In the first episode of Cybersecurity After Dark, Sean McDermott, CEO of Windward Consulting Group, and Dan Williams, Cybersecurity Strategist at RedMonocle, discuss the latest news and trends on the cybersecurity landscape. In particular, cybersecurity implementation and what enterprises should do to protect themselves from threats.
Topics on cybersecurity implementation in this episode include:
- Kaseya patch on the REvil ransomware attack
- British Airways Class Action Settlement Over 2018 Data Breach – Settled?
- Cybersecurity Hazards in the Remote Work Environment
Let’s take a deeper dive into the article topics and the takeaways from Dan and Sean.
Speaker 1 (00:01): Welcome to Cybersecurity After Dark. This weekly series features discourse on topics pertinent to the C-level conversation about cybersecurity in government and business enterprises. Discover the latest cybersecurity trends, best practices and valuable technology integrations; discuss business perspectives, the latest breaches and industry research that’s paving the way for the next generation of cybersecurity initiatives. And don’t stay in the dark on the latest cybersecurity news. Join the Cybersecurity After Dark community to stay connected and subscribe to the show at cybersecurityafterdark.com. Now let’s join our hosts, Sean McDermott and Dan Williams, cybersecurity visionaries, IT thought leaders and the voices on the other end of the mic for the latest Cybersecurity After Dark episode.
Speaker 2 (00:54): Welcome, everybody, to the Cybersecurity After Dark broadcast. I’m your host, Sean McDermott. My co-host Dan, how are you doing today? Dan? Happy Friday. That’d be Friday. So excellent. So this week we are going to, as, as every week, we we’re going to do a roundup of some interesting news around the cybersecurity space. And today we are going to, so we’ve got Dan, we’re going to talk about Kaseya, like all over the news, we are in or evil revel revile. Yeah, yeah, yeah. How do you say that? Is it revolve? I’m going with revolt. Okay, well it’s okay. You go through revolt and pull you, go poll your people. I’ll go with our eat well, and I’ll go poll some people and we’ll write them on behind each other’s backs on a piece of paper and this little table at the same time.
Speaker 1 (01:50): All right. So next week we’re going to firmly decide, you know, which, which way we’re going, because I’m sure we hear about these guys some more. Then we’ll talk a little bit about British Airways and their suit. And then we’ll talk a little bit about security, remote working and security. So really, so let’s start off with talking about Kaseya, lots of articles coming out about that. I, I wish I could just refer to one, but there’s just so many, yet another massive attack. This one is a really interesting to me too. The SolarWinds is a really interesting, but this one’s even more interesting as it was interesting. Dan, I’ll let you kind of go into a little bit about how it happened and, and that, but for me, the thing that was, it hit, they said, about 60 MSPs and about 1500 customers of those MSPs.
Speaker 2 (02:48): And these are off of these are like dentists’ offices and lawyers and things like that. So like the thing that strikes me about this is just, you know, if you’re a dentist, right. And you’re, you don’t know anything about cybersecurity and you’re doing, trying to do the right thing and you hire one of these MSPs and then they get hit and all their stuff, your servers get locked up. Right. I mean, like what’s a small business supposed to do, like, they don’t know anything about this stuff and they go to like an organization and, you know, and then they still get hit. Yeah. Right. It’s, it’s one of those things. That’s the whole purpose behind hiring an MSP is, you know, keep your stuff secure for you. And then something like this happens. I mean, it, it would be like, you know, the fire department showing up because your house is on fire and they’re, Hey, do you guys have any hoses laying around, like, you know, you got any, but I mean really rough.
Speaker 1 (03:43): I mean, it’s really unfortunate. I mean, not, you know, not trying to poke fun. But I mean, that’s, yeah. It’s one of the things like, what do they do? I mean, you know, the, the recourse for that is, you know, you talk about like, like big corporations, you know, brand reputation has been damaged. Well, I mean, like when you’re like a local dentist and all, you know, 90 of your clients or whatever, find out that, you know, there’s this breach and, you know, they’re like what, you know, like their data has been compromised and everything, what if they just go to the dentist across the street? I mean, what do you do? Like pack up and like head out west. I mean, how does that work? You know? Yeah. You know, it’s interesting. I took my car into the shop about a month ago and they were supposed to have it done in a day and two days go by and I haven’t gotten a car back, three days ago and they’re not even calling me back.
Speaker 2 (04:32): And by the fourth day, I’m just so livid. I’m like, at least call me back and tell me what’s going on. And the guy’s like, we had a ransomware attack and it locked up our computers. So like, they almost didn’t even know what they had in the shop, you know? And it took them down for like three days. So, you know, and it’s, they’re not a, they’re an auto shop. Like what do they know about cybersecurity? So it just leaves the fact that, you know, these Emma’s you and trust yourself with an MSP and you still get hit, you know? So where, where are the safeguards? And I guess, I guess the question is, is like, if you’re now a, if you’re now a, a law firm and you know, how do you make a selection on an MSP? Like is like, you need help.
Speaker 1 (05:14): You need people to like, run your network and run it. I mean, how do you, how do you know if the guy you’re hiring knows what they’re doing? Like, and, and are you in, are you even smart enough, not smart enough, are you experienced enough to even ask the right questions about this MSP you’re about to hire? Like, they probably don’t even know what they don’t know what to ask. Yeah, exactly. Not having that type of information, like no experience in that area. Like you’re talking about, I mean, nine times out of 10, you’re just going to go with the lowest bidder. Right. ’Cause it’s like, that’s like really your data point is like, well, I want to spend as little money as possible. And then you end up paying, you know, you know, millions of dollars potentially in a breach and, as you know, fines and, you know, I’m going to sue you, all these other things.
Speaker 2 (05:58): I mean, yeah, that’s, I mean, you pretty much just end up dumping all your faith into the MSP. Then this happens. I mean, it’s kind of like a very awkward position to be in right now. And, and these MSPs, like what’s interesting too, is that I’ve, I’ve actually, I know a number of people who run these MSPs. They’re not big, you know, I mean, there’s obviously some big ones out there, but you know, being in Orlando, I mean, I’ve met a number of these MSPs and some of them, you know, they have like seven people, eight people and they’re running maybe 20 offices, 20 clients. And then, I mean, you’re talking about a ransomware attack, they wanted $70 million. But they, but they lowered it to 50. So, you know, we got that going for us. I mean, that’s a million dollars per MSP. If these MSPs are any of the ones that I know about and know down here in Orlando, they’re out of business.
Speaker 1 (06:48): They, I mean, they can’t pay that, you know, and they probably don’t have cyber insurance at that level. So just great. You know, and then it, this other article I read, it said that revival, I’m going with that, they’ve earned a hundred million dollars in 2020 alone. Wow. Those are some good margins there, you know, they’re, they’re, they’re legitimate corporations that can’t pull that down, so, yeah, it’s good. Crazy. I wonder how big their team is. Well, I mean, the good news about this Kaseya, and this is what, what I, what I also found interesting, is this how they did it. So why don’t you, why don’t you kind of outline how they did this? ’Cause I thought it was kind of interesting. Well, they actually did fix a few other vulnerabilities in the patch that went out on Saturday, those were just ones that they had found, you know, in light of all this, but with this attack in particular, it was actually three zero-day exploits.
Speaker 2 (07:50): And yeah, yeah. One of them was the ability to bypass two-factor authentication, which in terms of best practices, that’s what we always say after this kind of a breach happens, you know, we say, oh yeah, they, they didn’t have multifactor authentication, you know, turned on. So that’s how they got in. Well, if you do, and there’s some type of software vulnerability that allows you to bypass that, it’s pointless, you know, not necessarily pointless, but you know, prevention failed. That’s where it’s all on, like, the people like watching for this type of thing to happen. Yeah. So that was one, the other one you had, cross-site scripting attack. The, you know, those are pretty common. I mean, a lot of, you know, if, if you’re not, you know, really, you know, like performing, you know, you’ve got like pen tests and, you know, you’ve got like built-in, you know, scanners, you know, in the CI/CD pipeline, things like that.
Speaker 1 (08:42): Yeah. For web applications. I mean, if, you know, a cross-site scripting attack, you know, pops up, I mean, that’s, that’s going to be combined with the credential disclosure, which was the other zero-day. So really these combinatory kind of attacks, they may have come up in a scan, maybe it was a cross-site scripting and they had so many other issues. There were, I don’t worry about all the one yellows that popped up in the test. We’ll get to those later. Well, once you end up with a bucket of like 25 of these, I mean, you know, you can work those out into, you know, these combinatory attacks and then you throw in some zero-days. And I mean, you’re in, I mean, yeah. It’s game over from that point. Yeah. I thought it was also kind of interesting how they, they basically got around Microsoft Defender, so they disabled it and then loaded some malicious code that basically re-installed a legitimate binary, an older version of Defender, with a library that had the malicious code in it.
Speaker 2 (09:43): And then the malicious code ran. So it was like the, what they call sideloading techniques. So interesting stuff. All right, so let’s move on. Let’s talk about British Airways. I read, I read the other day that British Airways settled their class action suit from 2018. Right. And you know what, the reason I bring this up is because I think what people don’t really understand is a lot of these companies, when they get attacked, you know, it goes on for years, not only in, in paying, you know, not only in basically, I mean, I don’t know how many credit card credit checking things I have now, because I’ve had so many vendors that I work with get breached. But you know, you got to pay those, sorry, this is just a part of life now. Yeah, yeah. It really is.
Speaker 1 (10:38): And but then they go into like class action suits and those take years to work out in court. I think, you know, Target just settled something that happened five years ago. So these are, I mean, when you get hit, I mean, it’s not like, oh, we’ve got to get our stuff under control. And, and I mean, you do, you have to get your systems locked down and clean these things up and tighten things up, but you may be dealing with this legally for years. Yeah, absolutely. Yeah. And I heard the settlement in U.S. dollars, it was like over 27 million. And when you think about it, yeah, because I had actually read that didn’t actually include compensation on the per-user basis and it’s over like 420,000. So you start adding up the fines they had to pay from the government, you know, like, which is around like 20 million British pounds.
Speaker 2 (11:34): So you got the 20 million and then you factor in how much it’s going to take to compensate each of those users. I mean, you’re talking about over a billion dollars and it’s like you just said, for these things that keep resurfacing, because we don’t really understand the extent or how deeply embedded it is, you know, you know, in infrastructure or processes or whatever. I mean yeah. That’s, you know, over a billion dollars now. I mean, who’s to say it’s not gonna be 2 billion next year. Yeah. And what’s interesting about this British Airways is that they, they said that over 500,000 people were affected by this. But only 16,000 were included in the class action suit. So that’s like 3%. Right. Right. And, and it’s interesting. ’Cause you know, I think that there’s probably people, you know, over at British Airways that think that, Hey, this class action suit’s been settled, we’re moving forward. You know, one of the lawyers basically said we will continue to fight for an appropriate level of damages to be awarded to our clients. And we hope that the first round of settlements will give victims the confidence to come forward and hold the airline to account. Doesn’t sound like anyone’s given up on British Airways anytime soon. Right?
Speaker 1 (12:49): Yeah. So yeah, it’s actually, I saw they had a website for the, for the settlement, you know, basically like I don’t think it was like the, a data breach.com or something, and they had a timer on it, you know, like a timer there, like countdown to, or, you know, like, you know, Super Bowl or something like that. So it’s all zeros now. ’Cause it’s, you know, it’s too late. The, you know, like this lawyer saying like, no, I mean, we’re going to pursue, so you almost wonder if the timer being put up there was to deter, you know, all the, all the latecomers already from jumping onto the lawsuits. That’s an interesting point. So who put up that timer? So, all right. So those are a couple interesting news things this week. So let’s, let’s turn our attention to remote working.
Speaker 2 (13:32): Right. And I’ve written about this on LinkedIn and a couple other places. And you know, I think this is, it’s a very timely subject right now because you know, a lot of companies are trying to figure out how to get back into the office and whether work from home is the way to go. We’ve made the decision that in my companies, we’re a remote working company. What it means is that for us, is that we’ve got to start looking at a lot of things as part of a, what I would consider a remote working program. Right. And a program is not just a policy, right. It’s, it’s a number of policies, but it’s also ways of enforcing things and ways of helping employees be more productive and things like that.
Speaker 1 (14:25): So but you know, cybersecurity, what, what, what I think is very interesting about this is that we used to have a lot of conversations about insider threats. Right. And, and we still should be having, you know, things about insider threats. Right, right. But, but now in this remote working environment, I think that there’s a fair number of people or, or, and it’s pretty pervasive with people who are trying to get their work done and circumventing procedures and policies to do that, which then opens up the company to potential security vulnerabilities and liability and things like that.
Speaker 2 (15:09): So what are your, what are your thoughts on that? Well, when you think about it, I mean, when we were all on-prem and, you know, just like over the years, I mean, people have been trying to do that anyway. Right. You know, you get the systems administrator, you know, that’s tired of going to, you know, Tom’s desk because Tom is always asking for things that require administrative privilege on his machine. So, you know, eventually, you know, you’ll have like, even like a help desk guy, you can grant that authority. That’s like, just get, make Tom a local admin, let him worry about all of his own problems. Like I’m busy. Like I, like I’ve got dumpster fires galore. So I mean, like, we already kind of dealt with that, but then you swing it to the home and there’s nothing. I mean, other than like what we have on our actual endpoints that we’re sending our employees home with.
Speaker 1 (15:51): I mean, you don’t control their wireless router and any security configurations for their wireless router. I mean, even like the route, like, I mean, yeah, things like BGP security, things like that. I mean, you have no control over, you know, the internet connection going into your employee’s home, even. So, I mean, there, there are a lot of links in the chain that can be broken from home. And it’s just, it’s one of those things, you know, those policies, I mean, there are companies that still don’t have really great remote work policies. Like they’re still just kind of winging it. Right. Yeah. And I think there’s a lot of companies out there that don’t have the systems in place. Right. So you, you go into, you know, you want people to connect up to your corporate network through the VPN and access some of the systems, but then some of the systems are SaaS-based applications and you can access them directly without going through the VPN, or they’re meant to go through the VPN, but they’re open to the outside and, and, and they go around it or, you know, you’ve got developers that are like, Hey, I’m going to spin up a couple of VMs on some cloud servers and move data out there and do some testing while I’m on the corporate network, doing some other stuff.
Speaker 2 (17:03): Right. And they’re moving data out to these, these, you know, some kind of cloud vendor to run testing and things like that. And then the IT organization doesn’t know anything about it, you know? And I think that the point is that these people are not being malicious. Right. They’re doing it with the best intentions, they’re trying to be more productive, you know, they’re trying to get more work done. Right. They may not know. They may not know that, you know, certain ways of doing things are opening up vulnerabilities for the, for the company. Yeah. And that’s the thing, you know, when we say insider threat, most people think of some type of malicious, like, you know, like Dennis Nedry from Jurassic Park, you know, like I want more money, so I’m going to go to a, with all this research and yeah, it’s going to be this prolific, you know, a hack and yeah, there’s an 18 minute window and I gotta be out by the docks and all this stuff.
Speaker 1 (17:58): You know, wow. You’re, you’re really digging on the Jurassic Park analogy there. I’m sorry, I’ve got a monitor going all in on that one. Aren’t you? I, I still watch it weekly since a lot of my policies are based on, yeah, Jurassic Park and the Dennis Nedrys of the world, I think. But yeah, so, I mean, no, man, is that the, oh yeah. All right. Well we’re off topic anyways, so yeah, you’re right. They’re, they’re not trying to be, you know, that, that, that idea of an insider threat is like it’s being malicious, right? Yeah. It could be accidental. I mean, yeah. I mean, look at phishing. Right. For example, you know, I mean, a lot of that’s accidental. Right. And I’m like, I’ll take it, but yeah, I don’t think anybody’s on purpose trying to click on a phishing email.
Speaker 2 (18:53): And you know, to the credit of a lot of these phishing companies, some of these phishing attacks are incredibly realistic, you know, so, you know, are you, I mean, I think there’s a combination, you, you, as the IT or the cybersecurity organization, you need to be putting the things in place. So like, like, you know, like mail filtering solutions and things like that that are looking for emails from known phishing sites, link scanning inside the links, you know, obviously attachment scanning, but at the same time, you also need to train your employees and we use this solution called KnowBe4. Right. And KnowBe4, not endorsing KnowBe4, just saying that we use it. And what it does is it does training, right? So we get, you know, these, we have to do training every once in a while on, on certain things, whether it be password protections, things like that.
Speaker 1 (19:55): But also training on phishing attacks and rants, you know, things like that. But then it also does testing. Right. And, and I can actually go in and see, you know, who are our top offenders who keep clicking on phishing links and aren’t really understanding the training. Right. So those are, those are all kind of things that we need to be doing. You know, no one thing is the answer. Yeah, exactly. It’s kind of the whole thing of like, we, we go over like the training route and then everybody says, oh, well, you know, the training’s not working. And then it’s like, you know, we need more preventative and, you know, we need more, you know, detection and things like that, you know, at the end user, at the end user device, I mean, you really got to like balance it too, because it’s like, they’re, they’re both like, but it’s like a two-key system, like for success, it’s like the user has gotta be trained, but users also click things for a living. See how we need those endpoint solutions. Yeah. Yeah. Good. Well, I think that’s it for the day. So we’ll wrap up here and so thanks for again, another, another great session and we will, we will see, to all the viewers out there, thanks for, thanks for tuning in. And Dan, I’ll see you next Friday for another week’s roundup.
Speaker 2 (21:15): All right. Take care. Have a great weekend. Bye.
Speaker 1 (21:21): Thank you for joining us in this conversation about the ever-evolving cybersecurity landscape. Interested in a deeper dive on these topics? Subscribe to receive the latest.
DISCLAIMER: This transcript was auto-generated.
Kaseya Patch for REvil Ransomware
This story was covered by Tara Seals at Threatpost and Ravie Lakshmanan at The Hacker News. Hackers associated with the Russia-linked REvil ransomware-as-a-service (RaaS) group were able to distribute ransomware by exploiting several vulnerabilities in the VSA software (CVE-2021-30116), a Kaseya spokeswoman said. By targeting Kaseya’s VSA, the hackers were able to open the door to infect more computers in what is known as a supply-chain attack. Details of the flaws in the system have not been released, but analysts are saying that cybercriminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence an authentication bypass was used to gain access into these servers.
“Lakshmanan notes that about 60 managed service providers (MSPs) and 1,500 downstream businesses around the world have been paralyzed by the ransomware attack. REvil initially demanded $70 million in Bitcoin to release a decryptor tool for restoring all the affected businesses’ data, but lowered the asking price to $50 million, suggesting willingness to negotiate.”
In the end, the incident led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to offer mitigation guidance, urging businesses to enable multi-factor authentication, limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.
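One way to express the CISA mitigations above as a host firewall on the RMM server itself, as an added example that is not from the page, Kaseya or CISA: the administrative interface is reachable only from a dedicated admin network behind the VPN, and agent traffic is pinned to known IP pairs. The admin network, customer-site addresses and both ports are assumptions chosen for the example, not VSA defaults.

```nftables
#!/usr/sbin/nft -f
# Added example (not the page's, Kaseya's or CISA's own configuration).
# Assumptions used below:
#   10.10.0.0/24   - dedicated administrative network, reached only over the VPN
#   203.0.113.x    - known public addresses of the MSP's customer sites (agent traffic)
#   tcp/8443       - hypothetical RMM administrative web interface
#   tcp/5721       - hypothetical agent check-in port
flush ruleset

define ADMIN_NET   = 10.10.0.0/24
define AGENT_SITES = { 203.0.113.10, 203.0.113.22, 203.0.113.57 }
define ADMIN_PORT  = 8443
define AGENT_PORT  = 5721

table inet rmm_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Administrative interface: only from the admin network behind the VPN.
        # The weak setting this replaces is "tcp dport 8443 accept" with no
        # source match, which exposes the interface to the whole internet.
        ip saddr $ADMIN_NET tcp dport $ADMIN_PORT accept

        # Agent check-ins: limited to the known customer-site / RMM IP pairs.
        ip saddr $AGENT_SITES tcp dport $AGENT_PORT accept

        # Anything else aimed at the RMM ports is logged and counted so the
        # SOC sees unexpected sources before they become an incident.
        tcp dport { $ADMIN_PORT, $AGENT_PORT } log prefix "rmm-denied: " counter drop

        # Operator access to the host itself is also limited to the admin network.
        ip saddr $ADMIN_NET tcp dport 22 accept
    }
}
```

Load it with `nft -f <file>` and review the `rmm-denied:` log entries; a customer site that changes its public address shows up there rather than silently connecting.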
- Sean and Dan were struck by how devastating this event was for mid-sized businesses who hire MSPs to avoid incidents such as this.
- For businesses like dentists’ and lawyers’ offices that don’t have a deep knowledge of IT, the question is what are they supposed to do about this? They don’t have $70 million lying around to pay off cybercriminals like REvil.
- The key is adequately vetting your MSP, despite not having internal IT expertise. How do you make a selection on an MSP? Are you experienced enough to ask the right questions to get an effective MSP?
- An additional problem is not having enough capital to support a good MSP. Most companies go for the cheapest option, then have a breach and end up paying hundreds of thousands, maybe even millions of dollars in ransom.
British Airways Settles Data Breach Suit
This story was covered by Eduard Kovacs at SecurityWeek, and BBC News. In the summer of 2018, British Airways fell prey to a system breach which compromised the personal and financial data of roughly 500,000 customers. The theft of data was the result of a Magecart attack. The initial fine from the UK’s Information Commissioner’s Office (ICO) was set to £183.39 million ($230 million), but lowered to £20 million ($25 million) in 2020.
The fine does not include compensation for those affected and British Airways refuses to admit liability. Legal entities representing those affected by the breach submitted a statement vowing to “take further legal action if BA fails to compensate its clients with the appropriate level of damages.”
- When these companies get hit, it is not something that is fixed immediately. They may be dealing with these things for years to come due to legal action on the part of customers whose data was breached.
- It’s almost like these incidents are a part of our everyday lives now. We have all received notification, in some form of legal documentation, that our credit is being monitored and that legal action is being taken to pursue a settlement for lost data.
- But should companies like British Airways be responsible for paying out millions of dollars to customers for data breaches?
Cyber Risks of Remote Working
We discussed this article by Michael Crouse of Forcepoint. When employees came into the office, they were not only contained in the office space, but the IT department had a much better view of, and reach into, the entire centralized work environment it was protecting. With remote work, that perimeter has been extended. Forcepoint’s Michael Crouse, director of enterprise user and data protection, weighs in on these new “internal threats”. When you extend that perimeter, “some of the processes that were in place by the IT organizations aren’t effective, or they’re inhibiting a person’s ability to get the job done,” Crouse says. “So what people do is they look for alternative ways. So they go, for example, to shadow IT, or they go to working off the VPN because working on the VPN is slow.”
Since the remote workplace is now the norm, we have to implement dynamic user protection and adaptive risk mitigation. Companies that have employees working from home must make secure behavior second nature in every household. They have to improve employee security behavior by changing the way people think about security. This includes developing new cybersecurity policies, procedures, and technical approaches. This means asking not “what happened” but “why it happened”, by generating real-time, actionable data derived from employee behavior and industry baselines.
- Lots of companies have decided to continue with a remote-work-first approach, so work environment security is a timely topic to discuss. These companies have to start developing a remote work program.
- It’s not only policy, but also ways of enforcing things and helping employees be productive outside of an office space. Cyber threats have always been an issue for companies, but now they are even more heightened with the “work from anywhere” lifestyle on the rise. The greatest point about this article is that most people (remote employees) do not have malicious intentions. They don’t want to open a phishing email and wreak havoc across an enterprise. They are trying to get their work done and end up circumventing procedures to do that. However, these “shortcuts” open an enterprise up to security vulnerabilities and liabilities.
- Even more alarming is that some companies don’t even have procedures and policies in place for remote work environments. This “opens a can of worms” for employees who are uncertain of how to conduct themselves and are unaware of the dangers they are setting themselves and their company up for. These organizations without a plan are most at risk.