SMB Security

Insider Threats and Reducing Risk

According to the 2020 Cost Of Insider Threats Global Report, presented by the Ponemon Institute and sponsored by ObserveIT and Proofpoint, insider threat related incidents are averaging a 12-month cost of $11.45M for the organisations polled. You might be thinking that you’re just a small business and that none of your employees would be party to a cyber attack; you may want to reconsider.

What is an Insider Threat?

An insider threat isn’t just an employee who wishes to do damage to their company. An insider threat can also be a careless employee or contractor, as well as any form of credential theft. More generally, an insider threat is any threat carried out by anyone associated with your organization who may have inside (non-public) information regarding your organization’s policies, security practices, data, systems, and even people.

Types Of Insider Threats [1]

An insider threat goes beyond intentionally taking advantage of access that was legitimately given. Insider threats are broken down into the following three categories:

Negligent Insiders: Current or former employees, contractors, or business partners who unknowingly or carelessly make errors and disregard policies.
Malicious Insiders: Current or former employees, contractors, or business partners who knowingly disregard policies and attempt to inflict harm on an organization using the information and access available to them.
Infiltrators: External threat actors who obtain legitimate access to an organization.

Negligent and malicious insiders are more common than infiltrators; however, infiltrators are apt to do much more damage.

Reducing The Risk Of Insider Threats

Insider threats are a risk that your organization can reduce without necessarily spending additional money on security controls. The one commonality between the different categories of insider threats is people. There are a number of administrative and technical security controls that you can implement today.

Employee Hiring/Termination and Awareness Procedures

  • Have appropriate employee screening during the hiring process for persons who will handle sensitive or proprietary data, such as background and credit checks.
  • Have processes and procedures for employee termination and offboarding, including roles and responsibilities for those involved.
  • Raise awareness of the various types of insider threats among both new and tenured employees.

Access Control

  • Having an appropriate access control strategy, documented and reviewed annually, is essential for any information security program, and it also reduces the risk of experiencing an insider threat.
  • The Principle of Least Privilege states that each user should have access only to the accounts and services that they need to do their job day-to-day.
  • Separation of Duties is an important concept that encourages separating access according to duties. An example of this is a Desktop Support Analyst having two corporate accounts (joe.analyst & joe.analyst-admin), one for standard use and the other for elevated/administrator needs.

Device Management

  • Policies and procedures for the appropriate use of company devices and BYOD devices.
  • Ensure that employee devices are keeping logs in case audits are needed.
  • Endpoint monitoring or data loss prevention (DLP) technical controls can detect and prevent various insider threat actions.

Third-Party Risk Management

  • Third-party vendors, consultants and clients must not only follow any outlined security policies within your organization, but should also have policies and procedures of their own surrounding insider threats.

[1] https://en.wikipedia.org/wiki/Insider_threat

The Dangers of Reusing Passwords and Password Security Tips

You don’t need to tell me how annoying keeping track of your passwords is, and you really shouldn’t be expected to remember a unique password for every login that you have; that might be a lot of passwords. So why is it, then, that passwords are still the primary authentication mechanism for most of our logins?

The first use of password authentication is thought to date back to the 1960s at the Massachusetts Institute of Technology (MIT), during the development of a time-sharing computer, the Compatible Time-Sharing System (CTSS). Even then, passwords were not very effective, and they have only gotten worse.

Risks of Reusing Passwords

I know many people who have a few passwords that they use over and over again on the different accounts that they need passwords for. This includes both work accounts and personal accounts. This wouldn’t normally be a problem if it weren’t for the almost 7 billion people in the world, very powerful computers, and data breaches. Let me explain.

How Data Breaches Increase Password Reuse Risk

Every time a data breach occurs there is the risk that an attacker will obtain usernames and passwords. What is increasingly happening is that these password repositories (both encrypted and unencrypted) are being sold, or traded between cyber criminals. This allows a cyber criminal to obtain large subsets of possibly legitimate credentials without doing much work.

Using these credential repositories, cyber criminals can automate checks and logins to determine whether any of the credentials are still valid. Once they’ve determined which credentials still work, they can either use them to continue the cyber attack or sell them to other criminals, including nation states such as Russia and China.

Moore’s Law and Increasing Microprocessor Capabilities

Moore’s Law is the observation that the density of transistors in microprocessors doubles approximately every two years. This increase in density has led directly to an increase in microprocessor capabilities.

Passwords can only be as complex as our language, and any other limits we place on passwords (e.g. which special characters are allowed) constrain them further, so our passwords have limits. As computers become more and more powerful, they become capable of performing more calculations in a shorter period of time. Cracking or guessing a password means using that hardware to try to recover passwords.

There are a number of different methods and applications for password cracking, but they all work similarly. They take a candidate input, cryptographically hash it, and compare the result to a stolen password hash. If the two match, the password has been guessed.
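As an added example that is not from the original article, here is the hash-and-compare step the paragraph describes, written from the verifier’s side in Python: a salted, deliberately slow hash is stored, and a candidate is re-hashed and compared. The iteration count and the sample passwords are assumptions for illustration. The timing function shows why the work factor matters: a cracking tool must pay the same cost per guess that the verifier pays per login, so a slower hash directly lowers the number of guesses per second a given machine can make.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Added example, not code from the original article. Shows the hash-and-compare
# step a verifier performs and how the work factor bounds the guess rate.

ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value for illustration


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Return the salt, iteration count and PBKDF2-HMAC-SHA256 digest to store."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(candidate: str, record: dict) -> bool:
    """Re-hash the candidate with the stored salt and parameters, then compare
    in constant time so the comparison itself leaks nothing about the digest."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def checks_per_second(iterations: int, samples: int = 10) -> float:
    """Measure how many hash-and-compare checks this machine completes per second
    at a given work factor. A cracking tool repeats exactly this step per guess,
    so a higher iteration count directly lowers the guesses it can make."""
    record = hash_password("constructed-sample-password", iterations=iterations)
    start = time.perf_counter()
    for i in range(samples):
        verify_password(f"wrong-guess-{i}", record)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # constructed sample
    print("right password accepted:", verify_password("correct horse battery staple", stored))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", stored))
    for work in (1_000, 100_000):
        print(f"{work:>7} iterations: ~{checks_per_second(work):,.0f} checks per second")
```

The salt is what stops one precomputed table from being reused across every account in a breached database; the iteration count is what turns the "more powerful computers" problem described above into a tunable cost for the defender.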

Due to this increase in power, passwords have actually become weaker over time in terms of how quickly a certain length can be cracked. Here are some estimates from betterbuys.com.

Password cracking times decreasing between 2000 and 2016.

As you can see, a 9 character alphanumeric password in the year 2000 would take almost 4 years to crack. As of 2016, this same 9 character password takes just under 3 months.

Password Security

As I mentioned earlier, it’s not feasible to remember a large subset of unique passwords for every account that we may have. So stop trying to remember them!

Password Managers

Password managers such as LastPass and Bitwarden not only allow you to store passwords, but also generate random passwords to suit each login’s requirements. Your password manager is protected by a single master password, and once unlocked it gives you plain-text access to all of your stored passwords.

By using your password manager to generate a random password for every login and store it securely, you will never have to remember any of your passwords other than the one you use to log in to your password manager.

Even if one of your passwords is stolen, its uniqueness prevents it from being used on any of your other accounts.

Multi-factor Authentication

I’ve mentioned Multi-factor Authentication (MFA) many times before. In short, MFA adds a second and even third authentication method that must be successfully entered, along with the password.

Authentication methods fall under three categories: something you know, something you have, and something you are. A true MFA solution must involve at least two of these categories. Here are some examples of authentication types that fall under each.

Something You Know: Password
Something You Have: Smart Card; Software RSA Token (Mobile Phone); Hardware RSA Token
Something You Are: Fingerprint; Voice; Retina/Iris; Face

Length Is More Important Than Complexity

Although it’s recommended that we include not just letters but also numbers and special characters in our passwords, at the end of the day the length of your passwords is going to be more important than their complexity. An 8-character complex password will still be cracked before a 20-character simple one.

How SMBs can Lower Risks of Being a Victim of a Ransomware Attack

Ransomware Prevention

Although small and medium businesses are more frequently becoming victims of cyber attacks, just 28% of the SMBs polled in a recent study were actually concerned about ransomware. This must mean that small and medium businesses are taking security seriously, right? Wrong! That same study reported that 85% of SMBs had experienced at least one cyber attack.

With ransomware becoming big business for cyber criminals, SMBs need to consider what they can do in order to protect themselves from being a victim of a ransomware attack in the first place. Given the recent uptick in ransomware attacks, let’s discuss options for reducing the risk of being a victim of ransomware.

Use Multi-factor Authentication

Using only a username and password to login is simply not secure anymore. Multi-factor authentication (MFA) adds a second, and sometimes third form of authentication. For example, you may login with your username and password, and then need to enter a 6-digit number that is available via an app on your phone, or a hardware token.

Ransomware attacks require a method for the attacker to initiate the ransomware on the target network. Today’s ransomware attacks involve an attacker gaining access to a network, stealing the data, and only then will they initiate the ransomware attack.

Using MFA on logins, especially remotely and on email systems, can make it more difficult for an attacker to gain a foothold.

Change passwords regularly and don’t reuse them

Password changes should be done regularly. This adds a moving target for an attacker who may have found one of your passwords in a data breach somewhere, especially if you don’t reuse passwords.

Control the use of Removable Storage Devices

Removable storage devices, such as USB drives and external hard drives, are the perfect vehicle for transporting malware, including ransomware that replicates itself to external devices.

Controlling the use of these types of devices may involve something as simple as purchasing one standard USB device model and allowing only its use, or something as complex as a Data Loss Prevention (DLP) solution that blocks prohibited actions. Many anti-virus solutions, like Bitdefender, also provide device security controls.

Make security awareness a priority

Clicking on a suspicious link, or entering credentials into a credential phishing site, can lead to the same results as above. There are many ways that attackers can gain access to your company’s computer network, and they should all be discussed and tested as part of a continuous security awareness program. Topics might include:

  • Being aware of suspicious links
  • Not opening attachments from unknown senders
  • Secure password management using password managers
  • Secure use of removable storage devices

Have Backups

This technically won’t lower the risk of being a victim of a ransomware attack, and you hope that you never have to use them, but having backups may be critical to your recovery from a ransomware attack, and they should be taken at regular intervals. For the most protection, these backups should be stored offsite, onsite and in the cloud.

No one is 100% safe from cyber attacks, but there are things that we can all do to help reduce the risk.

DNS Security For Individuals and Small Businesses

What Is DNS?

DNS, or the Domain Name System, is a completely decentralized Internet system that translates domain names (example: roguesecurity.ca) to IP addresses (example: 172.217.12.163). DNS is the reason that we don’t have to type in the IP address of the website that we wish to visit, and can instead type in a friendly domain name that is more representative of the website. Whether I enter the domain name in my address bar or the IP address for google.ca, I’ll be taken to the same website.

Many medium and large businesses operate their own DNS servers on their own network, but most small businesses and individuals rely on downstream DNS servers that may be owned by their Internet Service Provider (ISP) or perhaps they are using one of the many open DNS providers such as Google Public DNS.

How Does DNS Work?

Without going into too much detail, a DNS request is fairly simple.

  1. You enter a domain name, roguesecurity.ca, into the address bar of your web browser and hit Enter.
  2. A request containing the domain name is sent to your designated DNS server, asking for its IP address.
  3. The DNS server receives the request and looks up the domain name in its table of information.
  4. If the DNS server finds a matching domain name, it sends the IP address back to your browser, which your browser uses to actually connect to the website.
    4a. If the DNS server is unable to find a matching domain name, or isn’t able to find an IP address, it responds with an error.

DNS Cache: Our devices keep a history of the DNS requests we make in order to save some work when we revisit a website. The DNS cache is refreshed periodically to make sure that you have the latest information, and it can also be emptied manually.

How Is DNS Attacked?

DNS, like most software, has vulnerabilities and exploits, and can cause issues when used inappropriately. DNS itself has existed since the 1980s, and even though it has received numerous updates over the years, the underlying concepts really haven’t changed much. This has given people more time to understand the Domain Name System, and as an important aspect of how the Internet operates it is a very commonly attacked protocol.

The most direct DNS attack is when a cyber criminal gains access to your DNS server itself. However, it’s quite common to see host-based attacks on your local devices, including Cache Poisoning (aka Cache Spoofing). This is one of the most common types of DNS attack and involves an attacker injecting malicious data into your device’s DNS cache. If an attacker replaces the IP address of roguesecurity.ca in my local DNS cache with one that connects to a malicious website, then every time I go to roguesecurity.ca I’ll be taken to the malicious website instead.
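As an added example that is not part of the original article, here is the exchange from the numbered steps under "How Does DNS Work?" built and parsed in Python, together with the checks a resolver applies before accepting an answer into its cache. build_query produces the packet a stub resolver sends for roguesecurity.ca, parse_message reads a reply, and response_matches_query accepts a reply only if its transaction ID, question section and response flag match the outstanding query, which is the basic defence against the forged replies that cache poisoning depends on. The function names are my own, the response bytes are constructed locally by build_response, and no network traffic is sent.

```python
import struct

# Added example, not code from the original article. Builds a DNS A-record
# query, parses a (constructed) response, and applies the match checks a
# resolver uses to reject a forged reply before it could poison the cache.


def encode_name(name: str) -> bytes:
    """Encode 'roguesecurity.ca' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """12-byte header (RD flag set) followed by one question: type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_message(msg: bytes) -> dict:
    """Parse header, question and any A-record answers (works for queries too)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    qname, offset = read_name(msg, offset)
    qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "flags": flags, "rcode": flags & 0xF,
            "qname": qname, "qtype": qtype, "answers": answers}


def response_matches_query(query: bytes, response: bytes) -> bool:
    """Accept a reply only if it is a response (QR set) whose ID and question
    mirror the query we actually sent; anything else is discarded."""
    q, r = parse_message(query), parse_message(response)
    return bool(r["txid"] == q["txid"] and r["flags"] & 0x8000
                and r["qname"].lower() == q["qname"].lower()
                and r["qtype"] == q["qtype"])


def build_response(query: bytes, ip: str, ttl: int = 300, txid=None) -> bytes:
    """Constructed reply for testing: echo the question, add one A record."""
    q = parse_message(query)
    txid = q["txid"] if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + bytes(int(octet) for octet in ip.split(".")))
    return header + query[12:] + answer


if __name__ == "__main__":
    query = build_query("roguesecurity.ca", 0x1234)
    reply = build_response(query, "172.217.12.163")
    print(parse_message(reply)["answers"])                    # constructed answer
    print(response_matches_query(query, reply))               # True
    print(response_matches_query(query, build_response(query, "203.0.113.5", txid=0x4321)))  # False
```

Real resolvers also match the source port and randomise both the port and the transaction ID, so that a forged reply must guess both; the checks above are the minimum that makes the "replace the IP address in the cache" scenario non-trivial.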

The Domain Name System can also be used to steal data. Let me explain. We know that we send a domain name each time we send a request to a DNS server. DNS queries are simply strings, and strings can carry data, including encoded data. DNS Tunneling is where an attacker includes data, either plain-text or encoded, in what appear to be normal-looking DNS requests. The attacker needs to receive these queries, so this may also involve gaining access to an internal DNS server or modifying local DNS settings.
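From the defender’s side, tunnelled data leaves a recognisable trace in resolver query logs: subdomain labels that are unusually long and look encoded, and many distinct names under a single parent domain. As an added example that is not from the original article, the Python below scores each logged query on label length and Shannon entropy and counts distinct subdomains per parent. The log lines are constructed for this example (example-tunnel.test is a placeholder domain), the function names are my own, and the thresholds are assumptions to tune against your own traffic.

```python
import math
from collections import defaultdict

# Added example, not code from the original article. Flags the traces DNS
# tunnelling leaves in query logs. Log lines and thresholds are constructed.

SAMPLE_LOG = """\
2021-03-01T10:00:01 192.168.1.20 A www.roguesecurity.ca
2021-03-01T10:00:02 192.168.1.20 A mail.google.com
2021-03-01T10:00:02 192.168.1.22 A update.bitdefender.com
2021-03-01T10:00:03 192.168.1.31 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.q.example-tunnel.test
2021-03-01T10:00:03 192.168.1.31 TXT nbswy3dpeb3w64tmmq2gc3tbnz2gc3temvzgs3rjnzxq.q.example-tunnel.test
2021-03-01T10:00:04 192.168.1.31 TXT ojsxg5ltonqwezltfz2gkzlonfwwk4tlmnuwiylomuxa.q.example-tunnel.test
2021-03-01T10:00:05 192.168.1.20 A www.roguesecurity.ca
"""


def shannon_entropy(text: str) -> float:
    """Bits per character: encoded payloads score high, ordinary hostnames low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str, parent_labels: int = 2):
    """Return (subdomain, parent), treating the last two labels as the parent.
    A production tool would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= parent_labels:
        return "", ".".join(labels)
    return ".".join(labels[:-parent_labels]), ".".join(labels[-parent_labels:])


def score_query(qname: str, max_label_len: int = 30, min_entropy: float = 3.0) -> dict:
    """A query is suspicious when one subdomain label is both long and high-entropy."""
    subdomain, parent = split_name(qname)
    longest = max((len(label) for label in subdomain.split(".")), default=0)
    entropy = shannon_entropy(subdomain.replace(".", ""))
    return {"parent": parent, "longest_label": longest, "entropy": round(entropy, 2),
            "suspicious": longest >= max_label_len and entropy >= min_entropy}


def analyze_log(text: str, min_unique_subdomains: int = 3) -> dict:
    """Flag a parent domain if any query under it looks encoded, or if the number
    of distinct subdomains seen suggests data is being carried in the names."""
    unique = defaultdict(set)
    encoded = set()
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        qname = parts[3]
        sub, parent = split_name(qname)
        unique[parent].add(sub)
        if score_query(qname)["suspicious"]:
            encoded.add(parent)
    volume = {p for p, subs in unique.items() if len(subs) >= min_unique_subdomains}
    return {"encoded_labels": encoded, "high_subdomain_volume": volume,
            "flagged": encoded | volume}


if __name__ == "__main__":
    for parent in sorted(analyze_log(SAMPLE_LOG)["flagged"]):
        print("review DNS traffic to:", parent)
```

The two signals are deliberately independent: a slow, low-volume tunnel can evade the count threshold, and a tunnel that uses short chunks can evade the length threshold, so either alone is enough to raise the domain for review.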

DNS servers are also perfect targets for DDoS attacks such as DNS Flooding or NXDOMAIN attacks. In these instances an attacker floods a DNS server with requests, or generates a large number of requests for non-existent domains, in order to overwhelm the server with the goal of taking it offline.

DNS Security

Use a Trusted Provider

The best protection from DNS-based attacks is to use a secure DNS provider that you trust. Google and Cloudflare are two companies that offer free DNS services to the general public, and are quite reliable.

Pi-hole

Most home users can’t afford and don’t need their own DNS server, but perhaps you have children and like the idea of some extra security. That’s where Pi-hole comes in. Pi-hole is software that acts as a DNS sinkhole and can be used to protect devices on your network from unwanted content, block ads, and even manage network device access.

Pi-hole originated on the Raspberry Pi, but can be installed on most Linux distributions.

Cross Site Scripting Attacks On Your Company Website and How to Protect Against Them

Your business’ website, and the domain (.com, .ca, .net, etc.) that goes along with it, is an important part of the identity of your organisation and is increasingly the first place that consumers go to find out more about who you are and what you do. The last thing that you want, especially during an already strained moment in the world’s economy, is for a potential client to receive an ad or be redirected to another website when visiting yours.

Cross-site Scripting Vulnerability
There are many ways for an attacker to take advantage of you through your website, including a technique called Cross-Site Scripting, or XSS for short. An XSS vulnerability allows an attacker to insert (or inject) a piece of code into your website. One intended result of this is that the code is then displayed to your visitors in the form of ads, malware, or just about anything else. In effect, the attacker is using your website as a medium to deliver malicious content to unsuspecting visitors.

An XSS vulnerability exists when an input on your website doesn’t properly validate or sanitize the data given to it before that data is used in an output. These inputs might include contact forms, shopping carts, and login forms. Essentially, any point of data entry on your website can be the target of an XSS attack.

Protecting Against XSS Vulnerabilities
The most effective manner of protecting against an XSS vulnerability is to not allow your visitors to use special characters (<, >, /, \, !, &, etc.) when entering data on your website. HTML encoding is the most common method of ensuring that HTML characters are converted so that the output is rendered safely. XSS vulnerabilities can be identified during development using both Static (SAST) and Dynamic (DAST) Application Security Testing techniques, and should be remediated prior to pushing code to production.
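As an added example that is not from the original article, here is the same comment-rendering step written two ways in Python: the first interpolates visitor input straight into the page, which is the defect an XSS exploits, and the second HTML-encodes the input at the point of output, the method the paragraph recommends. The template, the function names and the sample comment are constructed for this example. Because a link attribute is a different output context, the hardened version also restricts the URL scheme rather than relying on encoding alone.

```python
import html
from urllib.parse import urlparse

# Added example, not code from the original article. The vulnerable rendering
# beside its hardened form. Template and sample comment are constructed.

TEMPLATE = '<div class="comment"><p>{body}</p><a href="{link}">visitor site</a></div>'


def render_comment_unsafe(body: str, link: str) -> str:
    """Vulnerable: whatever the visitor typed becomes part of the page's markup."""
    return TEMPLATE.format(body=body, link=link)


def safe_link(url: str) -> str:
    """Encoding alone does not make an href safe, so also restrict the scheme:
    anything that is not an absolute http(s) URL is replaced with a harmless '#'."""
    cleaned = url.strip()
    parsed = urlparse(cleaned)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return html.escape(cleaned, quote=True)
    return "#"


def render_comment_safe(body: str, link: str) -> str:
    """Hardened: encode <, >, &, " and ' so the input is displayed as text rather
    than parsed as HTML, and allow only http(s) links inside the attribute."""
    return TEMPLATE.format(body=html.escape(body, quote=True), link=safe_link(link))


def introduces_markup(rendered: str, submitted: str) -> bool:
    """Check used below: did the visitor's raw text survive into the page unencoded?"""
    return submitted in rendered


if __name__ == "__main__":
    comment = 'Great post! <script>document.title = "changed"</script>'  # constructed sample
    print(render_comment_unsafe(comment, "https://roguesecurity.ca"))
    print(render_comment_safe(comment, "https://roguesecurity.ca"))
```

The encoding is applied at output time, in the context where the data is placed, which is why a single sanitising pass at input time (the "no special characters" approach) is usually paired with it rather than used on its own.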

Many websites, including this one, rely on a Content Management System (CMS) to manage and display content; WordPress and Drupal are two examples. When using a CMS you will rely on plug-ins to provide functionality like contact forms, and while you can’t know with 100% certainty what security controls were used in the development of a plug-in, you do have the ability to keep them updated with the latest software patches. Your CMS will allow you to update your plug-ins through its administration dashboard. WordPress 3.7 introduced the capability to turn on automatic plug-in updates, but it needs to be turned on!

Resources
OWASP – Cross Site Scripting (XSS)