Data Breaches Archives

Why Hackers Aren’t the Biggest Threat to Your Cloud Configuration

October 28, 2022October 28, 2022

Private businesses and government contractors alike are increasingly relying on public cloud services to drive their core business functions – according to Gartner, global cloud spending will increase by over 20% to almost $500 billion. But the speed of cloud adoption often leaves cybersecurity by the wayside, leaving companies open to major risks.

In 2020, cloud represented the third most targeted cyber environment. That trend has continued, with 45% of organizations reporting a cloud-based data breach within the last 12 months according to Thales Group. But cloud infrastructure is increasingly secure, and vanishingly few cloud security incidents can be laid at the feet of cloud service providers (CSPs) – so why do these breaches occur?

In this article, we will answer that question, explaining the risk factors for cloud breaches, and how organizations can prevent them with better risk assessment, cyber training and security planning.

The Rise of Cloud Security Incidents

The number of companies experiencing cloud-based data breaches is climbing – the 45% of businesses who reported a cloud-based breach in the past 12 months is up 5% from 2021. But while cloud breaches can take many forms, they also share many commonalities.

In 2019, Facebook (now Meta) was involved in a data breach that affected hundreds of millions of users – while the issue was quickly resolved, it was a PR disaster for one of the largest social platforms on Earth. Two years later – in 2021 – software company Cognyte had more than 5 billion sensitive records exposed on the Internet, including names, passwords and email addresses.

The same year Cognyte was attacked, professional services company Accenture was targeted in a cyberattack by the LockBit group – over 6 TB of data was stolen, with ransomware actors demanding a $50 million payment. Because the company did not pay in time, it lost proprietary information.

What do all these incident share in common? They are all cloud breaches that occurred within the past year, and all of them were caused by misconfigurations: Cognyte left a database unsecured – meanwhile, both Facebook and Accenture left an AWS bucket open to the public. These are all typical examples of the way cloud incidents occur today.

Understanding the Shared Responsibility Model

When an organization stores data and applications on the cloud, it is leasing computing power, storage and networking infrastructure from a CSP, and working within a virtualized environment. While the CSP is generally responsible for the security of its infrastructure, the customer is generally responsible for the security of their assets residing in their virtual environment – this is called the “shared responsibility” model.

Today, most CSPs are heavily protected with multiple, redundant layers of security, including encryption at rest and in transit, firewalls, DDoS protection and more. Accordingly – while breaches on the infrastructure side do happen – they are rare. According to IBM, two-thirds of cloud breaches are caused by exposed Application Programming Interfaces (APIs), and – by 2025 – Gartner predicts that 99% of cloud breaches will be the customer’s fault.

For this reason, organizations can mostly trust the security of CSPs: what they need to be wary of is security vulnerabilities in their virtual environment, arising from user error and poor design.

Cloud Breaches: Top Five Causes

There is more than one way that an organization can leave their cloud platform compromised or exposed. Here are five of the most common:

1. Misconfigured APIs

APIs are provided by CSPs for the purpose of automation and easy access. Unfortunately, organizations often leave their APIs unprotected or poorly protected by mistake, allowing them to be freely accessed by malicious actors.

2. Poorly Protected Credentials

Unless an organization is using multi-factor authentication (MFA), nothing can stop a malicious actor from gaining access to a cloud environment if they have the right credentials. Data leaks, phishing attacks and exposed devices can compromise the credentials of privileged users, allowing attackers full access to administrative features.

3. Multi-Cloud Complexity

With the growth of multi-cloud environments that combine multiple cloud platforms together in one solution, organizations are facing increased complexity that can make it hard to stay secure. According to Check Point, 57% of organizations struggle to secure data in multi-cloud environments due to inconsistency between different vendors.

4. Vulnerable Third-Party Services

An organization that secures its cloud configuration perfectly can still be compromised if it is hosting vulnerable third-party services within its cloud environment. Like many other IT environments, cloud suffers from a software supply chain problem: organizations don’t know what dependencies exist in their products, or how they might be vulnerable.

5. Bad Virtual Machine Images

Infrastructure-as-a-Service (IaaS) companies typically provide their customers with the option of creating custom virtual machine images (VMI) to interface with their cloud environment, or use a default. Unfortunately, many default VMIs available from cloud providers come with unpatched vulnerabilities, malware or insecure firewall settings.

Impact of Poor Cloud Security

Given how much organizations depend on cloud-based services to run their business, a successful cyberattack on cloud environments can have wide-reaching impacts. These include:

- Data Exfiltration – malicious actors can steal sensitive data including user credentials, personally identifiable information (PII) about employees or customers, intellectual property and more. Data exfiltration is also a major blow to brand equity and public trust.
- System Takeover – when attackers infiltrate a cloud environment through compromised credentials, they can do more than steal – they can delete data and applications, change settings, and deface Web surfaces. Ultimately, an arbitrary degree of control is possible.
- Lateral movement – once in the cloud, attackers can potentially transition to your organization’s internal network and IT systems, giving them access to local files and devices.
- Ransomware – cloud is one of many channels ransomware actors can use to encrypt data, lock users out of a system and demand ransom payment. While ordinary ransomware attacks are bad enough, ransomware attacks that spread through the cloud have the potential to be more far reaching.

Protecting Your Cloud Environment

While cloud surfaces have become a popular target for hackers, hackers themselves are not the biggest risk to your cloud environment – the biggest risk is failing to properly secure it in easily avoidable ways. Here are a few steps to prevent that from happening:

1. Invest in Cyber Training – cyber training can help employees to set better passwords, avoid phishing scams, and understand the importance of safety in a cloud environment.

2. Choose FedRAMP Certified CSPs – CSPs authorized under the Federal Risk and Authorization Management Program (FedRAMP) are required to follow NIST 800-53 security controls to protect their customers. They are more also more likely than other CSPs to provide security features that make security breaches less likely from the customer side, such as multi-factor authentication (MFA) and warnings in the event of an exposed API.

3. Get a Risk Assessment – a comprehensive risk assessment will reveal potential vulnerabilities throughout your organization’s IT systems and may reveal organizational problems that make cloud misconfigurations more likely.

4. Implement a System Security Plan – under NIST SP 800-171, all government contractors are required to have a System Security Plan (SSP) for all systems that may handle CUI during the course of a contract – this includes cloud surfaces. Implementing an SSP will help your organization to recognize security gaps, and develop procedures around cloud development to reduce the likelihood of dangerous mistakes.

Cyber Expertise You Can Trust

Securicon helps your business to comply with Federal and regulatory requirements through program and risk assessments. With a team comprised of veterans from the U.S security community – including DoD, DHS, and the U.S Cyber Commands – we are equipped to provide organizations with gap analysis, compliance consulting, assessment support, and audit preparation. To learn more, contact us today.

In 2021, Remote Employment is Driving Cybersecurity Trends

February 19, 2021March 31, 2021

Every year, Dan Lohrmann from the Government Technology blog chooses a pithy title for the previous year in cybersecurity. For 2020, he chose ‘The Year the COVID-19 Crisis Brought a Cyber Pandemic,’ and for a summary of the past 12 months, we can’t improve on that. It is no exaggeration to say that last year was a grueling time for cyber professionals, and we expect to be dealing with the consequences into 2021 and beyond.

COVID’s Impact on Cybersecurity

In past blog posts, we have emphasized the “opportunistic” nature of malicious cyber actors who are always looking for chaos to exploit in pursuit of their goals. In many ways, 2020 is a perfect example of this mentality, ushering in an unprecedented rise of cybersecurity incidents that even the most cynical researchers could not anticipate.

Here are just a few cybersecurity statistics from last year:

An 800% increase in cybercrimes reported to the FBI
A 238% increase in cyberattacks on banking institutions
36 billion records exposed through data breaches

In a single day, COVID-related cyberattacks grew from a few hundred cases per day to over 5,000 in March 2020 alone. But what made a biological virus such an easy disaster to exploit for digital terrorists? There are many answers, but the most important one is this: following COVID-related lockdowns, the global workforce has gone mobile, and there seems to be no going back.

According to one study, 1 in 4 Americans are expected to work remotely through 2021, and this trend will be mirrored in the federal space: after reports found no negative impact on productivity from remote employment, federal agencies are planning to expand opportunities for telework. While this may be beneficial to the workforce, there are ramifications that affect cybersecurity trends in 2021. In this article, we will outline a few of the most significant.

1. Remote Endpoint Vulnerabilities

In a recent blog post, we wrote that:

When targeting an organization, attackers seek any endpoint that may be attached to it. Those endpoints have expanded to include devices, systems and equipment across a large geographic region. Notoriously vulnerable IoT and mobile devices in employee homes provide the perfect bridge to their work computer and enforcing security measures is tough.

This problem will remain a top priority for cybersecurity professionals in 2021, and now we can be even more specific: in some cases, even technologies dedicated to protecting remote devices can be targeted in highly successful attacks.

The Trouble with VPNs

More than 400 million businesses depend on virtual private networks (VPNs) to provide an encrypted connection between remote devices and secure networks. However – as the NSA warned this past Summer – popular VPN protocols suffer from major vulnerabilities. During July, actors using stolen VPN credentials managed to take over the Twitter accounts of high-profile figures including Bill Gates, Elon Musk and many others.

In response to these security problems, some businesses are switching to Zero Trust Network Access (ZTNA) schemes which not only protect against VPN-directed attacks, but also attacks on remote desktop (RDP), email clients and other forms of endpoint communications. Nevertheless, there’s a long way to go before these legacy technologies are phased out, and organizations have their work cut out for them along the way.

Increased Risk From Mobile Devices

Smartphones, tablets and other mobile devices are likely the most common examples of remote endpoints; consequently, they are also highly popular targets for attackers. Last year, we witnessed a rise in spyware targeting encrypted messaging apps, major security flaws in popular Android apps and more.

In response to these highly publicized vulnerabilities, Google has promised to double down on security – fortunately, businesses aren’t waiting for them to follow through. According to Forbes, mobile device security will be the fastest-growing category of cybersecurity between now and 2025, showing that organizations finally recognize the risks inherent to mobile devices.

2. More Phishing Attacks

Phishing has long been one of the most popular methods for targeting an organization, and the incidence of phishing attacks has only increased with the rise of remote employment. According to one report, companies experienced an average of 1,185 phishing attempts per month throughout 2020. At the same time, “spear phishing” – a highly targeted form of the phishing attack – became more prevalent with the help of automation and remains a significant risk to businesses in the public and private sector.

There are promising trends on the horizon which may diminish the impact of phishing attacks. For instance, Gartner predicts that Passwordless Authentication will be among the most influential technologies for cybersecurity over the next three years; without passwords to steal, the effectiveness of phishing attacks will decrease.

In the end, investment in cybersecurity training remains by far the most effective way to protect an organization from phishing attacks and other forms of social engineering. It is no wonder, then, that businesses are spending more on cybersecurity training than ever before, and we hope this trend continues.

3. Advanced Insider Threats

In the ever-shifting cybersecurity landscape, insider threats are one of the few never-changing constants. Whether they are involved in deliberate sabotage or innocent user error, insiders are directly or indirectly responsible for the majority of security breaches and cyber incidents occurring in the organizations they work for.

Unfortunately, the risk of insider threats has only increased as a consequence of remote employment: outside of tightly controlled facilities, it is much harder to monitor employee activity and protected assets. Accordingly, Forrester warned that “perfect conditions” for insider threats were created by COVID lockdowns.

Insider Threats as a Service

To exacerbate the issue even further, researchers warn that an increasing number of insider threats are contracted from outside: so-called “Insider-Threats-as-a-Service” may hire themselves out as corporate spies, advertising their services as a “trusted insider” on the Dark Web, or they may be planted through organized recruitment campaigns.

To protect against advanced insider threats, businesses must remain vigilant in screening candidates. Government contractors are already required to maintain an insider threat program (ITP) as defined by NIST SP 800-171, and commercial organizations may wish to follow their example.

4. Increased Dependence on Cloud

Over the past year, cloud adoption has accelerated as more businesses depend on Software-as-a-Service (SaaS) models and cloud storage to link their connected workforce while maintaining productivity levels. But while cloud technologies are more secure than they’ve ever been, cyber actors are also more talented than they have ever been, and the risk of cloud adoption is obviously not zero.

As a result, businesses are also spending more on Cloud Workload Protection Platforms (CWPPs) and Cloud Security Posture Management (CSPM), which Gartner has also named in its list of influential cybersecurity technologies. In 2021, organizations should familiarize themselves with cloud risks and best practices, alongside important regulations that affect cloud services like FedRAMP and HIPAA.

Conclusion

Thanks to the trends listed above, there is every reason to believe that 2021 will be a challenging year for cybersecurity and compliance. For businesses who want to avoid cyber incidents, data breaches and expensive fines, here are three major takeaways:

Increase security for remote endpoints – in a past blog post, we shared how organizations can improve the security of remote endpoints and prevent attacks through a mobile workforce.
Provide better cybersecurity training – insiders can endanger an organization, but they can also protect it. In 2021, make cybersecurity a collaborative effort by training your workforce to recognize social engineering attacks and protect your most sensitive assets.
Partner with experts – remaining secure in the face of a constantly-developing threat landscape is a difficult task without outside assistance. In 2021, partner with cyber experts who can test your organization for vulnerabilities, assess compliance and assemble a cybersecurity plan tailored to your individual needs.

Securicon provides information security solutions to public and private sector organizations. Our expert cybersecurity teams help our clients manage and secure their Information Technology (IT) and Operational Technology (OT) environments by providing vulnerability and penetration testing/assessments; governance, risk and compliance services (GRC) and security architecture review and design services. To learn more, visit our contact page.

Hackers Can Gain Active Directory Privileges Through Vulnerability in Xerox Printers

February 18, 2020February 24, 2020

data breach, vulnerability testing, hackers

Organizations beware: last week, Xerox released a security advisory for several models of the WorkCentre Multifunction and Color Multifunction printers. Thanks to a Lightweight Directory Access Protocol (LDAP) vulnerability, hackers can launch a pass-back attack against printers with weak or default credentials. This exposes the login information of Active Directory users – including those with administrative privileges – and can be used to gain further control over an organization’s network.

Deral Heiland and Michael Belton’s research on multi-function printers and the “Pass-Back Attack” first appeared in a document published on foofus.net. Steven Campbell, a Senior Security Consultant at Securicon, frequently finds network devices using default credentials that are vulnerable to the pass-back attack vector during client assessments and uses this attack vector to discover credentials to Active Directory service accounts.

Unfortunately, the newly reported vulnerability in Xerox WorkCentre MFP’s is just one in a series of similar weaknesses impacting today’s off-the-shelf IoT devices. In this article, we’ll explain how it can be used to gain administrative access over Active Directory domains, and what you should do to protect yourself.

How it Works: Xerox Pass-Back Attack

First – after accessing an organization’s network – a malicious or unauthorized user can gain access to the Web interface for affected Xerox printers using well-known, default login credentials. Even if the username and passwords have been changed, they may be brute-forced if they are weak and easily guessable.

*Figure 1: Admin interface accessed using default credentials*

Next, the actor finds an LDAP connection configured on the device and changes the Server IP address or hostname to their own IP address as shown in the next figure. Since the Xerox firmware does not require a user to re-enter or validate the LDAP credentials before changing its server address, there is nothing standing in the attacker’s way.

Next, the attacker uses a utility like netcat to listen for incoming connections and display the output in plaintext. Using the LDAP server search field, they can search for any name and connect to the corresponding account.

On the actor’s system, the netcat utility receives the connection and displays credentials used by the printer to reach the Active Directory Domain Controller, including domain, username and password.

*Figure 4: Capturing Plaintext Credentials*

In the best-case scenario, the attacker will discover an ordinary Active Directory user account that does not belong to any privileged security groups. The attacker can still use the unauthenticated user to gain a foothold in the domain, which constitutes a moderate vulnerability.

However, our own tests on client networks demonstrate that the worst-case scenario is more likely. We frequently find that the printer service account belongs to a privileged group such as “Domain Admins,” and grants the attacker full control over the Active Directory Domain. This is a severe vulnerability which requires immediate remediation.

Are You Protected?

The table below lists Xerox printers susceptible to the attack outlined above, and the corresponding firmware patch. Devices on a lower software version are still vulnerable and should be patched using the updates provided by Xerox.

Aside from installing the latest firmware update, we recommend that organizations implement two security controls across all their networked devices to prevent similar attacks in the future:

Always update default manufacturer credentials with strong passwords and use two-factor authentication (2FA) whenever possible. Recently, Barracuda network devices were impacted by an LDAP vulnerability similar to the one described in this article; all users were impacted except for those enrolled in 2FA.
System administrators should avoid adding printer service accounts to privileged Active Directory groups, and – in general – they should keep the number of administrative users to an absolute minimum.

Although it should be incumbent on vendors and device manufacturers to validate users before allowing them to change crucial device settings (like LDAP IP address), the truth is that today’s vendors cannot be trusted to enforce rigorous security controls. Organizations must take the initiative to strategically protect their networks.

Bridging the IoT Security Gap

In the past, we have talked about the IoT security gap and lax controls from hardware manufacturers. Sadly, the vulnerability covered in this article is a case-in-point: today, networked devices are being pushed to market faster than they can be secured, and security is rarely a priority in development. This leaves many organizations with blind spots in their security position as a host of seemingly benign devices (like printers) provide a wide attack surface for malicious actors.

IoT and networked devices are the future – but meeting the technological needs of your business and protecting your investment are not mutually exclusive goals. As the average cost for a data breach climbs to historical highs, organizations cannot afford to be caught off guard by easily prevented security vulnerabilities. This year insure your organization against future threats by taking inventory of your IT assets and assessing them for risk.

Securicon’s risk management solutions are based on the industry standards for safety and professionalism. With years of experience in IT and critical infrastructure, we are here to protect your organization and ensure the highest quality of compliance. Contact us for more information on our risk assessment framework

How to Survive a Data Breach: 14 Disaster Response Tips

November 6, 2019November 6, 2019

cyber warfare, How to protect against data breaches

Twenty years ago, data breaches were uncommon, and when they happened, they tended to be small. But thanks to digital infrastructure, a worldwide community of skilled attackers with powerful tools and a black market for personally identifiable information (PII), login credentials and financial accounts, large-scale data breaches are now a significant threat to organizations large and small.

In 2018, more than 6,500 data breaches resulted in billions of compromised consumer records. This year, 28% of organi z ations polled by the National Cyber Security Alliance reported a breach within the past 12 months. There’s a price to pay for negligence: the average cost of every stolen record is $242, and – according to one study – 60% of small businesses are forced to close their doors within 6 months of a cyber-attack.

Today’s businesses bear a great responsibility to their customers and shareholders. Protecting data can mean the difference between staying open and facing bankruptcy: strict security compliance is therefore required to combat the growing number of attackers both domestic and abroad.

But no matter how prepared an organization is for the worst, data breaches can still occur, and when that happens, rapid response is required to mitigate damages. In this article, we’ll share 12 tips for surviving in the aftermath.

What to Do Immediately After a Breach

In the hours after a data breach is discovered, an organization’s actions can potentially save millions of dollars. Staying focused and following strategy is paramount to survival and damage reduction.

1. Isolate the breach – locate the systems affected by a breach and – if possible – physically isolate them from both the Internet, and the rest of an organization’s network infrastructure. However far the attacker has already penetrated, this will prevent them from going any further.

2. Locate threat source – study the location of a breach and determine the origin of an attack. If you aren’t already using traffic monitoring tools, start packet capture to monitor inbound and outbound traffic. Tools such as Wireshark, Snort or Bro will assist in determining type of data being exfiltrated, ports/protocols being utilized, and source and destination of files.

3. Remove threat source – when the malicious actor has been discovered, block further access through blacklisting. Analyze logs to find the attacker’s entry point, and reset any credentials used along the way.

4. Record and document – while working to eliminate the threat source, record and document any discoveries. Ensure that logs from the time of attack are preserved. Note system configurations, the type and extent of data accessed, entry point, and path of propagation for later analysis

5. Harm reduction – if login credentials were accessed by the attacker, immediately reset them and send a notification to users. Even encrypted information can be cracked, sold, and used to access user accounts.

Dealing with The Public

In the past, organizations often hid data breaches for a long period of time before informing the public, if they ever did at all. Today, emerging legislation requires publishers to disclose a breach soon after it occurs – 72 hours under GDPR. Handling it well is important for maintaining trust.

6. Seek legal counsel – before taking any other actions, prepare for the possibility of litigation under consumer privacy laws. Calculate the probability of a lawsuit, likely expenses, and decide on a course of action should defense be necessary (settlement, or fight?)

7. Inform everyone affected – if a crime has occurred – especially by insider threat – begin by informing law enforcement. Afterwards, inform any victims of data theft directly, then move to tell stakeholders, relevant government entities, and finally the public. Be transparent about the breach itself, and the steps taken in response.

8. Prepare for questions – in collaboration with your legal, PR, business and IT departments, prepare honest and informed answers to probing questions. Doing this ahead of time allows an organization to maintain their reputation by staying in control of the narrative and helps them to avoid sharing confidential details.

Analyze the Incident

After a breach occurs, an organization will likely spend several months analyzing the incident to avoid a similar one in the future. Areas to analyze include Severity, Vector, root cause, and financial impact.

9. Determine severity of breach – what was stolen, what was its value, and what systems were compromised in the course of the attack? Answer these questions as thoroughly as possible to find areas of priority.

10. Determine attack vector – determine the exact parameters of the intrusion, including any vulnerabilities exploited. Interview staff members to determine whether social engineering was used to gain access credentials.

11. Conduct a security audit – beyond the nitty-gritty of an attack, audit your organization’s security strategy, infrastructure and staff training to find areas of weakness that may have contributed to the breach.

Prevent Future Attacks

In some cases, a data breach can be a blessing in disguise. It provides organizations with the impetus to modernize infrastructure and allocate resources to security. Armed with new information and better safeguards, organizations can avoid more serious incidents down the road.

12. Calculate expenses – determine the cost of infrastructure that needs replaced and include it in future budgets. Expenses may include networking equipment, storage and security systems, software licenses and building plans.

13. Improve infrastructure – aging infrastructure is inherently vulnerable, and a data breach can prove that. Based on information gathered in the aftermath of a breach, update anything that may have contributed to the breach, prioritizing critical systems first.

14. Train personnel – ensure security administrators are prepared for rapid response in the event of another data breach; train personnel throughout the organization for cyber hygiene practices, especially if attackers gained entry through social engineering, phishing attacks, or malware originating through email and web.

Building an Incident Response Plan

Work to reduce the impact of a data breach through rapid and effective response. The best form of harm reduction is harm prevention, and that can be achieved through a proactive enterprise security strategy that includes a protocol for incident response.

Before a cyberattack hits, invest in thorough risk, management, and compliance solutions to prepare your company for the worst. With the help of vulnerability and penetration tests, cyber hunt and asset management, your organization can stay one step ahead of attackers and prevent the worst from ever happening.

Securicon’s risk management solutions are based on industry standards for safety and professionalism. With years of experience in cyber security, we are here to protect your organization from data breaches. Contact us for more information.