30-Minute Tech Talk:
Advanced Security Solutions
Watch our recorded webinar below and learn how IT Radix has added layers to our security solutions to better protect your organization.
As seen on the news, there's been a tremendous growth in cybercrime due to the widespread availability of internet access and the continued expansion of the hybrid/remote workforce. Cyberattacks, like ransomware, are sophisticated; and the reality is that no organization is immune. Security experts claim that 95% of companies are not properly protected.
Watch the replay here:
Complete transcript below:
All right by my clock it is 12:10, so I'm going to go ahead and get started. I see people generally nodding in agreement that it's 12:10, so thanks for joining us. If you have questions throughout, please use the Zoom raise-your-hand feature to raise your hand, otherwise you're going to be muted. So, if you have any questions feel free to ask in the chat or raise your hand and we'll unmute you, and you can ask those audibly. We're going to take feedback at the end; we always send out a feedback form so if you could please fill that out and let us know what you'd like to hear more or less of that would be super awesome.
I am Cathy Coloff, I think I know most of you so far that I see on the call today. Thank you for joining us as we talk about advanced security solutions that can help you face today's cybersecurity challenges.
Time to Upgrade Your Cybersecurity Solutions
So, some of you have been working with us for many, many years since 1998 and a lot of things have changed since then. You may remember using phones that looked like this, and then maybe they started to look like this, and now they look like this. So just like the phone technology has evolved, so has the cyber landscape and what can and cannot happen to you, and just as you've upgraded your phones over time it is now time that you start to think about upgrading, if you haven't already, your cybersecurity situation and your solutions that you have in place.
More and More Businesses are Working Remotely
They showed that statistically two and five businesses, with the pandemic, they transitioned from working remotely into working remotely with no real cybersecurity plan in place. Kind of a dangerous thing if you think about it in hindsight but obviously out of necessity folks did it and what we know is what we used to have is no longer enough, and just as all of this technology has gotten better along the way, so have the cybercriminals. They're able to do things faster, more effectively, more efficiently, and this sort of shows you a little bit of a timeline of what's gone on there. You know they've advanced just like all the other technology, and you know it used to, I mean think back, it was on floppy disks is how they used to do it and then at one point you know they introduced bitcoin and that actually was a real boon for the cybercriminals because now nobody could trace what they were doing. You know they had a way to collect your money without being traced back to them.
Help Desks for Cybercriminals?
Then they started launching things like crypto locker and email phishing and exploiting vulnerabilities and software and it's just gone on and on and on to now we’re at a point where they've got ransomware as a service you connect. They actually have help desks for the cybercriminals to help them steal your credit cards. If the credit card numbers, they've stolen don't work you can call and say hey you know the card I bought from you, the card number I bought from you isn't valid, and they've even taken it up a notch. If you look at some of the various things that have happened, they've moved into extortion. So, what they're saying is okay maybe you had a backup so you don't necessarily need to pay the ransom because you're able to recover from the incident. But now what they're doing is they're actually extorting you and saying, “Hey, that's great. You still have to pay, otherwise we're going to expose all your data out on the dark web, and of course nobody wants that, and so that is where we are today. Of course, one of the things that we tell you about training your users. The real question becomes is when you're training them, can they actually tell the difference. If you look at these two web pages and you look very closely, they are identical. Now I've lighted out a little bit of the URL of the one on the right, but if you look at them, both of them are identical. I don't want actually going to the website that's on the right, that's the dangerous one. But if you were to click on those links, you know it will capture your credit card information or your login information and from there, they will just try to use that to go into other places on the dark web. So, you know maybe you've been educating your users, and I know I have a lot of smart people on the call that I deal with a lot. Now, here's another one. Can you really tell the difference between these two screens? Which one is the one that's the real one? All the links along the bottom are all valid. They will take you to a valid place. Though, in this particular example, the one on the left is the one that is actually the fake and the only thing on here that's dangerous is the click… when you click on the sign-up button. Everything else on the one where you sign up is across the top. The rest of it will take you to Facebook. So, it is super hard for the average user to tell the difference between these web pages until something like this happens. You get a message on your screen that says, “Hey, you've been hacked,” and so having just detection is no longer enough and the statistics around what a cyber incident.
Even Unsuccessful Cyber Incidents Cost
Even if it's not a breach, even if nothing happens, the amount of time and business disruption that occur as a result of a cyber incident can become staggering. If you want to just do a quick little calculation, we can. We'll do that with you offline because it's based on the number of employees and things of that nature. But this is a is an eye-opening exercise to sort of evaluate what it would cost if you had an incident, even if it's an unsuccessful one.
Have a Systematic Way to Address Cybersecurity
So, what we want you to do is to start being systematic and developing a framework around how you address your security. At IT Radix, we follow something called the NIST. It's sort of a generic one but some industries have specific ones that they framework, that they should be following. In our case we follow NIST. I don't actually remember off the top of my head what NIST stands for but the idea here is that you have a process and a systematic way of how you're going to address cybersecurity within your organization.
1st - Identify What is Important
The first thing that every organization needs to be doing is identifying what is important. Is it this information on this computer, is it all of your information, is it certain services, but maybe not others that you deliver that are critical? Once you've identified that and prioritize them, they're going to help you identify how you want to protect and move forward from there, from a security standpoint. Of course, once you've identified it, you protect it. God forbid something does happen, you want to detect when an incident occurs and then be able to respond and quickly recover from it. So, I'm going to delve a little deeper into some of these other layers here after you've identified the data.
2nd – Protect It with ZeroTrust
The next thing you want to do is, of course, protect it. One of the concepts I want to introduce today is something called Xero Trust. It's a relatively new buzzword in the cyber world but it's been around for a long time, and I think this picture does a nice job of trying to sort of depict the concept behind Zero Trust. Pre-pandemic, pre-high-speed internet and folks working remotely… computer networks and everyone were generally together, and they were working inside of an office. We would put something like a firewall in place to protect the perimeter of the office—everything inside the office trusted each other and it trusted nothing from the outside. So that was the sort of old model. Now as time has evolved and technology has evolved, we've suddenly blown those walls away and there are no more borders in terms of how your corporate network works. This is where Xero Trust really becomes extremely important because it's no longer dependent on the perimeter and those securities. It is actually down to the individual devices networks and applications that you're running.
If you think about what the traditional antivirus is doing… it was alerting on behavior it could, but it couldn't tell the difference between copying from Dropbox or just copying files from your PC up to the Internet. It couldn't tell the difference if it was someone like ourselves helping you do remote support or a threat actor that was controlling your machine. It doesn't know the difference. Xero Trust completely flips the whole model around and the concept simple deny everything by default, don't allow anything, trust nothing, and then only as over time you build up the list of what you do trust and then you grant trust to those whether it's a person data device endpoint something on your network over time. Then, you need to constantly continue to evaluate that.
If you're going to do this from end to end, typically what you will do is implement a solution something like an application whitelisting piece of software. The idea again only allows what's needed for every day. This has been blessed by and endorsed by the White House regardless of your politics. This is an extremely effective tool for preventing cyber breaches or incidents. Again, you're assuming everything is bad until you've authenticated that it's not and then you need to explicitly authorize to the least privilege required. Application whitelisting is way more proactive in terms of your defense in terms of your security than a reactive defense of something like an antivirus. So, you trust nothing, and you block it. Then, what you do is you watch, and you learn and we develop that whitelist of what is trusted and then at that point we allow that. You are in control and nothing's going to run unless you improve it.
So, let's sort of play this out in a real-world example. Let's pretend a threat actor wanted to replace behind the scenes outlook.exe, a program many people use, and they replaced it with a weaponized version of Outlook. The application whitelisting solution knows that this piece of software from Microsoft has something called a hash, which I like to equate to a fingerprint that basically certifies this is the one that Microsoft gave us. If it doesn't match this fingerprint exactly, it is not Microsoft's Outlook and I'm not going to allow it to run. So, if the perpetrator tries to replace Outlook with a weaponized version of it, the whitelisting software will absolutely prevent it from running because it's not going to pass the trust criteria that you've put in place.
3rd – Restrict Privilege Access
The next thing you want to do is you want to really restrict privilege access. You know local administrators, back in the day, were very commonly given to all users because as they're working on their machine rather than having to request to download Dropbox or something like that, they would just take care of that and move on their day and continue to work.
Local admin accounts are extremely sought after. They can be used to move laterally inside of a network. So, once they've gotten access to one particular machine, they might then try to move across your network to other machines, other devices, things of that nature. So, you want to make sure that you're constantly limiting the access of the local admin, and the application whitelisting software can help you enforce that. The other thing that you can do is use the same software to help with some of the restricting of the access to the data or the devices that they need. For example, if you don't want to allow your users to use a USB key, you can restrict that. If you don't want them to get to a particular device on the network, you can use the software to help restrict that as well. So again, you want to make sure that your least amount of privilege is to do your job. We want you to be functional and we want you to do your job, but you don't need to be this super user who can do just about anything. This will significantly reduce the likelihood that some kind of a bad actor has the ability to exfiltrate or steal your data.
What I was just speaking about was more about the individual users. But in this particular slide, I want to spend a little bit of time talking about the applications that you actually use. So just like you would have least privilege for individual users, you want to do the same thing for applications and not all software application is written in such a way that it is well behaved. So as an example, it is little known that when you launch Chrome behind the scenes it opens something called a PowerShell window that allows it to do some really powerful stuff, and this is in a Windows environment. But there are others in the Mac environment as well where it can do things behind the scenes leveraging something called a PowerShell script. We launch Chrome and we start our browsing, and we don't realize that we've gone to a malicious link. Behind the scenes, that malicious link is now using that PowerShell window that you've got open to start encrypting your machines, changing settings on your machines, perhaps again proliferating out throughout your network. So,what we can do with the application whitelisting solution is that we can put a fence around Chrome so the only thing that Chrome can do is web browse. It can no longer use that PowerShell script that's open behind the scenes and it basically prevents them from moving any further inside of your environment. This applies to many things. There are many applications out there, Adobe is one of them and Blue Jeans is another one, that I had found recently that was attacked. There's a bunch of them out there.
All of this application whitelisting is designed to do that, proactive protection. Now nothing is 100 percent bulletproof, so you still need to continue to do detection. So, God forbid something does happen, now you're going to find it, you're going to detect it, and you're going to do something about it.
Decoys and Ransomware Canaries
So, what we like to see now in our clients’ environment and then in terms of having in our Toolbox is something that's putting out some decoys or ransomware canaries, they're often called. These are files that are sprinkled around perhaps in an individual user's machine, they might be named things like passwords or HR data or things like that that might be tempting to the hackers and the software engines that they develop and they're put out on the machines and they're intended to be there so that if something trips it, if something touches it for any reason, just like the old model of the canary in the coal mine, when you know the bad gases were coming out and the miners couldn't breathe, the ransomware canaries are there and monitored by the agents that we put on the software on the machines. So, if something trips those canaries, the decoys, then we know something's going on, something not natural is going on this machine and we need to dig in. Once you've done that, the hunt is on. We're going to start looking for things called persistent footholds. We're going to watch the user and behavioral analysis and see what's going on. The idea with the persistent footholds is they put something in place that even if you reboot the machine or you log off, it just starts up again so you could kill the process. Once you reboot the machine, it starts back up again and continues on its merry way encrypting or hacking into your machines.
You want to be looking for those persistent footholds, the user, and entity behavioral analysis. What is that doing? It's looking at things like, “Hey, Cathy doesn't normally log on at two in the morning. That's unusual. Let's see what's going on. Let's see what they're doing maybe she just couldn't sleep or maybe some hacker has taken over her machine and is doing something nefarious.” So the solutions here, what they do, is they tend to use a combination of Artificial Intelligence (AI) and human intelligence because humans still can kind of spot patterns and see things a little more quickly in certain situations than the AI. So, the AI is feeding everything to the humans and then the humans of course are laying an eye on it and say no, this looks normal, or no, this doesn't and certainly if the AI sees something where it's encrypting, it's going to immediately raise the alarm and alert folks that something bad is going on. So, let's say something bad is going on. The first thing you want to do is you want to make sure you're prepared. You want to have a plan in advance. You don't want to be dealing with this after the fact. You want to have an Incident Response Plan so that you can decide what you're going to do and how you're going to respond. If it's a particular file, you want to analyze those files, you want to investigate the attack, and as much as possible, isolate it maybe to just one or two machines. You don't want it spreading throughout your entire organization, and then of course, you want to remediate, recover and get yourself back up and running.
If you don't have an Incident Response Plan, I strongly encourage you to get one. We are seeing that Cybersecurity insurance is now requested, asking these questions on their renewals, and when you have them that is in your favor. They want you to practice these just like you would practice a Disaster Recovery Plan. So, with that, we encourage you to upgrade your cybersecurity posture. If you want to have a review, we can do that and talk about what you may or may not have in place. Of course, we never want a client to have an incident and turn into this angry red monster that you see here.
We want to rewind back to where we were at the beginning. What you have in place may no longer be sufficient and we are encouraging users and our clients to upgrade before the end of March so that we can lock in some of the pricing that we have available to us in the first quarter.
Let me introduce my wonderful colleagues from IT Radix this morning. We've got Ken, Paula, Robin, Dan, Zach and Diane and a couple folks are hiding behind the scenes. Dan is my Wizard of Oz today.
Let’s see… we have some questions.
Question #1: Would you say this upgrade is more critical if you have a lot of people or you're working completely remotely versus in your office?
It does not matter how many people you have; you need to protect this information. The quantity of people in my opinion does not matter. In the office versus remote? I don't really have remote workers. I believe because of the level of what the cyberattackers are doing, you need to do more than just what you're doing in your office. What you had in your office—the firewall—it's going to protect some things but really the bigger problem is that it's someone like yourself, you click on something and it starts to do something behind the scenes that you're not even aware of. It's the end user, at the end point level, that is the biggest risk really, and these new solutions help to combat that. You may not realize you clicked on a phishing email, and it will just essentially stop it right in its tracks. It stops it… doesn't even let it go any further than that. That's really what you want.
Question #2: Are remote workers more hackable? Are they more insecure?
Well, there's certainly no doubt that remote hackers are more vulnerable, but I don't want to say that just because you're in your office you're protected, because you're not. Okay, so I think in your office you have a couple of layers of protection that you don't have at home, but you need them regardless, in my opinion. This is obviously my opinion, but remote workers are certainly more vulnerable because in your office for example most of our clients have something called a firewall most home users don't necessarily have that, but the firewall is not the end-all as you saw. You know, things can still just get right through those firewalls because they've changed the way they're attacked. The attack vector is no longer just trying to do what's called like a denial service attack or things like that, they are actually going after the end users because that is the bigger payload for them, quite honestly.
Question #3: My question is about email security. One of the things that you showed in the beginning was a classic credential harvesting site, Facebook, and the way that those often get delivered to end users is via email. There are default options with Microsoft that are not so effective and often let phishing emails like that through. Do you recommend upgrading the Microsoft license for one of their premium services called Advanced Threat Protection? Or would you recommend going with a third-party tool that's built on top of Microsoft and integrates with it?
Generally, in our experience, we typically recommend a third party, like having two sets of eyes on things. Some clients for cost reasons tend to just do the first solution which is just the upgraded filtering; but for most of our clients, we do recommend a third-party solution layered on top that's doing the filtering and preventing that stuff from coming through. But I do want to mention, it's not just email. These days the advertising on web pages is infected. There are a lot of different ways it can get in. Email is certainly one of the most common, especially when you've got all these various people working remotely. You know they're moving quick, they're clicking, they're not necessarily paying attention to what they're clicking on, and they can easily introduce something that they didn't really intend to.
Question #4: We migrated our email to Office 365 and most of our files are on SharePoint. By its very nature Office 365, how protected is that automatically from hackers, hijacking, and ransomware? Did Microsoft build protection in?
Yes, so they build in some security protections but not everything to the level of what I was describing. I'll give you an example of something that actually happened to one of our clients. The person got infected and it then encrypted their files in their SharePoint site because the user (this goes back to that concept of the least amount of privileges) did have access to these files in the SharePoint site and so not only did it encrypt the files on this person's machine, it also encrypted everything that they could see in the SharePoint site as well as anything they could see on their internal server. So, I love the fact that our clients trust all their staff and their employees, but what we often find is they will have a common storage area, whether it's in SharePoint or on their server, that they let everybody have access to. That's great as long as there's nothing that's super sensitive in there or that you're concerned about. But let's just say my friend Robin gets infected and she can see all this stuff in the common area. She's going to be able to encrypt it and the data. What they're also starting to do is just steal the data. They're not necessarily telling you that they encrypted, so the least privileges is always the best. We had a client who worked with doctors to do speaking events and they have to pay the doctors. The doctors would send them a 1099 which had their Social Security number on it and the person at that company would store it in this common area. Well, not everybody in the company needs to see this doctor's 1099 Social Security number. They really should limit that down to the small subset of people that need to see that data. For many organizations, it's been years of data. I'll let you know they've got lots and lots of data that they haven't really stopped to think about what data do they have. It wasn't until they had an incident that they're like, oh we've got all these social security numbers stored in a place where we really shouldn’t, and we had to help them now re-architect and carve out and move and shuffle their data around really to isolate some of it to smaller subsets of people within the company. So that's why it's easy to gloss over that and identify what's important, what's truly important. What you don't really realize is how some of the folks inside and especially the bigger the organization gets how your folks are handling their data, where they're saving it, and where they're putting it. You want to make sure you set some very strict guidelines and rules and policies that they know and train them, so they know and understand what to do with the information that they have so that they're handling it properly. So, to answer your question, Microsoft has some security in place. I think some of it can be tightened up and, in some cases, clients relax it. So, to answer your question, you cannot rely on Microsoft to protect your information. They certainly don't just let anybody hop in and tool through your files in SharePoint but if you, for example, shared something in like a whole folder in your SharePoint to a person outside of your organization, you've now opened a door to your data that's in SharePoint. So, the responsibility of protecting it still stays with you, not Microsoft.
Question #5: The two main databases that we use like SQL server type databases would be for accounting and we have a management system for tracking documents and events on a ship. So, in order to get into each of those, you have to go through a VPN to get to those sites or servers. Is the fact that you're running a VPN exclude hackers from bad actors let's say from following you into those sites?
The answer to that is, yes and no. So, me, Cathy, just trying to jump into your stuff, I can't. I would have to have a userid and password… VPN credentials to get through. If I hack you, working on a laptop remotely, and now I'm on your laptop and you have access to VPN, yes, I'm going to follow you right through the door. Just keep that in mind. VPN is intended to keep the non-authorized people out, but if you've had something happen to you, they're just going to ride the coattails of your permissions into your environment.
Question #6: How do I find out if any of my staff have local admin rights to their computers?
If you're a managed service client of ours, we can actually scan the machines remotely and tell you who has that and who doesn't? If you are not a managed service client of ours, the only way to figure that out would be to literally sit down at the machine and check. For managed service clients, we have an agent that allows us to do that in an effective way without having to jump from desk to desk to desk. If you're remote, just imagine trying to coordinate that. That's no fun. You would have to manually check it if you don't have something like the management software that we have in place.
Question #7: Should I be concerned that a staff deletes a canary? What would happen if I do? Will they see them?
Canaries do get hidden away in folders usually and then often there's something called file attributes that we can toggle that a bot running through your computer could see it, but a human couldn't without doing something special. So technically, a human could go in and play with those. You can make it so that they can view things with those hidden attributes, but most typical users aren't doing that. So let's just pretend for whatever reason a user did trigger a decoy, then at that point it would raise an alarm in the management platform that we have the monitoring platform that we have and we would dig in and start investigating and ideally isolate and dig in and find out what's going om. Was it Paula being a bad girl deleting files that she shouldn't have or doing some housekeeping or was this really a bad threat actor working its way through your machine?
Question #8: What are your thoughts about moving the workforce data to be less desktop centric local access based to a more web exclusive like box SharePoint, Teams, or One Drive browser only so that local data is not exactly accessible and data access is behind a single sign on and multi-factor?
That is absolutely an approach that you can employ. For example, SharePoint. You can interact with it only through the web. So, you would have to open a web browser and you'd have to do all your file manipulations through a web browser. In our experience, most users dislike that. They're used to having that file open on their local machine. It's not as convenient. It will still pull a temporary version of it down if you open it in Word on in in the browser. Let's just say you open a file in SharePoint and then you open in the desktop app, it is putting a temporary copy on your machine behind the scenes that does get pushed back up to the cloud. Though, it's not 100 percent bulletproof, it is definitely better than allowing folks to manipulate the files local on their individual machines. So yes, that is a good approach. Some applications do not support that, so it will depend on what software you're running inside of your organization. For example, we use a piece of quoting software, but it does not let you save a file directly to SharePoint. It's just not written that way today. That doesn't mean it won't be down the road, but today it does not support that. So you do have some limitations inside of what you're using inside of your organization as to where you can store the data, but that is an important thing to think about, and in your case you know if you're able to get folks to be comfortable working through the web, then yes, that's going to help. Do I think that's going to protect you forever? No. The hackers are going to find a way.
That’s a Wrap!
Thank you so much. I ran way over time. I apologize, but hopefully this was helpful. If you have any other questions, the entire team at IT Radix is here to help… just reach out. Thanks everyone.