How to prepare for a data breach

Whether you want to believe it or not, there’s a high probability that at some point in time your business will suffer a cyber incident that results in a data breach. It doesn’t matter how good your security is: software has bugs, and people make mistakes – and these two things will at some point in time result in an event that would be considered a data breach. (Unless you don’t store any Personally Identifiable Information (PII), including your employees’ Tax File Numbers and dates of birth….)

Think of it this way, you don’t expect to have a car accident every time you get into a motor vehicle, but likewise you wouldn’t get into a car without putting on your seat belt, would you? In much the same way, we need to implement systems that can help us recover from a cyber incident and provide us with sufficient information that we can confidently identify the implications of the incident.

In recent months we’ve been brought in to provide Incident Response and Digital Forensic services for victims of cyber incidents. In some cases, we’ve been able to accurately identify the actions of the intruders and include or exclude certain potentially affected individuals (as in the case of Business Email Compromise). In other instances, we’ve spent weeks combing through forensically valuable artefacts and still have been unable to accurately say what was, or was not, accessed by intruders.

Why would this matter?

Let’s say, the person who handles your payroll has their email account hacked. Let’s say that person has worked for you for 10 years and you have a staff of 50. How many employees have you had in the last 10 years? How many contractors? Let’s say it’s 100 people.

Due to the nature of that person’s job, it is not uncommon for them to receive and send emails and documents which include things like name, address, date of birth, tax file number, next of kin, resumes, superannuation fund details, bank account details, contact telephone number, etc. As most of us use Outlook (our email) as a sort of file store slash database, there’s probably a high chance that copies of these emails and items exist in their mailbox.

On the one hand, if there was a detailed log (for example an Activity API) of every email and attachment viewed by each person accessing that mailbox, a forensic analyst could review that log and identify what, if any, confidential material was accessed. This could be the difference between: having to notify 100 individuals that their personal details _might_ have been accessed, including Tax File Numbers and PAYG summaries, which could be used to lodge a fraudulent tax return in their name; being able to advise 20 individuals that you know their details were accessed and that they should take steps such as notifying the ATO; or being able to confidently say that no one had their personal details exposed.
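To make the scoping exercise concrete, here is an added example (it is not code from this article or from any vendor's Activity API) of how an analyst narrows the notification list once item-level access logging exists. The log format, the mailbox index, the office address range and every name and date in it are constructed for illustration; the compromise window is assumed to have been established separately (for example from the first logon by an unfamiliar address). The idea generalises to any audit source that records which item was opened, by whom, from where and when.

```python
"""Scope a mailbox compromise from an item-level access log (constructed example)."""
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple

# Constructed index of what each mailbox item contains: item id -> the people
# whose personal details (TFN, bank account, DOB ...) that email or attachment holds.
MAILBOX_INDEX = {
    "msg-001": {"subject": "New starter forms", "people": {"A. Citizen"}},
    "msg-002": {"subject": "TFN declaration", "people": {"B. Worker"}},
    "msg-003": {"subject": "Super fund details Q3", "people": {"C. Staff", "D. Contractor"}},
    "msg-004": {"subject": "Friday lunch order", "people": set()},
    "msg-005": {"subject": "PAYG summary", "people": {"E. Former"}},
}

# Constructed access log, one item view per line: timestamp,mailbox,source_ip,item_id
ACCESS_LOG = """\
2018-05-14T09:02:11Z,payroll@example.com.au,203.0.113.10,msg-001
2018-05-14T09:15:40Z,payroll@example.com.au,203.0.113.10,msg-005
2018-05-15T02:13:07Z,payroll@example.com.au,198.51.100.23,msg-002
2018-05-15T02:14:52Z,payroll@example.com.au,198.51.100.23,msg-003
2018-05-15T02:15:30Z,payroll@example.com.au,198.51.100.23,msg-004
2018-05-15T08:45:00Z,payroll@example.com.au,203.0.113.10,msg-005
"""

# Constructed: the business's own internet egress range; anything else is "unknown".
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]

# Assumed to have been established earlier in the investigation (constructed dates).
COMPROMISE_WINDOW = (datetime(2018, 5, 14), datetime(2018, 5, 16))


class AccessEvent(NamedTuple):
    when: datetime
    mailbox: str
    source_ip: str
    item_id: str


def parse_log(text: str) -> List[AccessEvent]:
    """Turn the CSV export into typed events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mailbox, ip, item = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(AccessEvent(when, mailbox, ip, item))
    return events


def is_known_source(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def intruder_events(events, start, end):
    """Accesses inside the compromise window from addresses we do not recognise."""
    return [e for e in events if start <= e.when <= end and not is_known_source(e.source_ip)]


def all_people(index) -> set:
    """Everyone whose details sit anywhere in the mailbox: the no-logs notification list."""
    return set().union(*(item["people"] for item in index.values()))


def people_accessed_by_intruder(events, index, start, end) -> set:
    """Only the people whose items the intruder actually opened."""
    touched = set()
    for e in intruder_events(events, start, end):
        touched |= index.get(e.item_id, {}).get("people", set())
    return touched


def notification_scope(events, index, start, end) -> dict:
    return {
        "without_logs": sorted(all_people(index)),
        "with_logs": sorted(people_accessed_by_intruder(events, index, start, end)),
    }


if __name__ == "__main__":
    scope = notification_scope(parse_log(ACCESS_LOG), MAILBOX_INDEX, *COMPROMISE_WINDOW)
    print("Must notify without item-level logs:", scope["without_logs"])
    print("Must notify with item-level logs:   ", scope["with_logs"])
```

In the constructed data the intruder opened three items from an unfamiliar address, one of which (the lunch order) held no personal details, so the list shrinks from five people to three; without the item-level log every person in the index would have to be notified.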

That’s one example, and an easy one to demonstrate and work with. The harder cases are when Remote Desktop Servers (RDP/RDS/Citrix/Terminal Servers/etc) get accessed, the intruder(s) have been in the system for a few months, and the account they used could reach the business’s entire file system, but we are unable to confidently say what they have or have not done during that time.

What should you do?

No matter what system you use, get your IT Administrator / Managed Service Provider, or whoever looks after your IT systems, to set up some form of log collector or aggregator (on a different machine). Then have all relevant security, access and auditing logs from your servers, firewalls, proxies, etc. forwarded to the log collector for long-term storage. This means that whether the logs rotate due to age or the intruders delete them from the systems, you still have a copy stored somewhere for review. (Think of it like a dash cam in your car….)

For Windows Servers, ensure that “Audit Logon Events” is enabled for both Failures and Successes. This will help identify brute force attacks, as well as keep a record of the date, time, IP address and user account used to log in to your systems.

Turn the Volume Shadow Copy Service (VSS) ON on Windows Remote Desktop Servers (Citrix, Terminal Servers, etc.), as it may help investigators recover valuable artefacts even if they’ve been destroyed by intruders. And if possible, ensure those systems are backed up at least daily, with the ability to recover data from 30 days prior if financially feasible – at the very least 2 weeks!

If you’re using Office 365, enable Auditing. If you’re using some other form of hosted service, ask your provider what account auditing they do, how detailed it is, and how long they store the logs they collect.

None of this is expensive to implement – most of it is built in and just needs to be turned on!

Not having it turned on can be the difference between having to notify EVERYONE you store information on that their information may have been accessed, versus being able to notify only a very specific set of individuals. That can equate to hundreds of thousands of dollars in legal, forensic, public relations and notification fees, not to mention loss of reputation.

Do I really need a cyber-secure printer or copier?

Yes and No, but mainly….. No.

In the last few months our clients have been getting calls from Managed Print and Copier sales people suggesting that they could get “hacked” via their printer and potentially be fined under the new Notifiable Data Breach (NDB) scheme. Whilst it is technically possible to “hack” into a printer and use it to pivot throughout a network, most of what they are saying is outright fear mongering.

But you just said you can hack a printer?

Yes, you can, but to actually achieve this, one of at least 3 things has to happen first.

  1. Your IT guy inadvertently allows your copier to be accessible from the public internet, with absolutely no security over it.
  2. Another device in your network gets compromised first so that cyber-criminals can then leverage that device to try and break into your printer.
  3. Someone has to come into your office and physically plug into the printer or your network and try and break into the printer.

#1. If this is a real possibility for you, you have much bigger problems afoot and have probably already been hacked.

#2. If an endpoint has been compromised due to malware, your network has probably already been compromised. Unless you’re running some secret agency, why would anyone waste time breaking into a printer when they already have a foothold in the network and can steal the crown jewels anyway?

#3. If a cyber-attacker can get physical access to your office, couldn’t they just steal your computers? One of your staff has probably left themselves logged in, allowing the attacker to copy all the interesting files that way. And heck, why not flog that fancy TV and laptop whilst they’re at it?

The whole “hack a printer” thing is legit, but for other reasons. Unless you, your IT guy or your copier guy are diligently running firmware updates on your printer, it’s likely running old software (called firmware) which may contain vulnerabilities (bugs) that let an attacker gain elevated privileges (admin access) on the device. Since most devices these days are just computers anyway, that device can then run software much like an actual computer.

Manufacturers want to sell new products, and this means they are unlikely to continue providing software (firmware) updates to old devices. Once a device hits about 5 years or so it’s time to consider replacing it so that you continue to get support (and software updates) from the manufacturer. If your copier is 10 years old, sure, now might be a good time to replace it, but not because you need a cyber-secure one!

But the most critical aspect to all this is “Why would an attacker want to hack a printer”?????

The value of a benign-looking device like a copier, IP camera, wireless access point, or any other network-connected device, is that if an attacker can gain access to it they can install a remote access trojan on it and use it to hide in the network: a way back in if their other footholds are removed, or a platform from which to attack other devices in the network.

So what should you do?

The Australian Signals Directorate publishes a list of “Strategies to Mitigate Cyber Security Incidents” as well as the shortened “Essential 8” list, which the ASD suggests can mitigate 85% of the cyber-attacks they are called in to investigate. Google “ASD Essential 8” to find it.

The Essential 8 are…

  • Application Whitelisting – basically only allow good, known software to run on computers.
  • Patch Applications – keep everything up to date.
  • Disable Untrusted Microsoft Office Macros – as this is the current main vector for ransomware.
  • User Application Hardening – remove software you don’t need or that is known to be susceptible to exploit like Java, Flash, web ads, etc.
  • Restrict Administrative Privileges – no user should work as an admin account, admin accounts should be limited and only used when system admin tasks are required.
  • Patch Operating Systems – keep your Windows or Mac system up to date.
  • Multi-Factor Authentication – don’t rely on a username and password only to be secure, implement SMS, token, 2nd Factor Authentication (2FA) or biometrics to harden your security.
  • Daily Backup of Important Data – the ultimate strategy …. BACKUP!

At no point does the ASD suggest that a cyber-secure printer would have stopped a cyber-attack, nor would it have prevented an incident that would fall under the Notifiable Data Breach (NDB) legislation. It’s not even listed in the full list of 25 top mitigation strategies.

90% of businesses we audit have not implemented the essential 8. If your business has, I’d love to hear from you, but if like the other 90% you’re only able to tick off 4 or 5 of the Essential 8, focus your attention there first before you get scared into buying or leasing a new copier 😉

BGL Simple Fund could be putting your business at risk!

UPDATE: On 3/11/2016, the Director of BGL Corp contacted me regarding this article. Ron Lesh and I discussed in detail the issue we [INSANE and the other IT provider] had identified. Ron went on to confirm for me that the latest update informs the individual performing the update if the default password is still in use, and prompts them to correct this.

It seems that for many firms, the issue here was that they may not be reading security alerts from vendors and are also NOT running regular updates, thus leaving their systems (and their clients) at risk of compromise.

Great to see a software vendor taking the right steps with security. If only we could get more businesses to do this!


CRITICAL ALERT: Do you remote into your computer or servers? You could be at risk of a new RANSOMWARE variant we discovered YESTERDAY!

Please take the time to read this post. It could save your business a lot of money and heartache!

YESTERDAY (the 7th of April 2016) a client was hit with a new variant of ransomware (malware that encrypts all your files and holds them to ransom). I’ve spent the last 24 hours scouring through their log files trying to ascertain how the infection occurred – suspecting that it was either via email or a compromised web page.

FINALLY, I discovered that this new variant entered the network via Remote Desktop Protocol (RDP). RDP is the technology typically used to remote into a Windows server or desktop.
 
This client’s router had been configured to allow remote access to each of their staff to dial into their own desktop from home (or remote locations). It appears that the malware exploited the RDP connection of each computer that was left on overnight and once the attackers had gained access to the computer, they began to encrypt all the files on the computer – and any mapped drives. The malware even deleted Microsoft Office and other common business software.
 
Luckily, the client uses our Back-Up + Disaster Recovery [BUDR] solution, and it was a trivial matter to recover their data – however due to the damage done to the computers, we are now going through the laborious task of formatting and re-configuring three computers from scratch! Something that will result in those staff being unable to work for a couple of hours.
 
The reason I am bringing your attention to this is because I know MANY businesses have their IT guys set up their computers so they can dial in remotely. If you are doing this and you’re not using a VPN or SSLVPN to connect to your company, you are very likely to be hit by the same malware this client was hit with.
 
If you are doing this, contact your IT guy TODAY and talk to them about blocking remote access IMMEDIATELY unless it is via a secure VPN. If you have a Remote Desktop Server that is publicly accessible, shut down remote access and implement a VPN immediately. The time to rebuild a Remote Desktop Server could be a few days if it is compromised, and that’s not taking into consideration the risk of data loss (you check your backups, right?).
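If you want to check for yourself before the IT guy arrives, the port-forward (NAT) table on your router is where the exposure described above lives. The following is an added example, not code from this post or from any router vendor: it reads a constructed rule table and reports every forward that lands on RDP (TCP 3389) inside the network while being open to the whole internet. The rule format, names and addresses are made up; export your own router's forwarding rules and adapt parse_rules() to its layout. Two points it illustrates beyond the text: forwarding an odd external port such as 33890 to 3389 is still an exposed RDP service, and a forward limited to a named source range is reported separately so you can decide whether that source is really the VPN you intended.

```python
"""Audit a constructed router port-forward table for internet-exposed RDP."""
from ipaddress import ip_network
from typing import List, NamedTuple

RDP_PORT = 3389


class ForwardRule(NamedTuple):
    name: str
    proto: str
    source: str      # "any" or a CIDR allowed to use the rule
    ext_port: int    # port listening on the internet side
    int_host: str
    int_port: int    # port the traffic is delivered to inside the network


# Constructed rule table: name proto source ext_port -> int_host:int_port
SAMPLE_RULES = """\
reception-pc   tcp any            3389  -> 192.168.10.21:3389
accounts-pc    tcp any            33890 -> 192.168.10.22:3389
rds-server     tcp 203.0.113.0/24 3389  -> 192.168.10.5:3389
vpn-gateway    udp any            1194  -> 192.168.10.1:1194
web-cam        tcp any            8080  -> 192.168.10.40:80
"""


def parse_rules(text: str) -> List[ForwardRule]:
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, proto, source, ext_port, _arrow, target = line.split()
        host, port = target.split(":")
        rules.append(ForwardRule(name, proto, source, int(ext_port), host, int(port)))
    return rules


def source_is_internet(source: str) -> bool:
    """'any' or a /0 network means anyone on the internet can use the rule."""
    if source == "any":
        return True
    return ip_network(source, strict=False).prefixlen == 0


def classify(rule: ForwardRule) -> str:
    """exposed = RDP reachable by the whole internet, whatever the external port;
    restricted = RDP reachable only from a listed source range; ok = not RDP."""
    if rule.proto != "tcp" or rule.int_port != RDP_PORT:
        return "ok"
    return "exposed" if source_is_internet(rule.source) else "restricted"


def audit(rules: List[ForwardRule]) -> dict:
    report = {"exposed": [], "restricted": [], "ok": []}
    for rule in rules:
        report[classify(rule)].append(rule.name)
    return report


if __name__ == "__main__":
    result = audit(parse_rules(SAMPLE_RULES))
    for verdict, names in result.items():
        print(f"{verdict:10s} {', '.join(names) or '-'}")
```

The check only sees forwards that end on port 3389; a machine running RDP on a different port, or a router "DMZ host" / "expose host" setting that forwards everything, needs a look as well. The VPN gateway rule is the one kind of internet-facing forward the post is asking you to keep.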
 
If you are UNSURE if you are doing this, get someone in to check (us perhaps?!). I would hate to see another business go through this trauma. Thankfully this client was doing an office move and we knew their backup was working, so we just continued with the office move and then began the cleanup at the other end whilst they continued to roll furniture in – so the only downtime will now be that of those whose computers were attacked.
 
If you want to know more about this, please reach out to Insane Technologies on: (07) 5539-6116

PS: If you know someone who would like to opt in for security tips and download a free report we’ve recently published on protecting yourself from cybercrime, forward this link to them: https://www.insane.net.au/cybersecuritytips/