Arraya Insights | May 23, 2017
I recently googled the term ‘cyber attack’ to learn what people researching the topic would see. As expected, the images that came back all included shady-looking characters wearing hooded sweatshirts while sitting in a dark room typing super-secret hacking stuff. These images brought a couple of thoughts to mind. I initially wondered why it’s always so cold in the room where these guys are “hacking” that they have to bundle up – and how do they type with gloves on? Secondly, why is it so dark? By turning on the lights, they could see so much better. Finally, because it seems like such a cool trick, how do I get lightning bolts to come out of my computer?
The point here is that attacks usually don’t happen the way most people imagine them. Hollywood tends to sensationalize what a cyber attack looks like. Oftentimes, hackers – hooded or otherwise – can be stopped by simply implementing basic security best practices. Listed below are three basic hygiene tasks that could have prevented some of the more high-profile attacks we’ve seen lately.
Multifactor Authentication (MFA) for Remote Access
Passwords alone don’t work, and too many people use “pizza” as the secret answer to reset their passwords. MFA is not a new concept, nor is it difficult to implement, but too many organizations fail to take advantage of it. MFA protects your account by authenticating it with something you know (e.g., a username and password) and something you have (some sort of token). Usually the MFA token is an app on your phone or a physical token that displays a number that changes every 60 seconds. This method is effective because even if someone learns your username and password, they would still need your phone or token as the second form of authentication to gain remote access. Consider the user community within your organization and how likely they are to inadvertently give away their credentials. MFA protects against exactly that (especially if you don’t force your users to regularly change their passwords).
During the 2016 presidential campaign, there was a lot of talk about Hillary Clinton’s emails. That leak came about from attackers who sent a phishing email to John Podesta (the campaign chair), tricking him into thinking he was changing his password. What he really did was give the attackers the username and password to his email account so they could access it remotely. MFA could have protected that account even though he gave away those credentials.
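To make the “something you know plus something you have” idea concrete, here is an added example (not code from the original post) of a login check that requires both a password and a time-based one-time code. It implements RFC 6238 TOTP; the 60-second step, the sample account “alice”, its password and salt are all assumptions chosen to match the text, and the token seed is the RFC’s published test vector.

```python
import hashlib
import hmac
import struct

# The post describes a token whose number changes every 60 seconds; RFC 6238
# defaults to 30, so a 60-second step is an assumption chosen to match the text.
STEP_SECONDS = 60
DIGITS = 6


def totp(key: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing at_time."""
    counter = at_time // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: a hypothetical account, not a real credential.
_SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_key": b"12345678901234567890",  # RFC 6238 test-vector seed
        "last_counter": -1,                   # newest time window already used
    }
}


def verify_login(username: str, password: str, code: str, now: int, drift: int = 1) -> bool:
    """Something you know (password) AND something you have (current token)."""
    user = USERS.get(username)
    if user is None:
        return False
    if not hmac.compare_digest(hash_password(password, _SALT), user["pw_hash"]):
        return False  # stolen or guessed password alone never gets this far
    base = now // STEP_SECONDS
    # Accept one window on either side to tolerate phone/server clock drift.
    for counter in range(base - drift, base + drift + 1):
        if counter <= user["last_counter"]:
            continue  # this window (or an older one) was already consumed: replay
        if hmac.compare_digest(totp(user["totp_key"], counter * STEP_SECONDS), code):
            user["last_counter"] = counter
            return True
    return False
```

The phished-credentials case is the `verify_login` call with the right password and no valid code: it fails, and a code that was already accepted is refused a second time even within its window.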
Installing Security Patches and Updates
The second Tuesday of every month is affectionately referred to by many administrators as “Patch Tuesday.” It gets the nickname because that’s when Microsoft releases its monthly security patches. In many cases, these patches close security gaps that could otherwise be exploited. Other software vendors like Oracle, Adobe, Google and Mozilla also release security patches on a continuous basis. Think about what’s happening when a vendor releases patches to the world. They are essentially saying that if you don’t install these updates, an attacker could break into your system. They announce these patches publicly too, so it’s no secret how to exploit them. Yet, many organizations fail to install and test those patches in a timely fashion.
In January, the popular hosting site WordPress released a new software version that patched critical vulnerabilities. This update prevented attackers from accessing and potentially changing or defacing websites remotely. Many organizations failed to install this update quickly, though, leaving sites across the world exposed. Reportedly, over 100,000 sites were attacked via this vulnerability. For those organizations that had patched their systems, this attack was unsuccessful. Unfortunately, many organizations learned the hard way the importance of quickly installing security patches.
Limiting and Monitoring Administrator Access
The topic of restricting administrator access can be a sensitive one. Many companies give their entire user community administrator access to their PCs, especially laptops. They do this so users have the flexibility to install whatever software they want. In theory, this sounds great because it reduces support time by enabling users to completely manage their machines. The security risk is the same as the benefit though – users can do whatever they want. So if they open a malicious email attachment or click on a malicious website, that malware is now also running as an administrator and can install whatever it needs to. By limiting administrator access, even if a user does open a bad attachment or link, the malware may not be able to install itself or run correctly because the user isn’t an administrator, which limits the damage it can do. You can’t just limit access, though; you also have to monitor and control administrator accounts so that when they are created, notifications go to the right people. This prevents attackers from creating administrator accounts and using them to escalate their privileges across other systems.
I don’t like using the Target hack as an example because it’s old and everyone overuses it, but it does illustrate my point. In Target’s case, attackers created a “domain admin” account that basically gave them remote access to all of the servers on the network. Domain admin accounts are extremely privileged accounts that, when created, should set off alarms to the security team. In this case, when the attackers added a new account to the domain admins list, alerts should have triggered, enabling security analysts to respond and potentially detect the attack. Instead, attackers were able to operate across the entire system without anyone noticing.
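The “alerts should have triggered” step from the Target discussion, as an added example that is not part of the original post: a small detector that reads exported Windows Security events and raises an alert whenever an account is added to Domain Admins or another privileged group. The event IDs and the TargetUserName/MemberName field meanings are the real Windows ones; the JSON-lines export layout, the sample events, the account names and the approved-admin list are all constructed for the example.

```python
import json

# Windows Security event IDs raised when a member is added to a group.
GROUP_ADD_EVENTS = {
    4728: "security-enabled global group",
    4732: "security-enabled local group",
    4756: "security-enabled universal group",
}
# Groups whose membership changes should page the security team immediately.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Accounts allowed to make such changes (assumed list; a real one comes from change control).
APPROVED_ADMINS = {"jsmith"}

# Constructed JSON-lines export of security events. Field names follow the
# Windows event fields (TargetUserName is the group, MemberName the added
# account), but the export layout itself is an assumption.
SAMPLE_LOG = """\
{"EventID": 4624, "TimeCreated": "2017-05-01T08:02:11Z", "SubjectUserName": "jsmith"}
{"EventID": 4728, "TimeCreated": "2017-05-01T08:05:42Z", "SubjectUserName": "jsmith", "MemberName": "CN=bjones,CN=Users,DC=corp,DC=example", "TargetUserName": "Help Desk"}
{"EventID": 4720, "TimeCreated": "2017-05-01T23:14:03Z", "SubjectUserName": "svc_backup", "TargetUserName": "svc_update"}
{"EventID": 4728, "TimeCreated": "2017-05-01T23:14:09Z", "SubjectUserName": "svc_backup", "MemberName": "CN=svc_update,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"}
"""


def member_cn(distinguished_name):
    """Pull the account name out of a DN such as CN=svc_update,CN=Users,..."""
    first = distinguished_name.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def detect_privileged_group_changes(log_text):
    """Return one alert per addition to a privileged group, flagging unapproved actors."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        group = ev.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue
        actor = ev.get("SubjectUserName", "")
        alerts.append({
            "time": ev.get("TimeCreated"),
            "group": group,
            "member": member_cn(ev.get("MemberName", "")),
            "actor": actor,
            "severity": "high" if actor in APPROVED_ADMINS else "critical",
        })
    return alerts
```

In the sample, the late-night creation of svc_update (event 4720) followed seconds later by its addition to Domain Admins by a service account is exactly the pattern the post says should have set off alarms; the help-desk group change by an approved admin is ignored.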
By following these steps, organizations can establish a solid cyber security baseline. For help implementing any of the above ideas, or to take your security defenses to the next level, reach out to Arraya’s Cyber Security Practice. Our team can provide the strategic guidance and technical know-how to keep hackers (of all wardrobes) at bay.