It’s the Holidays and Tax Time – Watch Out for the Seasonal Scams

It’s the end of the year again (already!), and as usual, there are lots of scams out there having to do with the holidays and tax time. Cybercriminals use such scams every year because they work. People are busy trying to shop and get ready for the holidays, and often become a little frazzled and careless. Prepping for tax time often just adds to these burdens. A perfect time to pull a scam! Here are a couple that were in the news this week.

This one was in Security News, and this is the gist: “Experts Urge Users to Ignore Facebook Christmas Bonus Scam. Identity theft experts are warning Facebook users to be on the lookout for a “Christmas bonus” scam which appears to be endorsed by their friends on the social network. Variations on these scams appear to have been circulating on Facebook since at least 2015. Most recently, users are being targeted by messages claiming to offer them a “Christmas bonus” or “Christmas benefit,” according to the non-profit Identity Theft Resource Center (ITRC). …Although there are variations on this theme, the bottom line is that the scammers want either victims’ personal information or their money, or both. They will usually ask for personal details in order to process the ‘bonus.’ They may also ask for a small ‘transfer fee’ in order to wire the winnings into the victim’s bank account”. Social media: always a ripe venue for scamming.

This is another one that was in Security News about a fraudulent IRS form. Here is a sample: “New IRS Form Fraud Campaign Targets G Suite Users. A new scam using an IRS form as its mechanism has been found targeting users of Google’s G Suite, with as many as 50,000 executives and “important” employees affected so far. The campaign, discovered and reported by researchers at Abnormal Security, claims to contain an IRS W-8BEN form in PDF format. The attached form asks for far more personal information than required on the actual W-8BEN, which is the form needed to maintain a nonresident tax-exemption status. While there is no malware payload attached to the email, providing all the requested information would give the attacker’s a treasure trove of personal info that could be used for identity theft and other fraud.”

Watch out for these and other scams like them. Never trust that simply because a website or document looks legitimate it really is. Smoke, mirrors and misdirection updated for the age of cybercrime!

Is Your Credit Union Ready for the Ransomware Self-Assessment Tool?

I have written a number of blogs lately about the dangers of ransomware to all industries including the financial industry. Ransomware is proving to be the most dangerous and prevalent form of cyber attack today. Realizing this, the Bankers Electronic Crimes Task Force, State Banking Regulators and the United States Secret Service has developed and Ransomware Self-Assessment Tool to be employed by credit unions and other financial institutions to provide them with an overview of their preparedness towards identifying, protecting, detecting, responding and recovering from ransomware attacks. Many financial institutions already have, or soon will be, asked to complete this tool.

As many of you may recognize, “identify”, “protect”, “detect”, “respond” and “recover” make up the five functions of the Framework Core of the NIST Cybersecurity Framework. This is a good clue that credit unions would be wise to base their information security program on this framework if they wish to be proactively compliant with regulatory scrutiny and current “best practices” standards. In my blog post of December 3, I discussed the importance of embracing the Cybersecurity Framework if you want to resist ransomware attacks to the extent possible.

But the Self-Assessment Tool is not limited to questions about your adherence to this framework. In fact, the very first question in the tool asks if Center for Internet Security (CIS) controls are used to mitigate common cybersecurity attacks at your institution. Unless you have actually mapped your information security controls against CIS Top 20 you may not be able to answer this question. The current version of these controls is 7.1 and the control categories included are:

  1. Inventory and control of hardware assets
  2. Inventory and control of software assets
  3. Continuous vulnerability management
  4. Controlled use of administrative privileges
  5. Secure configuration for hardware and software on mobile devices, laptops, workstations and servers
  6. Maintenance, monitoring and analysis of audit logs
  7. Email and web browser protection
  8. Malware defenses
  9. Limitation and control of network ports, protocols and services
  10. Data recovery capabilities
  11. Secure communication for network devices, such as firewalls, routers and switches
  12. Boundary defense
  13. Data protection
  14. Controlled access based on need to know
  15. Wireless access control
  16. Account monitoring and control
  17. Implement a security awareness and training program
  18. Application software security
  19. Incident response and management
  20. Penetration tests and red team exercises

Mapping your controls against the Top 20 is not only useful in responding to the Self-Assessment questionnaire, but is another good way of comparing your information security program to best practices recommendations.

However, the Self-Assessment tool does not stop there. To complete the tool, you will have to have to be able to pinpoint the location of your critical data and who manages it, identify third party vendors who have remote access to your network, identify how all your administrative and user-level access controls are implemented and much more.

If your credit union needs to prepare for responding to this tool, I highly recommend starting out by mapping your information security program to the NIST Cybersecurity Framework and the CIS Top 20 controls. Doing such will pay benefits far beyond completing the tool itself.

Beware of Increasing Attacker Automation

Attacker tools and workflows are getting more and more automated. They are able to quickly integrate a variety of attack techniques and targets to automate wider-scale compromises and exploitation. This increase in automated capabilities applies to all phases of the attacker methodologies.

For example, modern attacker and bot-net tools can integrate stolen credentials use (“credential stuffing”) into a wider variety of approaches. They can automate the work of the attackers when they find a successful login. They can also try those credentials against a wider set of targets, including various e-commerce and popular social media sites. Essentially, this makes exploitation of stolen credentials significantly easier for an attacker, and potentially, more damaging to the victims whose credentials have leaked.

Stolen credentials and the tools to use them are evolving rapidly, and a significant amount of innovation and evolution are expected in these tool sets over the next year to 18 months. Entire platforms given to user emulation and capable of doing en masse correlation of stolen user data across breach sets are what I expect to see in the next year or so. When these tools emerge, new economies of scale for online identity theft will quickly emerge, raising both awareness and criticality of the problem.

Folks at various security organizations, including Akamai, are also tracking the problem. (https://portswigger.net/daily-swig/behind-the-botnet-akamais-tony-lauro-on-tackling-real-world-credential-stuffing-attacks) Robust defenses against these automated platforms are going to be needed, and it will place significant stress on organizations who lack mature security programs with advanced visibility and analytics capabilities.

If you’d like some assistance preparing for these types of automated attacks or would like to discuss the potential impacts they may have on your organization, feel free to get in touch (https://microsolved.com/contact) or give us a call at 614-351-1237.

Want to Resist Ransomware? Embrace the NIST Cybersecurity Framework

Over the last months I have written several blogs concerning the burgeoning problem of ransomware attacks. Ransomware has been evolving rapidly of late and is liable to explode. According to Kapersky’s predictions for cybercrime in 2021, “cybercrime is set to evolve, with extortion practices becoming more widespread, ransomware gangs consolidating and advanced exploits being used to target victims.” When you add to this such problems as rising business email compromise problems and the difficulties of information security in the age of Covid, you can picture a pretty bleak outlook for data breaches and ransomware attacks next year.

Unfortunately, compromised business email information, weak remote working security practices and advanced vulnerability exploits can all be employed by organized gangs of cybercriminals to perpetrate ransomware; a type of attack that can present businesses with no-win solutions. If you pay the ransom, what is to keep the cybercriminals from revealing your stolen information publicly anyway, or coming back to you again with additional demands for money? If you pay, you can also possibly be in violation of U.S. laws and regulations. If you don’t pay, your private client information could be exposed publicly, possibly exposing you to regulatory sanctions and legal actions.

Of course, the best protection possible is to harden your business and personnel against successful social engineering attacks and cyber exploits. The problem is, no matter how good your information security program, you still may be compromised. To protect your business responsibly in this environment, you need to embrace all aspects of a good information security program: identify, protect, detect, respond and recover. These activities make up the framework core of the NIST Cybersecurity Framework (Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (nist.gov).

Identify basically refers to knowing your business. It includes asset management (i.e. software and hardware inventories), examining the business environment, identifying risk, coming up with a risk management and governance strategy and examining supply chain and third-party risk. If you don’t know your business deeply and exactly, you have little chance of protecting it properly.

Protect refers to all those programs you put in place to prevent cybercriminals from compromising your systems and information in the first place. These functions include access controls, data security measures (i.e. protection for data at rest and in transit), information protection processes and procedures (i.e. configuration and change management control, security policies and procedures, etc.), protective technologies (i.e. email security systems, SIEM, etc.), security maintenance (i.e. patching and updating), and the ever-important security awareness and training.

This leads into the “detect” part of the framework. As we have pointed out in past blogs, all the security systems in the world won’t keep you safe if you don’t actually monitor them and leverage their output to detect anomalies when they occur. And to perform this function properly, you need to involve humans. The human mind remains the most effective detection tool there is.

The last two parts of the framework core are “respond” and “recover”. These basically refer to your incident response and business continuity/disaster recovery programs. As was stated earlier, no matter how good your program is, there is always the possibility of compromise. That is why responding quickly and effectively is so important. This entails both planning and practice. As does business continuity/disaster recovery. Proper planning and realistic testing programs are essential.

Cybercriminals are looking forward to their best year ever in 2021. Do what you can to thwart their ambitions. A good, well rounded information security program is the best you can do in this respect. We recommend embracing the paradigms included in the NIST Cybersecurity Framework in this effort for their clarity, effectiveness and relative ease of implementation.

Wealth Management Firms and Ransomware Tabletop Simulations

No matter what industry you are in, you need to practice emergency procedures to build proficiency and identify glitches in your planning. For example, we all went though fire drills back in grade school, or if you’ve been on a cruise ship, you have received lifeboat drills. These kinds of exercises have proven their worth time and again over the years. For wealth management firms, one such program that needs practice exercises is the incident response program. And tabletop incident response exercises are an effective way to conduct these practices.

We at MSI have had years of experience in developing and conducting tabletop incident response exercises for organizations in a number of industries. In the financial industry, the most prevalent and dangerous attack type currently is ransomware. Ransomware attacks can lead to data breaches, lawsuits, regulatory involvement, loss of reputation and financial loss. Let MSI assist your firm in tabletop exercises designed to test your response preparations and to make adjustments and improvements in your response.

First, we will work with your firm to design a real-world ransomware attack scenario that is relevant to your particular organization. From there we will construct the scenario and set a time with your firm to conduct the exercise. MSI will provide two personnel for the exercise: the exercise moderator and the exercise observer/recorder. It should be noted here that these exercises can be conducted in either the real or virtual world. During these days of pandemic emergency this can be an important consideration.

Once the tabletop begins, the moderator will unfold the details of the exercise one by one, just as they’d come to notice if a real incident were occurring. Your incident response team will then follow your incident response plan, communicate with each other and relate just how they would address each issue as it unfolds. As the exercise continues, the moderator will continue to introduce complexities built into the ransomware exercise scenario. Once the exercise concludes, MSI will help your team conduct a “lessons learned” discussion that points out what worked well during the exercise and what didn’t seem to work well and needs improvement. Finally, your firm will receive a report from MSI recapping the exercise and including suggestions for improving your response techniques and mechanisms.

In our experience, incident response tabletop exercises have never failed to expose flaws in the incident response plan. These exercises also lead to spirited discussion and innovative thinking among the team members. Remember, the key to minimizing the negative effects of any cyber-attack, including ransomware attack, is quick and accurate response.

Should Wealth Management Firms Pay Ransomware or Not?

If your wealth management firm suffers a ransomware attack, should the firm pay the ransom or not? This seems like a straight-forward question, but in reality, is anything but. A number of factors have to be taken into account, including what kind of ransomware attack you have suffered, the possible financial costs associated with the attack and the attack aftermath, the possible reputational damage and attendant loss of clients, and also legal and regulatory consequences that may arise from the attack.

Let’s start by looking at the two main types of ransomware attacks your firm might encounter. In the “traditional” ransomware attack, cyber-criminals break into your network and encrypt your important data so that you cannot access it without the key they used. They then demand a ransom payment for this key. This is an attack on only one of the three pillars of information security: availability. If your firm doesn’t have safely stored backups, you must pay or suffer likely permanent loss of your data. If your firm has safely stored backups, all you have to do is restore your system from these backups. The decision to pay or not in this case seems simple for a wealth management firms: if you pay you get your data back quickly. If you don’t pay, you still get your data back, but not so quickly. It may take days to go through the restoration process. If you think your clients will stand for this downtime, you don’t pay. If you don’t think the business interruption will be tolerated, then maybe it is better to pay and take the financial loss.

The other type of ransomware attacks we’re seeing today are not so simple. If your important data is not properly encrypted, the attackers may not only re-encrypt your data, they may also copy it and threaten to release it publicly if they are not paid. This is a much thornier problem because it also affects another pillar of information security: confidentiality. Financial institutions are heavily regulated and are required to adequately protect the confidentiality of their client’s financial and personal private information. If the firm pays the ransom, they may get the key to unencrypt their data and a promise not to post this data publicly. But what level of trust can you put in the word of criminals?! What is to prevent them from publicly releasing the data anyway, or keeping the data and demanding further payments in the future? This complicates the decision to pay or not considerably. If the firm doesn’t pay the ransom, they are in for public scandal that might cause present clients to go elsewhere and prospective clients to choose a different firm. They may also be subject to regulatory sanction if their information security program is judged to be inadequate. In addition, the firm may be sued by affected clients which can lead to even more scandal and reputational loss.

But wait, there is more! Paying the ransomware is actually illegal is some instances. Under the International Emergency Economic Powers Act or the Trading with the Enemy Act, U.S. persons are generally prohibited from engaging in transactions with individuals or entities that are on OFAC’s Specially Designated Nationals and Blocked Persons List or with persons from embargoed regions and countries (see the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf for more information). And how is the firm to know if the blackmailers they are dealing with are among those on the proscribed list? I would hate to have to be the one to make the decision to pay ransomware or not in these cases. To quote an old cliché, these decision makers are caught between a rock and hard place!

There is no simple, easy or right decision to make if your firm is caught up in this second type of ransomware attack. The real answer is to not be in such a position in the first place. Financial firms should ensure that their information security program is compliant with regulatory and best practices standards at all times. You should ensure that your data is properly encrypted and backed up, patch and update your systems religiously, test and monitor your systems and ensure that your partners and services providers are doing the same. To quote another old cliché: an ounce of prevention is worth a pound of cure!

Preparing for the End of SMS Authentication

Over the last several years, wealth management/asset management firms have been integrating their systems with banking, trading and other financial platforms. One of the largest challenges wealth management firms face, from a technology standpoint, is managing multi-factor authentication when connecting to the accounts of their clients. In the coming year to eighteen months, this is likely to get even more challenging as SMS-based authentication is phased out. 

Today, many financial web sites, applications and phone apps require the use of SMS one-time security verification codes to be sent via text to the user. This usually happens once the user has entered their login and password to the system, after which it triggers the credential to be sent to their mobile phone number on record. The user then inputs this code into a form on the system and it is verified, and if correct, allows the user to proceed to access the application. This is called two factor authentication/multi-factor authentication (“MFA”) and is one of the most common mechanisms for performing this type of user authorization.

The problem with this mechanism for regulating sign ins to applications is that the method of sending the code is insecure. Attackers have a variety of means of intercepting SMS text messages and thus defeating this type of authentication. Just do some quick Google searches and you’ll find plenty of examples of this attack being successful. You’ll also find regulatory guidance about ending SMS authentication from a variety of sources like NIST and various financial regulators around the world. 

The likely successor to SMS text message authentication is the authenticator app on user mobile devices and smartphones. These authenticator apps reside in encrypted storage on the user’s phone and when prompted, provide a one-time password (“OTP”) just like the code sent in the text message. The difference is, through a variety of cryptographic techniques, once the application is setup and  the settings configured, it doesn’t need to communicate with the financial platform, and thus is significantly more difficult for attackers to compromise. Indeed, they must actually have the user’s device, or at the very least, access to the data that resides on it. This greatly reduces the risk of interception and mis-use of the codes in question, and increases the security of the user’s account with the financial institution.

This presents a significant problem, and opportunity, for wealth management firms. Transitioning their business processes from integrating with SMS-based authentication to authenticator apps can be a challenge on the technical level. Updates to the user interaction processes, for those firms that handle it manually, usually by calling the user and asking for the code, are also going to be needed. It is especially important, for these manual interactions, that some passphrase or the like is used, as banks, trading platforms and other financial institutions will be training their users to NEVER provide an authenticator app secret to anyone over the phone. Attackers leveraging social engineering are going to be the most prevalent form of danger to this authentication model, so wealth management firms must create controls to help assure their clients that they are who they say they are and train them to resist attackers pretending to be the wealth management firm. 

Technical and manual implementations of this form of authentication will prove to be an ongoing challenge for wealth management firms. We are already working with a variety of our clients, helping them update their processes, policies and controls for these changes. If your organization has been traditionally using SMS message authentication with your own clients, there is even more impetus to get moving on changes to your own processes. 

Let us know if we can be of service. You can reach out and have a no stress, no hassle discussion with our team by completing this web form. You can also give us a call anytime at 614-351-1237. We’d love to help! 

Credential Stuffing: Protection, Detection and Response are all Needed

Credential stuffing is a truly thorny security problem that exploits weaknesses in both human nature and Internet access controls. A credential stuffing attack is using user name/password combinations stolen from one website to try to gain access to other websites. It exploits the tendency of all of us to use the same passwords for multiple websites. Although this is a human weakness, it is also perfectly understandable; it is tedious and difficult to remember many complex passwords. It is also difficult to reliably protect password lists that are in any way accessible over the Internet. I see many articles about password management tools or cryptographic techniques that have been compromised while preparing the MSI Infosec Précis. Even MFA is not invulnerable. Attackers have come up with a number of different MFA bypass attacks lately, and more are certain to follow. Couple all this with the fact that there already are literally billions of user name/password pairs available for sale out there that have already been compromised, and you can see why credential stuffing is such a danger to the security of our private information. It is used constantly by attackers to gain the network foothold they need to launch further attacks such as Ransomware.

How are you supposed to protect yourself and your business from password stuffing attacks? The best solution is for everyone to use strong, unique passwords for each different online account they have. Good luck with that! Even the best of us get lazy or stupid once in a while. Or you can (and probably should) employ strong password managers and MFA. These are good techniques that are largely successful. But as I stated above, even these techniques are not sacrosanct. So, if you can’t stop credential stuffing attacks, you had better be able to detect them quickly and react appropriately.

One way to detect these attacks is through monitoring and analysis. As Scott Matteson, the man who coined the term “credential stuffing,” recommended in a 2019 interview: “Monitor your business metrics for signs that you may already be experiencing credential stuffing or other automation attacks, including poor or declining login success rates, high password reset rates, or low traffic-to-success conversion rates.” Plus: “Analyze the hourly pattern of traffic to your login and other attackable URLs for traffic spikes or volume outside of normal human operating hours for your markets: Real users sleep, automated attacks do not.”

In addition, there are tools and services available that can help you detect password stuffing attacks. As the MSI CEO, Brent Huston, discussed in his blog posted on November 11, MicroSolved’s data leakage detection engine ClawBack™ is one such tool that is useful in detecting stolen credentials that show up on pastebin sites or that have been leaked inadvertently through a variety of ways.

However, detection is not enough. You also need to be able to react quickly and surely when a leak has been detected. This means incorporating credential stuffing into your incident response (IR) plan. The incident response team as a whole should discuss response methods, incorporate them in the written IR plan and include them in their periodic IR training sessions. The combination of awareness of the credential stuffing problem, implementation of rational protection and detection mechanisms and documented response measures are a combination that can help your organization protect itself to best effect.

Getting ROI with ClawBack, our Data Leak Detection Platform

So, by now, you have likely heard about MicroSolved’s ClawBack™ data leakage detection engine. We launched it back in October of 2019, and it has been very successful among many of our clients that have in-house development teams. They are using it heavily to identify leaks of source code that could expose their intellectual property or cause a data breach at the application level.

While source code leaks remain a signficant concern, it is really only the beginning of how to take advantage of ClawBack. I’m going to discuss a few additional ways to get extreme return on investment with ClawBack’s capabilities, even if you don’t have in-house developers.

One of the most valuable solutions that you can create with ClawBack is to identify leaked credentials (user names and passwords). Hackers and cyber-criminals love to use stolen passwords for credential-stuffing attacks. ClawBack can give you a heads up when stolen credentials show up on the common pastebin sites or get leaked inadvertantly through a variety of common ways. Knowing about stolen credentials makes sense and gives you a chance to change them before they can be used against you. 

We’ve also talked a lot about sensitive data contained in device configurations. Many potentially sensitive details are often in configuration files that end up getting posted in support forums, as parts of resumes or even in GITHub repositories. A variety of identifiable information is often found in these files and evidence suggests that attackers, hackers and cybercriminals have developed several techniques for exploiting them. Our data leak detection platform specializes in hunting down these leaks, which are often missed by most traditional data loss prevention/data leakage prevention (DLP)/data protection tools. With ClawBack watching for configurations exposures, you’ve got a great return on investment.

But, what about other types of data theft? Many clients have gotten clever with adding watermarks, unique identity theft controls, specific security measures and honing in on techniques to watch for leaked API keys (especially by customers and business partners). These techniques have had high payoffs in finding compromised data and other exposures, often in near real time. Clients use this information to declare security incidents, issue take down orders for data leaks and prevent social engineering attackers from making use of leaked data. It often becomes a key part of their intrusion detection and threat intelligence processes, and can be a key differentiator in being able to track down and avoid suspicious activity.

ClawBack is a powerful SaaS Platform to help organizations reduce data leaks, minimize reputational risk, discover unusual and often unintentional insider threats and help prevent unauthorized access stemming from exposed data. To learn more about it, check out https://microsolved.com/clawback today.

Saved By Ransomware Presentation Now Available

I recently spoke at ISSA Charlotte, and had a great crowd via Zoom. 

Here is the presentation deck and MP3 of the event. In it, I shared a story about an incident I worked around the start of Covid, where a client was literally saved from significant data breach and lateral spread from a simple compromise. What saved them, you might ask? Ransomware. 

That’s right. In this case, ransomware rescued the customer organization from significant damage and a potential loss of human life. 

Check out the story. I think you’ll find it very interesting. 

Let me know if you have questions – hit me up the social networks as @lbhuston.

Thanks for reading and listening! 

Deck: https://media.microsolved.com/SavedByRansomware.pdf

MP3: https://media.microsolved.com/SavedByRansomware.mp3

PS – I miss telling you folks stories, in person, so I hope you enjoy this virtual format as much as I did creating it!