
CYBER SECURITY CONSULTING SERVICE AWARDS AND RECOGNITIONS

CyberSecOp's comprehensive managed security services, cyber security consulting, professional services, and data protection technology are recognized as industry-leading threat detection and response solutions by major analyst firms, key media outlets, and others.

CyberSecOp Cybersecurity & Breach News

Hackers Now Utilizing Standard Tools in Data Breaches

Several significant developments have emerged in today's dynamic cybersecurity landscape, highlighting threat actors' evolving tactics and the critical importance of robust cybersecurity measures.

Firstly, the emergence of ShrinkLocker, a ransomware variant exploiting Windows BitLocker, underscores cybercriminals' adaptability in leveraging built-in encryption features for malicious purposes.

Secondly, pharmacy benefit management company Sav-Rx's disclosure of a data breach affecting 2.8 million Americans underscores the ongoing challenges in safeguarding sensitive personal and medical information.

Standard tools are now being employed against organizations, as hackers no longer need to develop or learn new techniques, all while evading detection. This trend has significantly reduced the time required to execute a successful attack, particularly because most organizations rely on well-known software.

1. Ransomware Exploits Windows BitLocker

A new strain of ransomware, dubbed ShrinkLocker, has surfaced. It leverages the Windows BitLocker feature to encrypt victim data. Threat actors are manipulating BitLocker, a full-volume encryptor integrated into the Windows operating system, to encrypt entire hard drives, rendering data inaccessible. Researchers from Kaspersky have identified this new threat, highlighting the importance of robust cybersecurity defenses.

2. Sav-Rx Discloses Data Breach

Pharmacy benefits management company Sav-Rx has disclosed a data breach affecting 2.8 million Americans. The cyberattack, which occurred last October, resulted in the theft of personal data, including sensitive medical information. Investigations into the breach have been ongoing for eight months, underscoring the complex nature of cyber incidents and the importance of timely detection and response.

3. New ATM Malware Poses Global Threat

A new strain of ATM malware has been advertised on the dark web, claiming to compromise a significant percentage of ATMs worldwide. Targeting machines from leading manufacturers, including Diebold Nixdorf and NCR, the malware seriously threatens financial institutions and consumers. The availability of a three-day trial further underscores the sophistication of cybercriminal tactics.

4. Phishing Campaign Targets Finance Companies

A phishing campaign employing a Python clone of the popular game Minesweeper has surfaced, targeting finance companies in Europe and the U.S. The campaign utilizes malicious scripts hidden within the game code to install remote management software, granting threat actors access to compromised systems. Vigilance against phishing attempts remains essential in mitigating cyber risks.

5. High-Severity Vulnerability Affects Cisco Firepower Management Center

Cisco has issued a warning regarding a high-severity vulnerability in the web-based management interface of the Firepower Management Center (FMC) Software. Exploitable via SQL injection, the vulnerability poses a significant risk to organizations using Cisco's security solutions. Immediate action is advised to mitigate potential exploitation. 

6. Recovery Efforts Continue at Ascension Following Cyberattack

Healthcare network Ascension is gradually recovering from a recent cyberattack, which disrupted operations across its 140 member hospitals and senior care centers. The incident underscores the critical importance of cybersecurity in safeguarding patient care and sensitive medical information. Despite ongoing recovery efforts, challenges persist, highlighting the far-reaching impact of cyber incidents on healthcare organizations.

7. Courtroom Recording Software Compromised with Backdoor Installer

Justice AV Solutions (JAVS), a widely used technology for recording courtroom proceedings, has been compromised by hackers. A backdoor installer implanted in a software update allows threat actors to gain complete control of systems, posing significant privacy and security risks. Organizations utilizing JAVS technologies are advised to address the security issue and mitigate potential threats immediately.

Stay informed and proactive about evolving cyber threats. Cybersecurity remains a top priority for safeguarding digital assets and maintaining trust in an increasingly interconnected world.

In summary, the cybersecurity landscape continues to evolve, presenting complex challenges for organizations and individuals alike. By remaining vigilant, proactive, and leveraging robust cybersecurity solutions, stakeholders can effectively mitigate risks and safeguard against emerging threats in an increasingly interconnected digital environment.


Understanding the UnitedHealth Data Breach: Lessons Learned and Cybersecurity Imperatives

In recent months, the healthcare industry has been rocked by a significant number of cybersecurity breaches, the most prolific of which was at UnitedHealth Group. This breach sheds light on the critical importance of robust cybersecurity measures in safeguarding sensitive patient data and ensuring the continuity of essential services. 

Below we delve into the details of this breach and explore its broader implications for cybersecurity in the healthcare industry as a whole.

The breach at UnitedHealth's tech unit on February 12th was orchestrated by hackers who gained remote access to the network using stolen login credentials. This breach, attributed to the cybercriminal gang AlphV, aka BlackCat, underscored the vulnerabilities inherent in relying solely on passwords for authentication, particularly the absence of multi-factor authentication (MFA). The compromised Change Healthcare Citrix portal, lacking MFA, provided an open gateway for cybercriminals to infiltrate and encrypt the systems, leading to a ransom demand to restore access.

The aftermath of the breach highlighted the significant disruption to American healthcare. Change Healthcare was locked out of the essential systems impacting medical claims processing across the country. UnitedHealth Group has been diligently working with law enforcement agencies and cybersecurity firms, including Google, Microsoft, Cisco, and Amazon, to investigate the breach and secure affected systems.

However, the ransom payment made by UnitedHealth Group underscores the complex ethical and practical considerations surrounding ransomware attacks. While paying the ransom may, or may not truly ensure the decryption of systems and the restoration of services, it also incentivizes cybercriminals to continue their nefarious activities.

In response to the breach, UnitedHealth Group has taken proactive measures to support affected healthcare providers, providing over $6.5 billion in accelerated payments and no-interest, no-fee loans to mitigate the financial impact.

This breach serves as a stark reminder of the urgent need for healthcare organizations to prioritize cybersecurity and implement robust defenses against evolving cyber threats. CyberSecOp continues to provide award-winning services, standing ready to assist organizations in mitigating risks, conducting comprehensive risk assessments, and implementing tailored cybersecurity strategies to safeguard sensitive data and ensure the integrity of critical systems.

As the healthcare industry grapples with the fallout of this breach, it is imperative for organizations to learn from these events and strengthen their cybersecurity posture to protect patient privacy and maintain the trust of stakeholders.

Together, we can work towards building a more resilient and secure healthcare ecosystem where patient data remains protected and essential services remain uninterrupted.


Cyber Incident Response: A Comprehensive Guide

In today's world, cyber attacks are a fact of life. Every day, organizations of all sizes are targeted by hackers, criminals, and other malicious actors. While no organization is immune to attack, there are steps that can be taken to minimize the risk of a successful attack and to mitigate the damage caused by an attack that does occur.

One of the most important steps is to have a comprehensive cyber incident response plan in place. A good incident response plan will outline the steps that will be taken to identify, contain, and mitigate a cyber attack. It will also identify the roles and responsibilities of key personnel during an incident.

CyberSecOp is a leading provider of cyber security services. Our Emergency Incident Response team stands ready to support your organization in identifying, mitigating and preventing security incidents. We have the experience and expertise to help you respond to any type of cyber attack, quickly and effectively.

Our team of certified security professionals will work with you to:

  • Identify the nature of the attack

  • Contain the attack and prevent further damage

  • Restore your systems and data

  • Investigate the attack and identify the root cause

  • Develop a plan to prevent future attacks

We understand that a cyber attack can be a disruptive and stressful event. Our team is here to help you through the process and to get your business back up and running as quickly as possible.

The Cyber Incident Response Process

The cyber incident response process can be broken down into the following steps:

  1. Identify the attack. The first step is to identify that an attack has occurred. This may involve detecting suspicious activity, such as unusual logins or changes to network configurations.

  2. Contain the attack. Once an attack has been identified, it is important to contain the attack as quickly as possible. This may involve isolating the affected systems or networks, or removing malicious code.

  3. Mitigate the damage. Once the attack has been contained, it is important to mitigate the damage. This may involve restoring data from backups, or repairing damaged systems.

  4. Investigate the attack. Once the attack has been contained, it is important to investigate the attack to determine how it occurred and to prevent future attacks. This may involve gathering evidence, such as logs and network traffic, and interviewing affected employees.

  5. Develop a plan to prevent future attacks. Once the attack has been investigated, it is important to develop a plan to prevent future attacks. This may involve implementing security controls, such as firewalls and intrusion detection systems, and training employees on security best practices.

Cyber Incident Response Resources

There are a number of resources available to help organizations create and implement a cyber incident response plan. Some of these resources include:

  • CyberSecOp can assist with the development of a comprehensive incident response program.

  • The National Institute of Standards and Technology (NIST) has developed a set of guidelines for creating a cyber incident response plan. These guidelines can be found on the NIST website.

  • The SANS Institute offers a number of resources on cyber incident response, including a checklist for creating a plan. These resources can be found on the SANS website.

  • The International Organization for Standardization (ISO) has developed a number of standards for information security, including one for incident response. These standards can be found on the ISO website.

Conclusion

Cyber incident response is an essential part of any organization's security posture. By having a comprehensive plan in place, organizations can minimize the damage caused by a cyber attack and quickly recover from an incident.

If you need help with your cyber incident response plan, please contact CyberSecOp today. We would be happy to help you develop a plan that meets your specific needs.


Defending Against Cybersecurity Threats: Best Practices for Individuals and Organizations

Cybersecurity breaches have become increasingly common in recent years, affecting organizations and individuals alike. According to a report by Risk Based Security, there were over 18,000 publicly disclosed data breaches in the first half of 2021, resulting in the exposure of over 18 billion records. This represents a 47% increase in the number of breaches compared to the same period in 2020.

The consequences of a cybersecurity breach can be severe and long-lasting. Breaches can lead to the theft of sensitive data, financial losses, reputational damage, and legal liabilities. For businesses, a cybersecurity breach can result in lost productivity, customer loss, and damage to the company's brand and reputation.

To address the growing threat of cybersecurity breaches, organizations need to take a proactive approach to cybersecurity. This includes implementing robust security measures, regularly monitoring systems for signs of intrusion, and educating employees about safe online practices. Organizations should also have an incident response plan in place to quickly and effectively respond to a breach if one occurs.

Individuals can also take steps to protect themselves from cybersecurity breaches, such as using strong and unique passwords, enabling two-factor authentication, and being cautious of phishing attacks.

Defending against cyber security threats

Defending against cyber security threats is a complex and ongoing process that requires a combination of technical, administrative, and physical measures. Here are some general steps you can take to improve your cyber security posture:

  1. Keep software and systems up-to-date: Regularly update your operating system, applications, and antivirus software to patch vulnerabilities and fix bugs.

  2. Use strong and unique passwords: Use complex passwords and avoid using the same password across multiple accounts. Consider using a password manager to generate and store strong passwords.

  3. Enable two-factor authentication: Enable two-factor authentication (2FA) on all your online accounts, which adds an extra layer of security beyond passwords.

  4. Be cautious of phishing attacks: Be suspicious of emails or messages that ask for personal or financial information or contain suspicious links. Always verify the source before providing any information.

  5. Use a firewall: A firewall can help protect your network by filtering traffic and blocking unauthorized access.

  6. Back up your data regularly: Back up your important data regularly to protect against data loss in case of a security breach or hardware failure.

  7. Limit access to sensitive data: Restrict access to sensitive data to only those who need it and use secure methods to share data.

  8. Educate yourself and others: Stay informed about the latest cyber security threats and educate others, including employees, family members, and friends, about safe online practices.

Remember, cyber security is an ongoing process, and it requires constant attention and vigilance. By implementing these steps, you can help protect yourself and your organization from cyber threats.

In conclusion, cybersecurity breaches are a growing threat that can have severe consequences for both organizations and individuals. By implementing robust security measures and staying vigilant, organizations and individuals can help reduce the risk of a breach and minimize the impact if one occurs.


Healthcare Cyber Breaches and Statistics

Cyber breaches in the healthcare industry can have serious consequences, as they can compromise the confidentiality, integrity, and availability of sensitive patient information. These breaches can lead to financial loss, damage to reputation, and regulatory fines for the affected organizations. They can also have serious consequences for patients, including identity theft, financial loss, and harm to their physical and mental health.

According to a survey conducted by the Healthcare Information and Management Systems Society (HIMSS) in 2018, only 36% of healthcare organizations reported having a fully implemented cybersecurity program. The survey also found that only 37% of healthcare organizations had a formal incident response plan in place, and only 29% had regularly scheduled cybersecurity training for employees.

There have been several high-profile healthcare cyber breaches in recent years, including the 2017 WannaCry ransomware attack that affected the National Health Service in the UK and the 2018 breach of the health insurance company Anthem, which exposed the personal information of nearly 79 million individuals.

According to the US Department of Health and Human Services (HHS), the healthcare industry has consistently had the highest number of reported data breaches of any sector. In 2020, the HHS received reports of 1,363 breaches affecting a total of over 36 million individuals. The most common types of breaches reported were hacking/IT incidents (43.8%), unauthorized access/disclosure incidents (33.7%), and theft incidents (22.5%).

It is important for healthcare organizations to implement robust cybersecurity measures to protect patient information and prevent cyber breaches. This includes regularly updating and patching systems, training employees on cybersecurity best practices, and implementing strong passwords and access controls.

High-Profile Cyber Breaches in the Healthcare Industry

There have been several high-profile cyber breaches in the healthcare industry in recent years. Some examples include:

  • In 2021, the health insurance company Premera Blue Cross announced a data breach that affected over 11 million individuals. The breach occurred in 2014, but was not discovered until 2015. The company discovered that hackers had gained access to its systems and had potentially accessed personal and medical information of its customers.

  • In 2020, the healthcare provider UnityPoint Health suffered a data breach that affected over 1.4 million individuals. The breach occurred when an employee fell victim to a phishing attack, which allowed hackers to gain access to the company's systems and potentially view or steal patient information.

  • In 2019, the healthcare provider Quest Diagnostics announced a data breach that affected nearly 12 million individuals. The breach occurred when an unauthorized third party gained access to the company's systems and potentially accessed patient information.

  • In 2018, the health insurance company Anthem suffered a data breach that affected nearly 79 million individuals. The breach occurred when hackers gained access to the company's systems and potentially accessed the personal and medical information of its customers.

It is important for healthcare organizations to implement robust cybersecurity measures to protect against cyber breaches and prevent the unauthorized access or disclosure of sensitive patient information.

Healthcare HIPAA and Cyber Protection

The Health Insurance Portability and Accountability Act (HIPAA) is a US law that sets standards for protecting certain health information. HIPAA requires covered entities (such as healthcare providers, health plans, and healthcare clearinghouses) and their business associates to implement safeguards to protect the privacy and security of protected health information (PHI).

HIPAA requires covered entities to implement physical, technical, and administrative safeguards to protect PHI. These safeguards include:

  • Physical safeguards: measures to secure the physical environment where PHI is stored, such as locking doors and securing servers.

  • Technical safeguards: measures to protect against unauthorized access to PHI, such as firewalls, encryption, and access controls.

  • Administrative safeguards: policies and procedures to ensure the proper handling of PHI, such as training employees on HIPAA requirements and conducting risk assessments.

HIPAA also requires covered entities to report certain types of breaches of PHI to the Department of Health and Human Services (HHS) and, in some cases, to affected individuals.

It is important for covered entities and their business associates to comply with HIPAA requirements to protect the privacy and security of PHI and prevent cyber breaches. This includes implementing appropriate safeguards and regularly reviewing and updating their HIPAA compliance programs.


Healthcare is a Top 3 Cyber Target

Attacks on the healthcare industry are on the rise, as noted in a recent article published by CyberSecOp. Healthcare providers of all sizes are subject to attack; in this case, CHRISTUS Health learned of “unauthorized access”, likely similar to the 254 ransomware incidents that targeted patient care facilities worldwide between June 2020 and April 2022. Patients are at risk, both their health and their PII, since threat actors can alter and/or add to patient billings with no notice of impropriety. The true impact will be hard to discern until more time and data are collected, but we know one thing for sure: the healthcare industry needs to take cybersecurity as seriously as it does patient care and follow its own advice: Plan, Prevent, Protect and Respond.

Plan – Getting a risk assessment to identify and understand your cybersecurity vulnerabilities is one of the most critical steps, as that awareness leads to a prioritized remediation plan. Even a chink in the armor will have your patients, employees, and community concerned, because a cyber-attack will likely affect critical operations: the prize is financial data and patient and employee Personally Identifiable Information (PII).

Prevent – After an assessment is completed, you need a trusted and reliable cybersecurity organization to help you select the right framework and controls to be measured against, such as HITRUST, HITECH, HIPAA and PCI. These guidelines help define the appropriate critical security controls for effective cyber defense. The work can include awareness training, policy creation & enforcement, and security controls, as well as incident response readiness and governance. It’s a journey, not a sprint.

Protect – Most remediation plans include investments in endpoint protection, dark web monitoring, and digital trust goals that ensure the technology investments already made, as well as future ones, work in harmony. Like a Rubik’s cube, the goal is to have every facet of your organization in order, not just to celebrate a single win. It is important to have a managed security partner protecting your patients, employees, devices, and data with monitored protection systems, managed & encrypted backups, and a Security Operations Center staffed with certified security professionals watching and engaging on your behalf 24x7x365.

Respond – Did you know that a threat actor will live in your ecosystem for an average of 121 days, mining sensitive data, passwords, organization charts, and behaviors before acting? Nearly 95% of ransomware attacks are preventable, so what starts as a threat becomes a technology issue, then a business risk issue, and eventually a decision-making and communications issue at the board level. Do you pay the ransom or not? Are we able to recover our data? Has the threat actor accessed our PII? And, equally important, how do you keep from reaching this point again? Having an incident response assessment and plan might be the one thing you do even if you don’t buy into everything else. You should receive an IT assessment of “how capable are we of thwarting an attack?” and “how able are we to recover if breached?” Buying cyber insurance is not the silver bullet it used to be, so having an incident partner who is proactively focused on your company’s sensitive data and reputation is paramount.

Not unlike a hospital, there are two main ways to approach cybersecurity: coming in through the Emergency Room, or through the front door proactively for testing. I recommend the latter. A proactive health check, like a stress test, is the best step to understanding your ability to fight off an attack. The results may drive adjustments in behavior and readiness, such as endpoint detection, policy creation & enforcement, and security training. If you do enter the ER, don’t panic, because you read this blog and signed up a reputable security partner to react and respond: quarantining affected systems to prevent the ransomware from spreading, resetting all passwords, checking your backups, activating your existing crisis/DR plans, and negotiating with the threat actor if that is the best business decision, communicating carefully along the way with detailed documentation. The moral of this story is that hope is not a strategy, so know your security scorecard and realize cyber readiness is a journey, not a sprint.

Author: Christopher Yula


Cyber Threats Require New Approach to Design Flaws and Risk  

Now that the year is in full swing, and you’re only left with the distant memories, COVID, and cyber security, what are your business cyber objectives for 2022?

Our goals are to continue helping businesses by:

  1. Improving security for everyone, by doubling the number of organizations we helped last year (100% of our clients show no evidence of a data breach)

  2. Offering competitive pricing, to make security an attainable goal for every organization

  3. Reducing cost and increasing security by implementing more automation and artificial intelligence

Cyber threats are a real threat to all modern businesses, given the evolution of technology in all sectors. Malicious cyberattacks in 2021 forced the shutdown of many business operations, with an average downtime of a month. According to multiple reports, the number of companies that ended up paying hackers grew by 300% in 2020, and 200% in 2021. The businesses that were victimized had two options: pay the ransom or go out of business.

Email is the most popular attack vector

Email is still a top attack vector that cybercriminals use. A majority of data breaches are caused by attacks on the human layer, but email hacking is much more than phishing.

Top 3 email attacks

  1. Most wire frauds succeed over email communication by exploiting trust: in most cases the threat actor sits in the middle of a communication between two or more parties. This allows the threat actor to control the conversation and change wire information.

  2. Threat actors set up email rules to keep persistent access and visibility, gaining insight into the organization long after all passwords have been changed.

  3. Threat actors add external email addresses to distribution groups to keep persistent access and gain continuous insight into the organization in preparation for their next attack.
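Detection logic for the three email attacks above, as an added example that is not part of the original post or any CyberSecOp tooling: it audits a constructed export of mailbox rules and distribution group members, flagging rules that forward or redirect mail outside the organization (item 2), rules that silently delete or hide payment-related mail (the man-in-the-middle setup in item 1), and groups containing external addresses (item 3). The organization domains, the hidden-folder and keyword lists, and the record layout are assumptions, not any vendor's schema.

```python
"""Audit mailbox rules and distribution groups for the persistence and
wire-fraud patterns described in the post.  All sample data is constructed."""
from dataclasses import dataclass, field
from typing import Iterable, List

ORG_DOMAINS = {"example.com", "corp.example.com"}      # assumed org domains

# Folders attackers commonly file mail into so the victim never sees it
# (assumed list; extend for your tenant).
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "archive", "conversation history"}

# Subject keywords that, when silently deleted or hidden, suggest a rule
# built to intercept payment conversations (assumed list).
PAYMENT_KEYWORDS = ("wire", "invoice", "payment", "bank", "account")


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""
    subject_contains: List[str] = field(default_factory=list)


@dataclass
class DistributionGroup:
    name: str
    members: List[str]


@dataclass
class Finding:
    severity: str
    subject: str
    reason: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def external_addresses(addresses: Iterable[str], org_domains=ORG_DOMAINS) -> List[str]:
    """Return the addresses whose domain is not one of the organization's."""
    return [a for a in addresses if domain_of(a) not in org_domains]


def audit_inbox_rules(rules: Iterable[InboxRule], org_domains=ORG_DOMAINS) -> List[Finding]:
    findings = []
    for r in rules:
        if not r.enabled:                       # disabled rules carry no risk today
            continue
        ext = external_addresses(r.forward_to + r.redirect_to, org_domains)
        if ext:                                 # persistent visibility after password reset
            findings.append(Finding("high", f"{r.mailbox}/{r.name}",
                "forwards or redirects mail outside the organization: " + ", ".join(ext)))
        hides = r.delete_message or r.move_to_folder.lower() in HIDDEN_FOLDERS
        payment = any(k in w.lower() for w in r.subject_contains for k in PAYMENT_KEYWORDS)
        if hides and payment:                   # victim never sees the real payment thread
            findings.append(Finding("high", f"{r.mailbox}/{r.name}",
                "silently deletes or hides payment-related mail"))
    return findings


def audit_distribution_groups(groups: Iterable[DistributionGroup],
                              org_domains=ORG_DOMAINS) -> List[Finding]:
    findings = []
    for g in groups:
        ext = external_addresses(g.members, org_domains)
        if ext:                                 # outsider receives every group message
            findings.append(Finding("medium", g.name,
                "has external members: " + ", ".join(ext)))
    return findings


# Constructed sample export: one benign rule, one external forward with a
# throwaway name, one hiding rule on the accounts-payable mailbox, one disabled.
SAMPLE_RULES = [
    InboxRule("cfo@example.com", "Archive newsletters",
              move_to_folder="Newsletters", subject_contains=["newsletter"]),
    InboxRule("cfo@example.com", ".", forward_to=["cfo.backup@mail-example.net"]),
    InboxRule("ap@example.com", "Vendor cleanup", delete_message=True,
              subject_contains=["wire transfer", "invoice"]),
    InboxRule("ap@example.com", "Old rule", enabled=False,
              redirect_to=["someone@attacker.example"]),
]
SAMPLE_GROUPS = [
    DistributionGroup("finance-team", ["cfo@example.com", "ap@example.com"]),
    DistributionGroup("all-staff", ["cfo@example.com", "updates@mail-example.net"]),
]


def run_audit(rules=SAMPLE_RULES, groups=SAMPLE_GROUPS) -> List[Finding]:
    return audit_inbox_rules(rules) + audit_distribution_groups(groups)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.severity}] {f.subject}: {f.reason}")
```

Run the same functions over a real rule and group export and review every high finding with the mailbox owner; a rule the owner did not create is the persistence the post describes.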

Double and Triple Extortion

Cybercriminal groups identified by the FBI responsible for most incidents are known for conducting aggressive “double/triple extortion” ransomware attacks once they have gained access to a network.

In double extortion attacks, not only is the victim organization’s data rendered inaccessible until a ransom is paid, but the criminals may further monetize the ransomware attack by coupling it with a Distributed Denial of Service (DDoS) attack or selling the stolen data to other criminal groups. In some cases, if the organization is not careful, hackers use email, phone, or text to deceive employees into helping them commit wire fraud.

Providing security is challenging in any industry, whether you’re talking about agriculture, automobiles, furniture, financial services, or education. It requires special equipment and knowledge about how things can fail in the field, and a disciplined approach to executing tests that reflect real-world conditions as closely as possible.

This is where CyberSecOp can help your organization

We are an independent third-party testing and compliance readiness firm, operating only within the cybersecurity industry. With our comprehensive suite of services and solutions, our team can provide continuous testing, security program development, security tabletop exercises, and security awareness training to reduce risk and increase critical testing against sensitive systems, using real-world conditions.


Holistic Ransomware Security Approach

Do you have a holistic approach for security against ransomware? To prevent events from escalating, consider immediate containment and expert remediation assistance. Ransomware attacks are rampant, and include hackers locking up computer systems and demanding a payment to unlock them. Ransomware has had devastating effects on our infrastructure and economy, impeded emergency responders, stalled tax payments and forced government offices back to pen-and-paper operations for weeks on end.

80% of those who paid their ransom were attacked again, and not even security firms are immune to these attacks.  

What is Ransomware?

Ransomware is a form of malicious software (malware) that is designed to encrypt files on a device, making the files and the systems that rely on them unusable. Malicious actors then demand a ransom payment, usually in the form of cryptocurrency, in exchange for decryption. These malicious actors may also make extortion demands, by threatening to release stolen data if a ransom is not paid, or may come back after the fact and demand an additional payment in order to prevent the release of stolen data.

Recent Breach of a Top Security Firm

Accenture, one of the largest security firms around, confirmed in August 2021 that it was hit by a ransomware attack, with a hacker group using the LockBit ransomware reportedly threatening to release the company’s data and sell insider information.

Previously, the cybersecurity firm FireEye had been the first call for help at government agencies and international companies who had been hacked by sophisticated attackers. Yet on Dec 8, 2020, FireEye announced it had been breached, and not just data but also some of its most valuable tools had been stolen. 

Ransomware Impact

The impact of a successful ransomware deployment includes both technical and non-technical challenges, and can be crippling to business operations. Modern-day attackers have developed advanced techniques that now require a holistic security risk mitigation strategy, inclusive from the board to technical practitioners.

The impact of ransomware can include:

  • Temporary, and possibly permanent, loss of your company's data

  • A complete shutdown of your company's operations

  • Financial loss as a result of revenue-generating operations being shut down

  • Financial loss associated with the cost of remediation efforts

  • Permanent damage to your company's reputation

How Can CyberSecOp Help Your Organization?

Holistic Security Risk Mitigation Strategy

A holistic approach to cybersecurity can address the following components and their implications for governance, organizational structures, and processes.  Our holistic security program includes a risk management program, which provides an accurate overview of the risk landscape and governing principles that ensure accurate risk reporting. We address:

  • Assets: Clearly defining critical assets

  • Controls: Differentiated controls to balance security with agility

  • Processes: State-of-the-art and fully tested procedures for optimal security and remediation

  • Organization: Bringing the right skills, most efficient decision making, and effective enterprise-wide cooperation into your organization

  • Governance: Investments in operational resilience, prioritized based on deep transparency into cyber risks, including third parties and vendors, covering the whole value chain

  • Patches: Keeping your network up to date with the latest software patches

  • Software Mitigations: Using robust antivirus and firewall protections in your network

  • Backups: Backing up data securely and separately from your network, and routinely testing restoring from backups

Incident Response Services

Scoping and Investigation

The CyberSecOp Incident Response (IR) Team conducts forensic analysis to identify root causes and ensure rapid containment of ongoing attacks. This speed of action helps prevent escalation.

Services and Expert Guidance

The CyberSecOp IR Team remediates issues throughout the network and implements updates to configurations, architecture, and tooling.

Advanced Threat Analysis

The CyberSecOp Team conducts in-depth investigations including root cause analysis, malware reverse engineering and comprehensive incident reporting.

How Does Ransomware Infect my Network?

Ransomware, like other forms of malware, seeks to take advantage of poor security practices by employees and system administrators. According to the Internet Crime Complaint Center (IC3), the most common methods of infection are:

  • Email Phishing: This social engineering attack vector occurs when a cyber-criminal sends an email that appears legitimate but in fact contains a link to a malicious website, or an attached document carrying a malicious script, which then infects the recipient’s computer and the connected network.

  • Remote Desktop Protocol (RDP) Vulnerabilities: RDP is a protocol that allows a user to control the resources of another computer over a network or the internet. It is commonly used by employees working remotely and by system administrators to manage computers from a distance.

  • Software Vulnerabilities: These are flaws in the code of a piece of software (such as Microsoft Word) that threat actors can exploit to gain control of a system and deploy malware. A common example is a malicious “macro” embedded in a Microsoft Word or Microsoft Excel document that runs when the document is opened and leads to infection.

Best Practices and Remedial Measures

Users and administrators are advised to take the following preventive measures to protect their computer networks from ransomware infection or attack:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.

  • Check regularly for the integrity of the information stored in the databases.

  • Regularly check the contents of database backup files for any unauthorized encrypted data records or foreign elements (backdoors, malicious scripts).

  • Ensure the integrity of the code and scripts used in database, authentication, and other sensitive systems.

  • Publish a Sender Policy Framework (SPF) record for your domain. SPF is an email validation system designed to prevent spam by detecting email spoofing, the route by which most ransomware samples reach corporate mailboxes.

  • Keep the operating system and third-party applications (MS Office, browsers, browser plugins) up to date with the latest patches.

  • Use application whitelisting or strictly enforced Software Restriction Policies (SRP) to block binaries running from the %APPDATA% and %TEMP% paths; ransomware samples are generally dropped into and executed from these locations.

  • Maintain updated antivirus software on all systems.

  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If a URL appears genuine, close the e-mail and go to the organization's website directly through your browser.

  • Follow safe practices when browsing the web. Ensure web browsers are hardened with appropriate content controls.

  • Segment the network and segregate it into security zones to help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and Virtual Local Area Networks (VLANs).

  • Disable ActiveX content in Microsoft Office applications such as Word, Excel, etc.

  • Disable Remote Desktop connections where they are not required and employ least-privileged accounts. Limit the users who can log in using Remote Desktop and set an account lockout policy. Ensure proper RDP logging and configuration.

  • Restrict RDP access using firewalls, allowing only selected remote endpoints; a VPN with a dedicated address pool for RDP access may also be used.

  • Use a strong authentication protocol, such as Network Level Authentication (NLA) in Windows.

  • Additional security measures that may be considered:

    • Use RDP Gateways for better management

    • Change the listening port for Remote Desktop

    • Tunnel Remote Desktop connections through IPSec or SSH

    • Two-factor authentication may also be considered for highly critical systems

  • If not required, consider disabling PowerShell and Windows Script Host.

  • Restrict users' abilities (permissions) to install and run unwanted software applications.

  • Enable personal firewalls on workstations.

  • Implement a strict external device (USB drive) usage policy.

  • Employ data-at-rest and data-in-transit encryption.

  • Consider installing the Enhanced Mitigation Experience Toolkit (EMET; Microsoft has since retired it in favor of the Exploit Protection feature of Windows Defender Exploit Guard) or similar host-level anti-exploitation tools.

  • Block e-mail attachments of the following file types: exe, pif, tmp, url, vb, vbe, scr, reg, cer, pst, cmd, com, bat, dll, dat, hlp, hta, js, wsf.

  • Carry out Vulnerability Assessment and Penetration Testing (VAPT) and information security audits of critical networks and systems, especially database servers, using CERT-In empanelled auditors. Repeat audits at regular intervals.

  • Individuals and organizations are not encouraged to pay the ransom, as this does not guarantee files will be released. Report such instances of fraud to CERT-In and law enforcement agencies.
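The SPF item in the list above states the goal in one sentence; the following added example (not CyberSecOp's code) shows how a receiving mail gateway evaluates a domain's SPF record against the connecting sender's IP address, so that a spoofed envelope sender for a domain that publishes `-all` is rejected. It assumes a constructed in-memory record table in place of DNS lookups (the domain names and addresses are sample data from documentation ranges), and it implements only the ip4, ip6, include and all mechanisms.

```python
"""Minimal SPF (RFC 7208) evaluator for the ip4, ip6, include and all mechanisms.
Added example, not CyberSecOp's code. DNS is replaced by a constructed in-memory
table so it runs offline; a/mx/ptr/exists, macros and redirect= are unsupported."""
import ipaddress

# Constructed sample records using documentation address ranges (not real DNS).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
    "_spf.mail.example": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.1 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records=SPF_RECORDS):
    """Return the domain's SPF record from the table, or None if absent."""
    record = records.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(sender_ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate sender_ip against the domain's SPF policy and return an SPF result."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; also stops include loops
        return "permerror"
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        if "=" in term:  # modifier, not a mechanism
            if term.lower().startswith("redirect="):
                return "permerror"  # redirect= is not implemented in this example
            continue  # unknown modifiers are ignored (RFC 7208 section 6)
        qualifier = "+"  # a mechanism without an explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix length
            matched = ip in network  # False when the address families differ
        elif name == "include":
            inner = check_spf(sender_ip, arg, records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # the included domain must publish a valid record
            matched = inner == "pass"  # fail/softfail/neutral: keep evaluating
        else:
            return "permerror"  # a, mx, ptr, exists and macros are unsupported
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term was present


def gateway_verdict(mail_from, client_ip, records=SPF_RECORDS):
    """Map the SPF result for an envelope sender (MAIL FROM) to a gateway action."""
    result = check_spf(client_ip, mail_from.rpartition("@")[2], records)
    actions = {"fail": "reject", "softfail": "quarantine", "permerror": "quarantine"}
    return result, actions.get(result, "accept")
```

With the sample table, `gateway_verdict("billing@example.com", "203.0.113.9")` returns `("fail", "reject")` because the address matches no mechanism and the record ends in `-all`, while the same sender from `198.51.100.7` passes via the included record.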

Our IT & cybersecurity consulting service protects you from cyber criminals in myriad ways. From implementing a cybersecurity program, which includes a written information security program and a cybersecurity assessment, to purchasing our best-in-class cybersecurity consulting and IT security solutions, engaging with CyberSecOp will lead you in the right direction towards an enhanced security stance. CyberSecOp is an ISO 27001 Certification Organization - join thousands of businesses by putting your security in our hands.


Why Supply Chain Attacks Keep Happening, and How

Authored by Alison Stuart, Sales Lead at CyberSecOp

What Is a Supply Chain Attack? 

Supply chain attacks have crept to the top of the cybersecurity agenda after hackers alleged to be operating at the Russian government’s direction tampered with a network monitoring tool built by Texas software firm SolarWinds (CNBC), costing the company $18 million in the first three months of 2021.

The hackers used a supply chain attack to insert malicious code into the Orion system. A supply chain attack works by targeting a third party with access to an organization's systems rather than trying to hack the networks directly. The third-party software, in this case, the SolarWinds Orion Platform, creates a backdoor through which hackers can access and impersonate users and accounts of victim organizations. The malware could also access system files and blend in with legitimate SolarWinds activity without detection, even by antivirus software. SolarWinds was a perfect target for this kind of supply chain attack. Because their Orion software is used by many multinational companies and government agencies, all the hackers had to do was install the malicious code into a new batch of software distributed by SolarWinds as an update or patch. (WhatIs.com)

Why Do Supply Chain Attacks Keep Happening, and How?

The short answer: ensuring the security of every single third-party vendor you interact with is complicated. Even if you require that your vendors are certified to be meeting some particular security standard such as NIST 800-171, that’s no guarantee that they can’t be compromised.

Why Does It Matter If My Vendors Are Secure, As Long As I Am?

Let’s look at what happened to Target. Target was pretty secure, but their HVAC supplier, Fazio Mechanical Services, was not. In 2013, Target was breached through the credentials hackers acquired from Fazio Mechanical Services, and malware was deployed to Target’s point of sale (POS) systems. Those systems collected credit card data from over 40 million shoppers who had visited Target stores during the 2013 holiday season. (NBC) 

So How Did the Breach Impact the Company? 

Not only did Target’s CEO, Gregg Steinhafle, step down within 6 months, but the company reported a 46% drop in profits in the fourth quarter of 2013 compared with the year before. (New York Times) Target spent 100 million dollars upgrading their payment terminals to support Chip-and-PIN enabled cards in response to the attack. Theoretically, that should protect them from future such incidents, right? Wrong. Had Target put Chip-and-PIN-enabled terminals in place prior to the breach, the number of customer cards they would have stopped the bad guys from stealing is 0. Without end-to-end card data encryption, the card numbers and expiration dates can still be stolen and used in online transactions. (Krebs On Security)

Isn’t this Mostly Ancient History?

Most recently, the Kaseya breach on July 2nd, 2021, left the private sector reeling. A successful ransomware attack on a single company had spread to at least 200 organizations that the company provided software to (and likely far more, according to cybersecurity firm Huntress Labs). That number made it one of the largest criminal ransomware sprees in history. Kaseya announced Friday afternoon (Kaseya) that it was attacked by hackers and warned all its customers to stop using its service immediately. Nearly 40 of its customers were already confirmed to have been hacked as of the evening of the press release.

Protecting your customers from potentially unsafe vendors is essential

Research shows that 2017 alone saw a 200% increase in supply chain attacks (DarkReading), and 56% of surveyed organizations had experienced a breach caused by one of their vendors. In Q1 of this year, the Identity Theft Resource Center (ITRC) said 137 organizations reported being hit by supply chain cyber-attacks at 27 different third-party vendors. The ITRC also indicated that the attacks in Q1 have affected seven million people. Data breaches included high-profile cyber attacks on IT provider Accellion’s File Transfer Appliance (FTA), which impacted organizations including Shell, the Reserve Bank of New Zealand, Bombardier, and Kroger.

So How Can You Protect Your Company?

The easiest way to protect your company is to ensure you have an active vendor management program. CyberSecOp offers this service to companies of all sizes - contact us now to learn more or explore our Vendor Risk Management Services.


Vishing Awareness

Vishing

Spoofing a legitimate phone number, voice phishing scammers lead people to believe the call is legitimate

What is Vishing?

We’ve all heard the countless stories about phishing and how much of a threat it is in today’s information security landscape. Social engineering to solicit confidential information via email is a threat that all of us have been made aware of. Extensive efforts have been made not only to reduce the influx of phishing emails, but also to raise awareness so that users have the know-how to assess and respond to the threat when a malicious email hits their inbox.

In response, threat actors have turned to a newer form of exploitation: vishing. Vishing is a form of criminal phone fraud that uses social engineering over the phone or SMS to gain confidential information. Here are some examples:

  • Fake call from “Help Desk” asking for credentials

  • Unsolicited calls for credit and loans

  • Calls from a fake client asking about an invoice

Vishing is becoming an increasingly favored tool for attackers due to the Covid-19 pandemic. With the shift to work-from-home environments, corporate VPNs, and the elimination of in-person verification, threat actors are shifting their tactics to exploit this widespread weakness.

How do I protect my firm against Vishing?

  1. Security awareness is the best line of defense against this type of attack, so be sure to incorporate vishing education into your information security awareness program. Policies and procedures should be established and communicated so that employees can verify the caller's identity when the helpdesk or anyone else from the company calls and asks for proprietary information. It is imperative that information security managers instill a sense of suspicion towards any caller asking for such information.

  2. Enabling MFA on any system, network, or account that has access to confidential information is non-negotiable; that second factor of authentication can halt many types of attacks. When you enable MFA, avoid using SMS as the second factor, as SMS is easily manipulated and exploited.

  3. Lastly, always apply least privilege so that in the event an account is compromised, there will be minimal damage.

AUTHOR: CARLOS NETO

Information Security Officer


What is a Data Breach?

A data breach is the unauthorized access, use, disclosure, or theft of sensitive, confidential, or personal information. Data breaches can occur when cybercriminals gain access to a system or database and steal or expose the information stored there. They can also occur when information is accidentally or improperly disclosed by an individual or organization.

Data breaches can have serious consequences, including financial losses, reputational damage, and legal liabilities. They can also have serious impacts on individuals whose information is compromised, including identity theft and other forms of fraud.

There are several ways that data breaches can occur, including through cyber attacks, such as hacking and ransomware, and through physical means, such as the loss or theft of a device containing sensitive information. To prevent data breaches, it is important for individuals and organizations to implement strong security measures, such as using strong passwords, regularly updating software and operating systems, and implementing controls to prevent unauthorized access to sensitive information.

Data Breach Laws

There are various laws that protect against data breaches and provide consequences for individuals and organizations that fail to protect sensitive information. These laws vary by jurisdiction, but some common examples include:

  1. The General Data Protection Regulation (GDPR) is a data protection law that applies to organizations in the European Union (EU) and European Economic Area (EEA). It requires organizations to protect personal data and to report certain types of data breaches to authorities and individuals affected by the breach.

  2. The Health Insurance Portability and Accountability Act (HIPAA) is a law that applies to the healthcare industry in the United States. It requires organizations that handle protected health information (PHI) to implement safeguards to protect the privacy and security of PHI.

  3. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that apply to organizations that handle payment card information. It requires organizations to implement measures to protect against data breaches and to report certain types of data breaches to authorities and card issuers.

In addition to these laws, many countries have their own data protection laws that apply to the collection, use, and storage of personal information. It is important for organizations to be aware of and comply with these laws to protect against data breaches and the potential consequences of such breaches.

Preventing Data Breaches

There are several steps that individuals and organizations can take to prevent data breaches and protect sensitive information:

  1. Use strong, unique passwords: Use strong, unique passwords for all accounts and devices, and regularly update them. Avoid using the same password for multiple accounts.

  2. Enable two-factor authentication: Enable two-factor authentication, which requires the use of a second form of authentication in addition to a password, for all accounts and devices.

  3. Keep software and operating systems up to date: Regularly update software and operating systems to ensure that the latest security patches are installed.

  4. Use a firewall: Use a firewall to block incoming connections from known malicious sources.

  5. Use antivirus software: Use antivirus software to identify and block malware, including ransomware.

  6. Implement access controls: Implement controls to prevent unauthorized access to sensitive information, such as by requiring users to authenticate before accessing certain data or systems.

  7. Regularly back up data: Regularly back up data and store it in a secure location to minimize the impact of a data breach.

  8. Train employees: Train employees on the importance of data security and best practices for protecting sensitive information.

By implementing these measures, individuals and organizations can significantly reduce their risk of suffering a data breach and the potential consequences of such a breach.
