Dean Dorton – CPAs and Advisors

Cyber

Article 01.24.2023 Dean Dorton

It’s late at night, the day before an important deadline. You are rushing to finish a project you have been working on diligently for months. You hit a snag and run a quick Google search for some software to help you complete the task. You find something, click download, and the next thing you know your computer is frozen by a virus. You notice an odd name, search for it from your phone, and learn that it is a new strain of malware and that the best course of action is to reinstall your operating system. All your hard work is gone, since the latest changes to the project were never saved. You think to yourself, “What could I have done differently? I have an antivirus program installed on my machine; why wasn’t this caught?”

The harsh reality is that standard antivirus programs are not enough in today’s threat landscape.

To adequately protect an organization at the enterprise level, you need an Endpoint Detection and Response (EDR) tool.

Why is my Antivirus Not Enough?

Most traditional AV products rely on signature-based detection to stop malware from being installed on your machine. The product identifies a file by a unique pattern in it or by its hash, the fixed-length string of letters and numbers that a one-way function produces from the file’s bytes, and compares that against a list of known-bad signatures. (For a more in-depth explanation of hashing, SentinelOne has an article on the subject.) For a while this worked, because new signatures could be generated continuously for newly seen files and those files blocked. But, as always, threat actors adapted: they began heavily obfuscating, packing and re-encoding their code, and because changing even a single byte of a file produces an entirely different hash, each variant looked new to the AV and bypassed it entirely.

What is EDR?

EDR stands for Endpoint Detection and Response. It is the current generation of endpoint protection. (You may also have heard of XDR, which attempts to extend EDR’s capabilities across email, identity, network and cloud telemetry, but frankly, that product category is still in its infancy.) EDR lets cybersecurity and IT professionals not only identify threats but also respond to them. These solutions constantly gather telemetry from endpoints, and instead of signature-based detection they use a heuristic, or behavioral, approach: rather than asking what a file’s hash is, or whether the file is unique to the device, they watch how the file behaves to decide whether it is malicious. A good example is a spreadsheet sent over email with macros enabled. The spreadsheet itself may not be malicious, but what if the macro is? When the macro starts spawning processes or reaching out to the network, the EDR detects the behavior and an analyst can respond. These solutions are also continuously enriched with the latest threat intelligence, which is essentially a digestible summary of current threats, threat actors, and their tactics. Threat actors are often creatures of habit and follow a recognizable sequence of steps in each attack, so the EDR platform incorporates that intelligence into its detections. Most solutions also include some form of proactive threat hunting, actively seeking out potential threats rather than waiting for them to trigger an alert.
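The contrast between a hash signature and a behavioral rule, as an added example that is not part of the original article. The “malicious” file, the obfuscation step and the endpoint telemetry are all constructed stand-ins: the payload is harmless text, `obfuscate` is a toy XOR packer, and the event dictionaries imitate the process-start and network-connect records an EDR agent would stream. The point is that the hash check fails as soon as one byte changes, while the Office-spawns-script-host rule fires on either variant because it never looks at the file’s bytes.

```python
"""Added example (not from the article): a hash signature misses a trivially
modified copy of a file, while a behaviour rule over endpoint telemetry still
fires. Every sample and event below is constructed."""
import hashlib

# Constructed stand-in for a malicious document's macro payload; harmless text.
SAMPLE = (b"Sub AutoOpen()\n"
          b"  Shell \"powershell -nop -w hidden -c IEX(...)\"\n"
          b"End Sub\n")


def sha256(data: bytes) -> str:
    """A hash is the fixed-size output of a one-way function over the bytes."""
    return hashlib.sha256(data).hexdigest()


# What a signature-based AV effectively ships: hashes of files already seen.
KNOWN_BAD_HASHES = {sha256(SAMPLE)}


def signature_detects(data: bytes) -> bool:
    return sha256(data) in KNOWN_BAD_HASHES


def obfuscate(data: bytes, key: int = 0x5A) -> bytes:
    """Toy packer: XOR the payload and prepend a decoder-stub marker.
    Real crypters are more elaborate, but the effect on the hash is the same:
    any byte change yields an unrelated digest."""
    return b"STUB:" + bytes(b ^ key for b in data)


# Constructed EDR telemetry for the article's macro scenario: Excel spawns a
# script host, which then reaches out to the network. The file's hash never
# appears in these events, so obfuscating the file does not change them.
OFFICE_APPS = {"excel.exe", "winword.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

MACRO_TELEMETRY = [
    {"type": "process_start", "pid": 4100, "image": "excel.exe", "parent_image": "explorer.exe"},
    {"type": "process_start", "pid": 4188, "image": "powershell.exe", "parent_image": "excel.exe"},
    {"type": "network_connect", "pid": 4188, "dst": "203.0.113.10:443"},
]
BENIGN_TELEMETRY = [
    {"type": "process_start", "pid": 5000, "image": "excel.exe", "parent_image": "explorer.exe"},
    {"type": "network_connect", "pid": 5000, "dst": "203.0.113.20:443"},  # Excel itself, e.g. a data refresh
]


def behaviour_detects(events) -> bool:
    """Rule: an Office process spawns a script host that then makes an outbound connection."""
    suspicious = set()
    for e in events:
        if (e["type"] == "process_start" and e["parent_image"] in OFFICE_APPS
                and e["image"] in SCRIPT_HOSTS):
            suspicious.add(e["pid"])
        elif e["type"] == "network_connect" and e["pid"] in suspicious:
            return True
    return False


if __name__ == "__main__":
    variant = obfuscate(SAMPLE)
    print("signature on original :", signature_detects(SAMPLE))          # True
    print("signature on variant  :", signature_detects(variant))         # False
    print("behaviour on macro run:", behaviour_detects(MACRO_TELEMETRY))  # True
    print("behaviour on benign   :", behaviour_detects(BENIGN_TELEMETRY)) # False
```

The benign trace is there to show that the rule keys on the parent/child relationship, not on Excel talking to the network by itself; a rule that fired on every Office network connection would drown the analyst in the false positives the article warns about.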

Why Does Any of this Matter?

A natural question is: how does this apply to me and my company? The fact is that threat actors are continuously evolving. They keep finding new and creative ways to breach environments, and you and your business are no exception. This ingenuity creates a headache on the defensive side, where we are often playing a cat-and-mouse game just to keep pace with attackers. A good EDR solution helps bridge that gap. Instead of an analyst spending the day combing threat intelligence feeds for malicious hashes to load into a blocklist, they can spend their time on other important security work, such as vulnerability management.

Another key takeaway is that no tool is a magic bullet. The people who use the tool are just as important as the tool itself. Without proper training, alerts can go unnoticed or be dismissed as false positives when they are in fact legitimate threats. Any tool, and EDR especially, is only as effective as its wielder. Keep that in mind as you evaluate EDR solutions.

Within cybersecurity, if you are not evolving, you are dying.

A traditional AV solution is not good enough in 2023. If you are concerned about your current cyber security posture and would like to discuss with Dean Dorton’s Cyber Security Professionals, feel free to reach out using the contact information below.

Jordan Johnson | Cyber Security Consultant
jjohnson@ddaftech.com
859.425.7659


Article 10.19.2022 Dean Dorton

Anyone who hasn’t just arrived from the Stone Age recognizes the importance of maintaining a healthy cybersecurity program. Healthy things grow, so our cybersecurity efforts should keep adapting to the ever-changing threats that are trying to push our organizations toward extinction.

Doing cybersecurity right isn’t cheap. Most colleges and universities have a dinoburger budget and can’t afford the brontosaurus ribs. So how do you get the resources to protect your systems and data? One way is to communicate that some cybersecurity efforts are required by law, and that not doing them can result in the loss of grant funding.

The Gramm-Leach-Bliley Act (GLBA) has been around for years, but it has only had a real impact on colleges and universities for the last three to four years. Like a cybersecurity program, data security laws need to evolve and adapt to changing threats, and the FTC’s Safeguards Rule, the component of GLBA that dictates how customer information must be protected, has been updated. Some of the updates revise prior requirements; others are brand new.

Old rule: Designate the employee(s) responsible for coordinating the information security program.
New rule: A single “qualified individual” (QI) is designated to oversee, implement, and enforce the information security program. The QI may be an employee, affiliate, or service provider.

Old rule: Perform a risk assessment.
New rule: Perform a risk assessment and update it periodically. The risk assessment must include:
  • criteria for the evaluation and categorization of identified risks (in practice, this means adopting a cybersecurity framework such as NIST, ISO, or CIS);
  • criteria for assessing the confidentiality, integrity, and availability of information, including the adequacy of existing controls;
  • requirements describing how identified risks will be mitigated and how the information security program (ISP) will address them.

Old rule: Identify safeguards for each risk identified.
New rule: Identify safeguards for each risk identified. The safeguards must cover access controls, data inventory, encryption, secure application development, multifactor authentication, secure disposal, change management, and monitoring and logging of user activity.

New rules with no prior equivalent:
  • Annual penetration testing and vulnerability scanning.*
  • Policies and procedures addressing security awareness training and ensuring that information security personnel are qualified and trained.
  • Proper oversight of service providers, addressing the selection process, contract wording, and periodic assessment.
  • A written incident response plan.*
  • The QI prepares and presents a written report to the board of directors, at least annually, on the status of compliance with the information security program.*

There is a new exemption for small organizations: if you maintain student financial aid information for fewer than 5,000 students, some of the new rules do not apply. The rules marked with an asterisk (*) are the ones covered by this exemption.

The date for having these controls in place is December 9, 2022. At a minimum, you should be able to demonstrate the new rules are being met before your next Single Audit is performed in 2023.


Kevin W. Cornwell, CPA | IT Audit Associate Director
kcornwell@deandorton.com
502.566.1011


Article 09.7.2022 Dean Dorton

Recent years have seen a dramatic increase in the number of publicly accessible web applications. As more organizations have expanded their internet presence, attacks on web applications have become increasingly profitable for threat actors, and recent vulnerabilities such as the Log4j flaw have brought more intense scrutiny to them. If your organization hosts business-critical applications, or lets customers reach their data through the web, it is no longer sufficient to rely on traditional external security assessments alone.

Why network testing is not enough

While traditional external vulnerability testing may include some light unauthenticated web application scanning, automated scanning cannot be relied upon to validate the security of web applications in the same way that it can be for network and host vulnerabilities. Every web application is unique, and automated scanning tools lack the context to catch many vulnerabilities. The only effective way to test web applications involves manual testing, supplemented with the targeted use of automated tools.

Testing only from an unauthenticated context is also a problem. According to Verizon’s Data Breach Investigations Report covering 2021, around 80% of web application breaches that year were attributed to stolen credentials rather than to exploitation of a technical vulnerability, up from roughly 50% in 2017. That increase is driven by two attack methods: phishing and credential stuffing.

Phishing remains a major and successful vector for stealing credentials; despite improvements in detection and response capabilities, threat actors keep finding success with it. Credential stuffing leverages large sets of usernames and passwords, usually stolen in earlier data breaches and sold on the dark web.

An attacker takes these credential sets and uses automated tools to try them against a wide array of websites, looking for accounts where the user reused the same username and password. Because both methods give the attacker authenticated access to the application, any security testing must also be performed from an authenticated perspective: what a logged-in user can reach, and whether they can reach more than they should.

How to perform an authenticated web application assessment

When evaluating whether your web application assessment is sufficiently comprehensive, a good resource is the OWASP (Open Web Application Security Project) Top 10. OWASP tracks web application vulnerabilities and breaches and compiles the most common categories of weakness. The current list, released in late 2021, contains the following categories, ordered from most to least prevalent:

  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery

If your organization is hosting externally accessible web applications that store sensitive data, it is important to ensure that your security assessment methodology is covering at least the areas covered in the OWASP Top 10.

Penetration testing covers the majority of the OWASP Top 10 categories. The goal of the test is to identify vulnerabilities from an external perspective using manual testing and targeted automated tools. It should be performed from a white-box or grey-box perspective, where the tester is given access to the application and at least two accounts for each role: two accounts at the same privilege level are needed to test for horizontal access control flaws (one user reaching another user’s data), and accounts at different levels to test for vertical ones (a low-privilege user reaching administrative functions). In a white-box engagement the tester may also be given the application’s source code. In either case, the tester should be provided with information about the application’s architecture and the software and tools in use on the back end, so that they understand how best to attack it.
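The authenticated access-control check described above, as an added example that is not part of the original article and not Dean Dorton’s methodology. Instead of a live target it uses a small in-memory model of a web application with two ordinary users and one admin, a deliberately vulnerable version that authenticates but never authorizes (Broken Access Control, the first OWASP Top 10 category), and a fixed version with object-level and function-level checks. All users, tokens, invoices and routes are constructed; a real test would issue HTTP requests with each account’s session in turn.

```python
"""Added example (not from the article): an authenticated access-control
check run against a constructed in-memory model of a web application, using
two accounts per role. Replace the app functions with HTTP calls for real use."""

# Constructed accounts: two ordinary users and one admin, each with a session token.
USERS = {
    "alice": {"role": "user", "token": "tok-alice"},
    "bob":   {"role": "user", "token": "tok-bob"},
    "carol": {"role": "admin", "token": "tok-carol"},
}
INVOICES = {1: {"owner": "alice", "total": 120}, 2: {"owner": "bob", "total": 75}}
RANK = {"user": 0, "admin": 1}


def whoami(token):
    return next((name for name, u in USERS.items() if u["token"] == token), None)


def vulnerable_app(path, token):
    """Authenticates the session but never authorizes the request."""
    user = whoami(token)
    if user is None:
        return 401, None
    if path.startswith("/invoices/"):
        inv = INVOICES.get(int(path.rsplit("/", 1)[1]))
        return (200, inv) if inv else (404, None)
    if path == "/admin/report":
        return 200, {"invoices": len(INVOICES)}
    return 404, None


def fixed_app(path, token):
    """Same routes with object-level and function-level authorization added."""
    user = whoami(token)
    if user is None:
        return 401, None
    role = USERS[user]["role"]
    if path.startswith("/invoices/"):
        inv = INVOICES.get(int(path.rsplit("/", 1)[1]))
        if inv is None:
            return 404, None
        if inv["owner"] != user and role != "admin":
            return 403, None  # object-level check: owner or admin only
        return 200, inv
    if path == "/admin/report":
        if role != "admin":
            return 403, None  # function-level check: admin only
        return 200, {"invoices": len(INVOICES)}
    return 404, None


# The tester's map of what each resource should require, built from
# authenticated browsing with each account before the replay phase.
RESOURCES = {                # path -> (minimum role, owner or None)
    "/invoices/1": ("user", "alice"),
    "/invoices/2": ("user", "bob"),
    "/admin/report": ("admin", None),
}


def expected_allowed(user, path):
    required, owner = RESOURCES[path]
    role = USERS[user]["role"]
    if RANK[role] < RANK[required]:
        return False
    return owner is None or owner == user or role == "admin"


def access_control_findings(app):
    """Replay every resource with every session that should be denied; a 200 is a finding.
    'vertical': a lower role reached a higher-role function.
    'horizontal': the same role reached another user's object."""
    findings = []
    for user in USERS:
        for path, (required, _owner) in RESOURCES.items():
            if expected_allowed(user, path):
                continue
            status, _ = app(path, USERS[user]["token"])
            if status == 200:
                kind = "vertical" if RANK[USERS[user]["role"]] < RANK[required] else "horizontal"
                findings.append((kind, user, path))
    return sorted(findings)


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        print(name, access_control_findings(app))
```

The replay loop is why the article asks for two accounts per role: with a single ordinary user there is no second same-privilege account whose objects can be requested, so the horizontal findings would never appear, and a test that only ran as the admin would report nothing at all.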

Why penetration testing is not enough

Not every area of the OWASP Top 10 can be covered sufficiently by a penetration test. Insecure Design, Software and Data Integrity Failures, and Security Logging and Monitoring Failures are largely invisible from an external perspective (a tester cannot see, for example, whether a failed login is logged or whether the build pipeline verifies the integrity of its dependencies), so the testers should also meet with the developers to review these areas. A collaborative approach is what ensures coverage.

With this combined approach you gain reasonable assurance that your application is protected against the most prevalent web application vulnerabilities in the current threat landscape, and that your users’ data is secure.


Gui Cozzi
Cybersecurity Practice Lead
gcozzi@ddaftech.com • 859.425.7649


Article 07.21.2022 Dean Dorton

Let’s start with the basics: What is ‘callback phishing’?

Callback phishing is a specific type of email threat. The cyber criminal impersonates a business and claims that a transaction has been made using the recipient’s information (credit card, bank account number, address, etc.). The attacker then tries to entice the recipient to “confirm” the fake transaction by calling a fictitious customer support line, or by submitting confidential information to validate the transaction. The aim is to collect specific, sensitive information from the recipient, such as credit card numbers and bank account details.

Dean Dorton’s Cyber Security Team has observed callback phishing attacks that impersonate PayPal, McAfee, CrowdStrike, etc., but there are countless companies that could be impersonated in this type of attack and attacks of this nature are on the rise.

Below are two examples of callback phishing attacks:

PayPal callback phishing example (image): https://deandorton.com/wp-content/uploads/2022/07/Callback-phishing-image-1.png

CrowdStrike callback phishing example (image): https://deandorton.com/wp-content/uploads/2022/07/callback-phishing-example-2.png

Callback phishing emails are unusual in that they often sail straight through email filters. Because they contain no malicious link and no malware-laden attachment, link and attachment scanners have nothing to flag, so it is important to be able to spot the general warning signs yourself.

Dean Dorton’s Cyber Security Team has a few tips to help you spot this kind of cyber attack:

  1. Review the sender. Check that the email actually comes from the company it claims to represent. Even sender addresses can be spoofed, so this is not foolproof, but it is a great first step in the investigation. For example, the PayPal email shown above was sent from a personal Gmail address.
  2. Ask yourself: what does this email want me to do? If the language is trying to convince you to take an action, especially with a sense of urgency, that is a red flag. In the examples above the cyber criminal wants you to call back, but in other cases they may try to convince you to click a fraudulent link. Be diligent before clicking any link in an email, and do not call phone numbers you cannot verify through a channel you already trust, such as the number printed on your card or on the company’s own website.
  3. If you are skeptical, ask for help. If, after your initial investigation, you are still not sure, contact your IT team to do some further digging. Remember, raising a false alarm is much better than setting off a real one!
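The first two tips turned into a triage check that an analyst or a mail-flow rule can run, as an added example that is not part of the original article. It parses a message with Python’s standard `email` module and scores the signals the article describes: a brand named in the display name or subject that the sender’s domain does not back, urgency wording, and a phone number offered where a normal notice would carry a link. The brand-to-domain map, the phrase lists, and both messages are constructed (the 555-01xx numbers are reserved for fiction); `sender_matches_brand` only compares domains, it does not check SPF or DKIM, which is why the article calls the sender check a first step rather than proof.

```python
"""Added example (not from the article): callback-phishing signals extracted
from a message's headers and body. Brand map, phrase lists and sample
messages are constructed; assumes a single-part text message."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed brand-to-domain map; extend with the brands your users deal with.
BRAND_DOMAINS = {"paypal": "paypal.com", "crowdstrike": "crowdstrike.com", "mcafee": "mcafee.com"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "call now", "will be charged", "urgent")
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def sender_matches_brand(sender_domain, brand):
    """True when the sender's domain is the brand's domain or a subdomain of it."""
    legit = BRAND_DOMAINS[brand]
    return sender_domain == legit or sender_domain.endswith("." + legit)


def callback_phishing_signals(raw_message):
    """Return the individual signals plus a verdict for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    subject = msg.get("Subject", "")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{display_name} {subject} {body}".lower()

    # Brands the message claims to be from, judged by the parts a reader sees first.
    brands_claimed = [b for b in BRAND_DOMAINS if b in f"{display_name} {subject}".lower()]
    signals = {
        "brand_mismatch": any(not sender_matches_brand(sender_domain, b) for b in brands_claimed),
        "urgency": any(p in text for p in URGENCY_PHRASES),
        "phone_number": bool(PHONE_RE.search(body)),
        "no_links": URL_RE.search(body) is None,
    }
    # A callback lure needs a number to call and gives a link scanner nothing to
    # inspect; paired with a brand claim the sender domain cannot back, escalate it.
    signals["verdict"] = signals["brand_mismatch"] and signals["phone_number"] and signals["no_links"]
    return signals


# Constructed lure modelled on the PayPal example above.
SUSPECT = """\
From: "PayPal Billing Dept" <paypal.billing.notice@gmail.com>
To: jane@example.invalid
Subject: Your PayPal payment of $499.99 has been processed

Dear customer,
A payment of $499.99 to Protect-Plus Antivirus was made from your account today.
If you did not authorize this transaction, call our support line immediately at
(800) 555-0137 within 24 hours to cancel it and receive a refund.
"""

# Constructed legitimate notice: the sender domain backs the brand and it links rather than asks for a call.
LEGIT = """\
From: "PayPal" <service@paypal.com>
To: jane@example.invalid
Subject: Your monthly account statement is ready

Your statement for last month is available at https://www.paypal.com/myaccount/activity
"""

if __name__ == "__main__":
    print(callback_phishing_signals(SUSPECT))
    print(callback_phishing_signals(LEGIT))
```

Urgency is reported but deliberately left out of the verdict: genuine fraud alerts also use urgent wording, so on its own it is a prompt for the reader to slow down (tip 2), not evidence. The combination that matters is the one the article describes, a brand the sender cannot back plus a phone number in place of any link.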

Dean Dorton’s Technology team is here to help. If you have questions about ‘callback phishing’ attacks, or want to discuss how we can help protect your business with cyber security services, contact us today.

Jordan Johnson
Cyber Security Consultant
jjohnson@ddaftech.com • 859.425.7659


Article 06.3.2022 Dean Dorton

Phishing attacks have been around for years. You know the story: a threat actor tries to trick an unsuspecting user into clicking a link or opening a malicious attachment that installs malware, or sends them to a malicious site that harvests their email credentials or goes on to compromise the device. The tactic is still common because, unfortunately, it still works. But as organizations rely on stronger email filtering and better end-user awareness training, they are becoming less susceptible to the basic versions of these attacks. Enter the evolution of more sophisticated and clever tactics.

“But this domain is safe!”

Threat actors are using clever strategies to get past even the best email filters. One is to host the link to their malicious site or attachment on a common, legitimate domain: Google Drive, ShareFile, OneDrive, Box, Dropbox, Adobe InDesign’s publishing service, and so on. These services are legitimate and give users a quick way to share files with one another, which is exactly why the reputation-based scanning in most email filters will not flag the initial link as malicious: the link itself is not malicious, only the content it leads to. The following screenshots show this in action.

Initial Email Example:

https://deandorton.com/wp-content/uploads/2022/05/1.png

In this example, a threat actor gained unauthorized access to the mailbox of a sender the recipient already trusted and sent this email, which included a link to open a document. Because it came from a trusted sender, the recipient opened the link without any reason to suspect it. The link led to the following:

indd.adobe.com site hosting the malicious file:

https://deandorton.com/wp-content/uploads/2022/05/2.png

In our example, once the user proceeded to this point, they realized something was off and reported the email to the IT team; however, if they had proceeded on to the next step, they would have received the following:

Malicious Site:

https://deandorton.com/wp-content/uploads/2022/05/3.png

There it is! The true purpose of the email was to harvest email credentials. An unsuspecting user could have been phished successfully here, and the lure got through because the initial link pointed at a legitimate service. This is not the only variety of these emails and it certainly will not be the last, which leaves us with more questions.

So what can we do?

There are a few different strategies that can help prevent phishing attacks from succeeding:

  1. Never assume an email is safe just because it came from a trusted sender you communicate with regularly. Threat actors are engaging in reply-chain attacks, where they gain unauthorized access to an account and then reply to existing email threads posing as the compromised user. When in doubt, contact the sender out of band (a phone call, preferably, to a number you already have) to verify the email.
  2. Make end-user awareness training a priority. End users are any organization’s first line of defense, and a well-trained staff can bring an attack to a halt. Provide your users with regular security training and keep them informed of the latest threats. In particular, train them to check the address bar of any site that asks for their email credentials: if it is not a Microsoft domain (or whichever email system you use), that is a red flag. It is also helpful to test the effectiveness of the training periodically with phishing simulations.
  3. Use multi-factor authentication (MFA). In the scenario above, even if the threat actor had harvested the user’s email credentials, the login would still have been stopped at the second factor, leaving them unable to act on their objectives. It is a cybersecurity best practice to enable MFA on all externally facing systems, with email among the highest priorities.
  4. Block uncategorized websites in your web filtering solution and/or firewall. Threat actors spin up thousands of domains per day, and these are often classed as “uncategorized” because the filtering vendor has not yet decided whether they are malicious. Blocking uncategorized sites outright stops any attack whose credential-harvesting page lives on one of them.
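The address-bar check from tip 2 made mechanical, as an added example that is not part of the original article, in the form a browser extension or proxy policy could apply before a credential form is shown. It distinguishes the lure stage (a link on one of the legitimate sharing hosts the article names) from the harvesting page, and it handles the tricks that defeat a visual glance at the URL: an approved name used as a prefix of a different registered domain, an approved name placed in the userinfo part before `@`, a plain-http page, and punycode lookalikes. The allow lists are constructed for a hypothetical Microsoft 365 tenant; real tenants should populate them from their own identity provider.

```python
"""Added example (not from the article): classify the URL a user is about to
enter email credentials into. Host lists are constructed for a hypothetical
Microsoft 365 tenant."""
from urllib.parse import urlsplit

# Exact hosts where this tenant's users should ever type their email password (constructed).
LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
# Legitimate sharing services the article lists as hosts for the first-stage link.
SHARE_HOSTS = {"drive.google.com", "indd.adobe.com", "onedrive.live.com", "1drv.ms",
               "app.box.com", "www.dropbox.com", "sharefile.com"}


def classify_url(url):
    """Return (verdict, reason) for a URL the user is about to trust with credentials."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # hostname drops userinfo and port, lowercases
    labels = host.split(".")
    if host in SHARE_HOSTS or any(host.endswith("." + h) for h in SHARE_HOSTS):
        return "caution", f"{host} is a legitimate sharing service: the lure stage, not a login page"
    if parts.username is not None:
        # https://login.microsoftonline.com@evil.example/ shows the trusted name first
        # but the browser connects to evil.example.
        return "block", f"userinfo before '@' hides the real host {host}"
    if parts.scheme != "https":
        return "block", "credential form not served over https"
    if host in LOGIN_HOSTS:
        return "allow", f"{host} is an approved login host"
    if any(label.startswith("xn--") for label in labels):
        return "block", f"{host} uses punycode; check for a homoglyph lookalike"
    if any(h in host for h in LOGIN_HOSTS):
        # e.g. login.microsoftonline.com.docs-secure.example: the approved name is only
        # a prefix; the registered domain is docs-secure.example.
        return "block", f"{host} embeds an approved name but is not on the allow list"
    return "block", f"{host} is not an approved login host"


if __name__ == "__main__":
    for u in ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
              "https://login.microsoftonline.com.docs-secure.example/signin",
              "https://login.microsoftonline.com@203.0.113.7/signin",
              "http://login.microsoftonline.com/",
              "https://xn--lgin-microsoftonline-c3b.example/",
              "https://indd.adobe.com/view/a1b2c3",
              "https://microsoftonline-login.example/"):
        print(classify_url(u))
```

The allow list is matched exactly rather than by suffix on purpose: suffix matching is what the prefix trick exploits, so legitimate subdomains of the identity provider should be added to the list explicitly. The “caution” verdict for sharing hosts is not a block, because those services are in daily legitimate use; it is the cue to apply tip 1 and verify the share with the sender out of band.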

If any of the tips above have given you pause and you would like to know where your security posture stands, please contact Dean Dorton’s team of cybersecurity professionals for assistance.

Jordan Johnson
Cyber Security Consultant
jjohnson@ddaftech.com • 859.425.7659


Article 10.26.2021 Dean Dorton

Recent and highly visible ransomware attacks such as the one on Colonial Pipeline should serve as a wakeup call for organizations that do not see themselves as “typical” targets of cyber-attacks.

The size and industry of the organization often does not matter for cyber criminals who are always looking for opportunities.

According to the 2020 Verizon Data Breach Investigations Report, 67% of all breaches come from three attack types: credential theft, errors, and social attacks. The average cost of a data breach for organizations with fewer than 500 employees is $2.64 million. Phishing and ransomware remain two of the top cyber risks for most industries, including construction.

The first thing that organizations can do is to perform a Security Assessment to ensure that they understand where their vulnerabilities are and to assess their resilience against cyber attacks.

Key controls to consider are:

  • Multifactor authentication (MFA) for all remote access to systems and information, including email, to mitigate credential theft.
  • A strong password policy that prevents weak passwords from being chosen and stops users from reusing old ones.
  • Endpoint security: many cyber attacks start with a user clicking a bad link on their device, so having strong endpoint detection and response (EDR) software on every endpoint is critical.
  • Vulnerability management: the “cyclical (never-ending) practice of identifying, classifying, prioritizing, remediating, and mitigating” software vulnerabilities.
  • Logging and monitoring: this detective control lets an organization react quickly to suspicious activity and provides the evidence, after an attack, to determine what the threat actors accessed.
  • Security awareness: employees and business partners need to know how to identify and report potential security issues. This is especially important for a workforce that may not be entirely comfortable with computers.
  • Resilient backups: employ a “3-2-1 strategy”, meaning at least three copies of your data, two of them local but on different media (or devices), and at least one copy off-site. Test restores regularly; a backup that has never been restored is not yet proven.
  • Incident response and business continuity plans containing specific information and playbooks on how to react when an incident occurs and how to resume operations quickly.

Cyber insurance coverage is critical, but it is becoming more complex. Organizations have to make sure they have appropriate coverage for common attack scenarios: we often see sublimits specific to ransomware, and sometimes no coverage at all for email fraud. Insurers are also asking for more assurance during underwriting that security controls are actually in place.

Many organizations have moved to hybrid or remote work since the pandemic started, and their security controls need to be reviewed and tested against this new environment.

Of course, these measures should also apply to the contractors and subcontractors an organization works with. If their companies lack the sophistication needed to mitigate these risks, they put their customers and partners at risk.

Construction organizations must improve their security posture and implement measures to mitigate cyber risks.

Gui Cozzi | Cybersecurity Practice Lead
gcozzi@ddaftech.com
859.425.7649


© 2026 Dean Dorton Allen Ford, PLLC. All Rights Reserved
