COVID-19 has quickly switched many organisations to full remote / work-from-home policies, and IT teams are dusting off disaster recovery and business continuity plans. We know hackers are using Coronavirus to target users, so it’s important to keep security front of mind when protecting a distributed workforce.
After talking about this topic with a few clients, I thought I’d share my security tips to consider when protecting a remote and highly distributed workforce.
This seems obvious: provide some level of protection from malware and exploits on endpoints. But keep in mind that many organisations do not supply staff with laptops or home workstations, so they may well be accessing corporate email or data from home machines outside of the normal corporate security standards and monitoring. Keep mobile devices and tablets in mind here too. Many technology vendors are providing additional burst or top-up licensing, so be sure to look into this.
A highly distributed workforce creates visibility challenges too. Where your users usually connected via fixed perimeters you controlled, they could now be accessing cloud and SaaS data from anywhere, on any device. A Secure Web Gateway is a good solution for this, as it provides visibility into the applications and data users are interacting with, and lets you enforce your corporate security policies no matter what they’re accessing. It also connects users to a global point-of-presence network, meaning you don’t have to drag your users back through your own perimeter in order to get visibility and enable your users to access applications.
Suddenly that often malnourished remote access solution is critical infrastructure. If you do need to connect staff into your environment to access applications, confirm your VPN is provisioned to handle 60-75% of your workforce connecting concurrently. This is also a really good time to ensure multi-factor authentication is enabled on all your entry points, including VPNs (you would be surprised how often it isn’t!).
Cythera provides a Secure Access solution through Cato Networks global points of presence that can be stood up in hours if you need assistance here.
This really dovetails with the visibility point, but with your users remote, accessing services from anywhere, potentially on any device, logging and visibility have never been more important. Ensure you’re taking feeds from your cloud and SaaS applications, comparing them to security and endpoint data, and running some form of behavioural and threat analysis over them. This will give you a really good head start on detecting and responding to threats before they become incidents. It might be as simple as: why is Mary from HR logging in from Melbourne, and then five minutes later successfully authenticating from India? Or it might be more sophisticated: a user making PowerShell or API calls they have never made before. Visibility is key here. A detection and response platform can give you a good head start if you feel you’re lacking here.
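The Mary-from-HR case above, turned into a check you can run over your own sign-in feed. This is an added example, not Cythera’s code or any product’s detection logic; the sign-in events, the city coordinates and the 1000 km/h threshold are constructed for illustration.

```python
"""Impossible-travel check over a constructed feed of successful sign-ins.

Two sign-ins by the same user are flagged when the great-circle distance
between their source locations could not have been covered at a plausible
speed in the time between them.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed lookup of sign-in source cities -> (latitude, longitude) in degrees.
CITY_COORDS = {
    "Melbourne": (-37.81, 144.96),
    "Sydney": (-33.87, 151.21),
    "Mumbai": (19.08, 72.88),
}

# Constructed sample of successful sign-ins: (user, ISO-8601 timestamp, city).
SIGNINS = [
    ("mary", "2020-03-20T09:00:00", "Melbourne"),
    ("mary", "2020-03-20T09:05:00", "Mumbai"),
    ("bob", "2020-03-20T09:00:00", "Melbourne"),
    ("bob", "2020-03-20T11:00:00", "Sydney"),
]

MAX_SPEED_KMH = 1000.0  # assumption: roughly the cruising speed of an airliner


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_city, to_city, implied_speed_kmh) for every pair of
    consecutive sign-ins by the same user that implies travel faster than
    max_speed_kmh. Events are processed in timestamp order per user."""
    alerts = []
    last = {}  # user -> (datetime, city) of their previous sign-in
    for user, ts, city in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            prev_when, prev_city = last[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(CITY_COORDS[prev_city], CITY_COORDS[city])
            # Zero elapsed time with a non-zero distance is treated as infinite speed.
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > max_speed_kmh:
                alerts.append((user, prev_city, city, round(speed)))
        last[user] = (when, city)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print("impossible travel:", alert)
```

Bob’s Melbourne-to-Sydney hop two hours apart is well under the threshold and stays quiet; Mary’s five-minute jump to Mumbai is the one that fires.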
Significant changes in working patterns demand that cyber security be front and centre in your IT planning. Reach out to the Cythera team if you need some air cover.
Craig Joyce has a strong reputation for his work in providing senior leaders in Australia with counsel on all matters relating to IT.
Craig has helped countless businesses thrive under varying conditions and across manufacturing, retail and technology sectors, also lending his focus to new businesses that need the right IT tools and advice to grow.
As one of the minds behind the highly regarded O2 Networks, Craig has spent his career taking on challenges in the IT industry and shedding light on the complex cyber security issues that businesses face every day in Australia and around the globe.
“The important thing with starting any business is understanding what it is you are setting out to achieve,” said Craig.
“We stand for cyber security and we are out there to protect our customers. That whole approach of thinking closely around what you would need to protect your own business and what type of services you would want to consume is a really good launching position into figuring out what you think you would need to appeal inside the market.”
“We have spent a lot of time looking at the technologies and the cyber security landscape and the threats that are out there and we’ve tailored our solution set to meet those requirements. Also, at the same time we’ve really focused very much on ignoring what’s come before and thinking where things are going in the future so that we know our platform will stand the test of time.”
Two biggest threats to businesses in Australia
“The two biggest threats to your business are going to be attacks that are aimed towards your people and attacks that are aimed at the end point. It is important to have both of those at the forefront of your mind,” said Craig.
“How do you educate your users? How do you make sure their devices are secure? They are the most common forms of attack.”
“Last year, 75% of all attacks were aimed at individual users and behaviours of those users to launch those attacks.”
“Our whole business is based around being your eyes, so we will look at your security infrastructure, we will look at your business and we will identify threats and we will help you remediate any that may occur within your environment.”
“We are the one stop shop.”
Craig Joyce is Co-Founder and Director of Cythera, with a leadership team comprised of industry veterans with backgrounds as highly successful entrepreneurs and at Tier 1 telcos or IT vendors.
Craig and the Cythera team are passionate advocates with a belief in the criticality of effective cyber security solutions for businesses of all sizes.
Cythera understands the challenges local businesses face protecting their business from cyber threats and has built Cythera from the ground up to support businesses to meet these demands.
This week while on-boarding a new customer, before we could even start we needed to help them recover from a compromise they had suffered before coming to us.
A user had fallen for a phishing attack and had their Office 365 email credentials stolen. Email phishing is the act of sending emails purporting to be from an entity (such as Google) or an individual (such as your CEO), often using a crafted email with graphics and text copied from legitimate emails to fool users into entering login information or opening an attachment. The attacker can then use the stolen credentials to gain access to your organisation, or use malware the user clicks on to gain a control channel into your environment.
In this case, the malicious actor had used a common method to compromise a business: they had taken control of the email account of a trusted business partner, and had then sent our client an email with a Dropbox link purporting to contain a legitimate-looking business proposal.
This method is highly successful because when we receive an email from a known or trusted user, we tend to bypass our usual scepticism and control when it comes to clicking links or opening files. In this case, our client actually replied to the email and asked if it was legitimate. He got a reply: ‘Yes it is, I need you to respond to it urgently’. As the business partner’s email had been compromised, the hacker could reply themselves in an attempt to validate the email. The client then opened the file, which prompted him to log in to Office 365 to access the file, and his credentials were then stolen.
So how can we better protect ourselves from these sorts of problems? Email filtering won’t always help here, as the email was actually coming from a seemingly legitimate user. But secure DNS and web filtering (such as what we deliver with the DNSProtect and WebProtect portions of our Protect platform) would have helped prevent the user from inputting their details into a phishing site, by blocking the phishing page from displaying in the client’s browser. Not reusing passwords across accounts is another good practice to limit your exposure should a compromise take place. Additionally, if the Dropbox link had instead contained malware, ransomware or a remote access tool (commonly called a RAT by security operators), an endpoint protection agent such as MalwareProtect and EndpointProtect would keep you safe.
We help a lot of Australian businesses out with security incidents, as well as recovering from hacks and breaches. Many of them can be attributed back to human error or poor security hygiene. I thought I would share some of my top tips to help you avoid a costly hack, or brand damaging breach.
This is an easy one. Operating system vendors don’t just release patches for new features; they’re also patching security vulnerabilities regularly. Keep desktops and laptops up to date and enable automatic updates wherever possible. Apply the same thinking to critical applications such as Microsoft Office (vulnerabilities in Microsoft Office have risen 121 percent over the last 6 years) to keep ahead of problems.
Many successful cyber security incidents start with an account being stolen or ‘phished’. One way to help stop these attacks escalating is to have a second factor of authentication beyond just your username and password. This means that even if an account is stolen, the attacker will have a difficult time getting past the second login step, which may be a token or an application that runs on a user’s smartphone. Two-factor can be enabled selectively, such as only when a user is outside your corporate network. Some 2FA vendors to consider are Authy (https://authy.com/) and Okta (https://www.okta.com/).
Cyber security is not just about technology and processes, it’s also about your people and the way they go about their day to day business. As a successful cyber attack can shut down your business or irrevocably damage your brand, it’s key that management and executives set a good example, as this attitude then flows throughout the organisation. Ongoing cyber awareness training to make staff more conscious of potentially malicious behaviour will improve the cyber-hygiene of your business, with more mature organisations now also including cyber security training in staff onboarding.
Accounts that are stolen or included in breaches often end up being sold on the dark web for use in other attacks. There are resources available for you to check if key staff accounts have been included in previous breaches. https://haveibeenpwned.com/ allows you to search for staff email accounts, and any that are discovered should have their passwords reset and two-factor authentication enabled.
There’s a common theme with many of the companies we assist with security incidents: they didn’t plan for one. They often have a health and safety plan, and even a terrorism plan! This doesn’t need to be War and Peace; it can be a single pager on roles and responsibilities, as well as who to contact, including any cyber security partners you work with to assist in responding to incidents. If there are any regulatory bodies or government agencies you liaise with, make sure to include any reporting that may need to take place here. The Australian Office of the Information Commissioner has a good guide on data breach plans. Make sure you’re also familiar with the Notifiable Data Breach Scheme.
There’s lots of talk about the increasing skills shortage in cyber security. And let’s face it, cyber security is probably not part of your core business, so you’re constantly going to be playing catch up with a rapidly changing landscape. By partnering with a cyber security specialist you’re also subscribing to the ongoing skills and herd intelligence to help you plan and protect your business and brand from being the next headline. Just make sure they’re a specialist and not someone who’s also trying to sell you phone systems and printers.
Australia’s emerging enterprises are facing the same security risks and suffering the same incidents the big end of town are, but with much less capability to respond and protect themselves in a rapidly changing space. By baking security into your business’s DNA, and partnering with strategic cyber security specialists, you’re setting yourself up for success.
Last month a cross-platform assistant for creating malicious MS Office documents, named EvilClippy, was released.
It allows an attacker to hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools.
Attackers can now hide malicious code from anti-virus and macro analysis tools by leveraging undocumented features in the way macros are stored within an Office file.
Macros are stored in Compound File Binary Format (CFBF) and EvilClippy uses a technique known as VBA Stomping to replace the compiled version of the macros with something malicious.
According to the creators of the tool it allows attackers to bypass all anti-virus solutions, however it’s worth noting that Deep Instinct’s VBA and Office deep learning models available since November last year prevent all threats produced using EvilClippy without requiring an update or cloud lookup. Anti-virus vendors cannot detect threats created with this tool statically and must update detection hash by hash (reactively) as samples are submitted by customers.
Certainly the name of the tool is a tongue-in-cheek play on the name of the old Office 97 assistant, Clippy, which proved universally unpopular with most users.
Below is a list of hashes we have prevented at customer sites related to malicious Office documents.
These include threats created using EvilClippy, and Word and Excel droppers used in a number of campaigns, including Emotet, Fareit, Lazarus, LockerGoga and Alcaul.
Again, these were prevented statically with Deep Instinct’s November 2018 model.
This data published by researchers from Kaspersky illustrates the pivot from browser based attacks to office doc attacks, which is an interesting trend.
This last week we are seeing another successful campaign that uses Excel macros and digitally signed files to deliver a remote access trojan. Microsoft’s security team’s only advice remains to ‘disable macros’.
Cythera’s managed Protection Bundles are designed from the ground up to help your business meet emerging threats such as these, and provide you with ongoing outcome based security.
In Information Technology our businesses are often very project driven: “We need a new endpoint solution”, “We need to look at life-cycling our wireless”, “Our company needs a risk management platform”. In cyber security, this approach often leads to our clients ‘not knowing what they don’t know’. What they mean by this is that they rarely get the opportunity to take a step back and look at their cyber security in a holistic way (the people, processes and technology that make up security for them), and map themselves against common security frameworks to know where they’re strong and where they may need to do some work.
To help our clients better equip themselves to respond to this issue, we’ve released version 2.0 of the Cythera Security Platform, the cornerstone of which is a cyber security health assessment.
The cyber security health assessment can be self-run, or run by a Cythera team member alongside your IT team. The health assessment is administered in a question and answer format, the results of which produce a risk rating and map your strengths and weaknesses against the NIST security framework, as well as the ASD Essential 8. This allows IT teams to understand where they are performing well, and the areas of their security people, processes or technology they may need to focus on.
The assessment, which is free to use, can be run at regular intervals or once a year to compare to previous assessments, and ensure you’re improving in areas of focus. After the assessment is run, you can then access our business toolkit, which provides recommended solutions in areas you want to drill down on, including the full suite of Cythera’s Protection Platform and associated offerings, allowing you to move towards an improved security posture across your business.
Our updated Security Platform also gives you access to ready-to-edit cyber policy templates and checklists, and allows you to easily enable phishing simulations and cyber awareness training for staff; items that are often lacking from Australian businesses’ security programs.
Access your own cyber security health assessment and get started today for FREE at https://aware.cythera.com.au/free/
The 2018 OAIC data breach statistics revealed that over 75% of successful security breaches start with human error. The most common cyber attacks come in the form of malicious emails sent to unsuspecting employees, meaning employees are literally the first line of defence.
Although we often focus on technology solutions to solve security problems, our people are often still the weakest link, especially non-IT-savvy users. If I had to spend a dollar in time or technology, I would look to close this gap by providing an education process that teaches employees about cybersecurity, IT best practices and regulatory compliance.
The best cyber security protection mechanism is the active and ongoing education of your employees. Experience has shown that quick, relevant, and ongoing training during an employee’s tenure with an organisation is the best way to arm end users to become an organisation’s first line of cyber-defence.
A good security awareness training program should include:
Cythera gives businesses the ability to significantly reduce risk, decrease incidents and related IT help desk costs, protect their reputation by experiencing fewer breaches, and secure their organisation. Contact us to start your cyber awareness program today.