the cloud (which is almost everyone) may need to take more security measures than they are taking – at least for sensitive data. Credit: The Register

Is Russia More Tech-Savvy Than the US?

Russia’s main military intelligence unit, called, among other names, APT28, Fancy Bear and Iron Twilight, is using cloud containers (Kubernetes) to massively scale brute force attacks against American and European businesses targeting government, military, defense contractors, energy companies, education, logistics, law firms, media, politics and think tanks. Does that leave anyone out? After they use these brute force attacks to get login information, they use those credentials to move around inside the company and steal information, often undetected. The feds (NSA, CISA, FBI and the UK’s NCSC) publicly warned businesses this week. That means that businesses need to up their security game if they want to protect their systems and information. Credit: The Hacker News

Most Third Party Libraries Never Updated After Included in a Codebase

Okay, you are probably tired of hearing me rant about the software supply chain, but it is a huge source of hacks. Big hacks like SolarWinds and Microsoft Exchange, but mostly small hacks whose source we never figure out.

Researchers looked at what developers actually do.

They analyzed 13 million scans of 86,000 code repositories containing more than 300,000 unique libraries and also asked a couple of thousand developers what they did.

If developers have accurate vulnerability information, they fix 17% of flaws within an hour and 25% within a week.

92 percent of open source flaws can be fixed with an update and 60 percent of those updates are minor.

Most of the time the updates are minor and unlikely to break things.

Only half of the developers said that they had a formal process for selecting third party libraries and more than a quarter had no idea if they did or not.

The security of libraries ranks third in selection – after functionality and cost. That is probably okay if third doesn’t mean “whatever”.

As the executive order on cybersecurity gets fleshed out, expect more attention from companies on the subject – because if they don’t then they will not be able to sell their software to the government or even use particular open source software at all.

For some companies it will become best practice, and if you don’t have the ability to track and maintain libraries, they will find a vendor who does. This is independent of whether they sell to the government or not.

Credit: Help Net Security