Daily Archives: December 11, 2019

Increasing Standards Alignment and Consistency

Increasing standards alignment and consistency is a core pillar in the PCI Security Standards Council’s strategic framework, which guides how the Council achieves its mission and supports the needs of the global payments industry. In this interview with PCI SSC Operations Officer Mauro Lance, we discuss this strategic pillar and how it’s shaping Council priorities.

This Year in Ransomware Payouts (2019 Edition)

Even though 2017 still remains the year when we saw the ransomware pandemic at its peak, cybercriminals will not stop these attacks on individuals and businesses anytime soon. Unfortunately, ransomware attacks continued to make headlines this year as well. So, in this article, I’m going to look at the highest ransomware payouts of 2019, what organizations paid the ransom, and explain why it’s never a good idea to pay.

But first of all, let’s start with some mind-blowing ransomware statistics from 2019.

Ransomware statistics in 2019

Here are the most shocking ransomware facts coming from 2019 alone:

  • Two-thirds of ransomware attacks targeted state and local governments.
  • 55% of SMBs from the US would pay hackers to recover their stolen data in ransomware attacks.
  • Over 500 US schools were affected by ransomware attacks in 2019.
  • Almost 70 US government organizations were infected with ransomware since January 2019.
  • A total of 140 US local governments, police stations, and hospitals have been infected with ransomware.
  • In the third quarter of 2019, the average ransomware payout increased to $41,000.

The most significant ransomware payouts of 2019

In the best-case scenario, victims of ransomware could simply wipe their systems and recover their data from offline backups. However, some organizations don’t keep any backups at all. Or worse, even if they do have copies of their data, sometimes they also end up being locked up by cybercriminals.

There are times when ransomware victims can decrypt their files with free ransomware decryption tools but sadly, there isn’t a decryptor available for all the ransomware strains out there. This sometimes leads to companies paying the ransom, being desperate to get their business back up and running.

Without further ado, below you will find the most significant ransomware payouts of 2019.

#6. Park DuValle Community Health Center, Kentucky, USA

June 2019

Amount paid: $70,000

In June 2019, Park DuValle Community Health Center had the medical records of almost 20,000 patients encrypted by ransomware and ended up paying the $70,000 ransom. The attack had left them locked out of their system for almost two months, impacting the health center’s medical records system and appointment scheduling tool.

For seven weeks, they had to record the patients’ information on pen and paper and ask them to speak from memory about their past treatments. The health care center basically had to operate on a walk-in basis since they were not able to schedule appointments or view any data.

“This is everything. This is medical records, contact information, insurance information, anything about a patient…everything is gone,” said Elizabeth Ann Hagan-Grigsby, CEO of Park DuValle. “The records involved are for past and present patients,” she continued.

This was the second time during the same year that Park DuValle was impacted by a ransomware attack. Back in April 2019, their systems had been locked down for about three weeks. That time, they had their data backed up, so they did not pay the ransom. The second time, however, they were unable to recover their data from the backups, so they decided to pay the ransom to restore it.

The amount was paid in 6 bitcoins (the equivalent of $70,000). Cybercriminals provided the encryption keys and Park DuValle was able to recover its data.

#5. Stratford City, Ontario, Canada

April 2019

Amount paid: $71,000

In April of this year, the City of Stratford also became a victim of a ransomware attack and chose to pay the ransom. According to the story published on Cybersecurity Insiders, the malware was installed on six of their physical servers and also encrypted two virtual servers, leaving their sensitive data locked down.

Even though they received warnings from officials, they paid 10 bitcoins, which at the time of attack meant roughly $71,000. The security company they contacted was not able to recover their data and was only involved in forensics. Consequently, the city negotiated the price that needed to be paid for their information to become available again. Their cyber insurance covered $15,000 of the ransom.

It seems that no personally identifiable information data was compromised and revealed in this ransomware incident.

#4. La Porte County, Indiana, USA

July 2019

Amount paid: $130,000

Another victim of the Ryuk ransomware, La Porte County, Indiana, paid $130,000 to recover their data.

The attack happened on July 6 and was noticed right before it managed to spread to all of the network’s computers. The IT staff confined it to less than 7% of machines, however, two domain controllers were impacted and thus, network services became unavailable.

According to the source, the FBI and a forensic investigation firm attempted to recover the data without paying the ransom, but their efforts proved to be unsuccessful. $100,000 out of the $130,000 payment demand was covered by insurance.

Apparently, the county did have backup servers in place; however, they became infected by ransomware as well.

The ransomware that affected La Porte County’s systems is allegedly Ryuk, the same strain that affected Lake City. It was called a “triple threat” because it originated from an Emotet infection that delivered the Trickbot trojan, which then launched Ryuk.

#3. Jackson County, Georgia, USA

March 2019

Amount paid: $400,000

Back in March, Jackson County had its network shut down by a ransomware attack, leaving only its website and 911 emergency system untouched. This meant they had to do their reports and bookings in pen and paper, just like they did before using computers became the norm.

Their officials contacted the FBI and hired a cybersecurity consultant. The security specialist negotiated with the cyber attackers and it was decided that Jackson County had to transfer $400,000 to receive the decryption key and gain access to their data once again.

“We had to make a determination on whether to pay. We could have literally been down months and months and spent as much or more money trying to get our system rebuilt”, said Kevin Poe, Jackson County Manager.

Apparently, the county’s network had been infected with the Ryuk ransomware strain, which as of now, does not have a free decryption tool available. According to experts, this type of ransomware had one of the most active campaigns in 2019, also affecting over 500 schools in the US.

Researchers are saying the Ryuk ransomware only launches after it completely spreads on the target’s network.

Image: what the Ryuk ransomware note looks like (source: cnet.com)

#2. Lake City, Florida, USA

June 2019

Amount paid: $500,000

A second city in Florida paralyzed by ransomware agreed to pay the ransom: 42 bitcoins ($500,000).

Even though their IT staff disconnected the systems within ten minutes of the attack’s detection, the ransomware managed to infect their network almost entirely. The police and fire departments were not affected, as they were running on a separate network. The people who needed to pay their bills could only do it in cash or money orders and they received handwritten receipts.

Cybercriminals reached out to the city’s insurance provider a week after the infection took place and the ransom payment of 42 bitcoins was negotiated. The money was paid from the city’s insurance.

Over 100 years’ worth of records (ordinances, meeting minutes, resolutions, and City Council agendas) were encrypted for almost a month. A few weeks after the ransom was paid, they did not even recover all of their data. What’s more, Lake City’s information technology director was accused of failing to secure the network and not recovering the data quickly enough and eventually lost his job.

Lake City was another victim of the Ryuk ransomware strain.

#1. Riviera Beach City, Florida, USA

May 2019

Amount paid: $600,000

This brings us to the biggest ransomware payout of 2019, which was made by Riviera Beach City in Florida.

Allegedly, right after an employee clicked on a phishing email link received on May 29, hackers managed to infiltrate into the city’s network and locked it up. All of the city’s online systems went down, including email and even some phones, and on top of that, water utility pump stations were affected as well. As a result, payments could only be accepted in person or by mail (only in cash or by check) and communication was conducted by phone.

The City Council unanimously agreed to pay the ransom. The requested amount was 65 bitcoins, the equivalent of nearly $600,000. More than $300,000 from the city’s insurance policy was used to pay the ransom. The payment was officially made merely a few weeks after Riviera Beach agreed to spend around $1 million to replace the infected computer equipment.

Riviera Beach’s attack looked similar to what Jackson County experienced in March, so it seems they were yet another victim of the Ryuk ransomware strain.

The biggest ransom ever paid

Even though we’ve witnessed several major ransomware payouts this year, none of them was the all-time biggest.

In 2017, the Korean web hosting firm Internet Nayana received the largest ransom demand ever (a whopping $1.14 million), which they also ended up paying. During their negotiations, some of their data was permanently deleted. To make up for the incident, Nayana offered free hosting for life and refunds to its affected customers. So, of course, besides the actual payment, the ransomware attack involved additional costs and reputational damage.

Others refused to pay

Paying the ransom is not something that every ransomware victim considers. And sadly, data recovery costs for some organizations that decline the payment end up being much higher than the actual ransom. For instance, back in March 2018, the City of Atlanta was infected with the SamSam ransomware variant. Cybercriminals demanded a $52,000 ransom payment; Atlanta refused to pay and then had to spend $2.6 million to recover from the attack. So, since it has been proven that paying the ransom can be a lot cheaper than dealing with an attack’s aftermath, local governments are increasingly choosing to pay.

But here is an example of an organization that declined the ransomware payment.

Baltimore City’s ransomware resistance story

On May 7, 2019, cybercriminals froze around 10,000 Baltimore government computers and asked for a $100,000 payment in bitcoins. The city’s employees were locked out of their email accounts and citizens were unable to pay their bills. This wasn’t the first time the city became a victim of ransomware – in 2018, their 911 system was shut down for about a day by another similar attack and in both cases, they did not transfer money into the attackers’ Bitcoin wallet.

The second time, their computer systems were infected with the RobbinHood ransomware strain.

Bernard C. Jack Young, Mayor of Baltimore City, explained why they chose not to pay the ransom:

The city representative acknowledges that by paying the ransom there is no guarantee their systems will be unlocked and also emphasizes the fact that they are choosing not to encourage criminal behavior.

“Why don’t we just pay the ransom? I know a lot of residents have been saying we should’ve just paid the ransom or why don’t we pay the ransom?

Well, first, we’ve been advised by both the Secret Service and the FBI not to pay the ransom. Second, that’s just not the way we operate. We won’t reward criminal behavior.

If we paid the ransom, there is no guarantee they can or will unlock our system.

There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future.

Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action.” – Bernard C. Jack Young, Mayor of Baltimore City

US mayors have adopted a resolution against paying the ransom

A proposal to ban ransom payments was put forward by Bernard Young, the abovementioned mayor of Baltimore City, and it has since been adopted. The resolution reads:

“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit.”

“The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm.”

“The United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.”

Although the adopted resolution doesn’t have any legal binding, it can be used to justify not paying the ransom in front of federal authorities and taxpayers.

Paying the ransom is a short-term solution

Ransomware payouts have become a highly controversial topic and for a good reason. Several questions arise when it comes to paying the ransom: Are you really going to recover your data? Where is your money actually going? Are you funding terrorist groups?

The FBI has explicitly stated that they do not support the practice and they urge organizations to report any ransomware incidents to law enforcement, no matter if they paid or not.

I strongly believe no one, be they consumers or organizations, should ever pay the ransom.

Here is why:

#1. There is no guarantee you will ever recover your files

In some cases, people still lost their data even if they paid the ransom. For instance, the GermanWiper ransomware deletes your files even though you did pay.

Also, malicious hackers actually like to be taken seriously, so if you think that by paying only a fraction of the requested amount you will get your data back (or at least some part of it), you are wrong. For example, the City of New Bedford, Massachusetts, was yet another government institution infected with the Ryuk ransomware. They tried to negotiate for $400,000 instead of $5.3 million, aiming to align the payment with the ones that were paid by cities hit by the same type of malware. However, their offer was declined.

#2. You are funding criminal organizations

Yes, it may be cheaper and faster to get your data back (if you are “lucky” enough) by paying the ransom. But are you really okay with transferring your money to shady hacking groups who may be using it for more malicious purposes?

#3. You are only encouraging this behavior

If organizations continue to pay the ransom, cybercriminals will not stop this practice anytime soon. In fact, it has already become a highly profitable underground business, also known as Ransomware as a Service (RaaS).

So, do you actually want to incentivize more and more attacks and contribute to the further propagation of the ransomware illegal industry?

Think about it this way. In the long run, if you’ve chosen to pay the ransom, you will definitely not save any money. Why not use the amount that you would have given to those ransomware attackers to improve your defenses instead?

How to Prevent Ransomware in Your Organization

Ransomware disasters can, fortunately, be avoided. As you’ve probably noticed from the ransomware incidents that I’ve listed, the best targets seem to be government entities that have outdated IT systems in place and that don’t always follow cybersecurity best practices.

Here is how you can stop ransomware from infecting your organization:

#1. Back up your data

I can’t stress this enough. The first and most important thing you can do is have copies of your data stored somewhere safe, where they won’t get infected as well. What’s more, make sure that your backup system actually works and test it frequently.
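“Test your backups frequently” is easy to say and easy to skip. One concrete way to do it, added here as an illustration and not the post’s or the vendor’s code, is to record a SHA-256 manifest of every file at backup time, keep that manifest away from the backup media, and compare a trial restore against it. The directory layout, file contents and manifest format below are constructed for the demo; a backup that was itself overwritten by ransomware shows up as “modified”, and a file that never made it into the backup shows up as “missing”.

```python
"""Verify that a restored backup matches what was backed up.

Added example, not the post's code. The sample files and the manifest
format (path -> SHA-256 hex digest) are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 at backup time."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Compare a restored tree against the manifest taken at backup time."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def is_restore_good(findings):
    """A restore test passes only if nothing is missing or altered."""
    return not (findings["missing"] or findings["modified"])


def demo():
    """Constructed scenario: one clean restore and one restore whose files were
    overwritten in place (what an encrypted backup set would look like)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "records")
        src.mkdir()
        (src / "patients.csv").write_text("id,name\n1,constructed-sample\n")
        (src / "schedule.db").write_bytes(b"\x00constructed-db-bytes\x00")
        # The manifest is stored offline, separate from the backup media.
        manifest_json = json.dumps(build_manifest(src), indent=1)

        good = Path(tmp, "restore_ok")
        good.mkdir()
        for rel in json.loads(manifest_json):
            Path(good, rel).write_bytes((src / rel).read_bytes())
        clean = verify_restore(good, json.loads(manifest_json))

        bad = Path(tmp, "restore_bad")
        bad.mkdir()
        (bad / "patients.csv").write_bytes(b"ENCRYPTED-PLACEHOLDER")  # tampered copy
        # schedule.db is deliberately absent: it never reached the backup.
        broken = verify_restore(bad, json.loads(manifest_json))
        return clean, broken


if __name__ == "__main__":
    for label, result in zip(("clean restore", "broken restore"), demo()):
        print(label, "OK" if is_restore_good(result) else "FAILED", result)
```

Run the check on a scheduled trial restore rather than on the live backup target: a backup that only ever verifies against itself cannot tell you that both copies were encrypted together, which is exactly what happened to several of the victims above.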

#2. Watch out for excessive admin rights inside your organization

Sometimes, ransomware can prove to be a result of abused privileged accounts (malware propagation is often linked to compromised credentials that belong to admin accounts).

So, be certain that your organization runs on the principle of least privilege and the Zero Trust model. In short, be careful whom you grant admin rights to within your organization. A tool such as Thor AdminPrivilege™ can help you easily escalate and de-escalate privileges and when used in tandem with our other security solutions, you will get notified when threats are discovered and more than that, admin rights will be automatically de-escalated on your compromised accounts.

#3. Use security tools specifically designed to stop ransomware

For instance, a product like Thor Foresight Enterprise is properly equipped to protect your organization against ransomware. First of all, it instantly blocks any incoming attacks (for example, associated with malicious URLs) and secondly, it contains a patch management tool, created to help you close all vulnerabilities related to outdated systems and software.

#4. Train your users

Last, but not least, your users should be able to recognize the signs of cyberattacks. I often hear IT admins struggling with compromised accounts and malware infections caused by users who keep clicking on phishing links and following the instructions (for example, submitting their login credentials).


All in all, 2019 has shown us that ransomware is still a lucrative business for cybercriminals. The organizations that are choosing to pay the ransom only worsen the situation, setting high expectations for future ransomware attackers. So, the bottom line is this: if you are ever faced with this tough decision – to pay or not to pay – think about what paying actually means.

Are you in favor of paying the ransom? Let me know your thoughts in the comments section below.

The post This Year in Ransomware Payouts (2019 Edition) appeared first on Heimdal Security Blog.

Collecting and Crafting User Information from LinkedIn

Justin Angel // Penetration testing and red team engagements often require operators to collect user information from various sources that can then be translated into inputs to support social engineering and password attacks. LinkedIn is obviously a prime source for this type of information since users can associate themselves with a particular company. Assuming we […]

The post Collecting and Crafting User Information from LinkedIn appeared first on Black Hills Information Security.

The FireEye Approach to Operational Technology Security

Today FireEye launches the Cyber Physical Threat Intelligence subscription, which provides cyber security professionals with unmatched context, data and actionable analysis on threats and risk to cyber physical systems. In light of this release, we thought it would be helpful to explain FireEye’s philosophy and broader approach to operational technology (OT) security. In summary, combined visibility into both the IT and OT environments is critical for detecting malicious activity at any stage of an OT intrusion. The FireEye approach to OT security is to:

Detect threats early using full situational awareness of IT and OT networks.

The surface area for most intrusions transcends architectural layers because at almost every level along the way there are computers (servers and workstations) and networks using the same or similar operating systems and protocols as used in IT, which serve as an avenue of approach for impacting physical assets or control of a physical process. The oft-touted air gap is in many cases a myth.

There is often a singular focus from the security community on industrial control system (ICS) malware largely due to its novel nature and the fact that there have been very few examples found. This attention is useful for a variety of reasons, but disproportionate to the actual methods of the intrusions where ICS-tailored malware is used. In the attacks utilizing Industroyer and TRITON, the attackers moved from the IT network to the OT network through systems that were accessible to both environments. Traditional malware backdoors, Mimikatz extracts, remote desktop sessions and other well-documented, easily detected attack methods were used throughout these intrusions and found at every level of the IT, IT DMZ, OT DMZ and OT environments.

We believe that defenders and incident responders should focus much more attention on intrusion methods, or TTPs, across the attack lifecycle, most of which are present on what we call “intermediary systems”—predominately networked workstations and servers using operating systems and protocols that are similar to or the same as those used in IT, which are used as stepping-stones to gain access to OT assets. This approach is effective because almost all sophisticated OT attacks leverage these systems as stepping stones to their ultimate target.

To illustrate this philosophy, we present some new concepts for approaching OT threats, including the Funnel of Opportunity for OT Threat Detection and the Theory of 99, as well as practical examples derived from our analysis and incident response work. We hope these ideas challenge others in the security community to put forward new ideas and drive discussion and collaboration. We strive for a world where attacking or disrupting ICS operations costs the threat actor their cover, their toolkits, their time and their freedom.

The "Funnel of Opportunity" Highlights the Value of Detecting OT Attacks In "Intermediary Systems"

Over the past 15 years of responding to and analyzing many of the most important threats in IT and OT, FireEye observed a consistent pattern across almost all OT security incidents: There is an inverse relationship between the presence of an attacker’s activities and the severity of consequence to physical assets or processes. The attack lifecycle when viewed like this begins to take on a “funnel” shape, representing both the breadth of attacker footprint and the breadth of detection opportunity for any given level. Similarly, from top to bottom we represent the timeline of the intrusion and its proximity to the physical world. The bottom is the cross-over of impact from the cyber world to the physical world.

Figure 1: The Funnel of Opportunity for OT Threat Detection

In the early stages of the attack lifecycle, the intruder spends prolonged periods of time targeting components such as servers and workstations across IT and the IT DMZ. Identifying threat activity at this architectural level is relatively straightforward given that dwell time is high, threat actors often leave visible traces, and there are many mature security tools, services and other capabilities designed to detect this activity. While it is difficult to anticipate or associate this early intrusion activity in IT layers with more complex OT targeted attacks, IT networks remain the best zone to detect attacks.

In addition to being relatively easy to detect, early attacker activity also presents a very low risk of negative impact to OT networks. This is primarily because OT networks are commonly segmented, often with an OT DMZ separating them from IT, limiting attacker access to the industrial process. Also, targeted OT attacks commonly require threat actors to acquire abundant process documentation to determine how to cause a desired outcome. While some of this information may be available in IT networks, planning this type of attack would almost certainly require further process visibility only available in the OT network. This is why, as the intrusion progresses and the attacker gets closer or gains access to OT networks, the severity of possible negative outcomes becomes proportionally higher. However, the activity becomes more difficult to detect as the attacker’s footprint grows smaller and there are fewer security tools available to defenders.

The TRITON and Industroyer Attacks Exemplify This Phenomenon

Figure 2 shows an approximate representation of endpoints that were compromised across the architecture of victim organizations during the TRITON and Industroyer attacks. The Funnel of Opportunity is located in the intersection between the two triangles. It is here where the balance between attacker presence and operational consequence of an intrusion makes it easier and more meaningful for security organizations to identify threat activity. As a result, threat hunting close to the OT DMZ and DCS represents the most efficient approach as the detectable features of the intrusion are still present and the severity of potential consequences of the intrusion is high, but still not critical.

Figure 2: Approximate representation of endpoints compromised during the TRITON and Industroyer attacks

In both the TRITON and Industroyer incidents, the threat actor followed a consistent pattern traversing the victims’ architecture from IT networks, through the OT network, and ultimately reaching the physical process controls. In both incidents, we observed that the actor moved through segmented architectures using computers located in different zones. While we only illustrated two incidents in this blog post, we highlight that movement across zones leveraging computers has also been observed in every public OT security incident to date.

The Theory of 99: Almost All Threat Activity Happens in Windows and Linux Systems

FireEye’s unique visibility into the full attack lifecycle of thousands of intrusions from both independent research and first-hand incident response experience has enabled us to support this theory with real-world data, some of which we share here. FireEye has consistently identified similar TTPs leveraged by threat actors regardless of their target industry or ultimate goals. We believe that visibility into network traffic and endpoint behaviors are some of the most important components for IT security. These components are also critical in preventing pivots to key assets in the OT network and detecting threat activity once it does reach OT.

Our observations can be summarized in what we call the Theory of 99, which states that in intrusions that go deep enough to impact OT:

  • 99% of compromised systems will be computer workstations and servers
  • 99% of malware will be designed for computer workstations and servers
  • 99% of forensics will be performed on computer workstations and servers
  • 99% of detection opportunities will be for activity connected to computer workstations and servers
  • 99% of intrusion dwell time happens in commercial off-the-shelf (COTS) computer equipment before any Purdue level 0-1 devices are impacted

As a result, there is often a significant overlap across TTPs utilized by threat actors targeting both IT and OT networks.

Figure 3: TTPs seen across both IT and OT incidents

Figure 3 presents a summary of TTP overlaps between TRITON, Industroyer, and some relatively common activity from cybercrime group FIN6. FIN6 is a group of intrusion operators who have compromised multiple point-of-sale (POS) environments to steal payment card data and sell it in on the dark web. While the motivations and ultimate goal of the threat actors that developed TRITON and Industroyer differ significantly from FIN6, the three actors share common TTPs, including the use of Meterpreter, compromising dual-homed systems, leveraging RDP to establish remote connections and so forth. The overlap in tools and TTPs across actors interested in IT and OT should be of no surprise. The use of IT tools for OT compromises directly corresponds to a trend best known as IT/OT convergence. As IT equipment increasingly becomes integrated in OT systems and networks to improve efficiency and manageability, we can expect threat actors to be able to leverage networked computers as a conduit to reach industrial controls.

Drawing parallels between intrusions into high security environments, we can gain insight into actor behaviors and identify detection opportunities earlier in the attack lifecycle. Intelligence on intrusions across various sectors can be useful in highlighting which common and emerging adversary tools and TTPs are likely to be used in tailored attacks against organizations with OT assets.
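The Funnel of Opportunity and the Theory of 99 both point at the same hunting target: ordinary Windows/Linux hosts carrying an interactive session from one zone into the next deeper one. The script below, added here as an illustration and not FireEye’s code, runs that idea over constructed flow records. The Purdue-style zone map, the flow-line format, the port-to-service table and every sample address are assumptions made up for the example; only Python’s standard `ipaddress` module is real. It flags each RDP/SMB/SSH flow that moves deeper toward OT and then links them into stepping-stone chains, which is the “intermediary system” pattern the post describes.

```python
"""Hunt for interactive remote-access sessions that step deeper toward OT.

Added example, not FireEye's code. The zone map, the flow-record format and
the sample flow lines are all constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed Purdue-style zones; DEPTH grows toward the physical process.
ZONES = {
    "IT": ["10.10.0.0/16"],
    "IT_DMZ": ["10.20.0.0/24"],
    "OT_DMZ": ["10.30.0.0/24"],
    "OT": ["10.40.0.0/16"],
}
DEPTH = {"IT": 0, "IT_DMZ": 1, "OT_DMZ": 2, "OT": 3}

# IT-style remote access services the post lists as common to IT and OT intrusions.
INTERACTIVE_PORTS = {3389: "rdp", 445: "smb", 22: "ssh"}

# Constructed flow records: "<time> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = [
    "09:00:01 10.10.5.23 10.10.5.40 445 tcp",   # IT -> IT: same zone, not a crossing
    "09:05:10 10.10.5.23 10.20.0.15 3389 tcp",  # IT -> IT DMZ over RDP
    "09:20:45 10.20.0.15 10.30.0.7 3389 tcp",   # IT DMZ host pivots into OT DMZ
    "09:41:03 10.30.0.7 10.40.1.12 3389 tcp",   # OT DMZ host pivots into OT
    "09:42:00 10.40.1.12 10.30.0.7 502 tcp",    # process traffic, not interactive
    "10:00:00 10.40.1.12 10.10.5.23 443 tcp",   # outbound toward IT, not interactive
]


def zone_of(ip):
    """Map an address to its zone, or UNKNOWN if it is outside the zone map."""
    addr = ipaddress.ip_address(ip)
    for zone, prefixes in ZONES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return zone
    return "UNKNOWN"


def parse_flow(line):
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def crossing_sessions(lines):
    """Flows that use an interactive service to move into a deeper zone."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f["port"] not in INTERACTIVE_PORTS:
            continue
        src_zone, dst_zone = zone_of(f["src"]), zone_of(f["dst"])
        if "UNKNOWN" in (src_zone, dst_zone) or DEPTH[dst_zone] <= DEPTH[src_zone]:
            continue
        findings.append({"ts": f["ts"], "src": f["src"], "dst": f["dst"],
                         "service": INTERACTIVE_PORTS[f["port"]],
                         "path": f"{src_zone}->{dst_zone}"})
    return findings


def stepping_stone_chains(findings, min_hops=2):
    """Link crossings where one flow's destination later becomes the next flow's
    source (the intermediary-system pattern). Returns chains of host addresses."""
    by_src = defaultdict(list)
    for f in findings:
        by_src[f["src"]].append(f)
    chains = []

    def extend(chain, last):
        extended = False
        for nxt in by_src.get(last["dst"], []):
            if nxt["ts"] > last["ts"] and nxt["dst"] not in chain:
                extend(chain + [nxt["dst"]], nxt)
                extended = True
        if not extended and len(chain) > min_hops:
            chains.append(chain)

    dests = {f["dst"] for f in findings}
    for f in findings:
        if f["src"] not in dests:          # start only from chain heads
            extend([f["src"], f["dst"]], f)
    return chains


if __name__ == "__main__":
    found = crossing_sessions(SAMPLE_FLOWS)
    for f in found:
        print(f"{f['ts']} {f['service']:4} {f['src']} -> {f['dst']}  [{f['path']}]")
    for chain in stepping_stone_chains(found):
        print("stepping-stone chain:", " -> ".join(chain))
```

The chain output is the actionable part: a single IT-to-DMZ RDP session is routine, but the same destination turning around and opening RDP into the OT DMZ within the hour is the point in the funnel where dwell time is still long and the consequence is not yet physical.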

FireEye Services, Intelligence, and Technology Provide Unparalleled Protection In IT and OT

While the FireEye approach to OT security detailed in this blog post emphasizes the criticality of “intermediary systems” when defending OT, we do not want to downplay the importance of the OT expertise and technology needed to respond to the most critical 1% of threat activity that does impact control systems. OT is in our DNA at FireEye: FireEye Mandiant’s OT practice has been one of the leading industry voices over the past six years, and the FireEye Cyber Physical Intelligence offering is the most recent evolution of the heritage of Critical Intelligence—the first commercial OT threat intelligence company founded in 2009.

Figure 4: FireEye OT-specific offerings

We believe that sharing our philosophy for OT security and highlighting FireEye’s comprehensive OT security capabilities will help organizations look at this security challenge from a different angle and take tangible steps forward to build a robust, all-encompassing security program. Figure 4 maps FireEye’s OT security offerings against the NIST Cybersecurity Framework’s Five Functions, matching FireEye services to the lifecycle of an organization’s cyber security risk management.

If you are interested in learning more or purchasing FireEye OT-focused solutions, you can reach out here: FireEye OT Solutions.

The big task for CIOs in 2020: Bringing security and IT operations together

The first step in bridging the gap starts with understanding the problem.  IT and security operations have worked in silos for decades so one might think “If it ain’t broke, don’t fix it.”  But it is, in fact, broken, and there is little awareness of the impact caused by the fragmentation.

According to a recent study conducted by Forrester on behalf of endpoint security company Tanium, 67% of IT leaders surveyed admitted that driving collaboration between the two groups is a challenge and that the rift widens an already big gap in visibility and makes resolving issues harder.


Don’t gift cyber attackers access to your organisation this Christmas

Stock up on sprouts, hang the decorations and prepare for a barrage of cyber attacks, because the Christmas season is in full swing.

December is a busy time for cyber criminals, as they look to take advantage of understaffed IT departments and employees who are distracted by tight deadlines, Christmas parties and the upcoming break.

Let’s take a look at some of the most common mistakes organisations make and how to address them. Some are quick fixes that you can sort out before you go away for the holidays, whereas others require a refined, systematic approach to information security.

1. Weak passwords

Hackers can crack passwords in a variety of ways:

  • Dictionary attacks: Hackers download a text file containing a list of words (usually from a dictionary) into a cracking application, and run it against user accounts located by the application.
  • Rainbow tables: Most modern systems store passwords as hashes rather than in plaintext. This means that even if hackers can get to the area or file that stores the passwords, they only see the hashed values. A rainbow table helps reverse a hash by comparing the stored hash with a precomputed list of hashed dictionary entries.
  • Brute force: The hacker tries common passwords in the hope that they will find a match.

The received wisdom about passwords is that they should have at least eight characters and mix letters, numbers and special characters.

However, this often leads to ridiculously complicated passwords that are hard to remember and, ironically, comparatively easy for computers to crack.

There’s another problem: even though complex passwords are theoretically hard to crack, people tend to write them down somewhere, which immediately compromises them.

A simpler and more secure technique is to create a mnemonic or cipher, such as taking the first character from each word of a sentence.

Organisations should create a policy that lists specific requirements for creating passwords and instructs employees to change default passwords when they create accounts. If the account contains sensitive information, organisations should consider using multi-factor or hardware-based tokens in place of system-level passwords.
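The three attack types above and the policy advice that follows can be tied together in one short script. This is an added example, not the post’s or IT Governance’s code: the weak-word list, the minimum length and the sample passwords are constructed, and `WEAK_WORDS` is a stand-in for a real dictionary or default-password list. It builds the mnemonic passphrase the post recommends, checks a candidate against a simple policy, and then shows why a precomputed table of hashed dictionary words finds an unsalted SHA-256 of a weak password but not a salted PBKDF2 verifier of the same password.

```python
"""Password policy checks, plus why salted hashing defeats precomputed tables.

Added example, not from the post. WEAK_WORDS, MIN_LENGTH and the sample
passwords are constructed; hashing uses only the standard library.
"""
import hashlib
import hmac
import os
import re

WEAK_WORDS = {"password", "admin", "welcome", "letmein", "qwerty", "december"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000


def passphrase_from_sentence(sentence):
    """The mnemonic from the post: first character of each word of a sentence."""
    return "".join(word[0] for word in sentence.split())


def policy_violations(password):
    """Return the policy rules a candidate breaks (empty list means accepted)."""
    pw = password.lower()
    letters_only = re.sub(r"[^a-z]", "", pw)
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if pw in WEAK_WORDS:
        violations.append("dictionary_word")
    elif letters_only in WEAK_WORDS:            # e.g. "Password123!"
        violations.append("dictionary_word_with_decoration")
    if re.fullmatch(r"(.)\1*", password):
        violations.append("repeated_character")
    return violations


def unsalted_table(words):
    """Precomputed hash -> word map; a rainbow table is a compressed form of this."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def store_password(password, salt=None):
    """Salted, iterated hash, which is how a verifier should be stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def demonstrate_lookup(word="welcome"):
    """Look the same weak password up as an unsalted hash and as a salted verifier."""
    table = unsalted_table(WEAK_WORDS)
    unsalted_hit = table.get(hashlib.sha256(word.encode()).hexdigest())
    salt, digest = store_password(word)
    salted_hit = table.get(digest.hex())        # never matches: salt changes the input
    return {
        "unsalted_hit": unsalted_hit,
        "salted_hit": salted_hit,
        "verify_ok": verify_password(word, salt, digest),
        "verify_wrong": verify_password(word.capitalize(), salt, digest),
    }


if __name__ == "__main__":
    print(passphrase_from_sentence("Stock up on sprouts and hang the decorations"))
    for pw in ("Password1!", "Suosahtd-2019!"):
        print(pw, policy_violations(pw) or "accepted")
    print(demonstrate_lookup())
```

Note that salting only removes the shortcut of a precomputed table; a weak word stored with a salt still falls to a per-account guess, which is why the policy check and the slow iterated hash belong together.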

2. Poorly configured devices

Inexperienced or underfunded organisations often install routers, switches and other networking gear without involving anyone who understands the security ramifications of each device.

Misconfiguration can happen at any level of the application stack, including the code, web and application servers, databases and frameworks.

Here are some signs of a poorly configured device:

  • Default account information: Attackers can easily break into your application if you’ve left your account name as ‘admin’ or ‘test’ and not changed the default password.
  • Third-party applications installed on a production server: A production server with additional applications on it leaves organisations exposed.
  • Ineffective firewalls: If more ports than necessary are open, or if unauthorised hosts can connect to the server, attackers can gain control of the server.
  • Missing operating system security patches: Attackers exploit security holes that released patches have already identified and fixed. If you haven’t applied those patches, you are vulnerable.

To avoid making those mistakes, organisations should use a strong application architecture that separates components, create a process for applying software updates and patches as they are released and conduct regular scans and audits to help detect future misconfigurations or missing patches.
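The “regular scans and audits” recommendation can be started with a small baseline check that walks an inventory and reports the four signs listed above. This is an added example, not the post’s code: the host records, default-account list, per-role port allowlist and patch baseline are all constructed, and the `YYYY-MM` patch-level field is an assumption standing in for whatever your patch tooling reports.

```python
"""Baseline audit for the misconfiguration signs listed in the post.

Added example, not the post's code. Host records, DEFAULT_ACCOUNTS,
ALLOWED_PORTS and REQUIRED_PATCH_LEVEL are constructed for illustration.
"""

DEFAULT_ACCOUNTS = {"admin", "test", "guest", "root"}
PRODUCTION_ROLES = {"web", "db"}
# Per-role listening-port allowlist: anything else is more than necessary.
ALLOWED_PORTS = {"web": {80, 443}, "db": {5432}}
# Constructed patch baseline as YYYY-MM; string comparison works for this format.
REQUIRED_PATCH_LEVEL = {"web": "2019-12", "db": "2019-12"}

# Constructed inventory, as an asset-management export might supply it.
SAMPLE_HOSTS = [
    {"name": "web01", "role": "web", "listening": {22, 80, 443},
     "accounts": [{"user": "admin", "default_password": True}],
     "extra_packages": ["wireshark", "game-server"], "patch_level": "2019-10"},
    {"name": "db01", "role": "db", "listening": {5432},
     "accounts": [{"user": "dbowner", "default_password": False}],
     "extra_packages": [], "patch_level": "2019-12"},
]


def audit_host(host):
    """Return (finding, detail) pairs for one host; empty list means clean."""
    findings = []
    for acct in host["accounts"]:
        if acct["user"] in DEFAULT_ACCOUNTS and acct["default_password"]:
            findings.append(("default_account", acct["user"]))
    if host["role"] in PRODUCTION_ROLES and host["extra_packages"]:
        findings.append(("third_party_on_prod", ",".join(host["extra_packages"])))
    unexpected = host["listening"] - ALLOWED_PORTS[host["role"]]
    if unexpected:
        findings.append(("unexpected_open_ports", ",".join(map(str, sorted(unexpected)))))
    if host["patch_level"] < REQUIRED_PATCH_LEVEL[host["role"]]:
        findings.append(("missing_patches", host["patch_level"]))
    return findings


def audit(hosts):
    return {h["name"]: audit_host(h) for h in hosts}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HOSTS).items():
        print(name, findings or "clean")
```

Running a check like this on a schedule, and diffing its output against the previous run, turns the list of signs into something that notices drift rather than relying on whoever installed the device to have thought about it.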

3. Insider threats

Employees are often directly responsible for data breaches. These can be broken down into three categories:

  • Malicious actors, who steal or expose data for financial gain, political reasons, revenge, etc.
  • Accidental loss, such as misplacing a removable device.
  • Negligence, where, for reasons other than malice, employees fail to comply with security policies.

It’s hard to identify potential sources of insider error, because everyone in the organisation is susceptible. Accidental loss and negligence can be mitigated by providing your staff with regular awareness courses that remind them of their security obligations.

Preventing malicious actors requires stricter measures, such as:

  • Implementing access controls to limit the amount of information any one employee can view;
  • Creating policies restricting the use of removable devices; and
  • Monitoring for unauthorised accounts.

Educate your employees on cyber security risks

Educated and informed employees are your first line of defence when it comes to information security.

Empower them to make better security decisions with our Information Security and Cyber Security Staff Awareness E-Learning Course.

This GCHQ-approved training course gives your employees a comprehensive overview of the threats they face and how to avoid them.


A version of this blog was originally published on 1 December 2017.

The post Don’t gift cyber attackers access to your organisation this Christmas appeared first on IT Governance UK Blog.