Quantcast
Channel: Cyber Security Consultant – Mike Foster, CEH, CISA, CISSP

If You Get Hacked, Do Not Email Anyone About It

0
0

You’ve trained your users to be vigilant for symptoms of cybersecurity issues. Now teach them to share their concerns confidentially.
Alert your users today: Tell them to, if they suspect something, avoid opening a support ticket or emailing your IT professionals about the concern.

More often than ever before, bad actors infiltrate organizations in a slow, methodical way. They can remain undetected for weeks, months, even years. The FBI uses the term dwell time to designate the period from when attackers infiltrate systems until you discover them. The FBI warns businesses that attackers can cause significant damage during dwell time. Bad actors quickly establish backdoors to ensure access, even if you block their first point of entry. They deploy keyloggers on systems to record keystrokes. If your cyber assets are compromised, the bad actors can potentially monitor your messages to find out when you discover their presence in your network, computers, applications, cloud resources, websites, or anywhere else.

Once attackers know you’ve discovered their infiltration, that triggers them to move forward with their next phase, often contacting you to demand a ransom. Sometimes they threaten severe consequences if you attempt to recover your system in any other way than paying them. Since they are in your systems, you must take the threats seriously.

Establish a protocol for workers to communicate suspicions in some method other than email.

Even your IT department must avoid emailing each other questions such as, “I received an alert that someone is resetting an administrator password. That’s odd. Is that you?” Instead, they must communicate by mobile phone or radio.

If you suspect a breach and contact us, consider phoning. If you must email, use a personal account outside of your company account, and use a phone or some device other than a company computer’s keyboard to send the message.

I’m not talking about when users receive a phishing message. I’m talking about if they receive a phishing message that includes customer account information, if an important file is missing or won’t open, or if they receive an unexpected login request on a website or to open a file. IT needs to investigate these early-warning signs.

Please forward this to other executives who you care about to establish a mobile hotline number for users to reach the IT team to report suspicious activity. Help avoid triggering attackers’ responses before your IT team has time to react and, hopefully, mitigate a potential cybersecurity disaster.

The post If You Get Hacked, Do Not Email Anyone About It appeared first on Mike Foster, CEH, CISA, CISSP.


Attackers Can Take Control of Your Network in Three Seconds, and How to Stop Them

0
0

An attacker can plug into any network port in your building and, within 3 seconds, take control of your entire network.

The attacker does not need to know any passwords; they do not even need a username. They plug in a cable, and 3 seconds later, they’ve completely compromised your network. An attacker posing as a visitor, a copier repair person, or a member of a cleaning crew can all compromise your organization. They can steal sensitive information, install ransomware, and can shut down operations entirely. They bypass the majority of, if not all, of your other protections because now they’re a Domain Administrator.

This exploit is so severe that the Department of Homeland Security directed all federal agencies to apply the patch in accordance with the Federal Emergency Directive 20-04.

Take these three steps ASAP:

First, ask your IT team if they’ve backed up your Domain Controller servers and applied Microsoft’s patches that address the Zerologon exploit CVE-2020-1472. They must do this immediately. Be compassionate if they’ve not. IMPORTANT: Realize that if an attacker already took over a network, the patch doesn’t help.

Second, if you have Domain Controllers using operating systems older than Windows Server 2008 R2, your IT professionals must shut them down for good. Be sure to migrate any mission-critical services to other servers.

Third, does your organization rely on third parties to support you? What if one of your major suppliers, a distributor, or your biggest customer falls prey to an attack? Prepare your organization now for an interruption of their operations. Be sure their executives know about this flaw and these three steps. You do not want a catastrophe at their organization to domino and cause a disaster for you, even though you’ve protected your systems.

Additional steps:

Inform your work-from-home team members that, in some cases, the attacker can take over your network using a VPN connection. Do you have an armed guard at every work-from-home user’s home to watch visitors? Of course not. But your entire organization might rely on their security. What if a teenager’s friend feels like playing around, experimenting, with this new cool exploit on a mom or dad’s computer?

The patches only protect you from attacks from Windows devices. If an attacker accesses a network port or cable with a non-Windows machine, the attacker can still take control of your network. Microsoft will release a second patch on February 9, 2021. Ask your IT team to configure alerts now to monitor security log events 5827 thru 5831 to see when connections are allowed or denied.

The average time for IT Professionals to apply critical security patches is five months, but you need to help yours be above average. Ask them what you can do to help them have time to test and install all critical security patches within 14 days or sooner. They might want to have a patch management tool. They might need more time to devote to applying updates.

Confirm that your IT Team disconnects or disables all unused Ethernet ports, including those in conference rooms. Lock doors to any offices and conference rooms that contain active Ethernet ports. Train everyone to be proactive and remove opportunities for anyone, including guests and repair people, to plug a device into a network port.

Keep in mind that 911 systems, airlines, governments, and every organization that you depend on are at risk for Zerologon exploit CVE-2020-1472 until they take action too.

Please forward this to fellow executives you care about so they can support their IT Professionals successfully backing up servers and applying the emergency patch.

The post Attackers Can Take Control of Your Network in Three Seconds, and How to Stop Them appeared first on Mike Foster, CEH, CISA, CISSP.

Beware: Attackers Buy Top Search Engine Results to Trick You

0
0

What seems to be the best way to find a company’s website? Use a search engine, of course. The danger is that scammers can pay for top spots on search engine results to trick you into accessing a malicious site.

Here is how the scam works: Suppose you want to look up a company online named Super Duper, so you type the store’s name into your favorite search engine. An attacker might have purchased the top result to take you to the website superduperco.com. However, if you knew to scroll down past the paid-for-results, you would have seen that the real website is superduper.com. Attackers set up a website and named it superduperco.com.

Their deceptive site might contain malicious advertising, ask you to enter credit card numbers during checkout, or tempt you to download malicious programs and apps. They might ask you to login or reset a password, and they capture the password you type in.

If you look up a retailer in a search engine, skip past the ads and paid results. Scroll down to see real search results. Even then, be skeptical in case attackers used SEO techniques to appear at the top of the actual search results.

Please forward this to your friends to alert their users that top search engine results can be a trap.

The post Beware: Attackers Buy Top Search Engine Results to Trick You appeared first on Mike Foster, CEH, CISA, CISSP.

Emergency Update if Your IT Team Uses SolarWinds Products, and How to Protect Against Supply Chain Attacks

0
0

Bad Actors compromised a product called SolarWinds Orion and then used that as a vector attack organization. Ask your IT team if they use SolarWinds products, and if so, they must visit SolarWinds dot com/security advisory immediately for more information.

SolarWinds is a well-respected organization, and many organizations utilize their products. Not enough details are known to discredit their organization. Clearly, attackers see them as valuable enough to use as an infection vector.

This is called a supply chain attack because bad actors use a trusted product in an organization’s supply chain to attack the organization. A similar well-publicized attack happened with a popular tool, with many benefits, called CCleaner. The attackers successfully compromised 2.3 Million PCs.

The CCleaner supply chain attack is an illustration of dwell time. Attackers waited five months from the time they gained access to CCleaner before they launched the attack on CCleaner users. Many computers were safe, but not 2.3 Million of them.

Remember: Just because your organization fixes a vector through which the infection came does not eliminate damage already done. As an analogy, if you were the king or queen of a castle, and you found that attackers entered your castle walls to attack your city, raising the bridge over your moat does not eliminate the attackers who already made it inside.

Supply chain attacks are one of many reasons to eliminate as much software as possible at your organization. If a program is not essential, remove it asap. SolarWinds is vital for many organizations.

Please forward this to your friends so they can alert their IT departments to address this situation, and know to remove all non-essential software from all computers.

The post Emergency Update if Your IT Team Uses SolarWinds Products, and How to Protect Against Supply Chain Attacks appeared first on Mike Foster, CEH, CISA, CISSP.

Three of the Most Useful Links About the SolarWinds Attack:

0
0

Even if you don’t use SolarWinds, your suppliers and customers might. In some cases, your security is only as good as their security.

There are so many webpages about the Solar Winds attack. Here are three of the most useful. Please forward this to your IT team.

Do not let the title of this Microsoft article fool you. Microsoft explains how the attack starts and progresses, complete with diagrams. Not only is this page fascinating reading about this horrible attack, understanding the tactics helps your team protect you from future supply chain attacks:
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

Microsoft’s recommendations about how to protect Office 365: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/protecting-microsoft-365-from-on-premises-attacks/ba-p/1751754

SUPERNOVA is malware that different attackers made to impersonate the SolarWinds SUNBURST attack, and it is dangerous too. SolarWinds addresses both in their comprehensive information about determining if SolarWinds installations are affected and how to protect your organization: https://www.solarwinds.com/securityadvisory

Please forward this message to other organizations you care about, especially your suppliers, so their IT Pros have three of the most useful links amongst the dozens of others.

The post Three of the Most Useful Links About the SolarWinds Attack: appeared first on Mike Foster, CEH, CISA, CISSP.

Tips and Tricks: An Unconventional way to Protect Yourself from SolarWinds and Future Hacks

0
0

Will running one rarely used program stop future attacks? It will in the SolarWinds attack and perhaps stop future compromises too.

It makes sense that malware uses strategies to infect and hide inside of networks undetected. Here is some fascinating insight into that self-preservation: The malware related to SolarWinds attack looks for specific security related software, including a free program named WireShark, before installing itself. If Wireshark is running in Windows, the virus installation terminates itself.

Should you run WireShark on your computers 24×7? Ordinarily, IT Professions remove WireShark in case attackers installed it. Paradoxically, running WireShark will stop the initial activation of the SolarWinds attack. WireShark is not the only choice. Open this Microsoft article and use CTRL-F search for the word WireShark to see the other security related tools that will horrify some malware: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

But, after SUNBURST installs itself, it is too late. It doesn’t look for security related tools after installation.

This message is not a recommendation to run these applications, nor is it intended to dissuade you. If organizations start adopting this strategy to thwart cautious attacks, it will be interesting to see how malware responds.

Forward this article to your friends so they receive this insight into how bad actors strive to avoid detection and discuss implementing this unconventional approach to stopping malware installations.

The post Tips and Tricks: An Unconventional way to Protect Yourself from SolarWinds and Future Hacks appeared first on Mike Foster, CEH, CISA, CISSP.

Prepare Now to Recover Quickly from Ransomware on Mac and Windows Computers

0
0

Equip all of your Work from Home users with a cloned drive so they can help protect your network and get up and running quickly if they get ransomware or if their hard drive crashes. Protect your home family computers the same way.

Cloning a hard drive creates a second drive that looks, to a computer, identical to the source drive. If your laptop or computer gets ransomware or seems infected somehow, you can restore a cloned drive’s image to effectively reset the computer to how it was when you most recently made a clone. Additionally, if the hard drive crashes, the clone could quickly replace that drive’s functionality.

Create frequent clones of your computer’s hard disk to one or more external USB hard drives. Keep making your other backups too.

For Windows computers, Microsoft provides the System Image Creation feature. Commercial options include Shadow Protect Desktop from StorageCraft and Acronis True Image.

For Macs, options include Carbon Copy Cloner, Acronis True Image, and SuperDuper! Check compatibility with your version of OSX. Apple Time Machine is always compatible, and it is possible to boot into recovery mode to restore a drive from Time Machine, but it’s not a clone.

(We do not receive compensation for, nor do we endorse specific products. It is essential to give you examples.)

Please forward this to your friends to ensure they know cloned hard drives often permit speedy recovery of ransomed computers. If they have a clone image of a hard drive, work from home users can likely stay productive even when their computer malfunctions.

 

The post Prepare Now to Recover Quickly from Ransomware on Mac and Windows Computers appeared first on Mike Foster, CEH, CISA, CISSP.

Your Phone, Tablet, and Computer Started Hiding You – and How to Overcome the Associated Problems

0
0

A friend contacted me a few days ago and said, “Every few weeks, I’ll go to a site, and it will say that this appears to be a new device? For example, I’ve looked at my Twitter account this morning, and it put up my username and asked me for my password again. Is this anything to be concerned about?”

When you use a wireless network, your phone, tablet, and computer might disguise themselves to hide your identity. The new behavior strives to help keep you more anonymous on public networks at hotels and coffee shops. However, being anonymous on your business or home network can break essential security features, including:

1) As my friend did, you might start receiving alarming alerts that another person connected a new device to one of your websites or accounts. The warnings are concerning until you realize it is your computer reconnecting with a new unique index. After a time, you might ignore the alerts. But then you won’t know if a real attacker broke into your account with some other computer, tablet, or phone.

2) Parental controls at home fail if the safety restrictions are unique for each family device. When a youngster disconnects and reconnects to your network, sometimes they are no longer protected.

3) Your company keeps an inventory of your computers, tablets, and phones. It is challenging to keep the list current when your IT team must track three times as many devices as you have.

How do you solve this? It is possible to disable the randomization feature, but it takes time to reconfigure. Time is a precious commodity for you and your IT team too. An example of how to disable the behavior on iPhones, iPads, and Apple Watches: support.apple.com/en-us/HT211227

However, your employees or kids could change the feature back again to help them hide on your networks.

The answer to my friend’s question is that if the website tells you a date, time, and location of that person’s login, and you know you weren’t logging in from there at that time, yes, you need to be concerned. Otherwise, your experience may be because your device is disguising itself from the website. Disable the randomization feature, and the problem might go away.

Please forward this to your friends so that if they, or their IT team, cannot figure out why some of your security features are breaking, they will know to suspect their devices are rotating through MAC addresses.

If you want more technical details, a network identifies your device with an index number called a MAC address when you connect. There are more than 280 trillion possibilities for a MAC address; the odds are that nobody you know has the same number as your device. The first half of the number identifies the manufacturer; that makes it easier to find unidentified devices on a network.

Other problems you’ll notice because of rotating MAC addresses include:

4) Security tools at the office fail to work if the security tools rely on associating users with their computers, tablets, or phones. This problem affects both BYOD and company-issued devices.

5) IT Professionals can configure necessary reservations for computers, tablets, and phones. Those reservations are based on index numbers. When the index changes, the reservation stops working, and systems can fail or lose security.

6) Your websites will forget you. Some sites have a feature to Remember This Computer, so you do not need to go through as many steps each time you log in. The sites identify your devices by their index numbers. Your device will need to be re-remembered when your index changes.

MAC addresses look like FF:FF:FF:FF:FF:FF:FF:FF where each value I listed as F can be a hexadecimal digit 0,1,2,3,4,5,6,7,8,9, A, B, C, D, E, or F. If you know where to look, your phone, tablet, and computer can tell you the MAC addresses of each network interface.

The new behavior is causing lots of frustration in the cybersecurity world. This battle isn’t over yet.

The post Your Phone, Tablet, and Computer Started Hiding You – and How to Overcome the Associated Problems appeared first on Mike Foster, CEH, CISA, CISSP.


Protect Loved Ones from Tech Support Scams and Share this Hilarious Video

0
0

A wonderful person who is tech-savvy sent an e-mail message yesterday explaining that she cannot trust her mom with a computer or phone anymore because scammers posing as Microsoft stole $2000 from her.

Take a few moments to have the anti-scammer conversation with those you love. Their computer screen might display Microsoft’s logo stating that there is a virus on their computer. It is a scam, and they should not phone the tech support number on their screen.

Encourage your loved ones to watch the hilarious TED talk video: ted.com/talks/james_veitch_this_is_what_happens_when_you_reply_to_spam_email

Please forward this to your friends, so they alert their trusting loved ones.

The post Protect Loved Ones from Tech Support Scams and Share this Hilarious Video appeared first on Mike Foster, CEH, CISA, CISSP.

Hacker Contest Nets Winners Hundreds of Thousands of Dollars

0
0

Hackers competing in this year’s PWN2OWN competition earned hundreds of thousands of dollars. Who paid them?

The companies they hacked. But it isn’t ransomware; this is an example of bug bounty activities. Companies, including Microsoft, Zoom, and Apple challenge hackers to break in and reward them when they do.

The rules are simple: Attackers have 15 minutes to exploit a vulnerability that allows them to run a program on the target computer. In real life, an attacker could run a virus or some other malicious program.

An attack team calling themselves DEVCORE successfully took control of a Microsoft Exchange Server and earned two hundred thousand. An attacker who calls themselves OV broke into Microsoft Teams and earned another 200K. Daan Keuper and Thijs Alkemade from Coputest netted two hundred thousand for taking over a computer using Zoom messenger.

The great news is that Microsoft, Apple, and the other participants will create updates and patches to protect their products. Provide your IT team with time to install the updates to protect your organization. See more about the results here: https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results

Please forward this to your friends in case they are not aware of hacking contests that ultimately make the world a safer place.

The post Hacker Contest Nets Winners Hundreds of Thousands of Dollars appeared first on Mike Foster, CEH, CISA, CISSP.





Latest Images