The Big Disaster: Protection From Vicious Cyberattacks

Cyberattacks are on the rise. Don’t let your organization fall victim to one. Learn how your organization is at risk and how to safeguard your business.

Carolyn Norton

Director of Cloud


    It’s scary, and not everyone’s favorite topic, but let’s face it: there are highly motivated malicious actors who spend all their time trying to hack into your organization, for financial gain or out of sheer malice. I liken it to COVID: it’s not a matter of IF you will get the virus, but WHEN. You know all about the virus (cyber and human), you’ve safeguarded yourself with vaccines and other precautions, but you must stay constantly vigilant. When you do suffer from COVID or a cyberattack, you can’t operate at top performance, and you don’t know what the long-term effects will be.

    How do they get in? The most common ways are an old, unpatched vulnerability in an internet-facing system; a phishing email that fools an employee; access credentials purchased from other criminals or harvested from earlier data leaks (the raw material that ransomware-as-a-service (RaaS) groups and their affiliates trade in); or any of the other tactics cybercriminals use to infiltrate a company’s network. Organizations are most vulnerable when the IT department is siloed, during employee turnover, or when they have just been hit by a cyberattack, are halfway back up, and are hit again.

    The most famous recent attack came in 2021, when Colonial Pipeline, one of the largest pipeline operators in the United States, supplying roughly 45% of the East Coast’s fuel (gasoline, diesel, home heating oil, jet fuel and military supplies), was hit.¹ A ransomware outbreak linked to the Russia-based DarkSide group struck Colonial Pipeline’s corporate network, and the company shut the pipeline down for nearly a week. The attackers got in through a legacy VPN account that was not protected by multifactor authentication, exfiltrated material from the company’s shared internal drive, and demanded approximately $5 million for the files. Within hours of the attack the company paid a ransom of about 75 Bitcoin (roughly $4.4 million at the time) in exchange for a decryption tool, which proved so slow that the company’s own business continuity tooling was more effective in restoring operational capacity.

    The Colonial Pipeline incident sheds light on how organizations can prepare for, and respond to, ransomware and other cybersecurity incidents that involve similar attack vectors: a single remote-access credential without a second factor was enough to give the attackers their foothold.

    The number of cyberattacks per week on corporate networks increased 50 percent in 2021 compared to 2020, peaking at an all-time high in December. The number, intensity and variety of these attacks is increasing in 2022 as cybercriminals continue to devise new strategies to launch sophisticated attacks.²

    Executive Order

    In response to the Colonial Pipeline attack and other high-profile incidents, President Biden signed an executive order on May 12, 2021, that raises software security standards for products sold to the government, tightens detection and security on existing federal systems, improves information sharing and training, establishes a Cyber Safety Review Board, and improves incident response.³ The United States Department of Justice also convened a cybersecurity task force to increase prosecutions.

    The 18-page order includes numerous ambitious requirements with deadlines ranging from 14-360 days and is divided into sections relating to, among other things:

    • Removal of contractual barriers to information sharing
    • Mandated use of multifactor authentication and encryption and security best practices
    • Building security into software from the ground up
    • Requiring baseline incident response capabilities
    • Enabling better endpoint detection and response systems to detect malicious activity
    • Creating event logging so that incidents can be better detected and mitigated

    While it pertains specifically to federal networks, in taking a bold step to chart a new course, the order encourages “private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”

    Is your Organization a Target?

    Although any organization is a potential target, many malicious actors go after small businesses thinking that their security is not as iron-clad. Typically, smaller organizations have not invested as much money into disaster recovery and business continuity as larger companies. Among small businesses with fewer than 250 employees, the average reported cyberattack cost was about $25,600, according to a 2021 report from Hiscox, an insurance provider.⁴ That amount could be enough to shutter some small firms. Cybersecurity Ventures expects global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.⁵ 

    “Cybercrime is very opportunistic,” says Nathan Little, vice president of digital forensics and incident response for Tetra Defense, a cyber risk management company that assists insurers and companies in preventing and recovering from cyberattacks. “Every company, no matter what the size, is an opportunity for a cybercriminal to make some kind of money.”

    Larger organizations and government entities are not safe either, as Colonial Pipeline, Wal-Mart and the recent New Hampshire school system breach demonstrate. Attackers also get in through trusted vendors that have not properly safeguarded their own systems, so a supplier’s weakness becomes yours.

    How to Protect your Organization

    Many organizations lack an appropriate level of preparedness to defend against disastrous attacks. Even firms that have invested in cybersecurity broadly may be unaware of how to prepare for, and defend specifically against, ransomware attacks. There are many ways to protect your organization from cyberattacks, but these are the top ones, based on my experience.

    1. Manage control of users

    The most significant cyberattack risk at your organization is the end user. A team of hackers can craft the most potent cocktail of malware, but if no one opens it, the attack is useless. The biggest threat is weak passwords. Hackers are sophisticated and have moved beyond guessing your favorite ice cream flavor or your childhood pet: automated cracking and credential-stuffing tools try every combination of letters, numbers and symbols, or replay passwords leaked from other sites, at machine speed.

    • Most breaches start with email, the main way employees communicate. It’s important to train employees on what a phishing email looks like, and to test them regularly.
    • It’s smart to move to a zero-trust, least-privilege environment in which users can reach only what their job actually requires.
    • Multifactor authentication is the quickest way to protect an identity, but it’s even better to move to a passwordless environment that identifies users with biometrics or a hardware security key; Microsoft has several tools for this. Not all second factors are equal: SMS codes and push prompts can be phished or fatigued out of a user, whereas FIDO2 security keys are phishing-resistant because the credential is bound to the site it was registered with and never leaves the key. The key holds the credential and can be protected with an additional factor such as a fingerprint reader built into the key or a PIN entered at Windows sign-in, and it works independently of form factor (USB, NFC or Bluetooth).

    2. Move to the Cloud

    As businesses have shifted to remote or hybrid work environments, it’s smarter than ever to move to the cloud for anywhere, anytime access. Microsoft Azure is built on a foundation of trust and security. With significant investments in security, compliance, privacy, and transparency, Azure provides a secure foundation to host your infrastructure, applications, and data in the cloud. Microsoft also provides built-in security controls and capabilities to further help you protect your data and applications on Azure.

    Not quite ready to move to the cloud? We regularly help customers with on-prem security measures, as well as a roadmap to the cloud.

    • The cloud is like having an alarm system for your home: you still must arm it and close the windows and doors. Under the shared responsibility model, patching your VMs, configuring access and monitoring your own workloads remain your job. Microsoft enables actionable intelligence against increasingly sophisticated attacks using a network of global threat monitoring and insights. This threat intelligence is developed by analyzing a wide variety of signal sources at massive scale (for example, customers authenticate with Microsoft services over 450 billion times every month, and Microsoft scans 200 billion emails for malware and phishing each month). Azure includes intrusion detection, distributed denial-of-service (DDoS) attack prevention, penetration testing, behavioral analytics, anomaly detection, and machine learning. You can leverage additional services to develop a strong threat prevention, detection, and mitigation strategy.
    • Azure Active Directory serves as a central system for managing access across all your cloud services, including Azure, Office 365, and hundreds of popular SaaS and PaaS cloud services. Its federation capability means that you can use on-premises identities and credentials to access those services, and Azure Multi-Factor Authentication adds a second factor to every sign-in, which is exactly the control that was missing on the account the Colonial Pipeline attackers used.
    • Azure provides security-hardened infrastructure to interconnect Azure VMs as well as make connections to on-premises datacenters. Additionally, you can extend your on-premises network to the cloud using secure site-to-site VPN or a dedicated Azure ExpressRoute connection. You can strengthen network security by configuring Network Security Groups, user-defined routing, IP forwarding, forced tunneling, endpoint ACLs, and Web Application Firewall as appropriate.

    3. Back up your data!

    If a client has been breached, the very first thing we ask them is whether their data is backed up. Cloud platforms make this easy to automate (Azure Backup, for example), but it still has to be configured, and for on-prem or hybrid customers it’s an important question. It can mean the difference between a dead-in-the-water and a business-as-usual scenario. One caveat: a backup that is reachable with the same credentials as production can be deleted or encrypted by the same attacker, so keep at least one copy offline or immutable, and test that you can actually restore from it. In addition to ransomware attacks, you need a backup in case of system crashes, hard drive failures, theft or simply human error. Your data is too precious to lose.

    • In the event of a disaster, getting your business up and running again quickly can give you a competitive advantage. Many businesses around the world have suffered huge losses and reputation damage after losing data. Often, being able to assure your customers and partners that you have a solid data backup and recovery plan can also make your business seem more reliable than those that don’t.
    • Proper planning means your doors can stay open in the face of a data disaster. Any interruption in your company’s day-to-day activity can reduce productivity and cause more than just data loss. Solid storage and recovery solutions can ensure you are one of the surviving businesses if you go through the unfortunate experience of data loss. Reducing downtime is one of the major reasons why data backups are important.
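    Having a backup only helps if the copy you restore from is still the copy you took. As an added example (my illustration, not a Velosio or Microsoft tool), the Python script below records a SHA-256 manifest at backup time and later compares the restored tree against it, which is how you catch a backup that ransomware has silently encrypted or partially deleted. The files, directory names and the simulated tampering are all constructed for the demo; nothing outside a temporary directory is touched.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large backups never have to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored):
    """Compare a restored tree against the manifest recorded at backup time.

    Returns which files vanished, which changed content, and which appeared
    (a ransom note dropped into the backup shows up as "extra").
    """
    actual = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(k for k in manifest.keys() & actual.keys()
                           if manifest[k] != actual[k]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def demo():
    """Constructed end-to-end run: back up, tamper with the copy, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        prod = tmp / "prod"
        (prod / "docs").mkdir(parents=True)
        (prod / "docs" / "plan.txt").write_text("Q3 plan: migrate ERP to Azure\n")
        (prod / "docs" / "ledger.csv").write_text("date,amount\n2022-03-01,1200\n")
        (prod / "config.ini").write_text("[db]\nhost=db01\n")

        # 1. Take the backup and record the manifest. In real life the manifest
        #    (and ideally the backup) lives somewhere production credentials
        #    cannot reach, otherwise the attacker just rewrites both.
        backup = tmp / "backup"
        shutil.copytree(prod, backup)
        (tmp / "manifest.json").write_text(json.dumps(build_manifest(prod), indent=2))

        # 2. Simulate what ransomware does to a backup it can reach: one file is
        #    overwritten with ciphertext-looking bytes, another is deleted, and a
        #    ransom note is dropped.
        (backup / "docs" / "plan.txt").write_bytes(b"\x8f\x12\xa7\x00" * 32)
        (backup / "docs" / "ledger.csv").unlink()
        (backup / "README_TO_RESTORE.txt").write_text("pay us\n")

        # 3. "Restore" here is simply reading the backup tree back; verify it.
        saved = json.loads((tmp / "manifest.json").read_text())
        return verify_restore(saved, backup)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))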

    4. Purchase Cybersecurity Insurance

    Many businesses are now required to purchase cybersecurity insurance, especially if they store important, sensitive customer information such as phone numbers, credit card numbers, Social Security numbers, or protected health information covered by HIPAA.

    • Businesses that store their own financial data and any personal customer data should at least consider first-party coverage. For example, a business that is the victim of a ransomware attack can lose valuable data, such as financial records, if it is unable to respond to the payment demands. With first-party coverage, the business’s insurer can step in to cover part or all the ransom, depending on the coverage limits of the policy.
    • If you store more significant personal information about your customers, you will want to look into liability coverage, also called third-party coverage. Unlike first-party coverage, cyber liability policies cover legal fees and judgments in cases where people sue your business for damages caused by a cyberattack.
    • If an affected customer decides to sue because of the fallout from the data breach, you’ll need liability coverage to cover the legal fees and expenses. Small businesses that work with other companies’ data should also consider liability coverage as a viable option.
    • Most small businesses carry around $1 million in cybersecurity coverage limits, which generally protects them against most cyber incidents. Businesses have different risks and needs, though, so an insurance agent can help you determine what level of coverage is right for your business.

    A Helpful Checklist

    Right now, drop everything, and perform this simple checklist to better safeguard your organization.

    • Pair your data backup plan with a disaster recovery plan
    • Define strong password policies
    • Remove stale user accounts
    • Change the default username for admins
    • Restrict user privileges
    • Encrypt sensitive business data
    • Keep applications and firmware up to date
    • Audit employee login and logoff behavior
    • Manage USB connections
    • Keep an offline backup copy on removable drives or media
    • Utilize cloud-based backup
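    The “attempts every combination” tooling from section 1 and the checklist items “Remove stale user accounts” and “Audit employee login and logoff behavior” all come down to the same data: your sign-in log. As an added example (my illustration, not a Velosio or Microsoft tool), the Python script below runs three checks over a constructed log: an account hammered with failures (brute force), one source address failing against many different accounts (password spray, which a per-account threshold misses), and accounts with no successful sign-in in 90 days. The key=value line format, the account list, the timestamps and the thresholds are assumptions for the demo; adapt the regex to whatever your SIEM or Azure AD sign-in export actually looks like.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (made up for this example, not real data).
# The format is a hypothetical normalized export, not a real product's output.
SAMPLE_LOG = """\
2021-11-15T10:00:00Z user=frank ip=10.0.0.12 result=SUCCESS
2022-03-01T08:00:01Z user=alice ip=10.0.0.5 result=SUCCESS
2022-03-01T08:01:10Z user=bob ip=10.0.0.9 result=SUCCESS
2022-03-01T09:00:00Z user=svc-backup ip=203.0.113.7 result=FAIL
2022-03-01T09:00:02Z user=svc-backup ip=203.0.113.7 result=FAIL
2022-03-01T09:00:04Z user=svc-backup ip=203.0.113.7 result=FAIL
2022-03-01T09:00:06Z user=svc-backup ip=203.0.113.7 result=FAIL
2022-03-01T09:00:08Z user=svc-backup ip=203.0.113.7 result=FAIL
2022-03-01T09:00:10Z user=svc-backup ip=203.0.113.7 result=FAIL
2022-03-01T13:00:00Z user=alice ip=198.51.100.20 result=FAIL
2022-03-01T13:00:30Z user=bob ip=198.51.100.20 result=FAIL
2022-03-01T13:01:00Z user=carol ip=198.51.100.20 result=FAIL
2022-03-01T13:01:30Z user=dave ip=198.51.100.20 result=FAIL
2022-03-01T13:02:00Z user=erin ip=198.51.100.20 result=FAIL
2022-03-01T14:00:00Z user=carol ip=10.0.0.7 result=FAIL
2022-03-01T14:00:20Z user=carol ip=10.0.0.7 result=SUCCESS
"""
# Hypothetical directory listing of accounts that exist (e.g. a Get-ADUser export).
KNOWN_ACCOUNTS = ["alice", "bob", "carol", "dave", "erin", "frank", "svc-backup"]
NOW = datetime(2022, 3, 2, tzinfo=timezone.utc)  # fixed "today" for the demo

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) result=(SUCCESS|FAIL)$")


def parse_events(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m.group(2), "ip": m.group(3), "ok": m.group(4) == "SUCCESS"})
    return events


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts with >= threshold failed sign-ins inside any `window` (one account hammered)."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["user"]].append(e["ts"])
    hits = {u: _max_in_window(ts, window) for u, ts in fails.items()}
    return {u: n for u, n in hits.items() if n >= threshold}


def find_password_spray(events, threshold=5, window=timedelta(minutes=30)):
    """Source IPs that fail against >= threshold distinct accounts inside `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_ip[e["ip"]].append((e["ts"], e["user"]))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        in_window = defaultdict(int)  # user -> failures inside the current window
        start = best = 0
        for t, user in fails:
            in_window[user] += 1
            while t - fails[start][0] > window:  # drop failures that aged out
                old = fails[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= threshold:
            hits[ip] = best
    return hits


def find_stale_accounts(events, known_accounts, now, max_age=timedelta(days=90)):
    """Accounts with no successful sign-in within max_age: candidates to disable."""
    last_ok = {}
    for e in events:
        if e["ok"] and (e["user"] not in last_ok or e["ts"] > last_ok[e["user"]]):
            last_ok[e["user"]] = e["ts"]
    return sorted(u for u in known_accounts if u not in last_ok or now - last_ok[u] > max_age)


def analyze(text=SAMPLE_LOG, known_accounts=KNOWN_ACCOUNTS, now=NOW):
    events = parse_events(text)
    return {
        "brute_force": find_brute_force(events),
        "password_spray": find_password_spray(events),
        "stale_accounts": find_stale_accounts(events, known_accounts, now),
    }


if __name__ == "__main__":
    for finding, value in analyze().items():
        print(f"{finding}: {value}")
```

On the sample data this flags svc-backup (six failures in ten seconds), the spraying address 198.51.100.20 (five accounts in two minutes), and dave, erin, frank and svc-backup as accounts nobody has successfully used in 90 days. Service accounts like svc-backup are worth a second look before you disable them, but an account that only ever appears in failed sign-ins is exactly the kind of stale credential an attacker will eventually guess.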

    Additionally, I recommend taking this quick assessment to see where there may be holes in your security operations. Get in touch, and let me know if we can partner with you to look at your current security measures and make recommendations. In the meantime, STAY SAFE out there!

    References 

    1. https://www.cnbc.com/2021/06/08/colonial-pipeline-ceo-testifies-on-first-hours-of-ransomware-attack.html
    2. https://spanning.com/blog/cyberattacks-2021-phishing-ransomware-data-breach-statistics/
    3. Executive Order 14028, Improving the Nation’s Cybersecurity, The White House, May 12, 2021. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
    4. https://www.nerdwallet.com/article/small-business/cybersecurity-insurance
    5. https://cybersecurityventures.com/cybercrime-damage-costs-10-trillion-by-2025/

    Velosio Viewpoint LIVE: The Big Disaster - A Campfire365 Podcast Recap
