Cybersecurity Awareness Month – IT Nation

Troy Newman will be speaking at IT Nation on November 1st, 2019 in Orlando

Cybersecurity Awareness Month October 2019

I am sharing our Office 365 Hardening Checklist here today to help others “tighten-up” their own O365 security posture.

Office 365 Security Checklist

  • Secure Score in portal
  • Enable Logging via PowerShell
  • Set MFA
  • Block Legacy Authentications – IMAP POP3 – PowerShell or Conditional Access Policy
  • Disable OWA if it is not needed or used – PowerShell or Admin Center
  • Review/Block External Forwarding Rules – PowerShell
  • Review/Cleanup Inbox Rules – PowerShell
  • Review Calendar details sharing – PowerShell
  • Set Alert Policies in portal – Admin portal
  • Disable Remote PowerShell per user setting – PowerShell
  • Designate more than one Global Admin – emergency access account
  • Review App Passwords
  • Set Outbound Spam Notifications – Admin portal
  • Review Role Changes – CloudApp for new Global Admins
  • Configure External Sharing links defaults – SharePoint Admin and sharing
  • Enable Versioning on SharePoint Document Libraries
  • OAuth and data sharing – Cloud App control
  • Conditional Access – geographic fencing and other policies – Azure admin
  • Azure Information Protection and Document Classification and Handling & DLP Rules
  • Exchange
    • Connection Filtering – may be leveraged if needed, and verify no unexpected settings
    • Outbound Filtering – may be leveraged, and verify no unexpected settings
    • Mail Flow Rules – may be leveraged, set notification of external email
    • ATP Spam Filtering
    • ATP Malware Settings
    • ATP Phishing & Spoof Protection
    • ATP Link Protection
    • ATP Safe Attachments
    • Mobile Device Policy – require password & encryption
  • DNS
    • SPF Record
    • DKIM Record
    • DMARC Record
  • Domain Admin Accounts
    • Set MFA
    • Conditional Access – restrict by Country or IP
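
An added example, not part of the original checklist: a read-only Exchange Online PowerShell audit covering the items above marked "PowerShell" (logging, legacy IMAP/POP3, OWA, external forwarding, inbox rules, per-user Remote PowerShell). It assumes the ExchangeOnlineManagement module and an active Connect-ExchangeOnline session; the helper names Add-Finding and Get-ExternalTarget are hypothetical.

```powershell
# Added example: read-only audit of the "PowerShell" checklist items.
# Assumes the ExchangeOnlineManagement module and an active session
# (Connect-ExchangeOnline). Helper names are hypothetical; nothing is changed.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Target, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Target = $Target; Detail = $Detail })
}

# Domains the tenant owns; any SMTP target outside this list counts as external.
$ownDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }

# Return SMTP addresses in $Targets whose domain is not an accepted domain.
# Assumes targets look like 'smtp:user@domain' or '"Name" [SMTP:user@domain]'.
function Get-ExternalTarget($Targets) {
    foreach ($t in $Targets) {
        if ("$t" -match '(?i)smtp:([^\]\s]+@([^\]\s]+))' -and $ownDomains -notcontains $Matches[2]) {
            $Matches[1]
        }
    }
}

# Enable Logging: unified audit log and organization-level mailbox auditing.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Add-Finding 'Logging' 'Tenant' 'Unified audit log ingestion is disabled'
}
if ((Get-OrganizationConfig).AuditDisabled) {
    Add-Finding 'Logging' 'Tenant' 'Mailbox auditing is disabled organization-wide'
}

# External forwarding: remote domains that still allow automatic forwarding.
Get-RemoteDomain | Where-Object AutoForwardEnabled | ForEach-Object {
    Add-Finding 'Forwarding' $_.DomainName 'Remote domain allows auto-forwarding'
}

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName
    # Mailbox-level forwarding to an SMTP address outside the tenant.
    foreach ($addr in Get-ExternalTarget @($mbx.ForwardingSmtpAddress)) {
        Add-Finding 'Forwarding' $upn "Mailbox forwards to external address $addr"
    }
    # Forwarding to a directory recipient may still be an external mail contact.
    if ($mbx.ForwardingAddress) {
        Add-Finding 'Forwarding' $upn "Forwards to recipient '$($mbx.ForwardingAddress)'; confirm it is internal"
    }
    # Inbox rules that forward or redirect outside the tenant.
    foreach ($rule in Get-InboxRule -Mailbox $upn -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($addr in Get-ExternalTarget $targets) {
            Add-Finding 'Inbox rule' $upn "Rule '$($rule.Name)' sends mail to $addr"
        }
    }
}

# Legacy protocols and OWA, per mailbox.
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    if ($_.ImapEnabled -or $_.PopEnabled) {
        Add-Finding 'Legacy auth' $_.Identity "IMAP=$($_.ImapEnabled) POP3=$($_.PopEnabled)"
    }
    if ($_.OWAEnabled) { Add-Finding 'OWA' $_.Identity 'OWA enabled; disable if not used' }
}

# Remote PowerShell should be limited to accounts that administer the tenant.
Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true' | ForEach-Object {
    Add-Finding 'Remote PowerShell' $_.UserPrincipalName 'Enabled; confirm the user needs it'
}

$findings | Sort-Object Check, Target | Format-Table -AutoSize -Wrap
```

Re-running the same script each week and comparing the output against the previous run also covers the "New mailbox forwarding rules" item in the weekly tasks.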

Weekly Tasks – many automated through CloudApp

  • New mailbox forwarding rules – CloudApp
  • Mailbox non-owners access – CloudApp
  • Malware detections – CloudApp & Security & Compliance
  • Account Provisioning Report – Detector
  • Multiple Sign-In Failure Report – Power BI
  • Access from infrequent country – CloudApp
  • Impossible travel – CloudApp
  • Cloud App alerts review – CloudApp
  • Cloud Backups – outside of Microsoft (Datto, Axcient, Skykick)

April Update – Increase in Cyber Threats

I need to call your attention to a current security matter. In the past several weeks there has been a measurable increase in sophisticated email phishing attacks orchestrated through intense targeted social engineering.

There has been a sharp rise in email cyber threats across the nation. I have been made aware of this situation on a national level through my affiliation with the FBI and my participation in a national information technology peer group. Throughout the United States, the FBI has seen an increase in these cyber breaches and a significant increase in losses reported to the internet cybercrime division, IC3. Managed Service Providers across the nation have been battling this increased email threat level. I have seen evidence of the immediate cyber threat in our own client base here in Houston as well.

Executive level awareness is of paramount importance. For our clients whose network is managed by MergerTree, multiple layers of network security are in place and actively managed. The current attack is a direct cybersecurity threat with the ability to circumvent network security. The vulnerability to our clients is via the susceptibility of staff to social engineering. Network security can lock up the network and secure the data, but if a staff member falls victim to a phishing email and inadvertently gives their access to a criminal then they have effectively opened the door and invited the perpetrator into your network. This is what we are seeing over and over across the country.

There is an intangible element to cyber threats that can make them difficult to grasp. It is simpler to illustrate with an example of physical security. Let me explain.

  • Suppose you purchase and have installed strong locks on all the doors and windows of your home. Then you purchase and have installed a security system with cameras that record events such as doors opening. You have alert levels set for things like smoke, or a window breaking. You have established multiple layers of home security as we have established network security for your organization.
  • You talk to your family about stranger danger and tell them to lock the doors when they leave and lock up again when they come back inside. You have established a security procedure.
  • Now suppose someone with bad intentions comes to the door and your family opens the door. Security is breached.
  • Aware of a higher threat level you may counsel your family not to open the door to strangers, reestablishing a higher security level as we have by warning clients not to open suspicious emails or click on unknown links.

Cyber-attacks have evolved.

  • Suppose someone texts a member of your family and says they are in the driveway and need help carrying things inside. Suppose the text looks like it is coming from you, the words in the text sound like you, they know things only you should know: nicknames, speech patterns, common phrases. But it isn’t you. It is a criminal with knowledge gained from intelligent phishing using social engineering to manipulate access through your carefully constructed layers of security. That is where we stand with this current cybersecurity threat.

The largest threat vector in our client base is through staff awareness. These criminals are not brute forcing their way in; they are cleverly disguising themselves and being ushered through security. Your strongest action for mitigating this threat is to immediately make it clear to staff that this is an executive priority and ensure your team pays attention to the alerts and training coming to them from MergerTree.


  1. Make it known this is an Executive priority.
  2. Immediate emphasis on procedure where any money transfer or irregular payment is confirmed by phone prior to transaction.
  3. Instruct employees to pay attention to emails from MergerTree and complete offered training.

What to know about Meltdown & Spectre

Credit – Stu Sjouwerman of KnowBe4

“Computer researchers have recently found out that the main chip in most modern computers—the CPU—has a hardware bug. It’s really a design flaw in the hardware that has been there for years. This is a big deal because it affects almost every computer on our network, including your workstation and all our servers.

This hardware bug allows malicious programs to steal data that is being processed in your computer memory. Normally, applications are not able to do that because they are isolated from each other and the operating system. This hardware bug breaks that isolation.

So, if the bad guys are able to get malicious software running on your computer, they can get access to your passwords stored in a password manager or browser, your emails, instant messages and even business-critical documents. Not good.

So, What Are We Doing About This?

We need to update and patch all machines on the network. This is going to take some time, some of the patches are not even available yet. We also may have to replace some mission-critical computers to fix this.

In the meantime, we need you to be extra vigilant, with security top of mind and Think Before You Click.”

Thank you Stu! You have a knack for bringing the techno-babble to layman’s terms!



Recent increase in breach attempts against remote access vectors.

Our security systems have recently detected numerous breach attempts originating from IPs in Europe attacking remote access ports. Specifically, we are seeing remote access systems targeted with DDoS and Brute Force password attacks. While these attacks are active, your staff might not be able to access their business applications.

Our threat detection systems and procedures have protected our managed services clients from breach. Just curious if others are also seeing an increase in this threat vector. I suspect many organizations may be seeing the same, but lack the systems to detect and prevent these threats.



Important Notice regarding WannaCry/WannaCrypt Ransomware threat

News is spreading fast about this global ransomware threat. Over the weekend, computer systems based in Europe, China, and Russia were struck heavily by this new threat. We are still seeing this threat grow and it has reached the U.S. as well.

For MergerTree Managed services clients we run endpoint protection and Windows updates to protect your systems from such threats. However, there are still necessary precautions and considerations for your home systems and friends and family that may not have such system protection.

Precautionary measures to mitigate ransomware threats include:

  • Ensure anti-virus software is up-to-date. (Webroot is included with MergerTree Managed Desktop services).
  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks. (Server backups are included in the MergerTree Managed Services Agreements).
  • Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust.
  • Enable automated patches for your operating system and Web browser.

A Message From Webroot:

Webroot does currently protect you from WannaCry ransomware. In simple terms, although this ransomware is currently causing havoc across the globe, the ransomware itself is similar to what we have seen before. It’s the advanced delivery mechanism that has unfortunately caught many organizations off guard.

In addition to deploying Webroot as part of a strong endpoint control strategy, it is essential you continue to keep your systems up-to-date on the latest software versions, and invest in user education on the dangers of phishing, ransomware, social engineering and other common attack vectors.

Read the full Alert from US-CERT:

Cybersecurity Tips

Cyber threats continue to evolve at an alarming pace. I recently came across a couple of cybersecurity awareness tips and felt that I should pass these along. The first tips came from the SANS Institute. I have mentioned some of these tips in previous blog postings, but repetition is the greatest form of emphasis.

Email Auto-Complete

Be careful with email auto-complete. This is an email feature that automatically completes a name for you when you begin typing it in the TO field. However, your email client can easily complete the wrong name for you. If you are emailing anything sensitive, always be sure to check the TO field a second time before hitting the send button.

To learn more, check out this OUCH! newsletter.


Every plugin or add-on you install in your browser can expose you to more danger. Only install the plugins you need and make sure they are always current. If you no longer need a plugin, disable or remove it from your browser via your browser’s plugin preferences.

To learn more, check out this OUCH! newsletter.

Patch and Update

One of the most effective ways you can protect your computer at home is to make sure both the operating system and your applications are patched and updated. Enable automatic updating whenever possible.

To learn more, check out this OUCH! newsletter.

Back up Your Files

Eventually, we all have an accident or get hacked. And when we do, backups are often the only way to recover. Backups are cheap and easy; make sure you are backing up all of your personal information (such as family photos) on a regular basis.

To learn more, check out this OUCH! newsletter.

IoT Trojan Horse

The new “Trojan Horse” IoT

The IoT, Internet of Things, has been a discussion point for many security experts this year. The more technology we introduce into everyday life, the more automation and convenience it brings. But it also brings substantial risk. Consider last Friday’s DDoS (distributed denial of service) attack on the Dyn data centers. This attack took down Netflix, Twitter, PayPal, and other online businesses. What looked like a data center issue at Dyn was really a well-orchestrated cyber-attack. But by whom? While we may not have the answer to this yet, we do know what happened.

It all begins with Chinese manufactured web cameras (IoT devices). Millions of said cameras are in operation and connected to networks around the world. They are online so that the owners can connect and monitor their cameras. Everything connected to the Internet is a target for bad actors and hackers.

A new malware named Mirai was created to hunt out and breach these and many other camera systems. And it was REALLY easy. You see, the cameras have security, but most users never take the time to change the default credentials. They just plug in the cameras and are happy they are working, never giving thought to any security risk! These and all devices connected to the Internet must be secured and must not be left with default settings!

As Mirai searched the internet with a list of 60 known default credentials, it planted a Trojan Horse and reported back to the bad actors awaiting command. Last Friday the bad actors began their attack using the compromised IoT devices to send malicious traffic at the Dyn data center. This traffic hit with such a pace and volume that the data center could not keep up and resulted in service outages. No fault to Netflix or Twitter or PayPal, but it certainly appeared that their systems were down. The reality was they just could not be reached due to this DDoS.

After half a day the threat was mitigated. The Dyn security team was able to deflect traffic and restore services. But there is still a huge risk on the internet and millions of breached IoT devices. The Chinese manufacturer has offered a recall on many of the cameras, and many other models can be fixed with a firmware update. But who really will take action on this? How do people know if they have a breached camera? And would they understand how to update the firmware? There are far more questions than answers at this point.

I can’t help but consider that this could be a nation state sponsored threat. Isn’t anyone else concerned that a foreign nation propagated millions of cameras with embedded credentials that could allow them to take control of them at any time?

This time we lost Netflix and Twitter for a few hours. What if the attack had been directed at our financial institutions or national infrastructure?

A case of Corporate Spying

Oil and natural gas intellectual property (IP) includes a company’s trade secrets, proprietary information, and research. This ranges from drilling equipment to pipeline insulation, which if stolen could result in lost revenue, lost employment, damaged reputation, lost investment for research and development (R&D), and interruption in production.

Who might steal your IP?

  • Domestic and foreign commercial rivals
  • Domestic and foreign start-up companies
  • Foreign Intelligence Officers (spies)
  • Disgruntled employees (insider threat)
  • Organized criminals

A good description of actual economic espionage was reported by the FBI. In 2012, two Chinese nationals were arrested by the FBI for attempting to pay $100,000 to a Project Manager employee for “Pipeline Insulation,” a trade secret belonging to a well-known US company. The two individuals were seeking the technology to open a plant in China to compete with US companies. They solicited the company’s employee via a newspaper ad seeking “technical talent” with 10 or more years’ experience in “Pipeline Insulation” and a willingness to work in Asia.

The Chinese nationals used low-tech and careless methods of collection. Given the high risk of getting caught, these individuals displayed minimal concern for possible repercussions of their actions. Outlined below are espionage indicators noted during the course of the FBI investigation:

  • Supplying a company insider with a requirements list through unclassified e-mail.
  • Seeking specific types of information at selected companies.
  • Targeting a 24-hour operational facility with the highest production of trade secrets, allowing for more opportunities to acquire technology.
  • Providing inconsistent information when confronted by plant management for trespassing.
  • Asking that trade secrets be provided on a thumb drive.
  • Knowingly purchasing documents with proprietary markings with the intention to remove the information.
  • Seeking a consultant who can travel to China two to three times a year to support plant developments.

The example above is but a brief summary of threats in today’s world. Companies hold IP in drilling fluids, pipeline testing, chemical plant unit design, waste disposal, power generation, rig automation, geoscience data and analytics and much more. These are all valuable commodities to bad actors bent on stealing them for profit or stealing market capture. This puts companies at extreme risk of loss of market share, profit and employment of US citizens. Now is the best time to review your physical security and cybersecurity defenses.


Zero-percent cybersecurity unemployment, 1 million jobs unfilled

Given the reported shortage of cybersecurity talent, it makes sense that Managed Cyber Security providers offer numerous leveraged advantages for SMBs that want to bolster their IT security. These advantages include:

  1. Extensive resources – Many SMB owners and managers said they believe their businesses are more prone to cyber attacks because they lack the resources to maintain their defenses. Conversely, an MSP possesses the skills and know-how to minimize such issues.
  2. Better preparation – Many SMBs note that they are unprepared to deal with insider threats, while almost half say they are unprepared for unsecured internal or external networks. An MSP can help an SMB understand and manage these problems.
  3. Specialization – One third of SMB IT staff say they juggle security along with their other IT responsibilities. However, an MSP can focus exclusively on security and ensure an SMB gets the cybersecurity support it needs at all times.

MSPs, like MergerTree Solutions, that offer platforms that leverage cloud-based security architecture are becoming increasingly important because they allow SMBs to implement protection without investing in new infrastructure or being burdened by upfront deployment and management costs.

Contact us today to learn more about the MergerTree Solutions Managed Cybersecurity Platform