Ntiva Live: Cybersecurity for the Rest of Us

Most Common Causes of Data Breaches (Recent Cyber Incidents 2021)

Episode Overview: Top Causes of Recent Data Breaches

In our first episode, Frank discusses the common causes of cybersecurity incidents, using the most recent data breaches that made the news in the first half of 2021, including how they could have been prevented and what every business should have in place to prevent the same thing from happening to them!

Major Cybersecurity Incidents in 1H21: Episode Transcript

Thanks, everybody, for taking your lunch break with us. This is our first, the inaugural session of Cybersecurity for the Rest of Us. I'm Frank Smith. I'm with Ntiva; I'm the manager of security and consulting services. I am a computer engineer, so I'll apologize if I do any geek speak, but I try not to. I am a CISSP, I run all of our security programs, do compliance assessments, do all those kinds of things that are of big interest for everybody these days. Despite the fact that there is a PowerPoint slide up, I guarantee you this will not be a death by PowerPoint. We'll move on from there and, for better or worse, you'll have to look at me instead of a PowerPoint.

If at any time you have questions, feel free to put them in the Q&A in the Zoom bar. That's preferable to the chat. If it shows up for you, we will be monitoring the Q&A, so go ahead and ask basically anything.

Today, since this is our first one, I figured I'd take the opportunity to talk about some of the causes of all of these security incidents that you've been hearing in the news lately, and kind of finish it with something you don't really hear that much about, but is a bigger problem.

There's one thing that's very common about all of these cyber attacks. Every one of these was avoidable.

You can't really say they're preventable because there are some really bad actors out there, with the nation-state sponsorship and all that stuff going on, but absolutely nothing you heard about needed to be as bad as it was. It didn't need to get around like it did. Quite frankly, most of them really were preventable. I'm going to run through the root causes and then we'll talk about each of them separately. We'll talk SolarWinds, Colonial Pipeline, the beef packing one, everything.

So no MFA. I mean, in this day and age, people don't have multi-factor authentication running on their systems and that is unacceptable.

It's not a hundred percent guaranteed by any stretch of the imagination; they can be hacked. It's not perfect, but if somebody is trying to break into your O365 and they figured out your passwords, they get an MFA prompt. They're going to go on and move to somebody else and try somebody else's tenant to get in. They're looking for the low hanging fruit in a lot of cases. When you do deploy MFA, this can be free. It's included with your O365 license, but it's preferable that you use the authenticator app, use the six digit code option where you take the code from the app and type it in. That's preferable to a push because, quite frankly, people are lazy and every time their phone beeps, they reach over and tap it, and SMS can be hacked. Now, you know, your casual hacker isn't probably going to do that, but SMS can be hacked. I think everybody probably knows that.

Unpatched systems. I can't tell you the number of times this comes up. Yes, there are zero day attacks, but most of the breaches that have happened and most of the things that we've seen in the wild this year are old vulnerabilities. Some of them are three or more years old and somebody just realized, hey, this is out there. Or somebody published the exploit code. Yes, the zero day attack occurs. Yes, you need to be prepared to deal with that kind of stuff, but a steady vulnerability patch management system will go an incredibly long way to make that go away.

If you're using Windows Update, and I know most of the people that join these kinds of things probably have Windows platforms, Windows Update is just not enough. If you're going to rely on something like that, you do need to verify that the updates are in fact happening. If you've got legacy End of Life systems: a lot of our small and midsize manufacturing clients have Windows 8, Windows NT based systems out there. This stuff has been around for a long time. It can be breached, but it's part of an industrial control system. It's part of that CNC milling machine that costs a quarter million dollars to replace. I recognize that all that stuff is out there. If you have End of Life stuff, you have to be extra careful with what you're doing.

IAC is identity and access controls. This is just the generic way of saying: how do you handle your users? Do you have a written onboarding and offboarding process? Are accounts set up so that users have the minimum privileges that they need? Are they getting assigned to the right SharePoint libraries? Do they not get assigned to things they don't need? Does your organization block the ability to share links outside the company? Those are data loss prevention. Those are privacy, but they all overlap into security. You need to consider all of that kind of stuff.

Passwords kind of get into here as well as these phished credentials, but I'll mention it here. You need a good password policy. Eight characters and three types of complexity isn't going to cut it. That can be hit with a password spray attack and your passwords can be guessed like nothing. That's trivial. Go to at least 12, use all four types of characters. Personally, I go longer and encourage people to use passphrases instead of passwords.

That leads us into phished credentials. Look, phishing is it. Some estimates have it at north of 90% of all cyber attacks of all types beginning with a phishing email. Some of these are really good. Some of them are obviously phishes, but I've seen clients fall for even the most, what I consider, obvious phish. So if you get something, it has a link and your people are following it, entering credentials, that's just dangerous.

This is not just about your work email addresses. This is people who do it from home, too. They follow the link and if you've got a loose password process, they put their credentials in, maybe it's for their Gmail account. If they're reusing passwords at work, it's now everywhere. It doesn't take much to figure out who you are and what you're doing, if I have any information on you. LinkedIn just got hit with what was called a scrape attack, because it technically didn't result in a breach according to Microsoft, but that was 770 million records of information: personal email addresses, phone numbers, other types of contact information. I take that along with your LinkedIn profile, I can find you in other social media sites. It's pretty easy to say, let me go try whatever password of theirs I have from the dark web, and I'm going to try it on their work account because I know where they work.

That's the common themes that we saw. I'm going to go ahead and stop sharing. There we go.

Let's talk about how we got into some of these situations where we are. What really started us down this path? This has been around for a long time.

SolarWinds was the one that got the news. It didn't get the attention it probably deserved to get, because we were dealing with a contested election, a pandemic, the holidays, everybody going on vacation. It was news, but it probably didn't get as much attention as it should have, but SolarWinds started this whole thing. We had SolarWinds, FireEye, Microsoft, and then a bunch of the firewall, router and switch manufacturers all came real quick. December was the month that was kind of the rude awakening for the rest of the world.

SolarWinds started out with bad identity and access controls. We all heard it was an intern account that was initially used to breach; the password on the intern account was SolarWinds 2020. So somebody got into their system with what could only have been the initial password. I don't really know where that came from, but clearly a password that never got reset. Got into the system and somehow, with the intern account, managed to find their way into systems that an intern would have had no business accessing, and did it with elevated administrative privileges. Now, these attackers: this has been traced to a nation state. There's no doubt that this is a more sophisticated attack, and this differs from a lot of them in that this was a lurker attack. They joined in there with the intention of compromising the software and they wanted to just stay in the background.

In fact, the attackers did everything they could to reduce the amount of attention they would receive. Simply put, the malware, when it got out to the field, would generate itself once or twice and then stop, and then go quiet for a week or so. They would only do it at certain targets. This was a very sophisticated attack. They were also able to get into the system because they defeated MFA. Now, in this case, we believe that the multi-factor was in fact misconfigured and they took advantage of the fact that there was a misconfiguration. That certainly helped their case, but an intern account that was able to get in and get administrative privileges, I mean, you've just got to sit back and say, how in the world did that happen?

Colonial Pipeline, right?

Everybody raise your hand if you sat in a gas line. We've seen a huge increase in inquiries for various security tools over the last 60 days and a lot of it has been driven by people who sat in gas lines. This is a non-trivial thing, right? This is critical infrastructure. So here I am, I'm controlling 45% of the fuel that flows to the East Coast, and I had a remote access VPN set up with no multi-factor authentication. I mean, really? Who would do that? Well, Colonial Pipeline would do that. Back to that slide I showed you.

The reason I use those different colors: if you have one of those things that you're not doing, that's the yellow, and as you work your way more towards the center, where two of the things overlap, you've got a greater level of risk. If you've got three of those things, you're an easy target. If you've got all four, you are the lowest hanging fruit of the internet. You're going to be breached. Quite frankly, if you haven't already, you just probably don't know you've been breached. In Colonial Pipeline's case, they had no MFA, they had phished credentials. This was a case where a user had a personal account that was hacked, that password was known and published on the dark web, somebody used it, mapped it to their Colonial Pipeline account and the same password worked. I'll confess, we don't know if it was exactly the same password. They haven't exactly published all the details to it, but what's very common, and people go, "Well, I don't reuse my passwords." Yeah, but you reuse a root password.

You know, I have "hello world" and for some passwords it's "hello world one" and for some it's "hello world dollar sign", and you just play games with it. That's how you're incrementing passwords. You make minor changes to it. If I know one password, for a lot of people, I know almost all your passwords.

The recent thing that came out was Kaseya. Kaseya, for those of you that don't know it, the tool that was compromised is a remote monitoring tool. Large organizations use it rather than reaching out and trying to physically touch every computer in their environment. The Kaseya attack was targeting managed service providers. The managed service providers use the Kaseya tool. Some have it on site, some use their SaaS solution. Part of what that tool incorporated, in the part that was hacked, was an automation aspect.

Companies were using it to say, rather than applying Windows Update patches, log into the Kaseya portal, say push this patch out to all these machines, and it pushed the patch out to all the machines. Well, as it turns out, the attackers got into the Kaseya environment, they compromised the platform, they did not use ransomware on Kaseya, nor did they use it at the next level in that supply chain. They didn't attack the managed service providers. They pushed out the ransomware to the clients of the managed service providers. This third level, if you really get into it, is where the damage was done, but it all goes back to the top level. In the case of the Kaseya attack, it has been traced to a vulnerability which was first discovered over five years ago. They attacked Kaseya through a portal that probably should never have even been online.

They were able to elevate privileges once they got into the environment. Once they got in, there were bad identity and access control user accounts that they were able to take advantage of to go ahead and push the stuff out. The ransomware then went out to the lowest level in that supply chain.

The JBS meat packing plant. There's been less put out about that one, but everywhere you go, the price of beef went up. Again, compromised credentials, bad identity and access control, stale accounts. This is a common thing. I'll beat this up for just a second. Very commonly, people leave the organization and instead of disabling the account and archiving it, making it go away, everybody's converting it to a shared mailbox, or Bob may need this later on, so they forward this person's email there.

What ends up happening is, you're a company of a hundred people and you have a thousand Microsoft 365 accounts. Nobody thinks about it because you're not paying for them, depending on the status you've put them into, but they're avenues of attack, so don't leave them there. Yes, right after somebody departs the company you might want to access their OneDrive, their SharePoint, their email, whatever it is, for 30 days. After that, archive that mailbox, get it out of the tenant, make it go away so that you don't have this increased surface area for attack.

Now I'll talk a little bit about a more general thing. There has been a huge amount of press on ransomware. The Kaseya attack was a $70 million attack, Colonial Pipeline allegedly paid 5 million, JBS meat packing I think was 4 million; those were some of the numbers I heard around. All of those numbers are trivial compared to what's being lost through business email compromise. This is a great term, it makes it sound like it's something outrageous and that those of us in the security field can talk to you about business email compromise. What it really boils down to in its simplest state, this is the most common vector: somebody gets into your O365 tenant. They set up a forwarding rule. Usually it's on the CFO's account, the controller's account, an accounts payable person's account. Sometimes you'll have a general mailbox that says accounts payable and accounts receivable at whatever company you are.

Those are easy targets. They get forwarding addresses put against them. Somebody comes in and gets out of your account. They're not trying to attract attention, but they're monitoring your mail flow at this point. They see your communications with suppliers and vendors and your customers about, "Hey, invoice ABC is coming out and here it is and it's for this amount of money." They start tracking that kind of stuff. They sit there, they look at it for a little while, usually weeks. I mean, these are not usually things that happen instantaneously. They track you for weeks or even months. They then intercept it. They'll create a fake domain in some cases, but since they do have access to your tenant, sometimes they go in and use your real mailbox to send a message that says, hey, we're going to be changing our banking information.
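The forwarding-rule tradecraft described above is something an administrator can audit for. The following is an added Python example written for this page, not code from the webinar or from Ntiva: it takes a list of inbox-rule records (constructed here, with field names that are this example's own assumption, chosen to mirror what an Exchange inbox-rule export carries) and flags rules that forward or redirect mail outside the tenant, or that hide finance-related mail by deleting it or moving it into a folder the owner never looks at. The tenant domain, mailboxes and addresses are all made up.

```python
# Constructed inbox-rule records (not an export from any real tenant). The field
# names are an assumption for this example, modelled on what inbox-rule exports carry.
TENANT_DOMAINS = {"example.com"}
FINANCE_TERMS = ("invoice", "ach", "wire", "payment", "remit", "bank")
# Folders an attacker picks so the victim never sees the diverted thread.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "deleted items", "junk email"}

SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "Newsletters",
     "move_to_folder": "Newsletters", "subject_contains": ["newsletter"]},
    {"mailbox": "controller@example.com", "name": "Copy to assistant",
     "forward_to": ["assistant@example.com"]},
    {"mailbox": "ap@example.com", "name": "Backup",
     "forward_to": ["ap.backup@example.net"], "subject_contains": ["invoice", "ACH"]},
    {"mailbox": "cfo@example.com", "name": "Sync",
     "redirect_to": ["cfo.archive@example.org"]},
    {"mailbox": "controller@example.com", "name": "Clean up",
     "move_to_folder": "RSS Feeds", "subject_contains": ["wire", "payment"]},
]


def is_external(address, tenant_domains=TENANT_DOMAINS):
    """True when the address's domain is not one the tenant owns."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in tenant_domains}


def audit_rule(rule, tenant_domains=TENANT_DOMAINS):
    """Return the findings for one inbox rule; an empty list means nothing suspicious."""
    findings = []
    # Any forward/redirect that leaves the tenant is the classic BEC monitoring rule.
    for action in ("forward_to", "redirect_to"):
        for addr in rule.get(action, []):
            if is_external(addr, tenant_domains):
                findings.append(f"{action} sends mail outside the tenant: {addr}")
    # A rule that deletes or buries mail about invoices/payments hides the real
    # thread from the mailbox owner while the attacker runs the fake one.
    subjects = [s.lower() for s in rule.get("subject_contains", [])]
    finance_hit = any(term in s for s in subjects for term in FINANCE_TERMS)
    hides = rule.get("delete", False) or \
        rule.get("move_to_folder", "").lower() in HIDING_FOLDERS
    if hides and finance_hit:
        findings.append("hides finance-related mail: " + ", ".join(subjects))
    return findings


def audit_rules(rules, tenant_domains=TENANT_DOMAINS):
    """Map (mailbox, rule name) -> findings for every rule with at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, tenant_domains)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report


if __name__ == "__main__":
    for (mailbox, name), findings in audit_rules(SAMPLE_RULES).items():
        print(f"{mailbox} / {name}")
        for finding in findings:
            print("   -", finding)
```

Run as-is, three of the five constructed rules are reported: the external forward on the accounts payable mailbox, the external redirect on the CFO mailbox, and the controller's rule that shunts "wire" and "payment" mail into RSS Feeds. The two ordinary rules stay quiet. In a real tenant the records would come from an inbox-rule export and the tenant-domain set from the verified domains.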

Here's our new ACH stuff, and the company that receives it should be verifying it, should have better accounting practices, but you'd be shocked at the number of companies that take it: no problem, we'll change the ACH information. Sometimes they do it by changing the domains and send out fake information. Some companies are more vulnerable than others. If you have lowercase I's or W's or lowercase L's in your domain name, you can think about how these things can be spoofed. You can create a fake domain that differs from the real one. Replace a w with two v's. Replace an i with a lowercase L. Replace an L with a lowercase i. Replace the i with a j. These are all easy things to do, and there's this registrar out there called cheapnames.com. They may be a bargain, but they are also a huge repository of fake names.

For somebody who's trying to spoof your domain, they're going to go register with cheapnames.com. You're going to then see this fake email, and at that point they'll usually intercept the email chain so that the risk of the real CFO seeing it doesn't come up, and you see this back and forth on emails. I bet once a week somebody says, could you take a look at this and see if we were compromised? It doesn't mean that your tenant is compromised; it could be your customer, your supplier, your vendor that is compromised. Think about how long it takes to detect fake invoice information. You generate an invoice, most people have like 30 day terms. 30 days go by. On the 30th day, you're not going out and saying, "Hey, can I get the status of this invoice?" You give them an extra couple of days.
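The letter swaps Frank lists (w for vv, i for l or j, l for i) can be turned around and used defensively: generate the lookalikes of your own domain and your key suppliers' domains ahead of time, then flag any inbound sender whose domain lands in that set. The code below is an added Python example for this page, not something from the webinar or Ntiva. The protected domains and inbound senders are constructed and belong to no real organisation; the example assumes a single-label TLD such as .com when it splits the domain.

```python
# Confusable substitutions named in the talk: w -> vv, i -> l or j, l -> i.
CONFUSABLES = {"w": ("vv",), "i": ("l", "j"), "l": ("i",)}

# Constructed domains to protect (our own plus trading partners) and constructed
# inbound senders. None of these are real organisations.
PROTECTED_DOMAINS = ["wilsonmilling.com", "acme-supply.com"]
SAMPLE_SENDERS = [
    "ap@wilsonmilling.com",       # genuine
    "ap@vvilsonmilling.com",      # w -> vv
    "billing@acme-supply.com",    # genuine partner
    "billing@acme-suppiy.com",    # l -> i
    "news@example.org",           # unrelated
]


def lookalike_domains(domain):
    """Every domain reachable from `domain` by one confusable substitution at one
    position of its registrable label. Assumes a single-label TLD (e.g. .com)."""
    label, _, tld = domain.lower().rpartition(".")
    variants = set()
    for pos, ch in enumerate(label):
        for sub in CONFUSABLES.get(ch, ()):
            variants.add(f"{label[:pos]}{sub}{label[pos + 1:]}.{tld}")
    return variants


def build_lookalike_index(protected_domains):
    """Map each lookalike -> the legitimate domain it imitates."""
    index = {}
    for legit in protected_domains:
        for fake in lookalike_domains(legit):
            index[fake] = legit.lower()
    return index


def flag_lookalike_senders(senders, protected_domains):
    """Return {sender: imitated_domain} for senders whose domain is a lookalike."""
    index = build_lookalike_index(protected_domains)
    hits = {}
    for sender in senders:
        domain = sender.rsplit("@", 1)[-1].lower()
        if domain in index:
            hits[sender] = index[domain]
    return hits


if __name__ == "__main__":
    for sender, imitated in flag_lookalike_senders(SAMPLE_SENDERS, PROTECTED_DOMAINS).items():
        print(f"{sender} looks like {imitated}")
```

Two of the five constructed senders are flagged, each paired with the domain it imitates; the genuine addresses and the unrelated one pass. Applying `lookalike_domains` a second time to each variant would cover two-letter swaps, at the cost of a larger index. The same index can seed a registrar watch for your own name.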

Well, then you go, "Hey, we haven't received payment on this invoice." Somebody comes back and says, "Oh, I kind of remember doing that one, let me get back to you." Well, another couple of days goes by. By the time you go through this back and forth and you realize, somebody says, "Well, we sent the money, here's our information, here's the proof," blah, blah, blah. By the time all that happens, 45 to 60 days have gone by. That money has already been moved. The money's gone. You're not ever going to see it. The fake bank, that money hit that account, they transferred it probably three or four times by then. Now you're sitting there, "Hey, we paid the invoice." "No, you didn't."

Everybody's pointing fingers. Who was compromised? Who fell for the phish? Who should have known better?

Quite frankly, the only ones making money out of this are the lawyers, because everybody starts getting their lawyers involved, and I'll apologize to all the law firms out there, but that's your business. Everybody's going to turn around and start drawing on their legal counsel, and you're looking for accountability and you're looking for responsibility. I was on a call with somebody; he is in the Baltimore field office of the FBI. They said that the amount of money that they see lost, that they are investigating out of that office alone, is far exceeding what they're seeing on ransomware attacks. Keep in mind, ransomware attacks are usually reported because there's a lot more to getting it undone.

Whereas business email compromise, a lot of times the dollar amounts are lower. People are embarrassed to report it, but if you have any of these types of incidents, you should absolutely be reporting them to law enforcement. I tell everybody, report it to your local law enforcement and, depending on the circumstances, the FBI or Secret Service. The government has ic3.gov, which is the internet crime center website. You can file a report there as well. You don't even have to pick up the phone to file your report, but I always recommend you do that. Statistically, that does help law enforcement keep track of where the patterns are, what they're seeing, those kinds of things. I encourage you to do that as well.

We have, looks like a Q&A question came in. In regards to the SolarWinds 2020 password that was figured out, did they use a password cracker, or did they make multiple attempts to figure out the password? With most websites, you only have a few attempts to enter the password or you get locked out. The short answer is, I don't know. However, my guess is that since that seems like a default password, my guess is that somebody figured out that SolarWinds was using a default password for new accounts. I bet had the incident not happened in December, their default password would now be SolarWinds 2021, but that's just kind of me taking a guess.

I'll share something that I've seen in password spray and those types of attacks. The attackers are smart. Your log-ins: you automatically lock an account out on everything, but most of those thresholds are five or six attempts. Some as low as three, but five or six is pretty common. Some are as high as 10. One way of getting around it, what the attackers have done, is they will use an IP address and try an account with two attempts. They'll change IP addresses and try the same account with two more attempts. When that doesn't work, they go away. They come back in 30 minutes or an hour. The password spray attack, it's an elegant brute force.

It's not quite the same as what it used to be, but it's definitely still using the same kind of things. I have seen passwords of the eight and three, which is what almost everybody uses for their complexity; those get hacked pretty quickly. We have about three minutes left, so I'm going to go back and show my ugly slide again and make it one step uglier for you. If you're using legacy antivirus, and you have any of these other things going on, you are at extreme risk. By legacy antivirus, I mean the stuff that everybody knows about. It's all those name brand things. It's everything that's out there that relies on virus definitions. You are extremely vulnerable when you do that. You need to absolutely be using the next generation tools. You'll hear it called managed detection and response, endpoint detection and response; some are touting next generation antivirus. My personal opinion, most of the products out there are just some additional add-ons to legacy antivirus, and they are more vulnerable than the true EDR products.
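The low-and-slow spray Frank describes (two attempts per source IP, rotate IP, come back after half an hour or more) is built to stay under a per-IP lockout counter, so the detection has to aggregate differently: count failures per account across all source IPs over a window of hours, and separately count distinct accounts per source IP. The code below is an added Python example for this page, not code from the webinar or Ntiva. It runs over a constructed sign-in log in a simple CSV shape (timestamp, account, source IP, result) that stands in for whatever your identity provider exports; the addresses and accounts are made up.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log (not from any real tenant):
# timestamp,account,source_ip,result
SAMPLE_SIGNINS = """\
2021-07-12T12:00:01Z,alice@example.com,203.0.113.10,FAIL
2021-07-12T12:00:40Z,alice@example.com,203.0.113.10,FAIL
2021-07-12T12:01:10Z,bob@example.com,198.51.100.23,FAIL
2021-07-12T12:01:35Z,bob@example.com,198.51.100.23,SUCCESS
2021-07-12T12:44:02Z,alice@example.com,198.51.100.7,FAIL
2021-07-12T12:44:50Z,alice@example.com,198.51.100.7,FAIL
2021-07-12T13:30:12Z,alice@example.com,192.0.2.44,FAIL
2021-07-12T13:31:05Z,alice@example.com,192.0.2.44,FAIL
2021-07-12T14:02:00Z,carol@example.com,192.0.2.99,FAIL
2021-07-12T14:02:05Z,dave@example.com,192.0.2.99,FAIL
2021-07-12T14:02:11Z,erin@example.com,192.0.2.99,FAIL
2021-07-12T14:02:16Z,frank@example.com,192.0.2.99,FAIL
2021-07-12T14:02:22Z,grace@example.com,192.0.2.99,FAIL
"""


def parse_signins(text):
    """Parse the CSV lines into time-sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, ip, result = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "account": account, "ip": ip, "ok": result == "SUCCESS"})
    return sorted(events, key=lambda e: e["time"])


def _windows(items, window):
    """For each event taken as a window start, yield the events in [start, start+window)."""
    for i, first in enumerate(items):
        end = first["time"] + window
        yield [e for e in items[i:] if e["time"] < end]


def find_distributed_spray(events, window=timedelta(hours=3), per_ip_max=2,
                           min_ips=3, min_fails=5):
    """Accounts hit from several IPs where no single IP ever exceeds the lockout
    threshold: the pattern that per-IP lockout counters never see."""
    by_account = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_account[e["account"]].append(e)
    flagged = {}
    for account, fails in by_account.items():
        for chunk in _windows(fails, window):
            per_ip = Counter(e["ip"] for e in chunk)
            if (len(chunk) >= min_fails and len(per_ip) >= min_ips
                    and max(per_ip.values()) <= per_ip_max):
                flagged[account] = {"failures": len(chunk), "ips": sorted(per_ip)}
                break
    return flagged


def find_ip_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """The classic spray: one source IP failing against many different accounts."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        for chunk in _windows(fails, window):
            accounts = {e["account"] for e in chunk}
            if len(accounts) >= min_accounts:
                flagged[ip] = sorted(accounts)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_SIGNINS)
    print("low-and-slow against accounts:", find_distributed_spray(evs))
    print("one IP against many accounts:", find_ip_spray(evs))
```

On the constructed log, alice is reported by the first detector: six failures from three addresses spread over ninety minutes, never more than two from any one of them, so a five-attempt lockout would not fire. Bob's single typo followed by a success is ignored. The second detector reports 192.0.2.99 for hitting five accounts in twenty seconds. The thresholds are the tunable part; the point is that the aggregation key (account across IPs, IP across accounts) is what exposes the pattern the lockout counter misses.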

We have stuff that we push, obviously. I strongly encourage you to do some type of EDR. The solution that we are currently offering would have prevented the ransomware from infecting machines on all of these current systems. Now, obviously you want to limit the ability of an attacker to even get to your system in the first place, but if somebody manages to get around all your defenses and do all of those kinds of things, you definitely want to have the right tools in place to keep it from happening. There are no guarantees. There's no 100%, but what you can absolutely do is say, look, you may get in there and get ransomware on one machine, but these newer tools are going to block the ability of the ransomware to spread.

Even if it manages to infect one platform. A quick thing about Kaseya: that particular ransomware, the very first thing their script did was disable Windows Defender. If you have Windows Defender, you're that low-hanging fruit of the internet. It was just announced last night, Microsoft does not have a patch out. There is a Windows 10 and 11 vulnerability that allows for elevated privileges, and there is a new attack that's coming out against Windows Defender again, where the malware adds itself to Windows Defender's exclusion list. It tells Windows Defender, you don't see those droids. Don't look over here. It won't disable Windows Defender, but it basically says to Windows Defender, you don't have to worry about it, it's all good.

I am right at my 30 minutes. If there are any last minute questions, please put them in. We won't kill the webinar just yet. If you have anything you'd like to see us discuss in two weeks, feel free to send that in as well. We will be changing up the topics every two weeks, but we will be talking about just general cybersecurity things and hopefully increase awareness and provide you some ideas on some things to look at to help you not be that low hanging fruit of the internet. Thanks for your time. Hopefully you got to have lunch. Look forward to seeing everybody in two weeks, take care. Bye-bye.

About the Ntiva Cybersecurity for the Rest of Us Livestream

Ntiva’s Frank Smith hosts the Cybersecurity for the Rest of Us livestream every other Thursday from 12:00 to 12:30pm ET. These live events, presented by the Ntiva team of cybersecurity experts, are sharply focused, easily digestible, and cover topics surrounding cyber security in today's modern workplace. We take questions from the audience and share what's working for us and others in the industry.