AWS-Cloud-Security-Consulting.jpg

CYBER SECURITY CONSULTING SERVICE AWARDS AND RECOGNITIONS

CyberSecOp's comprehensive managed security services, cyber security consulting, professional services, and data protection technology are recognized as industry-leading threat detection and response solutions by major analyst firms, key media outlets, and others.

CyberSecOp Cybersecurity & Breach News CyberSecOp Cybersecurity & Breach News

Understanding the UnitedHealth Data Breach: Lessons Learned and Cybersecurity Imperatives

In recent months, the healthcare industry has been rocked by a significant number of cybersecurity breaches, the most prolific of which was at UnitedHealth Group. This breach sheds light on the critical importance of robust cybersecurity measures in safeguarding sensitive patient data and ensuring the continuity of essential services. 

Below we delve into the details of this breach and explore its broader implications for cybersecurity in the healthcare industry as a whole.

The breach at UnitedHealth's tech unit on February 12th was orchestrated by hackers who gained remote access to the network using stolen login credentials. This breach, attributed to the cybercriminal gang AlphV, aka BlackCat, underscored the vulnerabilities inherent in relying solely on passwords for authentication, particularly the absence of multi-factor authentication (MFA). The compromised Change Healthcare Citrix portal, lacking MFA, provided an open gateway for cybercriminals to infiltrate and encrypt the systems, leading to a ransom demand to restore access.

The aftermath of the breach highlighted the significant disruption to American healthcare. Change Healthcare was locked out of the essential systems impacting medical claims processing across the country. UnitedHealth Group has been diligently working with law enforcement agencies and cybersecurity firms, including Google, Microsoft, Cisco, and Amazon, to investigate the breach and secure affected systems.

However, the ransom payment made by UnitedHealth Group underscores the complex ethical and practical considerations surrounding ransomware attacks. While paying the ransom may, or may not truly ensure the decryption of systems and the restoration of services, it also incentivizes cybercriminals to continue their nefarious activities.

In response to the breach, UnitedHealth Group has taken proactive measures to support affected healthcare providers, providing over $6.5 billion in accelerated payments and no-interest, no-fee loans to mitigate the financial impact.

This breach serves as a stark reminder of the urgent need for healthcare organizations to prioritize cybersecurity and implement robust defenses against evolving cyber threats. CyberSecOp continues to provide award winning services, standing ready to assist organizations in mitigating risks, conducting comprehensive risk assessments, and implementing tailored cybersecurity strategies to safeguard sensitive data and ensure the integrity of critical systems.

As the healthcare industry grapples with the fallout of this breach, it is imperative for organizations to learn from these events and strengthen their cybersecurity posture to protect patient privacy and maintain the trust of stakeholders.

Together, we can work towards building a more resilient and secure healthcare ecosystem where patient data remains protected and essential services remain uninterrupted.

Read More
CyberSecOp Cybersecurity & Breach News CyberSecOp Cybersecurity & Breach News

Cyber Incident Response: A Comprehensive Guide

In today's world, cyber attacks are a fact of life. Every day, organizations of all sizes are targeted by hackers, criminals, and other malicious actors. While no organization is immune to attack, there are steps that can be taken to minimize the risk of a successful attack and to mitigate the damage caused by an attack that does occur.

One of the most important steps is to have a comprehensive cyber incident response plan in place. A good incident response plan will outline the steps that will be taken to identify, contain, and mitigate a cyber attack. It will also identify the roles and responsibilities of key personnel during an incident.

CyberSecOp is a leading provider of cyber security services. Our Emergency Incident Response team stands ready to support your organization in identifying, mitigating and preventing security incidents. We have the experience and expertise to help you respond to any type of cyber attack, quickly and effectively.

Our team of certified security professionals will work with you to:

  • Identify the nature of the attack

  • Contain the attack and prevent further damage

  • Restore your systems and data

  • Investigate the attack and identify the root cause

  • Develop a plan to prevent future attacks

We understand that a cyber attack can be a disruptive and stressful event. Our team is here to help you through the process and to get your business back up and running as quickly as possible.

The Cyber Incident Response Process

The cyber incident response process can be broken down into the following steps:

  1. Identify the attack. The first step is to identify that an attack has occurred. This may involve detecting suspicious activity, such as unusual logins or changes to network configurations.

  2. Contain the attack. Once an attack has been identified, it is important to contain the attack as quickly as possible. This may involve isolating the affected systems or networks, or removing malicious code.

  3. Mitigate the damage. Once the attack has been contained, it is important to mitigate the damage. This may involve restoring data from backups, or repairing damaged systems. It is also important to investigate the attack to determine how it occurred and to prevent future attacks.

  4. Investigate the attack. Once the attack has been contained, it is important to investigate the attack to determine how it occurred and to prevent future attacks. This may involve gathering evidence, such as logs and network traffic, and interviewing affected employees.

  5. Develop a plan to prevent future attacks. Once the attack has been investigated, it is important to develop a plan to prevent future attacks. This may involve implementing security controls, such as firewalls and intrusion detection systems, and training employees on security best practices.

Cyber Incident Response Resources

There are a number of resources available to help organizations create and implement a cyber incident response plan. Some of these resources include:

  • CyberSecOp can assist with the development of a comprehensive incident response program.

  • The National Institute of Standards and Technology (NIST) has developed a set of guidelines for creating a cyber incident response plan. These guidelines can be found on the NIST website.

  • The SANS Institute offers a number of resources on cyber incident response, including a checklist for creating a plan. These resources can be found on the SANS website.

  • The International Organization for Standardization (ISO) has developed a number of standards for information security, including one for incident response. These standards can be found on the ISO website.

Conclusion

Cyber incident response is an essential part of any organization's security posture. By having a comprehensive plan in place, organizations can minimize the damage caused by a cyber attack and quickly recover from an incident.

If you need help with your cyber incident response plan, please contact CyberSecOp today. We would be happy to help you develop a plan that meets your specific needs.

Read More
CyberSecOp Cybersecurity & Breach News CyberSecOp Cybersecurity & Breach News

Cyber Threats Require New Approach to Design Flaws and Risk  

Now that the year is in full swing, and you’re only left with the distant memories, COVID, and cyber security, what are your business cyber objectives for 2022?

Ours goals are to continue helping businesses:

  1. Improving security for everyone, by doubling the amount or organizations we helped last year (100% our client shows no evidence of a data breach)

  2. Offer competitive pricing, to make security an attainable goal for every organization

  3. Reduce cost and increase security by implementing more automation and artificial intelligence 

Cyber threats are a real threat to all modern businesses, with the evolution of technology in all sectors. Malicious cyberattacks in 2021 forced shutdown of many business operations at an average downtime of a month.  According to multiple reports, the amount of companies who ended paid hackers grew by 300% in 2020, and 200% in 2021. The businesses that were victimized had two options, pay the ransom or go out of business.

Email is the most popular attack vector

Email is still a top attack vector cybercriminal use. A majority of data breaches are caused by attacks on the human layer, but email hacking is much more than phishing.

Top 3 email attacks

  1. Most wire frauds are successful over email communication; the focus trust, in most case the threat actor would be in the middle of a communication between two are more parties. This allows the threat actor to control the conversation, and change wire information.

  2. Threat actor’s setup email rules to keep persistent connections and visibility to gain insight into the organization long after all passwords have been changed.

  3. Threat actors add external emails to distribution groups to keep persistent connect and gain continuous insight into the organization in preparation for their next attack.

Double and Triple Extortion

Cybercriminal groups identified by the FBI responsible for most incidents are known for conducting aggressive “double/triple extortion” ransomware attacks once they have gained access to a network.

In double extortion attacks not only is the victim organization’s data rendered inaccessible until a ransom is paid but the criminals may further monetize the ransomware attack by coupling it with a Distributed Denial of Service (DDoS) attack or selling the stolen data onto other criminal groups.  In some cases, if the organization is not careful, hackers use email, phone, or text to deceive  employees into helping them commit wire fraud.  

Providing security is challenging in any industry, whether you’re talking about agriculture, automobiles, furniture, financial services, or educational. It requires special equipment and knowledge around how things can fail in the field, and a disciplined approach to executing tests that reflect real-world conditions as much as possible.

This is where CyberSecOp can help your organization

We are an independent third-party testing, and compliance readiness firm, operating only within the cybersecurity industry. With our comprehensive suite of services and solutions our team can provide continuous testing, security program development, security tabletop exercise, security awareness training to reduce risk and increase critical testing against sensitive systems, using real-world conditions.

Read More
CyberSecOp Cybersecurity & Breach News CyberSecOp Cybersecurity & Breach News

Holistic Ransomware Security Approach

Do you have a holistic approach for security against ransomware? To prevent events from escalating, consider immediate containment and expert remediation assistance. Ransomware attacks are rampant, and include hackers locking up computer systems and demanding a payment to unlock them. Ransomware has had devastating effects on our infrastructure and economy, impeded emergency responders, stalled tax payments and forced government offices back to pen-and-paper operations for weeks on end.

80% of those who paid their ransom were attacked again, and not even security firms are immune to these attacks.  

What is Ransomware?

Ransomware is a form of malicious software (malware) that is designed to encrypt files on a device, making the files and the systems that rely on them unusable. Malicious actors then demand a ransom payment, usually in the form of cryptocurrency, in exchange for decryption. These malicious actors may also make extortion demands, by threating to release stolen data if a ransom is not paid, or may come back after the fact and demand an additional payment in order to prevent the release of stolen data.

Recent Breach of a Top Security Firm

Accenture, one of the largest security firms around, confirmed in August 2021 that it was hit by a ransomware attack, with a hacker group using the LockBit ransomware reportedly threatening to release the company’s data and sell insider information.

Previously, the cybersecurity firm FireEye had been the first call for help at government agencies and international companies who had been hacked by sophisticated attackers. Yet on Dec 8, 2020, FireEye announced it had been breached, and not just data but also some of its most valuable tools had been stolen. 

Ransomware Impact

The impact of a successful ransomware deployment includes both technical and non-technical challenges, and can be crippling to business operations. Modern-day attackers have developed advanced techniques that now require a holistic security risk mitigation strategy, inclusive from the board to technical practitioners.

The impact of ransomware can include:

·         Temporary, and possibly permanent, loss of your company's data

·         A complete shutdown of your company's operations

·         Financial loss as a result of revenue-generating operations being shut down

·         Financial loss associated with the cost of remediation efforts

·         Permanent damage to your company's reputation

How Can CyberSecOp Help Your Organization?

Holistic Security Risk Mitigation Strategy

A holistic approach to cybersecurity can address the following components and their implications for governance, organizational structures, and processes.  Our holistic security program includes a risk management program, which provides an accurate overview of the risk landscape and governing principles that ensure accurate risk reporting. We address:

  • Assets: Clearly defining critical assets

  • Controls: Differentiated controls to balance security with agility

  • Processes: State-of-the-art and fully tested procedures for optimal security and remediation

  • Organization: Bringing the right skills, most efficient decision making, and effective enterprise-wide cooperation into your organization

  • Governance: Investments in operational resilience, prioritized based on deep transparency into cyber risks including third parties and vendors, covering of the whole value chain

  • Patches: Keeping your network up to date with the latest software patches

  • Software Mitigations: Using robust antivirus and firewall protections in your network

  • Backups: Backing up data securely and separately from your network, and routinely testing restoring from backups

Incident Response Services

Scoping and Investigation

The CyberSecOp Incident Response (IR) Team conducts forensic analysis to identify root causes and ensure rapid containment of ongoing attacks. This swiftness to action helps prevent escalation.

Services and Expert Guidance

CyberSecOp IR Team remediates issues throughout the network and implements updates to configurations, architecture, and tooling.

Advanced Threat Analysis

The CyberSecOp Team conducts in-depth investigations including root cause analysis, malware reverse engineering and comprehensive incident reporting.

How Does Ransomware Infect my Network?

Ransomware, like other forms of malware, seeks to take advantage of poor security practices employed by employees and system administrators. According to the Internet Crime Complaint Center (IC3) the most common methods of infection are:

  • Email Phishing: This social engineering attack vector occurs when a cyber-criminal sends an email which appears to be legitimate, but in fact contains a link to a malicious website or document with a malicious script, which then infects the recipient’s computer and associated network.

  • Remote Desktop Protocol (RDP) Vulnerabilities: RDP is a type of software that allows individuals to control the resources of another computer over the internet. RDP is commonly used by employees working remotely and by system administrators to manage computers from a distance.

  • Software Vulnerabilities: These vulnerabilities are flaws in the code of a piece of software (like Microsoft Word) that can be exploited by threat actors to gain control of a system to deploy malware. A common example would be “macros” that get installed within Microsoft Word or Microsoft Excel that lead to infection.

Best Practices and remedial measures

Users and administrators are advised to take the following preventive measures to protect their computer networks from ransomware infection/ attacks:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.

  • Check regularly for the integrity of the information stored in the databases.

  • Regularly check the contents of backup files of databases for any unauthorized encrypted contents of data records or external elements, (backdoors /malicious scripts.)

  • Ensure integrity of the codes /scripts being used in database, authentication and sensitive systems

  • Establish a Sender Policy Framework (SPF) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.

  • Keep the operating system third party applications (MS office, browsers, browser Plugins) up-to-date with the latest patches.

  • Application white listing/Strict implementation of Software Restriction Policies (SRP)to block binaries running from %APPDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations.

  • Maintain updated Antivirus software on all systems

  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization's website directly through browser

  • Follow safe practices when browsing the web. Ensure the web browsers are secured enough with appropriate content controls.

  • Network segmentation and segregation into security zones - help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.

  • Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.

  • Disable remote Desktop Connections, employ least-privileged accounts. Limit users who can log in using Remote Desktop, set an account lockout policy. Ensure proper RDP logging and configuration.

  • Restrict access using firewalls and allow only to selected remote endpoints, VPN may also be used with dedicated pool for RDP access

  • Use strong authentication protocol, such as Network Level Authentication (NLA) in Windows.

  • Additional Security measures that may be considered are

    • Use RDP Gateways for better management

    • Change the listening port for Remote Desktop

    • Tunnel Remote Desktop connections through IPSec or SSH

    • Two-factor authentication may also be considered for highly critical systems

  • If not required consider disabling, PowerShell / windows script hosting.

  • Restrict users' abilities (permissions) to install and run unwanted software applications.

  • Enable personal firewalls on workstations.

  • Implement strict External Device (USB drive) usage policy.

  • Employ data-at-rest and data-in-transit encryption.

  • Consider installing Enhanced Mitigation Experience Toolkit, or similar host-level anti-exploitation tools.

  • Block the attachments of file types, exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf

  • Carry out vulnerability Assessment and Penetration Testing (VAPT) and information security audit of critical networks/systems, especially database servers from CERT-IN empaneled auditors. Repeat audits at regular intervals.

  • Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report such instances of fraud to CERT-In and Law Enforcement agencies

Our IT & cybersecurity consulting service protects you from cyber criminals in myriad ways. From implementing a cybersecurity program, which include a written information security program and cybersecurity assessment, to purchasing our best-in-class cybersecurity consulting and IT security solutions, engaging with CyberSecOp will lead you in the right direction towards an enhanced security stance. CyberSecOp is an ISO 27001 Certification Organization - join thousands of businesses by putting your security in our hands.

Read More
CyberSecOp Cybersecurity & Breach News CyberSecOp Cybersecurity & Breach News

Why Supply Chain Attacks Keep Happening, and How

Authored by Alison Stuart, Sales Lead at CyberSecOp

Authored by Alison Stuart, Sales Lead at CyberSecOp

What Is a Supply Chain Attack? 

Supply chain attacks have crept to the top of the cybersecurity agenda after hackers alleged to be operating at the Russian government’s direction tampered with a network monitoring tool built by Texas software firm SolarWinds (CNBC), costing the company  $18 million in the first three months of 2021.

The hackers used a supply chain attack to insert malicious code into the Orion system. A supply chain attack works by targeting a third party with access to an organization's systems rather than trying to hack the networks directly. The third-party software, in this case, the SolarWinds Orion Platform, creates a backdoor through which hackers can access and impersonate users and accounts of victim organizations. The malware could also access system files and blend in with legitimate SolarWinds activity without detection, even by antivirus software. SolarWinds was a perfect target for this kind of supply chain attack. Because their Orion software is used by many multinational companies and government agencies, all the hackers had to do was install the malicious code into a new batch of software distributed by SolarWinds as an update or patch. (WhatIs.com)

Why Do Supply Chain Attacks Keep Happening, and How?

The short answer: ensuring the security of every single third-party vendor you interact with is complicated. Even if you require that your vendors are certified to be meeting some particular security standard such as NIST 800-171, that’s no guarantee that they can’t be compromised.

Why Does It Matter If My Vendors Are Secure, As Long As I Am?

Let’s look at what happened to Target. Target was pretty secure, but their HVAC supplier, Fazio Mechanical Services, was not. In 2013, Target was breached through the credentials hackers acquired from Fazio Mechanical Services, and malware was deployed to Target’s point of sale (POS) systems. Those systems collected credit card data from over 40 million shoppers who had visited Target stores during the 2013 holiday season. (NBC) 

So How Did the Breach Impact the Company? 

Not only did Target’s CEO, Gregg Steinhafle, step down within 6 months, but the company reported a 46% drop in profits in the fourth quarter of 2013 compared with the year before. (New York Times) Target spent 100 million dollars upgrading their payment terminals to support Chip-and-PIN enabled cards in response to the attack. Theoretically, that should protect them from future such incidents, right? Wrong. The number of customer cards that Chip-and-PIN-enabled terminals would have been able to stop the bad guys from stealing had Target put the technology in place prior to the breach is 0. Without end-to-end card data encryption, the card numbers and expiration dates can still be stolen and used in online transactions. (Krebs On Security)

Isn’t this Mostly Ancient History?

The Kaseya breach on July 2nd, 2021, left the private sector reeling most recently. A successful ransomware attack on a single company had spread to at least 200 organizations that the company provided software to (and likely far more, according to cybersecurity firm Huntress Labs). That number made it one of the single most enormous criminal ransomware sprees in history. Kaseya announced Friday afternoon (Kaseya) that it was attacked by hackers and warned all its customers to stop using its service immediately. Nearly 40 of its customers were already confirmed to have been hacked as of the evening of the press release.

Protecting your customers from potentially unsafe vendors is essential

Research shows that 2017 alone saw a 200% increase in supply chain attacks (DarkReading), and 56% of surveyed organizations had experienced a breach caused by one of their vendors. In Q1 of this year, The Identity Theft Resource Center (ITRC) said 137 organizations reported being hit by supply chain cyber-attacks at 27 different third-party vendors. The ITRC also indicated that the attacks in Q1 have affected seven million people.  Data breaches included high-profile cyber attacks on IT provider Accellion’s File Transfer Appliance (FTA), which impacted organizations including Shell, the Reserve Bank of New Zealand, Bombardier, and Kroger.

So How Can You Protect Your Company?

The easiest way to protect your company is to ensure you have an active vendor management program. CyberSecOp offers this service to companies of all sizes - contact us now to learn more or explore our Vendor Risk Management Services.

Read More
CyberSecOp Cybersecurity & Breach News CyberSecOp Cybersecurity & Breach News

Three Reasons Why You Need an Incident Response Solution

Imagine the following scenario: you arrive early to work in the morning, plop down at your desk with coffee in hand, and log in to your computer. You’re excited to start working on a big project, but first you are greeted with this message:

incident-reponse-services-blog.jpg

Quickly, you dash over to a colleagues’ desk. They too, have the same message on their desk. You try dialing your IT department, but they don’t start until normal business hours.

What do you do? Where do you even start?

It’s easy to think that the above scenario would never happen to you. In reality, a 2020 survey of 600 businesses in the United States revealed that a staggering 78% had been infected with ransomware that year. The average cost of recovering from a ransomware attack has spiked to $1.85 million in 2021!

Ransomware isn’t the only threat to your business continuity. In February 2021, the state of Texas suffered massive power outages due to a severe winter storm. At least 151 people died as a result. Property damage has been estimated at more than $195 billion.

What do these scenarios have in common? They demonstrate the need to prepare for the worst; this is the essence of Incident Response.

What is Incident Response anyway?

Every organization needs to have an Incident Response Plan (IRP). The team that executes the IRP is the Computer Incident Response Team (CIRT). The most important feature of both the IRP and CIRT is that they are clearly defined before the incident takes place! Disaster recovery is hardest when preparation is lacking.

The Incident Response Plan details who does what if an incident does happen. This can include using alternate systems, notifying stakeholders, or restoring from backups.

Perhaps the most important part of the Incident Response Plan is the postmortem. Now that you’ve recovered, what will you do in order to ensure that attackers won’t attack again using the exact same methods? The Incident Response Team will identify what door the attackers used to get in and make sure it stays shut.

Why do I need Incident Response?

I’m so glad you asked. Here’s three reasons why you need Incident Response for your organization:

1.     The probability of an incident has never been higher.

Ransomware is pervasive. At this point, we need to ask ourselves not “will I get breached?” but “when will I get breached?”

A proper defense has multiple layers. Having a fence around your house is nice, but you’ll still have homeowners’ insurance. Incident Response is a way to mitigate the risks of ransomware that we can’t avoid.

2.     The cost of an incident has never been higher.

How much would it cost to replace your entire infrastructure? The nasty aspect of ransomware is that, in some cases, the only way to ensure that the attackers have been completely removed from your environment is to start from scratch. This means replacing every workstation and server in your organization.

Sometimes, there simply isn’t a price to pay; there may not even be new hardware available to purchase with a global silicon chip shortage.

3.     You can’t afford not to.

Every business owes itself to do a risk analysis of a ransomware attack. What would be the cost of not doing business for an hour? A day? A week? You will find that incident response is a necessary piece of the plan for protecting your assets and business continuity.

CyberSecOp is a leader in the Incident Response field. CyberSecOp consultants are cyber incident response subject matter experts who have collaborated on numerous security projects and operational improvement initiatives. We will support your security operational activities by helping to develop an incident response plan and work with your IT team to mitigate any potential risk. Our teams will create investigative processes and playbooks. In addition, we will be responsible for continuously identifying gaps and managing the improvements in the security response process, technologies, and monitoring. Working closely with internal architecture, engineering, and project management teams will ensure cyber-defense requirements are identified and communicated early in the project life cycle.

Security incident response services with CyberSecOp

  • Support cyber incident response actions to ensure proper assessment, containment, mitigation, and documentation

  • Support cyber investigations for large- and small-scale security incident breaches

  • Review and analyze cyber threats and provide SME support

  • Interact and assist other investigative teams within on time sensitive, critical investigations

  • Participate as part of a close team of technical specialists on coordinated responses and subsequent remediation of security incidents

  • Manage the security monitoring enrollment process to ensure adequate coverage and effectiveness of all new and existing cloud- and on-premise-based applications, services and platforms

  • Maintain detailed tracking plan of all internal/external enrollment outcomes/recommendations and provide support through to implementation

  • Act as a liaison between cyber-defense, engineering, security architecture, network & system operations, and functional project teams to ensure effective project implementation that meets incident response requirements

  • Define baseline security monitoring requirements for all new projects, services, and applications joining your organization's network

  • Facilitate the development and tuning of SIEM rules to support enrollments and ensure high fidelity alerting

 Don’t delay in ensuring that your business can survive any threat. Join CyberSecOp on your journey towards a safe and protected future.

Author: Josh Cabrera

Read More