security

Article Dean Dorton

It’s late at night the day before an important deadline. You are rushing to complete a project that you have been diligently working on for months. You run into a snag and run a quick Google search for some software to help you complete your task. You find some software and click download. Next thing you know your computer is frozen from a virus. You notice a particular name that seems odd so you run another Google search from your phone and discover it is a new strand of malware and that the best course of action is to re-install your operating system. All the hard work you have put in is gone, as the latest changes to the project were not saved. You think to yourself, “what could I have done differently? I have an antivirus program installed on my machine, why was this not caught?”

 The harsh reality is that standard antivirus programs are not enough in today’s threat landscape.

In order to adequately protect oneself at an enterprise level, one needs an Endpoint Detection and Response (EDR) tool.

Why is my Antivirus Not Enough?

Most traditional AV providers use signature-based algorithms to prevent malware from being installed on your machine. This means that it identifies the file based off a unique pattern or hash (a mathematical algorithm to generate a unique set of numbers and letters) of the file. For a more in depth explanation of hashing, read this SentinelOne article. For a while, this type of detection worked because new signatures could continuously be generated for files and be blocked, but as always, the threat actors adapted and began heavily obfuscating their code so that the hash generated for the file was not the same as its unobfuscated counterpart leading to it bypassing AV solutions entirely.

What is EDR?

EDR stands for Endpoint Detection and Response. It’s the current generation of protection for endpoints (you may also have heard of XDR which is an attempt to expand the capabilities of EDR, but frankly, the product is in it’s infancy). EDR allows cybersecurity and IT professionals to not only identify threats, but it also allows them to respond. These solutions gather telemetry data constantly from endpoints and rather than using a signature-based solution to detection, it uses a heuristic (or behavioral) approach. These solutions don’t focus on the hash of a file or if the file in unique to the device, it’s monitoring how the file behaves to determine whether it’s malicious or not. A good example is a spreadsheet sent over email with macros enabled. Now the spreadsheet itself may not be malicious, but what if the macro is? The file is detected by the EDR solution and the analyst is able to respond. These solutions are also continuously enriched with the latest threat intelligence. Threat intelligence is essentially a digestible version of the latest threats, threat actors, and their various tactics. Often threat actors are creatures of habit and they follow a specific set of steps in each cyber-attack. The EDR solution will gather this intelligence and incorporate it into the platform. They also will generally include some sort of proactive threat hunting component, actively seeking out potential threats rather than waiting for them to become active.

Why Does Any of this Matter?

A natural thought is: how does this apply to my company and me? The facts is that threat actors are continuously evolving. They are finding new and creative ways to breach environments and you and your business are no exception. This ingenuity creates a headache on the defensive-side as we are often playing a cat-and-mouse game of staying ahead of attackers. A good EDR solution helps to bridge that gap. Instead of an analyst spending their day perusing threat intelligence feeds to gather malicious hashes to input, they can spend their time on other important security tasks, such as vulnerability management.

Another key takeaway here is that no tool is a magic bullet. The people that use the tool are just as important as the tool itself. Without proper training, the alerts could go unnoticed or be inadvertently marked as a false positive, when it is in fact a legitimate threat. Any tool (especially EDR) is only as effective as its wielder. Keep that in mind as an EDR solution is considered.

Within cybersecurity, if you are not evolving, you are dying.

A traditional AV solution is not good enough in 2023. If you are concerned about your current cyber security posture and would like to discuss with Dean Dorton’s Cyber Security Professionals, feel free to reach out using the contact information below.

Jordan Johnson | Cyber Security Consultant
jjohnson@ddaftech.com
859.425.7659

Article Dean Dorton

Anyone who hasn’t just arrived from the Stone Age recognizes the importance of maintaining a healthy cybersecurity program. Healthy things grow and so our cybersecurity efforts should be adapting to the ever-changing threats that are trying to push our organizations towards extinction.

Doing cybersecurity right isn’t cheap. Most colleges and universities have a dinoburger budget and can’t afford the brontosaurus ribs. How do you get the resources to protect your systems and data? One way is to communicate that some cybersecurity efforts are required and not doing them can result in loss of grant funding.

The Gramm-Leach-Bliley Act (GLBA) has been around for years, but only had a real impact on colleges and universities for the last 3 to 4 years. Like a cybersecurity program, data security laws have a need to evolve and adapt to changing threats. The standards for the safeguarding components of GLBA have been updated. Some of the updates revise prior rules while others are brand new.

Old Rule New Rule
Designate the employee(s) responsible for coordinating the information security program. A single “qualified individual” (QI) is designated to oversee, implement, and enforce the information security program. The QI may be an employee, affiliate, or service provider.
Perform a Risk Assessment Perform a risk assessment and update it periodically.
Risk assessment should include criteria for the evaluation and categorization of identifying risks. This is the use of a cyber security framework. I.E., NIST, ISO, CIS.
Risk Assessment should include criteria for the assessment of the confidentiality, integrity, and availability of information including adequacy of existing controls.
Risk assessment should include requirements identifying how risks will be mitigated based on the assessment and how the ISP will address risks.
Identify safeguards for each risk identified Identify safeguards for each risk identified.
Safeguards designed should cover – Access controls, Data inventory, Encryption, Secure application development, Multifactor authentication, Secure disposal, Change management and Monitoring and logging user activity
Annual penetration testing and vulnerability scanning*
Policies and procedures addressing – security awareness training and information security personnel are qualified and trained.
Proper oversight of service providers addressing – selevtion process, contract wording and periodic assessment.
Have a written incident response plan.*
QI to prepare and present a written report to the board of directors, at least annually, on the status of the compliance with the information security program. *

There is a new exemption rule for small organizations. If you maintain student financial aid information for less than 5,000 students, some new rules are not required. Rules marked with an asterisk (*) are applicable to the exemption rule.

The date for having these controls in place is December 9, 2022. At a minimum, you should be able to demonstrate the new rules are being met before your next Single Audit is performed in 2023.

Subscribe to Dean Dorton Insights to stay up-to-date with the latest regulatory changes.

Explore IT Audit & Compliance Services

Kevin W. Cornwell, CPA | IT Audit Associate Director
kcornwell@deandorton.com
502.566.1011

Article Dean Dorton

Let’s start with the basics: What is ‘callback phishing’?

Callback phishing is a specific type of cyber security email threat. In this type of phishing attack the cyber criminal impersonates a business and claims that a transaction has been made using the recipients information (credit card, bank account numbers, address, etc.). Then, the attacker attempts to entice the recipient to ‘confirm’ the fake transaction by calling a fictional customer support line or by submitting confidential information to validate the transaction. These attacks aim to collect specific, sensitive information from the recipient like credit card numbers and bank account information.

Dean Dorton’s Cyber Security Team has observed callback phishing attacks that impersonate PayPal, McAfee, CrowdStrike, etc., but there are countless companies that could be impersonated in this type of attack and attacks of this nature are on the rise.

Below are two examples of callback phishing attacks:

PayPal Callback Phishing Example:

https://deandorton.com/wp-content/uploads/2022/07/Callback-phishing-image-1.png

CrowdStrike Callback Phishing Example:

https://deandorton.com/wp-content/uploads/2022/07/callback-phishing-example-2.png

Callback phishing emails are unique in the way they often bypass email filters. Since they do not include malicious links or attachments with malware, email filters typically won’t catch them, so it’s important to be able to spot the general warning signs on your own.

Dean Dorton’s Cyber Security Team has a few tips to help you spot this kind of cyber attack:

  1. Review the sender. Ensure that the email is actually from the company it is purporting to be. Even email addresses can be spoofed, so this is not foolproof, but it is a great first step in the investigation process. For example, the PayPal email shown above was sent from a personal Gmail address.
  2. Ask yourself, what does this email want me to do?  If the language in the email is trying to convince you to do something (especially if it insinuates urgency), that is a red flag! In the examples above, the cyber criminal is trying to convince you to ‘callback’, but in other cases, they may try to convience you to click a fraudulent link. Be diligent before clicking any links within emails and do not call phone numbers that you can’t indentify.
  3. If you are sceptical, ask for help. After the intial investigation, you are still not sure, contact your IT team to do some further digging. Remember, causing a false alarm is much better than setting off a real one!

Dean Dorton’s Technology team is here to help. If you have questions about ‘callback phishing’ attacks, or want to discuss how we can help protect your business with cyber security services, contact us today.

 

Cyber Security Services

Jordan Johnson
Cyber Security Consultant
jjohnson@ddaftech.com • 859.425.7659

Article Dean Dorton

Phishing attacks have been occurring for years. You know the story, a threat actor attempts to trick an unsuspecting user into clicking a link or malicious attachment that leads to installing malware or directs them to a malicious domain that could attempt to harvest email credentials, or further penetrate your device. The tactic is still common because unfortunately, it still works. But with the increase of organizations relying on stronger email filtering solutions and better end user awareness training programs, they are not as susceptible to some of these basic attacks. Enter the evolution of more sophisticated and clever tactics.

“But this domain is safe!”

Threat actors are utilizing clever strategies to attempt to bypass even the best email filters. One such strategy is using common, legitimate domains to host a link to their malicious site or attachment. These domains could be Google Drive, ShareFile, OneDrive, Box, Dropbox, Adobe InDesign, etc. On the surface, these services are legitimate and offer users ways to quickly share files amongst one another. This is why most reputation-based scanning used within email filters will not often categorize the initial link as malicious because it is not. The following screenshots provide an excellent example of this in action.

Initial Email Example:

https://deandorton.com/wp-content/uploads/2022/05/1.png

In this example, a threat actor gained unauthorized access to a trusted sender for the recipient. They then sent this email that included a link to open a document. Due to this being a trusted sender, the recipient opened the file because they had no reason to assume that the link was malicious. The link then led to the following:

Ind.adobe.com site hosting the malicous file:

https://deandorton.com/wp-content/uploads/2022/05/2.png

In our example, once the user proceeded to this point, they realized something was off and reported the email to the IT team; however, if they had proceeded on to the next step, they would have received the following:

Malicious Site:

https://deandorton.com/wp-content/uploads/2022/05/3.png

There it is! The true purpose of the email was to try and harvest email credentials. An unsuspecting user could have being successfully phished here and it was all because that initial email was being hosted by a legitimate service. This is not the only variety of these types of emails and certainly will not be the last, so that leaves us with more questions.

So what can we do?

There are few different strategies that can help prevent against phishing attacks:

  1. Never assume that an email is safe just because it came from a trusted sender that you communicate with regularly.  Threat actors are engaging in reply-chain attacks, where they gain unauthorized access to an account and then start replying to emails posing as the hacked user. When in doubt, contact the sender out-of-band (phone call, preferably) to verify the email.
  2. Make end user awareness training a priority. An end user is any organization’s first line of defense! A well-trained staff can bring attacks to a halt. Ensure that your users are provided with regular security training and that they are informed of the latest threats. Ensure that they are trained to review the address bar for any site that is asking them for email credentials. If it’s not a Microsoft (or whatever email system you may be using) domain, then that is a red flag. It is also helpful to periodically test the effectiveness of the training by sending out phishing simulations.
  3. Utilize multi-factor authentication (MFA). In any particular scenario, even if a threat actor was able to harvest email credentials, they would not have be able to perform any actions on objectives if multi-factor was enabled for the account. It is a cybersecurity best practice to ensure that MFA is enabled on all externally-facing systems, email being one of the highest priorities.
  4. Block uncategorized websites in your web filtering solution and/or firewall. Threat actors spin up thousands of domains per day and these are often categorized as, “uncategorized,” where filtering solutions are not sure if they are malicious or not. Blocking these outright could help stop attacks in which the malicious site is uncategorized.

If any of the tips above have given you pause and you would like to know where your security posture stands, please contact Dean Dorton’s team of cybersecurity professionals for assistance.

Jordan Johnson
Cyber Security Consultant
jjohnson@ddaftech.com • 859.425.7659

Article Dean Dorton

C-suite and technology leaders need to assume a more strategic role in organizational intelligence and planning. To do that, you need better visibility into technology, financial, and operational metrics, so you can make better decisions and keep your team members’ productivity high and keep your organization’s information secure working across various platforms in multiple locations.

Virtual Desktop

Significant improvements have been made to virtual desktop platforms during the past five years. In order to keep your productivity high, it’s important to have a system that is fast, secure, and easy-to-access. When is the last time you thought about upgrading your virtual access?

Here are some things to consider:

Hardware Costs in a Virtual World

As you consider your technology costs, it’s important to critically look at your current stance and analyze how best to utilize cloud solutions to help support your organizational goals and mitigate technology expenses. Cloud-based systems are far more secure, easy-to-access, and easier to manage from the technology team’s perspective across your organization. The right cloud-based solutions are scalable to your organization’s size and complexity making them cost-effective and efficient. Additionally, Cloud-based systems ensure your team always has access to the latest tools making working anywhere, anytime easier and more productive.

Cybersecurity Risks

As cybersecurity threats become more sophisticated, it’s not a matter of if but when your company will fall victim. Is your system fully secured against an attack? Do you have the visibility to know where your company is most vulnerable? Do you know what your first five steps should be after you know an attack has occurred? Does your current security insure you can avoid spending hundreds of thousands to millions of dollars in remediation when you get hit?

We worked with many clients throughout the last year who needed remediation assistance for cyber-attack incidents that could have been avoided if they had the right cyber tools in place. We often see companies pushing cybersecurity initiatives out to the next year:

  • Cybersecurity Scorecard for Small Business
  • Cybersecurity Risk Assessments (for medium and large businesses)
  • Multi-factor Authentication Platforms
  • User Awareness Training (for your team members as they are often prime targets)
  • Security tools and technology that integrates seamlessly with your existing systems

If you’d like to explore how to better control costs to meet your company’s needs and keep projects on budget, please contact me.  I am happy to answer your questions and offer meaningful recommendations.

David Rice
Senior Infrastructure Engineer
drice@ddaftech.com • 859.425.7735

Article Dean Dorton

Traditional authentication methods that rely on usernames and password integrity are widely considered to be broken. In fact, “Broken Authentication” sits at #2 in the OWASP Top 10 for application security risks. As organizations begin to move more sensitive data to cloud apps to take advantage of the productivity gains, the traditional perimeter expands to wherever the user is logging in from.

In other words, the identity becomes the perimeter.

Threat agents have recognized this as a security gap and are exploiting the natural proclivity for your employees to trust an inbound email from a familiar source, or their tendency to reuse passwords across personal and professional accounts.

Let’s discuss the identity attacks that are most likely to impact your organization.

Attack #1: Broad-based phishing campaigns

Why are phishing campaigns such a popular method of attack? Simply put, the numbers are in the attacker’s favor.

A broad-based phishing campaign recognizes that threat agents have to gain access to only a few accounts or one admin account to compromise the organization. Yet with just a light touch of social engineering and a list of email addresses, phishing attacks can successfully compromise 1 out of 20 employees from even a well-trained organization.

Credential theft from phishing is often the first stage of the cyber kill chain. According to the Verizon 2017 Data Breach Investigations Report, 81% of breaches used stolen and/or weak credentials.

Anatomy of the attack

1. The attacker acquires a list of emails or phone numbers and designs a generic call to action that’s relevant for that list (such as a fake Google login page).

2. The phishing message is broadly distributed, and the attacker waits to see which credentials are collected.

3. The attacker uses stolen credentials to access the data they are after or adopts that identity for a more targeted attack on a high-value employee.

Attack #2: Spear phishing campaigns

Spear phishing is a targeted form of phishing that often involves more research designing the target list and phishing message. As opposed to broad-based campaigns, spear-phishing typically focuses on a small number of employees to evade automated filters.

The level of social engineering is also more sophisticated, with messages being more personal and the malicious call-to-action playing on emotions such as curiosity, fear, or rewards.

Anatomy of the attack

1. Attacker picks targets carefully, doing extensive research across available resources such as social media or web presence.

2. Attacker crafts a phishing message designed to appear legitimate, such as pretending to be a colleague and referencing a topical situation, such as a recent company party that the attacker learned of online.

3. The victim is compelled to enter credentials by appealing to his or her emotions, such as a curiosity to see photos from the party behind a fake login page.

4. The attacker uses the credentials from the high-value target to access sensitive data or execute the next stage of their attack.

Attack #3: Credential stuffing

Credential stuffing is a form of brute force attack that takes advantage of our struggle to select unique passwords across our various accounts. This is hardly surprising when you consider that the average American internet user has 150 online accounts requiring a password. Yet many of us have had account credentials compromised as part of a data breach.

Attackers leveraging credential stuffing will use these compromised credentials on several other websites to test if the login details are re-used. And they often are: 73% of passwords are duplicates, according to the TeleSign 2016 Consumer Account Security Report.

These types of attacks can be done at scale by bots, leading to a higher likelihood of these attacks affecting your organization. According to a recent report from Akamai, “more than 40% of global log-in attempts are malicious thanks to bot-driven credential stuffing attacks”.

Anatomy of the attack

1. Attacker acquires credentials from a website breach or password dumpsite.

2. Automated tools are used to test credentials across a variety of different sites.

3. When a successful login occurs, the attacker harvests the sensitive data or executes the next stage of their breach.

Attack #4: Password spraying

Password spraying is another form of brute force attack whereby an attacker takes advantage of our tendency to rely on common passwords such as “password1” (which according to Pwned Passwords has appeared in a data breach over 2.3 million times!). Anatomy of the attack

1. Attacker uses a small list of commonly-used passwords that match the complexity policy of the domain.

2. Instead of trying multiple passwords for one user, the attacker uses the same common password across many different accounts which helps avoid detection.

3. Once the attacker encounters a successful login, the attacker harvests the sensitive data or executes the next stage of their breach.

Attack #5: Man-in-the-Middle (MitM) attacks

A MitM attack on an organization is a highly targeted attack that can result in a full take of credentials and data-in-transit if executed correctly. After intercepting a network connection, an attacker can take also take advantage of “session hijacking” that compromises the web session by stealing the session token.

Anatomy of the attack

1. Attacker intercepts a network connection, often by leveraging tools to mimic a legitimate wifi access point (such as Starbucks Wifi).

2. If data is encrypted, the attacker may attempt to decrypt data by tricking the user into installing a malicious certificate or other technique.

3. If an attack is successful before the initial authentication, the credentials may be stolen as the attacker is monitoring all the user inputs.

4. Alternatively, the attacker steals the session token and is able to authenticate into the account and execute the next stage of their breach.

How Multi-Factor Authentication (MFA) can prevent these identity attacks

As the identity becomes the new security perimeter, organizations that take an identity-driven approach to security are finding that these attacks are able to be prevented without impacting user experience.

While it’s certainly important to educate employees of these identity attacks and implement best security practices like data encryption and certificate pinning, implementing MFA across your apps will significantly reduce the risk of successful attacks.

MFA prevents phishing attacks by requiring a second factor to access sensitive corporate data, such as a lightweight push to the user’s mobile device for authentication. This means that even if an attacker has your credentials, they still will not be able to be authenticated into the app. MFA therefore also prevents credential stuffing and password spraying since stolen or weak credentials are not sufficient to gain access. If MFA is paired with modern identity solutions, organizations can also set policies against the use of compromised or common passwords that leave employees vulnerable to these attacks.

Minimizing MFA prompts should also be a key consideration, and by implementing modern Adaptive MFA, the second-factor challenges are only surfaced under more risky scenarios, such as when the login occurs off the corporate network.

Moreover, organizations can apply especially strict MFA policies for business-critical apps or privileged users, providing an effective layer of defense against spear-phishing attacks.

Finally, MFA can prevent man-in-the-middle attacks by ensuring that if credentials are stolen in transit, a second factor is still required to access the account. Even more sophisticated attacks that attempt to steal a one-time password as part of the attack can be prevented by leveraging more secure authenticators like a U2F security key.

In light of these identity risks, NIST has recommended organizations implement MFA as part of their Digital Identity Guidelines.

Check out Dean Dorton’s User Identity page to learn more about implementing Adaptive Multi-factor Authentication with Okta and how we can help prevent identity attacks on your organization.

User Identity Management Solutions