Before an organization can get value from more sophisticated cyber security tools, it needs a working grasp of cyber security best practices. Over the years, businesses both large and small have fallen victim to cyber-attacks that could have been prevented if basic cyber security principles had been followed. Those basics include patching devices, inventory control, managing backups and data recovery, securing VPNs for remote work environments, and managing default passwords.
Remote work environments have become common, and with them comes an increase in cyber threats. According to the 2021 Public Sector Cybersecurity Survey Report published by SolarWinds, the public sector faces a growing risk of external cyberattacks because security measures have not kept pace with a fast-moving threat environment. Respondents named the hacking community (56%) as the largest source of security threats to the public sector, followed by careless and untrained insiders (52%) and foreign governments (47%).
The survey also found that the public sector is particularly concerned about increases in the types of breaches it has experienced: malware (65%), ransomware (66%), and phishing (63%). This is the first time in five years that insider carelessness or lack of employee training was not rated the biggest threat to the public sector. In other words, external threats have grown, but the ability to detect and remediate them has not, leaving public-sector organizations exposed.
Developing good security hygiene could mean all the difference if your organization is attacked by a threat actor. Small security lapses lead to attacks and attacks lead to turmoil within your organization’s routine business practices. Let’s take a look at how following basic cyber security principles could help keep your organization from becoming the next big headline.
When cyber security professionals talk about patching devices, they are simply saying that you need to apply updates to your software as those updates become available. Common areas that will need patches include operating systems, applications, and embedded systems (like network equipment). When a bug is found after the release of a piece of software, a patch can be used to remediate it. Patching helps ensure that assets in your environment are not vulnerable to attackers.
A good example of how patching can save your organization a lot of heartache is the 2017 Equifax data breach. This breach affected over 145 million people and was one of the largest breaches of its kind in history. It was caused by an unpatched Apache Struts vulnerability (CVE-2017-5638); the patch had been available for two months before the company was breached. Another example is the 2012 data breach of Nationwide Mutual Insurance. The insurer was breached through a web application vulnerability that had been left unpatched for three years. The breach exposed the data of 1.27 million people, and the company paid $5.5 million in a settlement.
Recently, CISA (the Cybersecurity and Infrastructure Security Agency) added 15 known exploited vulnerabilities to its catalog. Most of the vulnerabilities on this list are two to three years old; if they are still being exploited, organizations are not being diligent about patching. Patching out-of-date and vulnerable software is crucial and should be done as soon as an update is available, starting with anything that appears in the known exploited vulnerabilities catalog.
Image 1: 15 Vulnerabilities Added to CISA's Catalog
Source: CISA
Unfortunately, many organizations fall into the habit of not prioritizing patching. Why? Simply because patching can be quite inconvenient and time consuming. However, there is nothing more inconvenient than having your systems and networks compromised by a threat actor who took advantage of your negligence.
Actively managing your organization’s inventory (end-user devices, network devices, non-computing/IoT devices, and servers) is crucial to keeping your environment safe. Assessing inventory regularly should be the foundation of every organization’s cyber security program. Because devices are constantly added and retired, and employees/users frequently come and go, it’s important to know what you have and how it’s being used.
If an organization doesn’t have an accurate and up-to-date asset inventory, trying to manage compliance and cyber-risk will be extremely difficult. If you aren’t sure if your organization is guilty of letting inventory fall to the wayside, ask yourself these questions:
If you couldn’t answer these questions fluidly, then you have a problem. Assets are like moving targets and managing them needs to be developed into a seamless process. Full visibility and control over all assets shouldn’t be optional.
Going through the initial process of accounting for every authorized and unauthorized device, application, software license, IoT and ICS asset, etc. can be tedious, but it is worth it. There are cyber security vendors whose tools make the process easier and help you build a platform that discovers your users, applications, and devices continuously and automatically, as well as the relationships between them. If your tools and processes work together to discover and inventory the full range of your authorized IT assets automatically, you will be able to understand and secure your asset inventory in real time.
A strong and robust security model begins with asset inventory management. Once you take this proactive approach, it becomes easy to track and analyze your assets across attack vectors and identify those most likely to be compromised. Having all of your assets in the inventory means they are readily available via real-time dashboards and easy to search. Inventory tooling can also include automatic, continuous compliance checks that uncover rogue assets and unauthorized use.
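The patching and inventory sections above come together in one practical check: you cannot patch what you do not know you have, and the CISA catalog tells you which gaps to close first. The script below is an added example (not Avertium's or CISA's code) that cross-references an asset inventory with KEV-style entries and ranks what to patch first. The inventory rows and their "last seen" dates are constructed; the two catalog entries use the real CVE IDs discussed on this page with the dates CISA lists for them, but their affected version ranges are hand-encoded from the vendor advisories, because the real KEV feed does not carry version data (a production tool needs a scanner or vendor feed for that step). It runs offline.

```python
"""Cross-reference an asset inventory with a CISA KEV-style catalog.

Added example, not code from the page or from CISA. INVENTORY is constructed;
the KEV entries carry real CVE IDs and CISA dates, but the version ranges are
hand-encoded from vendor advisories (the real KEV feed has no version data).
"""
from dataclasses import dataclass
from datetime import date


def parse_version(text: str) -> tuple:
    """'6.0.4' -> (6, 0, 4); tuples compare component-wise, which is what we want."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    product: str
    date_added: date
    due_date: date
    affected: tuple  # inclusive (low, high) version ranges, hand-encoded

    def affects(self, version: tuple) -> bool:
        return any(low <= version <= high for low, high in self.affected)


KEV = (
    KevEntry("CVE-2018-13379", "fortios", date(2021, 11, 3), date(2022, 5, 3),
             (((5, 4, 6), (5, 4, 12)), ((5, 6, 3), (5, 6, 7)), ((6, 0, 0), (6, 0, 4)))),
    KevEntry("CVE-2017-5638", "apache-struts", date(2021, 11, 3), date(2022, 5, 3),
             (((2, 3, 5), (2, 3, 31)), ((2, 5, 0), (2, 5, 10)))),
)

# Constructed inventory rows, the kind a discovery tool would export.
INVENTORY = (
    {"asset": "vpn-gw-01", "product": "fortios", "version": "6.0.4", "last_seen": date(2022, 1, 20)},
    {"asset": "vpn-gw-02", "product": "fortios", "version": "6.0.5", "last_seen": date(2022, 1, 20)},
    {"asset": "web-app-03", "product": "apache-struts", "version": "2.3.20", "last_seen": date(2021, 9, 1)},
    {"asset": "web-app-04", "product": "apache-struts", "version": "2.5.10.1", "last_seen": date(2022, 1, 19)},
)


def find_exposed(inventory, catalog, today: date) -> list:
    """Assets whose version falls inside a KEV entry's affected range; overdue and oldest first."""
    findings = []
    for row in inventory:
        version = parse_version(row["version"])
        for entry in catalog:
            if entry.product == row["product"] and entry.affects(version):
                findings.append({
                    "asset": row["asset"],
                    "cve": entry.cve_id,
                    "days_in_kev": (today - entry.date_added).days,
                    "overdue": today > entry.due_date,
                })
    # Sort key: overdue entries first, then the ones that have sat in KEV longest.
    findings.sort(key=lambda f: (not f["overdue"], -f["days_in_kev"], f["asset"]))
    return findings


def stale_assets(inventory, today: date, max_age_days: int = 30) -> list:
    """Rows no tool has seen recently: retired without a record, or hiding from scans."""
    return [row["asset"] for row in inventory if (today - row["last_seen"]).days > max_age_days]


if __name__ == "__main__":
    today = date(2022, 1, 21)
    for finding in find_exposed(INVENTORY, KEV, today):
        flag = "OVERDUE" if finding["overdue"] else "due"
        print(f"{finding['asset']:<12} {finding['cve']:<16} in KEV {finding['days_in_kev']}d  {flag}")
    print("stale inventory rows:", stale_assets(INVENTORY, today))
```

The stale-asset check is the inventory-hygiene half: a host that stopped reporting is either retired (delete the row) or unmanaged (find it), and either way its patch state is unknown.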
Managing backups and data recovery is another cyber security best practice that some organizations fall short on. Some organizations wait until they experience a data breach to start thinking about recovering their data via backups. While it can be relieving to know your data will more than likely be recovered, you really should be thinking about your backup and data recovery plan before being breached.
Backing up your data means keeping copies of it separate from the systems that produce it, with at least one copy offline or otherwise unreachable from the production network. This protects the data against accidental loss or corruption, and against an attacker who reaches the live systems. Some backup types include:
To have a successful backup and data recovery process, your organization needs a clear backup strategy with defined data protection goals. The policy should state what, when, and how data and systems will be backed up and how they will be restored should you be compromised. It is also important to test your backups regularly by performing restores: a backup job that reports success is not proof that the data can be brought back.
According to IBM, the average cost of a data breach in 2019 was $3.92 million, up 1.5% from 2018. The average cost was $150 for each record during that time frame. The U.S. has experienced the largest number of data breaches, followed closely by Canada and Germany.
What’s more interesting is that the average amount of time it takes for companies to realize that they’ve been breached is 197 days. Businesses with the right data breach recovery process contained their breach within 30 days and saved more than $1 million compared to companies that took longer than 30 days to intervene.
Sometimes technology fails and information is lost, but a growing share of data loss is caused by threat actors who deliberately target and circumvent backups. They either steal data for their own use or strip businesses of their resources. One threat actor known for destroying backups is the ransomware gang Conti, which targets backup systems to make sure the ransom gets paid.
Conti has been deliberate in building and deploying tooling to remove backups, starting with access to backup user accounts that hold elevated privileges. Once they hold those accounts they can do anything they want with the backups they reach, including destroying, corrupting, and encrypting all of the data, which makes recovery extremely difficult or impossible. Keeping information secure comes with a price tag, but price should be a lesser concern than the risk of losing valuable data when you are breached.
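Testing restores (above) and the Conti pattern of corrupting backups from a privileged backup account both come down to one question: does the copy you would restore still match what was backed up? The script below is an added example (not Avertium's code) that records a checksum manifest when a backup is taken and verifies a test restore against it, so an encrypted, deleted or stale copy is caught by a scheduled check rather than during an incident. The files, the 24-hour recovery point objective and the manifest format are constructed for illustration.

```python
"""Backup manifest and restore verification.

Added example, not code from the page. The sample files, the timestamps and
the 24-hour RPO below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _file_hashes(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def build_manifest(backup_root: Path, taken_at: datetime) -> dict:
    """Record what the backup contained and when. Store this where the backup account cannot write."""
    return {"taken_at": taken_at.isoformat(), "files": _file_hashes(backup_root)}


def verify_restore(manifest: dict, restored_root: Path, now: datetime, rpo: timedelta) -> dict:
    """Compare a test restore against the manifest and against the recovery point objective."""
    expected = manifest["files"]
    present = _file_hashes(restored_root)
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    return {
        "missing": sorted(set(expected) - set(present)),
        "modified": sorted(f for f in expected if f in present and present[f] != expected[f]),
        "unexpected": sorted(set(present) - set(expected)),
        "older_than_rpo": now - taken_at > rpo,
    }


def is_restorable(report: dict) -> bool:
    return not (report["missing"] or report["modified"] or report["older_than_rpo"])


def demo() -> dict:
    """Constructed scenario: take a backup, let an intruder tamper with the copy, run the restore test."""
    files = {
        "db/accounts.sql": b"INSERT INTO accounts VALUES (1, 'alice');\n",
        "config/app.ini": b"[app]\nmode = prod\n",
        "docs/readme.txt": b"restore notes\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        backup, restored = Path(tmp) / "backup", Path(tmp) / "restored"
        for rel, data in files.items():
            for root in (backup, restored):
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        taken_at = datetime(2022, 1, 20, 2, 0, tzinfo=timezone.utc)
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup, taken_at)))
        # What an operator holding the backup account's privileges does to a reachable
        # copy: overwrite one file with ciphertext-like bytes and delete another.
        (restored / "db" / "accounts.sql").write_bytes(os.urandom(64))
        (restored / "docs" / "readme.txt").unlink()
        manifest = json.loads(manifest_path.read_text())
        return verify_restore(manifest, restored, now=taken_at + timedelta(hours=30), rpo=timedelta(hours=24))


if __name__ == "__main__":
    report = demo()
    print(json.dumps(report, indent=2))
    print("restorable:", is_restorable(report))
```

The manifest is only useful if the account that writes backups cannot rewrite it; keep it on separate, append-only or offline storage, otherwise an intruder with the backup account can re-hash the encrypted files and the check passes.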
Virtual private networks, or VPNs, are one of threat actors' favorite entry points into a network. A VPN extends a private network across the Internet so that a remote user can reach internal resources as if they were connected to the office LAN. Securing VPNs keeps those internal resources from being exposed directly to the Internet.
Attackers get into networks when organizations fail to patch their VPN gateways and other externally facing devices. A VPN gateway is a stable foothold: it is always reachable from the Internet, it terminates the encrypted tunnel, and it authenticates users. If an employee connects through the company VPN to a database stored on an internal server, a threat actor who has compromised the gateway can see that traffic after it has been decrypted, and can reuse the session or credentials to reach the same server.
VPNs establish encrypted connections between devices, so an attacker cannot read VPN traffic from outside the tunnel; the attacker has to get inside it. All it takes is one compromised account, device, or gateway. In September 2021, it was reported that a threat actor leaked roughly 500,000 Fortinet VPN login credentials harvested from 87,000 devices. The culprit was a member of the ransomware gang Babuk. Although the VPN vulnerability had long been patched by Fortinet, many of the stolen credentials were still valid because the passwords had never been reset.
Fortinet stated the attackers obtained the credentials from systems that had not applied the patch. The vulnerability, tracked as CVE-2018-13379, is a path traversal flaw in the FortiOS SSL VPN web portal that allows an unauthenticated user to read arbitrary system files, including the file holding active session data. The lesson is that patching the device is only half of the remediation: credentials exposed while it was vulnerable must also be reset.
Although it was never confirmed that the leaked credentials belonged to remote employees, it is reasonable to assume that many did, since VPN access is typically provisioned for remote workers to reach company resources. Requiring multifactor authentication on VPN logins, and deploying identity and access management (IAM) and secure web gateway solutions, helps keep remote employees secure by filtering content and preventing data from leaving your organization's network.
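The bug class behind CVE-2018-13379 is worth seeing in code. The example below is added here and is not Fortinet's code or the FortiOS bug itself: it shows a file handler that joins a request path onto a web root without checks beside a hardened version that decodes, canonicalises, and then confirms the real target sits under the real root. The directory layout, file names and request strings are constructed.

```python
"""Path traversal: vulnerable handler beside the hardened one.

Added example, not vendor code. The web root, file names and request paths
are constructed; "sessions.db" stands in for any sensitive file outside the
directory the handler is supposed to serve.
"""
import tempfile
from pathlib import Path
from urllib.parse import unquote


def read_vulnerable(web_root: Path, requested: str) -> bytes:
    """Naive join: '..' segments, or an absolute path, read outside web_root."""
    return (web_root / requested).read_bytes()


def read_hardened(web_root: Path, requested: str) -> bytes:
    """Decode, canonicalise, then require the real target to live under the real root."""
    root = web_root.resolve()
    # Decode percent-encoding first so '%2e%2e%2f' cannot slip past a textual check.
    target = (root / unquote(requested)).resolve()  # resolve() follows symlinks and collapses '..'
    # Compare path components, not strings: str.startswith(str(root)) would accept /srv/www2 for /srv/www.
    if target != root and root not in target.parents:
        raise PermissionError(f"request escapes web root: {requested!r}")
    return target.read_bytes()


def demo() -> dict:
    """Constructed layout: <tmp>/www/lang/en.txt is public, <tmp>/sessions.db must stay private."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        web_root = base / "www"
        (web_root / "lang").mkdir(parents=True)
        (web_root / "lang" / "en.txt").write_bytes(b"hello\n")
        (base / "sessions.db").write_bytes(b"SESSION-DATA\n")  # constructed sensitive file outside the root

        traversal = "../sessions.db"
        leaked = read_vulnerable(web_root, traversal)

        def blocked(request: str) -> bool:
            try:
                read_hardened(web_root, request)
            except PermissionError:
                return True
            return False

        return {
            "leaked": leaked,                          # what the naive handler hands out
            "blocked_plain": blocked(traversal),       # '../' form
            "blocked_encoded": blocked("..%2Fsessions.db"),  # percent-encoded slash
            "blocked_absolute": blocked(str(base / "sessions.db")),
            "legit": read_hardened(web_root, "lang/en.txt"),  # normal request still served
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<17} {value!r}")
```

Denylisting the literal string `../` is not a fix: encodings, backslashes on Windows, and symlinks inside the root all get past it. Canonicalising with `resolve()` and checking ancestry handles all three in one place.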
Managing default passwords is simple in theory but complicated in practice. Factory default credentials on network equipment, IoT devices, and applications should be changed before the device goes into service, because those defaults are published and are the first thing an attacker tries. Beyond defaults, most people do not consider updating passwords difficult, but when a company has thousands of employees who are each responsible for rotating their passwords and not re-using them, things get tricky. Organizations need a password management system with a secure way to store passwords and retrieve them when required.
Password best practices include:
Most cyber security professionals know the details of the attack on Colonial Pipeline. The ransomware gang DarkSide launched a ransomware attack on the company in May 2021. The threat actor gained access through a single compromised password for a Colonial Pipeline virtual private network (VPN) account. The account allowed employees to remotely access the company's computer network; at the time of the attack it was no longer in use, but it had never been disabled and could still reach the fuel company's network.
After the ransomware attack, researchers found the account's password in a batch of leaked passwords on the dark web. It is suspected that the employee had re-used that password on another, previously hacked account. The compromised VPN account did not use multifactor authentication, and it is not known exactly how DarkSide obtained the username and password.
As a result of the attack, Colonial Pipeline had to shut down the fuel pipeline, leaving gas stations, businesses, and households without fuel. Additionally, the news of a cyber-attack made its rounds and people started panic buying which resulted in gas shortages along the east coast. DarkSide stole about 100 gigabytes of data from the company and threatened to leak it if they refused to pay a ransom. Colonial Pipeline ended up paying DarkSide $4.4 million in ransom.
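The Colonial Pipeline account had three properties that an audit could have flagged: it was still enabled though no longer used, it had no MFA, and its password already sat in a breach dump. The script below is an added example (not Avertium's code) with two checks: an audit of remote-access account records for the first two conditions, and a password-breach check using the k-anonymity scheme popularised by Have I Been Pwned, where only the first five hex characters of the password's SHA-1 leave the client and the service returns every matching suffix. To run offline, the range lookup here is served from a constructed corpus of three leaked passwords with made-up counts, so no real service is contacted; the account records and dates are constructed as well.

```python
"""Remote-access account audit plus a k-anonymity breached-password check.

Added example, not code from the page. LEAKED and ACCOUNTS are constructed;
lookup_range() stands in for the HTTPS range request a real client would make.
"""
import hashlib
from datetime import date


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form the range scheme uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus standing in for a public one; counts are made up.
LEAKED = {"password123": 123456, "Summer2021!": 42, "Welcome1": 9001}


def build_range_index(leaked: dict) -> dict:
    """Constructed stand-in for the remote service: 5-hex prefix -> {35-hex suffix: count}."""
    index: dict = {}
    for pw, count in leaked.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(LEAKED)


def lookup_range(prefix: str) -> dict:
    """A real client would issue an HTTPS request for the prefix; this answers from the constructed index."""
    return RANGE_INDEX.get(prefix, {})


def breach_count(password: str, range_lookup=lookup_range) -> int:
    """How often the password appears in the corpus. Only the 5-char prefix is sent; matching is local."""
    digest = sha1_hex(password)
    return range_lookup(digest[:5]).get(digest[5:], 0)


def audit_remote_access(accounts, today: date, dormant_after_days: int = 90) -> dict:
    """Flag enabled remote-access accounts that lack MFA or have gone dormant. Returns user -> issues."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled is the correct state for leavers and retired service accounts
        issues = []
        if not acct["mfa_enrolled"]:
            issues.append("no MFA enrolled")
        idle_days = (today - acct["last_login"]).days
        if idle_days > dormant_after_days:
            issues.append(f"dormant for {idle_days} days but still enabled")
        if issues:
            findings[acct["user"]] = issues
    return findings


# Constructed export from a VPN or identity provider.
ACCOUNTS = (
    {"user": "vpn-svc-legacy", "enabled": True, "mfa_enrolled": False, "last_login": date(2020, 11, 2)},
    {"user": "alice", "enabled": True, "mfa_enrolled": True, "last_login": date(2021, 4, 28)},
    {"user": "bob", "enabled": True, "mfa_enrolled": False, "last_login": date(2021, 4, 29)},
    {"user": "carol-contractor", "enabled": False, "mfa_enrolled": False, "last_login": date(2020, 1, 5)},
)


if __name__ == "__main__":
    for user, issues in audit_remote_access(ACCOUNTS, date(2021, 4, 29)).items():
        print(f"{user:<18} {'; '.join(issues)}")
    for candidate in ("password123", "xK9#vLp2!qRw7mZt"):
        print(f"{candidate!r}: seen {breach_count(candidate)} times in breach corpus")
```

Run the breach check when a password is set or reset, which is the only time the plaintext is available; run the account audit on a schedule, and treat "dormant but enabled" as a ticket to disable the account, not just a warning.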
Putting cyber security basics into practice can help your organization protect business processes and reduce the risk of a cyber attack. Updating software, securing files, managing passwords, and managing inventory are the first principles you should follow before diving into more sophisticated cyber security tools. Avertium offers the following services to help your organization stay on the right path toward securing your environments:
Avertium, the FBI, and CISA recommend the following regarding cyber security best practices:
Patching
Inventory Control
Managing Backups & Data Recovery
Securing VPNs
Managing Default Passwords
Conti
DarkSide
External cybersecurity threats on the rise in public sector, report says (police1.com)
SolarWinds Public Sector Cybersecurity Survey Report
What is Patch Management? Benefits & Best Practices | Rapid7
The consequences of not applying patches (pandasecurity.com)
What is Asset Inventory Management? | Balbix
Ransomware Conti Is Set To Infiltrate Backups (lifars.com)
Data Backup & Recovery | Certitude Security | Cyber Security
Oversight finds 'small lapses' in security led to Colonial Pipeline, JBS hacks | TheHill
cybersecuirty_sb_factsheets_all.pdf (ftc.gov)
AA22-011A_Joint_CSA_Understanding_and_Mitigating_Russian_Cyber_Threats_to_US_Critical_Infrastructure_TLP-WHITE.pdf
Threat Actor Leaks Login Credentials Of About 500,000 Fortinet VPN Accounts - CPO Magazine
Password Best Practices | UC Santa Barbara Information Technology (ucsb.edu)
End of Year Recap for 2021 (avertium.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of the Client's compliance with any law, regulation, or standard.