Credential stuffing is a truly thorny security problem that exploits weaknesses in both human nature and Internet access controls. A credential stuffing attack is using user name/password combinations stolen from one website to try to gain access to other websites. It exploits the tendency of all of us to use the same passwords for multiple websites. Although this is a human weakness, it is also perfectly understandable; it is tedious and difficult to remember many complex passwords. It is also difficult to reliably protect password lists that are in any way accessible over the Internet. I see many articles about password management tools or cryptographic techniques that have been compromised while preparing the MSI Infosec Précis. Even MFA is not invulnerable. Attackers have come up with a number of different MFA bypass attacks lately, and more are certain to follow. Couple all this with the fact that there already are literally billions of user name/password pairs available for sale out there that have already been compromised, and you can see why credential stuffing is such a danger to the security of our private information. It is used constantly by attackers to gain the network foothold they need to launch further attacks such as Ransomware.

How are you supposed to protect yourself and your business from password stuffing attacks? The best solution is for everyone to use strong, unique passwords for each different online account they have. Good luck with that! Even the best of us get lazy or stupid once in a while. Or you can (and probably should) employ strong password managers and MFA. These are good techniques that are largely successful. But as I stated above, even these techniques are not sacrosanct. So, if you can’t stop credential stuffing attacks, you had better be able to detect them quickly and react appropriately.

One way to detect these attacks is through monitoring and analysis. As Scott Matteson, the man who coined the term “credential stuffing,” recommended in a 2019 interview: “Monitor your business metrics for signs that you may already be experiencing credential stuffing or other automation attacks, including poor or declining login success rates, high password reset rates, or low traffic-to-success conversion rates.” Plus: “Analyze the hourly pattern of traffic to your login and other attackable URLs for traffic spikes or volume outside of normal human operating hours for your markets: Real users sleep, automated attacks do not.”

In addition, there are tools and services available that can help you detect password stuffing attacks. As the MSI CEO, Brent Huston, discussed in his blog posted on November 11, MicroSolved’s data leakage detection engine ClawBack™ is one such tool that is useful in detecting stolen credentials that show up on pastebin sites or that have been leaked inadvertently through a variety of ways.

However, detection is not enough. You also need to be able to react quickly and surely when a leak has been detected. This means incorporating credential stuffing into your incident response (IR) plan. The incident response team as a whole should discuss response methods, incorporate them in the written IR plan and include them in their periodic IR training sessions. The combination of awareness of the credential stuffing problem, implementation of rational protection and detection mechanisms and documented response measures are a combination that can help your organization protect itself to best effect.

As the complexity of a computer system increases so does the difficulty of securing it against cyber-attack. In fact, difficulty of protection rises at a more than one-to-one ratio with complexity. This is one of the reasons we at MSI so highly tout extensively segmenting complex networks into “enclaves” with individual firewalls and access controls, as well as strict trust rules on how each enclave can communicate with each other and the outside world. Although this process is complex to develop and implement, once in place it greatly simplifies the protection of critical assets such as industrial controls systems and administration networks.

One reason why it behooves utilities to consider cyber-protections at this level is the exponential rise in the availability and use of Internet of Things (IoT) devices. It seems like every kind of device there is now has a computer in it and can be accessed and administered over a network of some kind. And usually this network is the Internet or is routable to the Internet.

Systems at threat include industrial control systems and the enterprise networks that administer them; they employ more remote access devices every day. IoT devices that are connected to enterprise networks can be just about anything. Smart light bulbs, cameras, heat sensors, voice controllers, televisions, robots… the list is daunting and grows constantly.

Exacerbating this problem for most of the last year has been the pandemic emergency. The need for social distancing and remote working has exploded because of it. And as we all know, in an emergency functionality trumps security every time. Concerns have set up remote conferencing and remote administration systems at a record pace. And even if they have performed some form of risk analysis before, during or after implementation, chances are that they may not have been holistic in their threat and risk analysis.

This brings me back to the enclave computing scheme I mentioned above. To set up proper network segmentation, the first things you need to know are what data/devices are on the network, how data flows between these entities and what trust relationships are implemented in their setup. Until you have a grasp on all of these factors, there is no way you can gauge the full range of negative security effects hooking IoT devices to your enterprise network can have.

So, my advice to Utilities and other users of industrial controls systems is this: do a thorough business impact analysis (BIA) of your enterprise network and all of its connections. The BIA will reveal the factors I mentioned above. It reveals what devices and data are there and their relative criticality. It shows you how data moves and what trusts what. This information is the necessary precursor to accurate risk and threat assessment, and can be the beginning of a new level of information security at your enterprise.

Data breaches are happening every day, and presently, they are often accompanied by ransom demands. It used to be that most ransomware simply encrypted a firm’s data and wanted to get paid for the key to decrypt it again. The answer to this kind of attack is pretty simple: make and securely store backups of your data so that you can reload your systems without paying ransom. This works, but some concerns still pay the ransom to avoid downtime while backups are accessed and systems restored. Unfortunately, the bad guys have a worse trick up their sleeves: threatening to publish your data on the Internet if you don’t pay the ransom.

This is a very thorny problem. If you don’t pay, you are going to have private personal and financial data of your clients exposed, which is going to lead to regulatory scrutiny and loss of business. If you do pay, you are out the expense and you have no guarantee that the cybercriminals won’t publish your data anyway.

Besides ensuring that your data doesn’t get compromised in the first place, the only thing that wealth management firms can do to thwart this problem is ensure that their incident response plan is complete and ready to invoke at a moments notice. This takes good communications, especially internally. This is the responsibility of the CISO in most firms.

The first thing the CISO should do once the incident is validated is to notify the incident response team and get them working on containing the incident and researching how it was perpetrated. From there, the CISO should handle communications. All incident-related communications should go through the CISO. The team should communicate their findings with the CISO, and the CISO in turn should communicate pertinent information with the Board of Directors. They are primarily responsible for the information security program at the firm, and decisions on further communications with regulators, law enforcement and clients should come from them. It is also their responsibility to decide how ransomware demands are to be addressed.

To perform all these functions quickly and efficiently, communications methods and responses to incidents should all be pre-planned and included in the incident response plan. It is also important to practice responses to various likely incident scenarios (table-top exercises are generally used for this). These practice sessions help to speed up actual incident responses and expose holes in the plan that could cripple the response if not corrected.

As I’m sure most of you know, October is National Cybersecurity Awareness Month. The point of this yearly event is to stimulate awareness of the importance of cybersecurity in the workplace and at home. Every year, it seems, cybersecurity becomes more important in the lives of all of us. Identity theft, ransomware, denial of service attacks and a plethora of other cyber-dangers are running rampant and becoming more sophisticated every day. Awareness of these problems and following a few simple security rules can go a surprisingly long way in keeping your networks safe. So why not take advantage of National Cybersecurity Awareness Month to bring awareness to your own personnel and families?

The number one tip I wish to emphasize is this: be wary, think and make sure before you click on a link or answer questions posed by unknown telephone callers. We are all human which means we get in a hurry, we get bored, we lose focus, we get preoccupied and a dozen other frailties. Cybercriminals rely on these human weaknesses to make their cash, and very successful they are at it. As an addendum to this advice, I want to emphasize caution when clicking on links or accessing websites having to do with the Covid-19 emergency or the impending national election. These two subjects are the subjects of more than half of all current phishing attacks.

Next tip: ensure that all of your devices, software applications, operating systems and firmware applications are included in your security maintenance program. Relying solely on WSUS and patching Windows vulnerabilities just doesn’t do the job. All your non-Windows network entities should be updated and patched as well. Also, updating and patching should be applied as soon as possible. You can bet that cybercriminals will not be slow in attacking vulnerable systems.

Tip number three: be very wary of social media use. The amount of private information that we blithely upload to social media sites is astounding! Having been in the intelligence field myself, I know how much information analysts can glean and infer from seemingly harmless business or family facts. You should remember that the information you provide your friends or colleagues on social media is only as private as their own security settings and habits. A good rule of thumb is to not post anything you wouldn’t want a stranger to see. Once again, think before you post!

The last tip I’ll provide here is to use very strong access controls and encrypt every connection and bit of private information you can. With so many of us working from home now, web conferencing is at an all time high. Make sure you use a service that will allow you to encrypt communications. If at all possible, employ multi-factor authentication for web conferences and other sensitive communications as well. If MFA is impossible, use a nice long passphrase instead of some weird nonsensical eight-digit password you can’t remember anyway. Entropy is where it’s at!

Automobile dealerships have problems when it comes to information security. One of these problems is that, being relatively small organizations, they have limited resources to expend on information security. Exacerbating this problem is the fact that dealerships are difficult to secure and are juicy targets for cyber-criminals and identity thieves.

What do I mean by “juicy targets?” Dealerships of necessity must collect a great deal of personal private information about their customers in order to do business. This not only includes names, addresses, phone numbers and email addresses, but also potentially includes information such as Social Security Numbers, credit ratings and other financial information. Criminals can exploit this level of information to cause all sorts of mischief and make lots of money.

What do I mean by difficult to secure? Dealerships typically have various sales departments (i.e. new, used, fleet), service departments, finance departments and body shops. All of these departments employ computers and most of these departments are also accessible to customers. In addition, dealership personnel are often called upon to leave customers and computers unattended while they perform various tasks away from their areas. This means that there are lots of “attack surfaces,” both physical and cyber, for cyber-criminals to try to exploit.

One  inexpensive and effective way for dealerships to fight these problems is to ensure that access to your computer networks is well secured. There are basically two ways for attackers to access your computer networks: through a physical connection or a wireless connection. If your dealership still uses wired connections for workstations (many don’t), you should ensure that these connections are secure from tampering. You don’t want unattended customers to be able to successfully plug their devices into an open port and get access to your network. Access via these ports should be limited to approved MAC addresses, or should employ some other access controls to prevent casual network access.

Even more important than this, though, is ensuring that your dealership wireless networks are properly configured and secured. On top of having the same vulnerabilities as wired networks, wireless networks have the added weakness of working via electromagnetic signals that can be accessed by anybody in range. To secure your wireless networks, you should follow best practices advice including:

• Use strong access controls to limit access to wireless networks to only authorized users. Multi-part authentication is strongly recommended for this.
• Ensure that your wireless network employs strong protocols like WPA2 and is fully encrypted.
• Ensure that wireless access points and other networking equipment are fully secured. It is preferable to have this equipment secured in locked rooms or cabinets. It’s even better if access to this equipment is logged to individuals.
• Ensure that your wireless systems are securely configured. Change all vendor default passwords, and ensure other device settings conform to best practices recommendations.
• Ensure that your wireless devices and software applications receive proper security maintenance, and are well updated and patched.
• Separate your wireless networks into segments and ensure that only those with a business need to know can access each segment.
• Ensure that guest networks are available and properly secured. Each user of the guest network should have separate access control to prevent other guest network users from illicitly spying and compromising others on the network.
• If you are allowing your employees to use their own devices to access the production wireless networks, ensure that these devices are secured according to best practices recommendations. Also ensure that users are fully educated in their responsibilities for maintaining wireless security.
• Monitor your wireless networks with an eye for anomalies and misconfigurations.

Following these and other good network security recommendations can greatly increase information security at your dealership without having to expend inordinate amounts of money and employee time.

Ransomware has been a sad fact of business life for some time now. It has proven to be an effective money maker for cyber-attackers, and so is constantly being developed and improved by the bad guys. We think of the typical ransomware attack as someone compromising your network, encrypting your data and demanding ransom payment for the key to decrypt it again. But credit unions are one of those businesses that are regulated; they must protect private Member information according to FFIEC and NCUA 748 recommendations and requirements. That makes them especially sensitive to another, enhanced type of ransomware attack in which the attackers also threaten to release private information to the public unless paid off. This type of coercion bypasses incident response and business continuity measures. It doesn’t matter if you can restore your systems from backup if you already have a public data breach.

Even if a compromised credit union has kept an average information security program in place and therefore is not heavily trod upon by the regulators, the business will still be damned by the court of public opinion if data breach occurs. This loss of reputation could seriously affect the credit union and could also lead to large expenditures in credit monitoring and spin doctoring efforts. So, for credit unions, the best answer is to protect your network and private information from being compromised in the first place.

First, strong encryption and key management are a must with this type of regulated information. Private member information should be well encrypted not only when being transmitted, but also when at rest on all systems. Over years of security testing, we have noticed many businesses that do a pretty good job of encryption, but then miss something crucial like databases or backups. This is like building a safe with a screen door in it! Another encryption problem we have noticed is poor key management practices. We have seen keys stored on production systems and not properly protected in other ways. An encryption system is only as good as its key management system. If you do the encryption and key management part correctly, the attackers won’t be able to read Member data even if they manage to get their hands on it.

Next is network security mechanisms and monitoring practices. It’s not good enough to simply build a series of walls to keep the bad guys out; you need to post guards to keep an eye on things as well. It’s the same with network security; you not only need to have effective security mechanisms in place, you need to have humans in the loop to add that detection ability that no machine can truly equal. That is why we recommend that credit unions don’t spend all of their infosec dollars on extravagant machines or software, and ensures adequate resources are set aside to properly staff the information security department. A decent, well configured firewall, full logging and log aggregation, an adequate AV package and egress filtering and monitoring can go a long way when properly employed and monitored by competent staff.

Configuration and privileged access control are also key. In most ransomware attacks, cyber-criminals employ phishing techniques or exploit network vulnerabilities to gain a foothold on businesses’ internal networks. But to mount a successful ransomware attack, they must also be able to maneuver around the network and to elevate their network privileges. On most networks, unfortunately, this is not a daunting task. Attackers can crack password hashes on user machines looking for admin passwords that they can then use to access other hosts and repeat the exercise. They can do this because most networks use common admin passwords on multiple machines. They also have generally “flat” networks that are not properly segmented according to the principles of least privilege and need to know. These practices can allow attackers to gain domain admin-level access to the system, and that is game over. In addition, many businesses are lax when it comes to privileged access control. Many sys-admins use the same password for simple network access as well as for admin access to the system. Plus, when a new admin user is added to the system, or privileges have been highly elevated for a normal user, no alerts are made and nobody is monitoring the access control list. All of these practices should be curtailed if you want to get serious about network protection.

The final control I’ll mention in this blog is user education and buy-in to the information security program at your credit union. Employees and partners can be your worst security enemy or your greatest security asset. To be truly effective, personnel not only should receive infosec training and awareness reminders regularly, they should also be actively enlisted by the credit union as troops in the fight against network compromise. Their worth to the company in this effort should be extolled, and good performance should get praise and recognition. Even little perks like a good parking spot or small bonus can really motivate personnel.

Implementing these kinds of effective controls can seriously increase your resistance to all type of network attacks including ransomware. However, I don’t mean to say that these controls can replace the need for decent incident response and business continuity programs; you need those too. This is because, as we all should know by now, no information security program is or can be perfect!