Cyber Security: Tips for Managing Risks and Threats
RANDY JOHNSTON, EXECUTIVE VICE PRESIDENT,
K2 ENTERPRISES
Headlines abound on cyber security. Do these threats affect you and your firm, or do you believe that these attacks “always happen to someone else”? Threats such as spear phishing, ransomware, data breaches, and identity theft are key risks to organizations, and managing them should be part of your internal control structure.
The benefits and risks associated with software-as-a-service (SaaS) and hosted applications are very different from those of traditional on-premises information technology, and the implications for evaluating general computer controls are significant. Despite the enthusiasm for cloud applications, some of the evidence routinely used in an on-premises forensic investigation, such as the transaction audit trail, application user access logs, and computer access logs, is often difficult to obtain from a cloud provider, and may no longer be available by the time you or your client suspect a crime. What are the top cyber security issues? What new risks come with cloud solutions, and what techniques can be used to limit them? What strategies can we use to manage these risks?
What Types of Risks are There?
There are more new and sophisticated attacks and risks than can be enumerated in a short article. To name a few: phishing, tax-related identity theft, data breaches, ransomware and other viruses and malware, insecure Internet of Things (IoT) devices, cyber-espionage, cyber theft and other cyber crime, weak passwords, bring-your-own-device (BYOD), unauthorized data access, data stored without proper controls, privacy regulation, and staff engagement. What contributes to the scope of these security concerns? Each of the following is a contributing factor:
- Large amounts of data to store and secure
- Rapid increase in mobile devices
- Need for anytime, anywhere access to data
- Large number of organizations being hacked
- Relative risks of the cloud compared to on-premises data storage and processing
We could quote a broad array of statistics on data breaches, exploits and other attacks; we suggest you simply search for data breach statistics and see for yourself. The key thing to remember is that whether your organization is large or small, everyone is a target. Protecting your organization requires a wide array of tools and practices, including, but not limited to:
- Exercising due diligence in making data security decisions
- Choosing well-designed IT security policies
- Selecting hardware tools designed to mitigate threats
- Using software and services designed to mitigate threats
- Deploying strong user authentication, using multi-factor capabilities, not just user IDs and passwords
What Are the Elements of a Cyber Attack?
We need to consider the factors that cyber attackers exploit, as well as what must be protected, to improve our cyber security. First, we must protect our endpoints. These are frequently the target of the attack and include individual PCs, servers, network devices and cloud-hosted systems. The purpose of an endpoint attack is to control, corrupt, or disable the endpoint. Attackers look for vulnerabilities: a vulnerability is a weakness that permits the endpoint to be penetrated, and vulnerabilities include software flaws, system design weaknesses, insecure configurations, and human errors. Attackers use malware, that is, malicious software; there are many different types of malware, and attacks often combine more than one strategy. The malware reaches our organizations through a delivery vehicle, which may be anything from social engineering such as phishing to an infected USB stick. Finally, the method of execution (MoE) is the means through which attackers obtain the resources an attack needs, including access, processing time and data.
Common types of malware include droppers, ransomware, backdoors, credential stealers, viruses, worms, and vandalizers. A few of the best-known ransomware families are CryptoLocker, CryptoWall and Locky. Ransomware is designed to hold data hostage, and these families have been very active from late 2013 to the present. Typically, a user opens a program on a local PC that was e-mailed to the user embedded in a file or reached via a web link. The malware installs itself in numerous places and then connects to a command-and-control server run by the perpetrators, which gives the ransomware a public key. This key is used to encrypt all Office files, databases, pictures, etc., on the computer (in practice each file is encrypted with a symmetric key that is itself encrypted with the public key; the effect is the same). Once the data is encrypted, the user is presented with an ultimatum: pay within 72 hours or the private key (needed to unscramble the files) will be destroyed. Recent variants have been infecting Remote Desktop Services (RDS, formerly Terminal Services) and Citrix servers in public and private cloud installations.
Numerous CPA firms, healthcare entities, businesses and government agencies have fallen victim to CryptoLocker. The ransoms demanded range from $300 to $18,000, payable in Bitcoin or by anonymous wire transfer. Anti-virus and anti-spam applications do not detect many variants of this threat, but strategies such as application whitelisting (allowlisting), geofencing and other techniques have slowed the rate of infection. However, attackers are getting smarter and choosing new methods of attack.
So, What Are Some Potential Tools to Prevent Cyber Attacks?
A few defenses have been used for some time, including a well-maintained firewall and a backup that runs almost continuously. It is clear that a properly installed and maintained anti-virus product is the first line of defense, even though signature-based anti-virus products are not as effective as they once were. In fact, “anti-virus is dead” according to a May 2014 Wall Street Journal interview with Brian Dye, Symantec’s senior vice president for information security. Symantec’s Norton anti-virus suite has been at the forefront of PC security for years, and the product has evolved into their Endpoint Protection product. But don’t let the claim distract you: anti-virus isn’t being retired, and Dye’s words reflect the new reality of anti-virus protection. Dye told the WSJ that he estimates traditional anti-virus detects a mere 45 percent of all attacks.

Second, a properly configured firewall can help protect your network whether you are running in a public cloud or have created your own private cloud on-premises. We recommend firewalls in all business locations, and prefer business-grade firewalls in homes, too. Third, encryption, which some states such as Massachusetts have mandated, is a strong line of defense. Your fourth line of defense should be identity management, including multi-factor authentication with a product like Duo or AuthAnvil. Based on the PCI DSS requirement that went into effect on February 1, 2018, which requires multi-factor authentication for some users and use cases, we suggest multi-factor authentication for all users. These products allow your IT team or contractor to enroll a mobile phone or another method such as a hardware token to authenticate a user. Remember that single-factor authentication relies on one thing you know, such as a user ID and password, whereas multi-factor authentication combines something you know with something you have (a phone or token) or something you are (a biometric). A second password or a security question is not a second factor; it is still something you know.

The broad adoption of cell phones, the availability of inexpensive tokens, and the availability of multi-factor authentication from providers like Microsoft and Google lead us to recommend multi-factor authentication this year. Finally, and fifth, it may be time to consider Security Information and Event Management (SIEM) tools, which collect and correlate logs from your systems and can identify unauthorized or destructive behavior on your network.
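As an added illustration of what a SIEM correlation rule does (example code written for this page, not taken from any SIEM product; the log format, user names and addresses are constructed), the block below replays a handful of authentication events through two rules: a run of failed logons from one source followed by a success within five minutes, and a successful logon from an address outside an allowlist of office and VPN networks, a crude stand-in for the geofencing mentioned earlier (a real deployment would use a GeoIP lookup). The thresholds and network ranges are assumptions.

```python
"""SIEM-style correlation of authentication events (added example; the log
format, users and addresses below are constructed for illustration)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events: ISO-8601 UTC timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2018-03-05T08:00:01Z event=logon_failed user=jdoe src=198.51.100.77
2018-03-05T08:00:04Z event=logon_failed user=jdoe src=198.51.100.77
2018-03-05T08:00:09Z event=logon_failed user=jdoe src=198.51.100.77
2018-03-05T08:00:12Z event=logon_failed user=jdoe src=198.51.100.77
2018-03-05T08:00:15Z event=logon_failed user=jdoe src=198.51.100.77
2018-03-05T08:00:20Z event=logon_ok user=jdoe src=198.51.100.77
2018-03-05T08:30:00Z event=logon_ok user=asmith src=192.0.2.25
2018-03-05T09:10:00Z event=logon_failed user=bwong src=192.0.2.40
2018-03-05T09:10:30Z event=logon_ok user=bwong src=192.0.2.40
2018-03-05T23:45:00Z event=logon_ok user=admin src=198.51.100.9
"""

# Assumed allowlist standing in for a geofence: office and VPN ranges where
# interactive logons are expected. A production rule would use GeoIP instead.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("203.0.113.0/24")]

FAIL_THRESHOLD = 5                  # failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window, then a success


def parse_event(line):
    """Turn one log line into a dict with a timezone-aware 'ts' field."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def correlate(log_text):
    """Stream events in order and return (rule, user, src) alerts."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of failures still inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        src, now = ev["src"], ev["ts"]
        # Expire failures that have fallen out of the window for this source.
        failures[src] = [t for t in failures[src] if now - t <= FAIL_WINDOW]
        if ev["event"] == "logon_failed":
            failures[src].append(now)
        elif ev["event"] == "logon_ok":
            # Rule 1: a burst of failures followed by success looks like a guessed password.
            if len(failures[src]) >= FAIL_THRESHOLD:
                alerts.append(("brute_force_success", ev["user"], src))
            failures[src].clear()
            # Rule 2: success from outside the allowed networks.
            if not any(ipaddress.ip_address(src) in net for net in ALLOWED_NETS):
                alerts.append(("logon_outside_allowed_nets", ev["user"], src))
    return alerts


if __name__ == "__main__":
    for rule, user, src in correlate(SAMPLE_LOG):
        print(f"ALERT {rule}: user={user} src={src}")
```

Both rules key on the source address; a password-spraying attacker who tries one password against many accounts from many addresses would slip past rule 1, which is why real SIEM content also correlates on the account and on the total failure rate across the estate, and why the multi-factor authentication recommended above matters even when the guessing goes undetected.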
And We Are Not Done Yet...
Why are the “bad guys” attacking our businesses and homes? The simple answer is to gain money and/or intellectual property. Another result of these attacks is identity theft. According to the U.S. Department of Justice, identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for economic gain. Essentially, someone exploiting your personal information for their own gain is the basis of identity theft. What happens to the stolen data? A few examples of prices seen on Dark Web markets reached over the Tor network: 1) $180 USD will buy the login information for a PayPal account with a $1,701 USD verified balance; 2) or perhaps you need U.S. citizenship documentation: for $5K you can have a “real” Social Security number, birth certificate, passport, driver’s license, etc.; 3) finally, a credit card or access to a bank account with a $1,500 available limit sells for about $100 USD.
There are threats beyond those identified in this short article. Hopefully, you now understand that the threats are real, and that there are reasonable steps you can take to protect yourself, your family and your business.
About the Author
Randy Johnston is a shareholder in K2 Enterprises, LLC, a leading provider of CPE to accounting and financial professionals. Concepts for this article were extracted from the security sessions produced as part of the 2019 K2 Technology Conferences and from Johnston’s own experience working with technology at various firms in the U.S. You may reach Randy at randy@k2e.com.