It's Not Always What's On The Inside That Counts

-



  While serving as the head of an Information Security department, I once had a Chief Technology Officer (CTO) tell me, "The organization doesn't need security controls as long as they have security awareness training." The statement will seem naïve and even laughable to many security professionals. However, his words reflect a growing misconception shared by technology leaders in a time where everyone is worried about employees clicking on ransomware, visiting infected websites, or compromising a network over the VPN. Even my own Doctoral Dissertation is about the need for mandatory cybersecurity awareness training courses in middle schools. Yet, a look at the news reminds us that securing employees inside a company is not enough to secure the company.

One of the most concerning stories hitting the news this month is how ransomware groups are turning their focus toward firmware attacks. Leaked chats from the Conti ransomware group reveal that the organization is actively working to develop a set of firmware attack techniques. According to records, the group is interested in these attacks because they believe organizations do not update their firmware regularly. They are not wrong. Most organizations I've audited fail to keep up with software and operating system (OS) updates, much less worry about firmware. The lack of proper patching programs and firmware maintenance opens organizations to significant risks. Firmware is one of the most dangerous targets inside an organization, evading standard security solutions, providing long-term persistent access, and opening the door for devasting attacks.

Lack of patching and firmware updates aren’t the only poor security practice in the news. Flaws such as lack of multifactor authentication, unsecured ports, and poor logging are turning databases into a haven for ransomware attackers. After all, attackers don’t need employees to click on links when companies leave the door open for attackers to connect directly. Researchers recently identified over 1,200 Elasticsearch databases that were wiped and replaced with ransom notes. The attack comes on the heels of a report that over 3.6 million MySQL servers were discovered to be vulnerable to malicious queries and extortion. Both findings come less than two years after tens of thousands of exposed MongoDB databases were similarly compromised by ransomware. Again, poor organizational security controls are permitting mass ransomware attacks, with no employee interaction required.

Amid the discussion of ransomware, don't forget older and more traditional attacks. Italian security organizations recently released a warning that the pro-Russian hacktivist group, Killnet, is targeting Italian organizations with mass Distributed Denial of Service attacks (DDoS). Even worse, they are actively recruiting volunteers for further attacks. Many organizations may not see themselves as targets for a powerful international crime syndicate. However, extortion attacks relying upon DDoS attacks are becoming an increasingly popular substitute for ransomware. Last month, the US Security and Exchange Commission (SEC) reported that DDoS extortion attacks are expanding their target populations and striking companies across the nation, costing one VOIP provider more than 9 million dollars! Even former ransomware titans are beginning to recognize the profitability of these tactics, as evidenced by last week’s announcement that the former ransomware gang REvil has resurfaced as a DDoS extortion group. Like the other attacks noted, DDoS attacks can be stopped with proper security controls and practices, but security training isn’t one of them. 

As cybersecurity moves forward into the future, security awareness training is an essential part of protecting organizations. However, recent news releases remind security professionals that simply monitoring and training employees is not enough. If your organization is unsure if you have the proper security controls and defenses in place to protect your organization from outsiders, have an experienced cyber security professional evaluate your organization's security posture and ensure you are protected from emerging threats. 


Comments

Post a Comment

Popular posts from this blog

Remember the Mobile Devices

-
           There is probably no topic of contention that I encounter more as an IT security consultant and auditor than mobile device security. People and organizations just don’t want to secure themselves against mobile devices. The excuses are numerous: ·         Regulating employee mobile devices will lower morale. ·         Employees will think we are spying on them. ·         Other organizations allow their employees to use mobile devices freely. ·         No one worries about mobile device security anymore. I have even heard many of these statements from other information security professionals, including the last statement. DON’T BE FOOLED! Mobile devices are a serious risk to your organization. I have appeared on the news three times in the last few years to speak about attacks and threats targeting mobile devices. Two of those times were specifically about attacks targeting iPhones and Apple devices. Perhaps, for this reason, I was particularly alarmed by a recen
Read more