John Anthony Smith
(John Anthony Smith, president of the highly successful Conversant Group on the Southside, talks about Internet security after an attack by a Russian criminal gang on a U.S. pipeline company that caused many gas stations to run dry for several days).
Most breaches, exploitation events, security incidents, ransomware events, and other malicious activities have very common causes. Mostly, the causes are well communicated and known by the information technology community; however, for a variety of reasons, the solutions never get implemented. Instead, many organizations remain exposed. Shockingly, we often find organizations vastly exposed, and leadership is often blind or willfully ignorant to the risks being accepted by the organization. I would say bluntly, “Most organizations are standing in an open field naked, completely exposed.”
Though I didn’t watch it, there was once a show on television called “Naked and Afraid.” The premise of the show was to take complete strangers and place them in a remote, desolate location without food, water, and clothing. In many ways, these circumstances are similar to the security situation of most organizations, and frankly of most people. The key difference is that it doesn’t take many resources for an individual to properly protect his or her personal accounts, and organizations often have the resources to invest more in security; however, most organizations simply do not. They deprive their organizations of necessary safety by starving their technology teams of necessary resources, leadership, and focus. Also, technology professionals often face perilous political pressure from above when trying to get security done well. Thus, most organizations are naked, but frankly, are not afraid enough!
Two of the most common causes are the lack of strong password policy and two factor/multi-factor authentication (2FA/MFA). You may ask, “What is MFA exactly?” It means that to log into a system your identity must be verified by something you know AND something you have. Ten plus years ago, the something you have was commonly a physical token. Today, the something you have is your phone or your computer. The point is that it requires something more than simply knowing your username and password to get into a sensitive system. Sometimes, the something you have may still be a token, a certificate, a Yubikey, etc.
Most organizations and users of personal systems such as banking, investing, and e-mail web sites do not use a proper password policy. Your Gmail, Hotmail, Comcast, banking, and investment passwords should be 12 characters or greater in length. Further, those same sites should have multi-factor authentication enabled. Gmail calls it 2-step verification. Hotmail and other systems may utilize Microsoft Authenticator, Google Authenticator, or text messages as the second factor. I know that deeply in-tune security engineers and consultants are going to say that the SMS (text messaging) network is also not secure, but that is a discussion for another time. For now, you should enable MFA on all your personal accounts!
For organizations, the old standard was to change passwords every 90-120 days using a length of 8 characters and requiring complexity. You must know that length is more critical than complexity! If your passwords are allowed to be less than 12 characters in length, they are far more easily cracked. The modern and best approach is to move toward passphrases: short sentences you can remember. Move toward longer passwords. We prefer 15 characters plus, but 12 characters are adequate.
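To make the “length over complexity” point concrete, here is an added illustration (not code from the column or from Conversant Group) that scores a password by the brute-force keyspace implied by its length and character classes, and checks it against the column’s thresholds of 12 characters minimum and 15 preferred. The class sizes and the treatment of a space as punctuation are this example’s own modeling assumptions.

```python
import math
import string

# Thresholds as stated in the column: 12 characters minimum, 15 preferred.
MIN_LENGTH = 12
PREFERRED_LENGTH = 15


def keyspace_bits(password: str) -> float:
    """Estimate brute-force keyspace in bits from length and character classes.

    Assumption of this model: the attacker knows which classes appear, so the
    keyspace is (sum of class sizes) ** length. Space is counted with punctuation.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation or c == " " for c in password):
        alphabet += len(string.punctuation) + 1  # 32 symbols plus space = 33
    if alphabet == 0:  # empty or all-unclassified input
        return 0.0
    return len(password) * math.log2(alphabet)


def check_policy(password: str, reused_corporate: bool = False) -> list:
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    n = len(password)
    if n < MIN_LENGTH:
        findings.append(f"too short: {n} < {MIN_LENGTH}")
    elif n < PREFERRED_LENGTH:
        findings.append(f"acceptable but below preferred {PREFERRED_LENGTH}")
    if reused_corporate:
        findings.append("corporate password reused on another system")
    return findings


if __name__ == "__main__":
    # Constructed samples: a short "complex" password versus a longer lowercase passphrase.
    for pw in ("Tr0ub4d0r!", "correct horse battery"):
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, findings={check_policy(pw)}")
```

Running it shows the 10-character mixed-class password sitting near 66 bits while the 21-character lowercase passphrase exceeds 120 bits, despite using fewer character classes.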
On assessment, we almost always find externally exposed systems with weak passwords and no MFA.
If you don’t have strong passwords and MFA ubiquitously applied throughout your organization and on your personal accounts: you are in an open field naked. You are exposed, and you should be afraid. Ubiquitously means that you have MFA and long passwords on everything exposed to the Internet. In a company, systems like Outlook Web Access, Office 365, ADP, Paylocity, all admin consoles used by your IT staff, and all externally Internet exposed line of business applications must have long passwords and MFA.
ADP Workforce Now, as an example, doesn’t support MFA, and in my opinion, you should convert to something that does. If you use any externally exposed apps that do not support MFA, you really have one of three choices:
- Accept the risk.
- Buy a different product and convert.
- Remove access to the application from the Internet.
As a matter of fact, Conversant has consistently seen organizations exposed by the lack of a strong password policy and MFA. Actually, I have heard many times: “Why would we put MFA on our email system? There’s nothing sensitive in my email.” My immediate response to this rebuttal, as an example, is: “Have you ever emailed your bank? Have you ever emailed your accountant? Have you ever emailed your lawyer? Have you ever wired funds?” If you don’t believe me, you will regret not taking this action later, as many other organizations before you have.
If a hacker in China, Russia, Iran, or any other nation state obtains your username and password to a sensitive system, by whatever means, you want to stop him or her by forcing an MFA challenge. Because most people don’t practice good password and security hygiene and there are frequent breaches of public systems, passwords are easily obtained by threat actors. Often, passwords are even readily available on the Dark Web.
I implore you. Please apply MFA on all of your externally exposed systems, and please advance your password policies (longer passwords). Further, please do not use your corporate password on any other systems. Your corporate password should be sacred.
If you don’t follow this simple guidance, be afraid. Be very afraid.
Your organization is standing naked in an open field.
Meanwhile, the Conti ransomware gang has hit Ireland’s Health Service Executive, and the HSE has stated that its systems were shut down out of caution on Friday. In light of widespread disruptions to the nation’s healthcare system, the Conti ransomware gang is demanding $20 million in ransom. The gang is believed to be operating from Russia. The Prime Minister of Ireland has publicly stated that the ransom will not be paid.
This group is known to use phishing to obtain credentials by which they can load malicious code to obtain permanent, unfettered access to users’ endpoints. Once this access has been accomplished, they move laterally through the attacked environment using harvested “God-like” credentials. Within the targeted organization’s servers, the group is known to harvest and exfiltrate (send out of the network to the gang’s controlled servers) sensitive data and then leverage that data for exploitation and manipulation to provoke ransomware payment. In this attack on the HSE, they have offered proof of the data that has been exfiltrated.
If the HSE doesn’t have a means of recovery and refuses to pay the ransom (as publicly stated), the effects of this attack group could continue to have far reaching ill effects on patient care throughout Ireland. Further, the group, as is general operating procedure for these types of attacks, will likely publicly expose all the records that have been harvested (assuming the ransom isn’t paid).
This attack should serve as a wake-up call to all who manage, secure, provide, administer, and deliver critical infrastructure, data, and services. Threat actors are relentless, and they do not care whose lives they harm in their wake.
* * *
John Anthony Smith can be reached at:
1513 Cowart Street, Chattanooga, TN 37408