John Anthony Smith: Many Companies And Government Agencies Are Shockingly Exposed To Malicious Internet Attacks

Sunday, May 16, 2021
John Anthony Smith

(John Anthony Smith, president of the highly successful Conversant Group on the Southside, talks about Internet security after an attack by a Russian criminal gang on a U.S. pipeline company that caused many gas stations to run dry for several days).

Most breaches, exploitation events, security incidents, ransomware events, and other malicious activities have very common causes. Mostly, the causes are well communicated and known by the information technology community; however, for a variety of reasons, the solutions never get implemented. Instead, many organizations are exposed. Shockingly, we often find organizations vastly exposed, and leadership is often blind or willingly ignorant to the risks being accepted by the organization. I would say bluntly, “Most organizations are standing in an open field naked, completely exposed.”

Though I didn’t watch it, there was once a show on television called “Naked and Afraid.” The premise of the show was to take complete strangers and place them in a remote, desolate location without food, water, or clothing. In many ways, these circumstances are similar to most organizations’, and frankly most people’s, security situation. The key difference is that it doesn’t take many resources for an individual to properly protect his or her personal accounts, and organizations often have the resources to invest in better security; however, most organizations simply do not. They deprive themselves of necessary safety by starving their technology teams of resources, leadership, and focus. Also, technology professionals often face perilous political pressure from above when trying to get security done well. Thus, most organizations are naked, but frankly, are not afraid enough!

Two of the most common causes are the lack of a strong password policy and the lack of two-factor/multi-factor authentication (2FA/MFA). You may ask, “What is MFA exactly?” It means that to log into a system your identity must be verified by something you know AND something you have. Ten-plus years ago, the something you have was commonly a physical token. Today, the something you have is your phone or your computer. The point is that it requires something more than simply knowing your username and password to get into a sensitive system. Sometimes, the something you have may still be a token, a certificate, a YubiKey, etc.

Most organizations, and most users of personal systems such as banking, investing, and e-mail web sites, do not use a proper password policy. Your Gmail, Hotmail, Comcast, banking, and investment passwords should be 12 characters or greater in length. Further, those same sites should have multi-factor authentication enabled. Gmail calls it 2-step authentication. Hotmail and other systems may utilize Microsoft Authenticator, Google Authenticator, or text messages as the second factor. I know that deeply in-tune security engineers and consultants will say that the SMS (text messaging) network is also not secure, but that is a discussion for another time. For now, you should enable MFA on all your personal accounts!

For organizations, the old standard was to change passwords every 90-120 days, with a minimum length of 8 characters and complexity requirements. You must know that length is more critical than complexity! If your passwords are allowed to be less than 12 characters in length, they are far more easily cracked. The modern and best approach is to move toward security pass-phrases: short sentences you can remember. Move toward longer passwords. We prefer 15 characters or more, but 12 is adequate.
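The claim that length matters more than complexity can be checked directly. The following is an added example (not from the column) that scores a password by the size of the alphabet it actually uses raised to its length, i.e. the worst-case number of guesses an attacker who knows the policy has to try, and compares the old 8-character complexity rule against the 12/15-character length rule the column recommends. The sample passwords are constructed for illustration.

```python
import math
import string

# Added example, not from the column: why a 12-character lowercase passphrase
# out-scores an 8-character "complex" password under exhaustive guessing.

MIN_LENGTH = 12        # the column's minimum
PREFERRED_LENGTH = 15  # the column's preferred length
OLD_MIN_LENGTH = 8     # the legacy "8 characters plus complexity" rule

PUNCT = set(string.punctuation) | {" "}   # 32 symbols + space = 33


def alphabet_size(password: str) -> int:
    """Size of the character pool the password actually draws from.
    This is what a policy-aware attacker would enumerate."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in PUNCT for c in password):
        size += len(PUNCT)
    return size


def search_space(password: str) -> int:
    """Worst-case guesses to exhaust every string of this pool and length."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Same quantity expressed in bits (log2 of the search space)."""
    return math.log2(search_space(password))


def meets_old_policy(password: str) -> bool:
    """Legacy rule: at least 8 characters and at least 3 of the 4 classes."""
    classes = sum([
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in PUNCT for c in password),
    ])
    return len(password) >= OLD_MIN_LENGTH and classes >= 3


def meets_length_policy(password: str) -> bool:
    """The column's rule: 12 characters minimum, no complexity requirement."""
    return len(password) >= MIN_LENGTH


def is_preferred_length(password: str) -> bool:
    return len(password) >= PREFERRED_LENGTH


def space_ratio(old: str, new: str) -> float:
    """How many times larger the search space of `new` is than that of `old`."""
    return search_space(new) / search_space(old)


if __name__ == "__main__":
    # Constructed samples: an 8-character "complex" password versus
    # a 12-character all-lowercase passphrase and a 15+ character sentence.
    for pw in ["Tr0ub4d!", "nakedinfield", "open field naked, afraid"]:
        print(f"{pw!r:28} len={len(pw):2} pool={alphabet_size(pw):3} "
              f"bits={entropy_bits(pw):5.1f} old={meets_old_policy(pw)} "
              f"new={meets_length_policy(pw)}")
    print("12 lowercase vs 8 complex, search-space ratio:",
          round(space_ratio("Tr0ub4d!", "nakedinfield"), 1))
```

The 8-character password passes the legacy complexity rule yet has a search space of 95^8 (about 52.6 bits), while the 12-character all-lowercase passphrase fails the legacy rule and still has 26^12 (about 56.4 bits), roughly 14 times more guesses. The numbers assume the attacker must brute-force; dictionary words and reused passwords from earlier breaches (which the column also warns about) are found far faster than this model suggests, which is why MFA is still needed on top of a strong password.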

On assessment, we almost always find externally exposed systems with weak passwords and no MFA.

If you don’t have strong passwords and MFA ubiquitously applied throughout your organization and on your personal accounts, you are in an open field naked. You are exposed, and you should be afraid. Ubiquitously means that you have MFA and long passwords on everything exposed to the Internet. In a company, systems like Outlook Web Access, Office 365, ADP, Paylocity, all admin consoles used by your IT staff, and all Internet-exposed line-of-business applications must have long passwords and MFA.

ADP Workforce Now, as an example, doesn’t support MFA, and in my opinion, you should convert to something that does. If you use any externally exposed apps that do not support MFA, you really have one of three choices:

  1. Accept the risk.

  2. Buy a different product and convert.

  3. Remove access to the application from the Internet.

As a matter of fact, Conversant has consistently seen organizations exposed by the lack of a strong password policy and MFA. I have heard many times: “Why would we put MFA on our email system? There’s nothing sensitive in my email.” My immediate response to this rebuttal is: “Have you ever emailed your bank? Have you ever emailed your accountant? Have you ever emailed your lawyer? Have you ever wired funds?” If you don’t believe me, you will regret not taking this action later, as many other organizations before you have.

If a hacker in China, Russia, Iran, or insert nation state here, obtains your username and password to a sensitive system, by whatever means, you want to stop him or her by forcing an MFA challenge. Because most people don’t practice good password and security hygiene and there are frequent breaches of public systems, passwords are easily obtained by threat actors. Often, passwords are even readily available on the Dark Web.

I implore you. Please apply MFA on all of your externally exposed systems, and please advance your password policies (longer passwords). Further, please do not use your corporate password on any other systems. Your corporate password should be sacred.

If you don’t follow this simple guidance, be afraid. Be very afraid.

Your organization is standing naked in an open field.

Meanwhile, the Conti ransomware gang has hit Ireland’s Health Service Executive, and the HSE has stated that their systems were shut down out of caution on Friday. In light of widespread disruptions to the nation’s healthcare system, the Conti ransomware gang is demanding $20 million in ransom. The gang is believed to be operating from Russia. The Prime Minister of Ireland has publicly stated that the ransom will not be paid.

This group is known to use phishing to obtain credentials by which they can load malicious code to obtain permanent, unfettered access to users’ endpoints. Once this access has been accomplished, they move laterally through the attacked environment using harvested “God-like” credentials. Within the targeted organization’s servers, the group is known to harvest and exfiltrate (send out of the network to the gang’s controlled servers) sensitive data and then leverage that data for exploitation and manipulation to provoke ransomware payment. In this attack on the HSE, they have offered proof of the data that has been exfiltrated.

If the HSE doesn’t have a means of recovery and refuses to pay the ransom (as publicly stated), the effects of this attack group could continue to have far-reaching ill effects on patient care throughout Ireland. Further, the group, as is general operating procedure for these types of attacks, will likely publicly expose all the records that have been harvested (assuming the ransom isn’t paid).

This attack should serve as a wake-up call to all who manage, secure, provide, administer, and deliver critical infrastructure, data, and services. Threat actors are relentless, and they do not care whose lives they harm in their wake.

* * *

John Anthony Smith can be reached at:

423-305-7890
John.Smith@conversantgroup.com
1513 Cowart Street, Chattanooga, TN 37408
