Much of what we write about, and often repeat, regarding security in this newsletter is based on actual experiences and real-world stories that SpireTech has been part of or has learned about from others in the security industry, stories that often never make the news. We never reveal the identity of those affected, but we do use these experiences to improve, and to advise our clients on what to do (or not do). We hope you take our advice to heart.
We’ve talked about how people working from home should be using company-secured computers, or at least subscribe to our add-on package for securing home computers. Many recent attack stories share the trends we’ve written about before: a lack of multi-factor authentication on email or web services, which can lead to compromise; aged hardware such as firewalls or network equipment with firmware vulnerabilities the vendor no longer supports or patches; and reliance on ‘ease of access’ features in software that may not be ‘safe’ to use.
Recently we learned of a case where an unsecured home computer and an out-of-date firewall were used by hackers to monitor activity, learn the patterns of the end user, gain access to the system during hours they typically did not use it, and use their pre-configured VPN connection to move laterally into a company server. As technical individuals we can easily point out the risk factors involved in this case, and what could have been avoided and why, but we want to pause and help educate our client base on the other business concerns that arise from a security incident, which are often afterthoughts or forgotten altogether.
During a security incident, a lot of concerns immediately pop up:
- Persistence – Hackers typically want to ensure they have as much access as they can, for as long as they can. During almost any security incident, they attempt to leave behind something that can later be re-executed to let them back in, either automatically or triggered by a human on the system itself, often unbeknownst to that person. You must ask:
  - How long were they in my network before mounting an attack?
  - Are the hackers still present in my network, or have they left behind something on one or more systems that will later re-enable their access?
  - Did they leave any backdoors in any network infrastructure (e.g. open ports, a VPN account they added for themselves, etc.)?
- Exfiltration – Stealing a copy of your data is a common tactic used to extort payment of a ransom even when you have good backups and don’t need to pay the criminals to get your data back. Exfiltration can trigger other compliance or notice requirements around HR, HIPAA, PCI, and so on.
  - Did they steal my passwords?
  - Did they steal copies of my data?
  - Are they going to sell it, or publish it? You must often assume that even if you were to negotiate for payment of a ransom, the data will still find its way to the dark web.
- Negotiations – if you must deal with extortionists, you need experts on your side to handle things, and you will need to hire specialists for this. US government rules prohibit payments to cyber-criminals connected with terrorist groups.
- Insurance and potential notifications
  - Most cyber liability policies have a notification requirement, even if you don’t plan to file a claim.
  - Insurance companies will want to be involved in any investigation and remediation and have their own processes you will need to follow, which can sometimes cause extended outages and delays in bringing operations back online. Forensics teams need access to the compromised system(s) to fully assess the damage and allow the insurance carrier to validate the claim. This can lead to expensive disaster recovery options, depending on how deep the attack went.
  - Some states require that you notify the state of any incident, and depending on your compliance obligations you may find yourself having to report to CISA, the FBI, or other government entities.
  - Depending on the nature of the incident, your organization may have to send notice to all of your affected clients if any of their information was stolen.
What are the takeaways and lessons learned related to computer hygiene?
- Unsecured home computers should not be used to connect to company assets, banking sites, or anything personally compromising.
- Do not allow any remote desktop connections to “remember” passwords.
  - While this might make it quicker to connect to your work desktop, you can’t assume that your computer will always be safe, especially an unsecured home computer.
- Use multi-factor authentication everywhere possible, especially on your VPN and email.
- Keep the firmware on your firewall and network infrastructure devices up to date.
- Do not open inbound ports in your home or business firewall, especially Remote Desktop Protocol. A VPN with MFA should be the means of secure remote access into a network; once connected, it lets you securely reach whatever ports or systems you need.
- Tell us if your data backup requirements change.
  - All backups need to have a minimum of two copies, one of them in a disconnected offsite location.
  - Think about everything. Did you move that QuickBooks file? Is it backed up offsite?
- Be open to investment in additional security products and services that further mitigate risk.
- If you’re ever wondering, or your gut says something is not right regarding security, immediately phone your technical support team.
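As an added illustration of the takeaways above (not code from the SpireTech newsletter), here is a read-only PowerShell audit of a single Windows PC for the items a support team would check first: remembered RDP passwords, inbound RDP exposure, update age, and the autorun entries and group memberships where persistence or an added account tends to show up. It assumes Windows 10/11 or Server 2012 R2 or newer and an elevated PowerShell session; the 60-day update threshold is our own choice.

```powershell
# Added example, not from the SpireTech newsletter: a read-only audit of one
# Windows PC against the takeaways above. It only reports and changes nothing.
# Assumptions: Windows 10/11 or Server 2012 R2+, run from an elevated PowerShell.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Remembered Remote Desktop passwords live in Credential Manager under targets
#    named TERMSRV/<host>; any hit means "remember my credentials" was used here.
$savedRdp = cmdkey /list | Select-String -Pattern 'TERMSRV/'
foreach ($line in $savedRdp) { $findings.Add("Saved RDP credential: $($line.Line.Trim())") }

# 2. Is RDP enabled on this host, and does the host firewall allow it inbound?
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) { $findings.Add('Remote Desktop is enabled on this host') }
$rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
foreach ($r in $rdpRules) {
    $findings.Add("Inbound firewall rule allows 3389: $($r.DisplayName) [profile: $($r.Profile)]")
}

# 3. Patch staleness: date of the most recent hotfix, flagged if older than 60 days
#    (60 days is an assumed threshold, not a figure from the newsletter).
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest -and $latest.InstalledOn -lt (Get-Date).AddDays(-60)) {
    $findings.Add("No Windows updates installed since $($latest.InstalledOn.ToShortDateString())")
}

# 4. Persistence and added-access review: autorun entries and who may log on
#    remotely or administer the machine. Compare each line with what you expect.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $findings.Add("Autorun ($hive): $($_.Name) = $($_.Value)") }
    }
}
foreach ($grp in 'Administrators', 'Remote Desktop Users') {
    Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Member of '$grp': $($_.Name)") }
}

# Print the report, one finding per line.
if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Anything unexpected in the output (a saved TERMSRV credential, an inbound 3389 rule on the Public profile, an unfamiliar autorun or group member) is exactly the kind of thing to raise with your support team rather than clear yourself.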
You hear us say often that the only constant in technology is change. In today’s security landscape it’s ever more important to stay vigilant and do all you can to protect yourself, your business, and your loved ones. Stay safe out there.