Advanced Security Solutions
Watch our recorded webinar below and learn how IT Radix has added layers to our security solutions to better protect your organization.
As seen on the news, there’s been a tremendous growth in cybercrime due to the widespread availability of internet access and the continued expansion of the hybrid/remote workforce. Cyberattacks, like ransomware, are sophisticated; and the reality is that no organization is immune. Security experts claim that 95% of companies are not properly protected.
Complete transcript below:
Time to Upgrade Your Cybersecurity Solutions
More and More Businesses are Working Remotely
Help Desks for Cybercriminals?
Even Unsuccessful Cyber Incidents Cost
Have a Systematic Way to Address Cybersecurity
1st – Identify What is Important
2nd – Protect It with Zero Trust
The next thing you want to do is, of course, protect it. One of the concepts I want to introduce today is something called Zero Trust. It’s a relatively new buzzword in the cyber world, but it’s been around for a long time, and I think this picture does a nice job of depicting the concept behind Zero Trust. Pre-pandemic, pre-high-speed internet and folks working remotely… computer networks and everyone were generally together, and they were working inside of an office. We would put something like a firewall in place to protect the perimeter of the office—everything inside the office trusted each other, and it trusted nothing from the outside. So that was the old model. Now, as time and technology have evolved, we’ve suddenly blown those walls away and there are no more borders in terms of how your corporate network works. This is where Zero Trust really becomes extremely important, because it’s no longer dependent on the perimeter and those protections. It comes down to the individual devices, networks and applications that you’re running.
If you think about what the traditional antivirus was doing… it was alerting on behavior where it could, but it couldn’t tell the difference between copying from Dropbox and just copying files from your PC up to the Internet. It couldn’t tell the difference between someone like ourselves helping you with remote support and a threat actor controlling your machine. It doesn’t know the difference. Zero Trust completely flips the whole model around, and the concept is simple: deny everything by default, don’t allow anything, trust nothing, and then only over time build up the list of what you do trust and grant trust to those things, whether it’s a person, data, a device, an endpoint or something on your network. Then, you need to constantly continue to evaluate that.
If you’re going to do this from end to end, typically what you will do is implement a solution such as application whitelisting software. The idea, again, is to only allow what’s needed for every day. This has been blessed and endorsed by the White House, regardless of your politics. This is an extremely effective tool for preventing cyber breaches or incidents. Again, you’re assuming everything is bad until you’ve authenticated that it’s not, and then you need to explicitly authorize the least privilege required. Application whitelisting is way more proactive in terms of your defense and your security than a reactive defense like antivirus. So, you trust nothing, and you block it. Then, what you do is you watch and you learn, and we develop that whitelist of what is trusted, and at that point we allow it. You are in control, and nothing’s going to run unless you approve it.
So, let’s play this out in a real-world example. Let’s pretend a threat actor wanted to replace outlook.exe, a program many people use, behind the scenes with a weaponized version of Outlook. The application whitelisting solution knows that this piece of software from Microsoft has something called a hash, which I like to equate to a fingerprint that basically certifies this is the one that Microsoft gave us. If it doesn’t match this fingerprint exactly, it is not Microsoft’s Outlook and I’m not going to allow it to run. So, if the perpetrator tries to replace Outlook with a weaponized version of it, the whitelisting software will absolutely prevent it from running, because it’s not going to pass the trust criteria that you’ve put in place.
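The fingerprint check described above, written out as an added example (this is not code from the webinar or from IT Radix, and it is not how any particular whitelisting product works internally): the allowlist maps an executable name to the SHA-256 of the approved file, anything not on the list is denied by default, and a modified copy of an approved file fails because its hash no longer matches. The outlook.exe bytes, the file names and the temporary directory are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_allowed(path: str, allowlist: dict) -> tuple:
    """Default-deny decision: a file may run only if its hash matches its allowlist entry."""
    name = os.path.basename(path).lower()
    expected = allowlist.get(name)
    if expected is None:
        return False, f"{name}: not on the allowlist (default deny)"
    if sha256_of_file(path) != expected:
        return False, f"{name}: hash mismatch, the binary is not the one that was approved"
    return True, f"{name}: fingerprint matches, allowed to run"


def demo() -> list:
    """Constructed scenario: an approved outlook.exe, the same file after tampering, an unknown tool."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "outlook.exe")
        with open(good, "wb") as f:
            f.write(b"MZ constructed stand-in for the vendor's outlook.exe")  # not a real binary
        # The allowlist entry is recorded during the watch-and-learn phase, while the file is known good.
        allowlist = {"outlook.exe": sha256_of_file(good)}
        results.append(is_allowed(good, allowlist)[0])  # True: fingerprint matches

        with open(good, "ab") as f:  # simulate the approved file being replaced by a modified version
            f.write(b" modified")
        results.append(is_allowed(good, allowlist)[0])  # False: fingerprint no longer matches

        unknown = os.path.join(d, "newtool.exe")
        with open(unknown, "wb") as f:
            f.write(b"MZ constructed program nobody approved")
        results.append(is_allowed(unknown, allowlist)[0])  # False: not on the list, default deny
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```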
3rd – Restrict Privileged Access
User Access
The next thing you want to do is really restrict privileged access. You know, local administrator rights, back in the day, were very commonly given to all users, because as they’re working on their machine, rather than having to request to download Dropbox or something like that, they would just take care of it themselves and move on with their day and continue to work.
Local admin accounts are extremely sought after. They can be used to move laterally inside of a network. So, once they’ve gotten access to one particular machine, they might then try to move across your network to other machines, other devices, things of that nature. So, you want to make sure that you’re constantly limiting the access of the local admin, and the application whitelisting software can help you enforce that. The other thing that you can do is use the same software to help restrict access to the data or the devices that users need. For example, if you don’t want to allow your users to use a USB key, you can restrict that. If you don’t want them to get to a particular device on the network, you can use the software to help restrict that as well. So again, you want to make sure that you have the least amount of privilege needed to do your job. We want you to be functional and we want you to do your job, but you don’t need to be this super user who can do just about anything. This will significantly reduce the likelihood that some kind of bad actor has the ability to exfiltrate or steal your data.
Applications Access
What I was just speaking about was more about the individual users. But in this particular slide, I want to spend a little bit of time talking about the applications that you actually use. So, just like you would have least privilege for individual users, you want to do the same thing for applications, and not all software applications are written in such a way that they are well behaved. So as an example, it is little known that when you launch Chrome, behind the scenes it opens something called a PowerShell window that allows it to do some really powerful stuff, and this is in a Windows environment. But there are others in the Mac environment as well where it can do things behind the scenes leveraging something called a PowerShell script. We launch Chrome and we start our browsing, and we don’t realize that we’ve gone to a malicious link. Behind the scenes, that malicious link is now using that PowerShell window that you’ve got open to start encrypting your machines, changing settings on your machines, perhaps again proliferating out throughout your network. So, what we can do with the application whitelisting solution is put a fence around Chrome so the only thing that Chrome can do is web browse. It can no longer use that PowerShell script that’s open behind the scenes, and it basically prevents them from moving any further inside of your environment. This applies to many things. There are many applications out there, Adobe is one of them and Blue Jeans is another one, that I found recently had been attacked. There’s a bunch of them out there.
All of this application whitelisting is designed to do that: proactive protection. Now, nothing is 100 percent bulletproof, so you still need to continue to do detection. So, God forbid something does happen, now you’re going to find it, you’re going to detect it, and you’re going to do something about it.
Decoys and Ransomware Canaries
So, what we like to see now in our clients’ environments, and in terms of having in our toolbox, is something that’s putting out some decoys, or ransomware canaries, as they’re often called. These are files that are sprinkled around, perhaps on an individual user’s machine. They might be named things like “passwords” or “HR data” or things like that which might be tempting to the hackers and the software engines that they develop. They’re put out on the machines and they’re intended to be there so that if something trips one, if something touches it for any reason, it is noticed, just like the old model of the canary in the coal mine, when the bad gases were coming out and the miners couldn’t breathe. The ransomware canaries are there and monitored by the agents that we put on the machines. So, if something trips those canaries, the decoys, then we know something’s going on, something unnatural is going on with this machine and we need to dig in. Once you’ve done that, the hunt is on. We’re going to start looking for things called persistent footholds. We’re going to watch the user and behavioral analysis and see what’s going on. The idea with the persistent footholds is they put something in place that, even if you reboot the machine or you log off, just starts up again. So you could kill the process, but once you reboot the machine, it starts back up again and continues on its merry way encrypting or hacking into your machines.
You want to be looking for those persistent footholds, and the user and entity behavioral analysis. What is that doing? It’s looking at things like, “Hey, Cathy doesn’t normally log on at two in the morning. That’s unusual. Let’s see what’s going on. Let’s see what she’s doing. Maybe she just couldn’t sleep, or maybe some hacker has taken over her machine and is doing something nefarious.” So the solutions here, what they do is they tend to use a combination of Artificial Intelligence (AI) and human intelligence, because humans still can spot patterns and see things a little more quickly in certain situations than the AI. So, the AI is feeding everything to the humans, and then the humans of course are laying an eye on it and saying, no, this looks normal, or no, this doesn’t, and certainly if the AI sees something where it’s encrypting, it’s going to immediately raise the alarm and alert folks that something bad is going on. So, let’s say something bad is going on. The first thing you want to do is make sure you’re prepared. You want to have a plan in advance. You don’t want to be dealing with this after the fact. You want to have an Incident Response Plan so that you can decide what you’re going to do and how you’re going to respond. If it’s a particular file, you want to analyze those files, you want to investigate the attack, and as much as possible, isolate it, maybe to just one or two machines. You don’t want it spreading throughout your entire organization, and then of course, you want to remediate, recover and get yourself back up and running.
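The two detections from the last two sections, the canary file and the “Cathy doesn’t normally log on at two in the morning” check, run over a handful of endpoint events, as an added example (not code from the webinar, from IT Radix or from any of the products mentioned). The event format, the user name, the paths and the canary list are all constructed; a real agent would learn the logon baseline over a longer period rather than from the events it is scanning.

```python
from collections import defaultdict
from datetime import datetime

# Constructed endpoint-agent events, not real telemetry: "timestamp|user|event|detail".
EVENTS = r"""
2024-03-04T09:02:11|cathy|logon|WKS-17
2024-03-04T09:05:40|cathy|file_write|C:\Users\cathy\Documents\budget.xlsx
2024-03-05T08:58:03|cathy|logon|WKS-17
2024-03-06T09:10:22|cathy|logon|WKS-17
2024-03-07T02:03:45|cathy|logon|WKS-17
2024-03-07T02:04:10|cathy|file_write|C:\Users\cathy\Documents\passwords.txt
"""

# Decoy files the agent planted (constructed paths). Nobody has a legitimate reason
# to touch them, so any write is an alert, like the canary in the coal mine.
CANARIES = {r"C:\Users\cathy\Documents\passwords.txt", r"C:\HR\hr_data.xlsx"}


def parse(events: str) -> list:
    """Split the pipe-delimited lines into (timestamp, user, event, detail) tuples."""
    rows = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split("|", 3)
        rows.append((datetime.fromisoformat(ts), user, event, detail))
    return rows


def hours_apart(a: int, b: int) -> int:
    """Distance between two hours of the day on a 24-hour clock (23 and 01 are 2 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def detect(events: str, canaries: set = CANARIES, window: int = 3) -> list:
    """Return alerts for canary writes and for logons far outside a user's previously seen hours."""
    alerts = []
    seen_hours = defaultdict(set)  # user -> hours of the day at which that user has logged on before
    for ts, user, event, detail in parse(events):
        if event == "file_write" and detail in canaries:
            alerts.append(f"{ts.isoformat()} canary touched by {user}: {detail}")
        elif event == "logon":
            known = seen_hours[user]
            # A user with no history yet cannot be compared; this streaming baseline is for illustration.
            if known and all(hours_apart(ts.hour, h) > window for h in known):
                alerts.append(f"{ts.isoformat()} unusual logon hour for {user}: {ts.hour:02d}:00")
            known.add(ts.hour)
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```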
If you don’t have an Incident Response Plan, I strongly encourage you to get one. We are seeing that cybersecurity insurers are now asking these questions on their renewals, and when you have these plans, that is in your favor. They want you to practice them just like you would practice a Disaster Recovery Plan. So, with that, we encourage you to upgrade your cybersecurity posture. If you want to have a review, we can do that and talk about what you may or may not have in place. Of course, we never want a client to have an incident and turn into this angry red monster that you see here.
We want to rewind back to where we were at the beginning. What you have in place may no longer be sufficient and we are encouraging users and our clients to upgrade before the end of March so that we can lock in some of the pricing that we have available to us in the first quarter.
Let me introduce my wonderful colleagues from IT Radix this morning. We’ve got Ken, Paula, Robin, Dan, Zach and Diane and a couple folks are hiding behind the scenes. Dan is my Wizard of Oz today.
Let’s see… we have some questions.
Question #1: Would you say this upgrade is more critical if you have a lot of people or you're working completely remotely versus in your office?
Question #2: Are remote workers more hackable? Are they more insecure?
Question #3: My question is about email security. One of the things that you showed in the beginning was a classic credential harvesting site, Facebook, and the way that those often get delivered to end users is via email. There are default options with Microsoft that are not so effective and often let phishing emails like that through. Do you recommend upgrading the Microsoft license for one of their premium services called Advanced Threat Protection? Or would you recommend going with a third-party tool that's built on top of Microsoft and integrates with it?
Question #4: We migrated our email to Office 365 and most of our files are on SharePoint. By its very nature Office 365, how protected is that automatically from hackers, hijacking, and ransomware? Did Microsoft build protection in?
Yes, so they build in some security protections, but not everything to the level of what I was describing. I’ll give you an example of something that actually happened to one of our clients. The person got infected, and it then encrypted their files in their SharePoint site because the user (this goes back to that concept of the least amount of privileges) did have access to these files in the SharePoint site, and so not only did it encrypt the files on this person’s machine, it also encrypted everything they could see in the SharePoint site as well as anything they could see on their internal server. So, I love the fact that our clients trust all their staff and their employees, but what we often find is they will have a common storage area, whether it’s in SharePoint or on their server, that they let everybody have access to. That’s great as long as there’s nothing that’s super sensitive in there or that you’re concerned about. But let’s just say my friend Robin gets infected and she can see all this stuff in the common area. She’s going to be able to encrypt it and the data. What they’re also starting to do is just steal the data. They’re not necessarily telling you that they encrypted it, so least privilege is always best. We had a client who worked with doctors to do speaking events, and they have to pay the doctors. The doctors would send them a 1099 which had their Social Security number on it, and the person at that company would store it in this common area. Well, not everybody in the company needs to see this doctor’s 1099 Social Security number. They really should limit that down to the small subset of people that need to see that data. For many organizations, it’s been years of data. I’ll tell you, they’ve got lots and lots of data, and they haven’t really stopped to think about what data they have.
It wasn’t until they had an incident that they’re like, oh, we’ve got all these Social Security numbers stored in a place where we really shouldn’t, and we had to help them re-architect and carve out and move and shuffle their data around, really to isolate some of it to smaller subsets of people within the company. So that’s why it’s easy to gloss over identifying what’s important, what’s truly important. What you don’t really realize is how the folks inside, especially as the organization gets bigger, are handling their data, where they’re saving it, and where they’re putting it. You want to make sure you set some very strict guidelines and rules and policies that they know, and train them, so they know and understand what to do with the information that they have and handle it properly. So, to answer your question, Microsoft has some security in place. I think some of it can be tightened up and, in some cases, clients relax it. So, to answer your question, you cannot rely on Microsoft to protect your information. They certainly don’t just let anybody hop in and tool through your files in SharePoint, but if you, for example, shared something like a whole folder in your SharePoint with a person outside of your organization, you’ve now opened a door to your data that’s in SharePoint. So, the responsibility of protecting it still stays with you, not Microsoft.