Verizon DBIR & Vestige

Today’s Threat Landscape

Verizon’s Data Breach Investigation Report (DBIR) is releasing today.  Once again Vestige was an official Contributor to the report and we are quite proud to be asked to assist in the data gathering that went into the DBIR.  While confidentiality is key in our business, information sharing that has been cleansed of identifying information is how we can all better ourselves in this environment.  The information gathered and reported allows us to see what happened in the past year and use those trends to help predict what is happening in the upcoming year.  Namely, what we need to watch out for to protect ourselves.

What’s going on in Cyber now

But, hey, wouldn’t it be nice to hear about what is going on right now?  Sure it would!

Unfortunately, Vestige has seen similar attacks to what has been going on over the past few years with some small changes.  In order to fulfill a financial gain, the attackers are relying on either ransomware by means of crypto-viruses or they are engaging in business email compromise (BEC) attacks.

One area we have seen that is troublesome is how crypto-viruses leave no area that is safe.  They will attempt to crawl into every computer, file share and drive that is in your environment.  Now, this next part is important.  About 10 years ago a shift began where companies abandoned backup tapes and moved towards disk backups.  Speed, cost and ease of use fueled that shift.  The problem is that the #1 effective tool to recover from crypto-viruses is to have good backups but now the crypto-viruses are attacking those disk backups that are just hanging as a USB drive off of a workstation or server.  If you are in IT and reading this post, you need to check and see that you either have the security set on those external drives so that only limited administrative accounts can write to them (and no one in your organization uses those types of accounts daily) or you are swapping drives.  If you are in management, you need to have a talk right now with IT about your backups and understand how they may be protected against crypto-viruses.  Otherwise, when someone in your organization opens up the wrong file, you’ll be making your way to one of the more popular Bitcoin trading companies to pay your ransom.

Phishing emails aren’t the only way that crypto-viruses are spreading.  Many organizations do not have adequate firewall preventions or leave ports open for Remote Desktop or other services.  It is only a matter of time before Remote Desktop is exposed and successfully attacked.  Merely changing the listening port for Remote Desktop is not adequate either.  The cost to implement a basic firewall with end-point VPN services is 1/10^th the cost of paying a ransom, and even cheaper when considering downtime.

We have seen an uptick in attacks with a genesis from third parties.  Whether it is a vendor of yours that has access to your network or it is a managed service provider, it makes sense today to ask them what they are doing to protect not just themselves, but also your assets.  Do they have adequate security policies in place and do they conduct IT security audits?

Enough about crypto-viruses, let’s talk about BEC – Business Email Compromises.  You know, the type of situation where out of the goodness of someone’s heart you wire tens of thousands of dollars to a complete stranger?  Yeah, that one.  We have seen situations where the perpetrators of these actions are creating fake, but similarly named, domains and sending emails back and forth with both parties to get the payor to send their money to another account and keep the payee at bay with excuses as to the delays.  But more and more, we are seeing these campaigns start with a phishing email to acquire someone’s credentials and then using the compromised mailbox to send the nefarious instructions.  In this scenario, it can be very difficult to spot the issue because the emails, while penned by the bad guy, are coming from the actual account itself.

Tips to protect yourself

1. Make sure your computers are up to date with patches. While it is justified to conduct more thorough testing of patches to servers before implementing as most servers contain mission critical applications, you can be more aggressive with patches to workstations.

2. How are your perimeter defenses? Spend the extra money for VPN services and avoid exposing your servers to the internet vs keeping them more safe behind a firewall.

3. Is IT talking to management and is management talking to IT? IT should feel empowered to make suggestions but in doing so should provide the business case.  Management should seriously consider the suggestions but also probe IT with questions about what is being done to make sure that your environment is safe.

4. Training of staff should be implemented in some way. Ideally formal Cybersecurity Training followed by planning phishing attempts but at the very least periodic reminders to be cautious of any email attachment or change in instructions.  Encourage picking up the phone with any kind of instruction that relates to payment activities.

5. Are you checking, or even logging, IP addresses that are successfully connecting to mailboxes? Are you scanning mailboxes for rules that automatically forward emails to an outside address?

6. Test yourself. Come into the office on an off day and consider any computer, as well as any USB drive connected to anything, to be encrypted.  Can you restore your data?

I suggest you spend some time reviewing the DBIR report.  Then take to heart some of the suggestions above.  As always, we are a simple call away to discuss any concerns you may have.

by Greg Kelley, BS, EnCE, DFCP,
Chief Technology Officer at Vestige Digital Investigations
For more information CONTACT US.