It's Not Always What's On The Inside That Counts



While serving as the head of an Information Security department, I once had a Chief Technology Officer (CTO) tell me, "The organization doesn't need security controls as long as they have security awareness training." The statement will seem naïve and even laughable to many security professionals. However, his words reflect a growing misconception shared by technology leaders at a time when everyone is worried about employees clicking on ransomware, visiting infected websites, or compromising a network over the VPN. Even my own doctoral dissertation is about the need for mandatory cybersecurity awareness training courses in middle schools. Yet a look at the news reminds us that securing the employees inside a company is not enough to secure the company.

One of the most concerning stories in the news this month is how ransomware groups are turning their focus toward firmware attacks. Leaked chats from the Conti ransomware group reveal that the organization is actively working to develop a set of firmware attack techniques. According to the leaked records, the group is interested in these attacks because it believes organizations do not update their firmware regularly. They are not wrong. Most organizations I've audited fail to keep up with software and operating system (OS) updates, much less worry about firmware. The lack of proper patching programs and firmware maintenance exposes organizations to significant risk. Firmware is one of the most dangerous targets inside an organization: code running below the operating system is invisible to most endpoint security tools, survives OS reinstalls and disk replacement, and gives an attacker long-term persistent access and a foothold for devastating attacks. Controls such as UEFI Secure Boot, measured boot backed by a TPM, and a firmware inventory with a vendor-update schedule belong in the same patching program as the OS, not in an awareness course.

Lack of patching and firmware updates isn't the only poor security practice in the news. Flaws such as missing authentication (let alone multifactor authentication), database ports exposed directly to the internet, and poor logging are turning databases into a haven for ransomware attackers. After all, attackers don't need employees to click on links when companies leave the door open for attackers to connect directly. Researchers recently identified over 1,200 Elasticsearch databases that were wiped and replaced with ransom notes. The attack comes on the heels of a report that over 3.6 million MySQL servers were found exposed to the internet and therefore open to malicious queries and extortion. Both findings come less than two years after tens of thousands of exposed MongoDB databases were similarly compromised by ransomware. Again, poor organizational security controls are permitting mass ransomware attacks, with no employee interaction required.
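The exposure described above is something an administrator can check for on the host itself, before an internet scanner does it for them. The following is an added example written for this page, not code from the original post or from any of the projects it mentions. It parses listening sockets in the shape of Linux `ss -tlnp` output (the sample below is constructed, not captured from a real host) and flags well-known database ports bound to a wildcard address. The port-to-service mapping assumes the engines run on their default ports; change `DB_PORTS` if yours do not.

```python
"""Flag database listeners bound to every interface, from `ss -tlnp`-style output.

Added example, not from the original article. The sample output is constructed.
"""
import re
from dataclasses import dataclass

# Default ports for the engines named in the article plus two frequently
# found exposed. Assumption: default ports are in use on the host.
DB_PORTS = {
    9200: "elasticsearch-http",
    9300: "elasticsearch-transport",
    3306: "mysql",
    27017: "mongodb",
    6379: "redis",
    5432: "postgresql",
}

# Bind addresses that accept connections on every interface, public ones included.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample in the shape of `ss -tlnp` output (not real host data).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:9200        0.0.0.0:*         users:(("java",pid=1201,fd=312))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=988,fd=21))
LISTEN 0      4096   *:27017             *:*               users:(("mongod",pid=1410,fd=11))
LISTEN 0      4096   [::]:6379           [::]:*            users:(("redis-server",pid=1502,fd=6))
LISTEN 0      128    10.0.0.5:5432       0.0.0.0:*         users:(("postgres",pid=1300,fd=5))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=700,fd=3))
"""


@dataclass(frozen=True)
class Finding:
    service: str
    bind_addr: str
    port: int
    process: str
    severity: str


# Local address looks like "0.0.0.0:9200", "*:27017" or "[::]:6379";
# split on the last colon so IPv6 brackets stay with the address.
_ADDR_RE = re.compile(r"^(?P<addr>.+):(?P<port>\d+)$")


def _split_local(field: str):
    m = _ADDR_RE.match(field)
    return (m.group("addr"), int(m.group("port"))) if m else None


def _process_name(columns) -> str:
    # The Process column needs -p and privileges, so it may be absent.
    m = re.search(r'users:\(\("([^"]+)"', " ".join(columns))
    return m.group(1) if m else "unknown"


def audit_listeners(ss_output: str) -> list[Finding]:
    """Return one Finding per database port that is reachable beyond loopback."""
    findings = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        parsed = _split_local(cols[3])
        if parsed is None:
            continue
        addr, port = parsed
        service = DB_PORTS.get(port)
        if service is None:
            continue  # not a database port we track
        if addr in WILDCARD_ADDRS:
            severity = "HIGH"    # every interface; internet-facing unless filtered upstream
        elif addr.startswith("127.") or addr == "::1":
            continue             # loopback only: not reachable from outside the host
        else:
            severity = "MEDIUM"  # specific non-loopback address; confirm it is private and firewalled
        findings.append(Finding(service, addr, port, _process_name(cols[5:]), severity))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{f.severity:6} {f.service:24} {f.bind_addr}:{f.port}  ({f.process})")
```

On the constructed sample this reports Elasticsearch, MongoDB and Redis as HIGH and PostgreSQL as MEDIUM, and ignores MySQL because it is bound to loopback. Two caveats: a wildcard bind is only an internet exposure if no perimeter firewall or cloud security group is filtering it, and the bigger question is whether the service demands authentication at all, so treat the output as a list of candidates to verify, not confirmed exposures. To run it against a real host, feed it the output of `ss -tlnp` in place of the sample string.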

Amid the discussion of ransomware, don't forget older and more traditional attacks. Italian security agencies recently released a warning that the pro-Russian hacktivist group Killnet is targeting Italian organizations with mass distributed denial-of-service (DDoS) attacks. Even worse, the group is actively recruiting volunteers for further attacks. Many organizations may not see themselves as targets for a powerful international crime syndicate. However, extortion campaigns built on DDoS attacks are becoming an increasingly popular substitute for ransomware. Last month, the US Securities and Exchange Commission (SEC) reported that DDoS extortion attacks are expanding their target populations and striking companies across the nation, costing one VoIP provider more than 9 million dollars. Even former ransomware titans are beginning to recognize the profitability of these tactics, as evidenced by last week's announcement that the former ransomware gang REvil has resurfaced as a DDoS extortion group. Like the other attacks noted, DDoS attacks can be mitigated with proper security controls and practices, such as upstream traffic scrubbing, rate limiting, and capacity planning, but security awareness training isn't one of them.

As cybersecurity moves into the future, security awareness training remains an essential part of protecting organizations. However, recent news reminds security professionals that simply monitoring and training employees is not enough. If your organization is unsure whether it has the proper security controls and defenses in place to protect against outsiders, have an experienced cybersecurity professional evaluate your security posture and ensure you are protected from emerging threats.

