Heard the one about the managing director using the same basic password across every email account?
Jake Ives, Senior Cyber Security Consultant at Intersys, sees this kind of thing every day. And much more besides.
In our interview, he looks at the big stories of 2023, emerging trends and some, frankly, epic mistakes by organisations that should know better. Along the way, he peppers his comments with tips and advice for protecting your organisation.
Be informed. Be aware. And be very, very glad if you can say about the following anecdotes:
‘Thank the lord that wasn’t us.’
Here’s the interview…
Jake, in your opinion what are the big cyber security stories of 2023?
The Microsoft Exchange zero-day vulnerabilities that surface every other month are of great concern. ‘Zero day’ vulnerabilities refer to flaws exploited by hackers before developers know about them, so they have ‘zero days’ to address the issue. Unfortunately, this Microsoft service has been exposed to the threat and users can be hit by data theft and remote changes to devices. I’ve heard some horror stories.
In terms of big news, the MOVEit breach is up there, because the file transfer app is used by thousands of organisations across the globe.
The most significant story affecting a single organisation has to be the Police Service of Northern Ireland (PSNI) breach. Over 10,000 officers and staff had personal information disclosed. As the reports at the time said, it was ‘monumental.’
In which areas have criminals particularly been making inroads into businesses over the past 12 months? What trends are emerging?
In no particular order, because they are all so significant:
Reverse proxy-based phishing that steals user credentials and MFA tokens such as one-time passwords. Many believed MFA to be incredibly solid – until this scam hit the Internet.
QR codes in emails that lead to phishing websites. They’re so effective because they evade URL detection policies in email security gateway solutions.
Exploiting open ports on firewalls. This has led to the breach of vulnerable routers and IoT devices such as CCTV (which often haven’t been patched for a long time).
Attacks on less secure MFA methods, such as phone and SMS authentication. This is why Microsoft is pushing organisations to use the official Microsoft Authenticator app, which supports number matching.
Social engineering. This is rife and has prompted an arms race between the likes of Microsoft, who introduce new security features, and threat actors who are using smarter, more sophisticated attack strategies. Businesses must invest in cyber security training and awareness campaigns for users.
Third-party exposure attacks, where threat actors target the ‘weakest link’ in a supply chain. Your third party could be an outsourced IT supplier with a vulnerable remote monitoring and management (RMM) tool, a software vendor with access to a business environment, or a contractor using a foreign device to access the organisation’s information.
How do organisations stay informed about these threats?
We conduct frequent threat intel and keep clients up to date. For example, we began contacting clients about QR code-based phishing before it surfaced in more mainstream news. Any good cyber security provider should do the same.
Also, our cyber security and IT blog and our cyber security newsletter are excellent ways to keep informed. Our technical teams contribute directly to these stories, so they have a high level of credibility.
What about some of the changes in working practices since the pandemic? Are they still creating opportunities for criminals?
Absolutely. Threat actors continue to prey on weak networks. Where lots of employees are still working from home, on less secure networks, there is a need for IT departments to bolster the configuration of devices used by employees.
It’s so important to monitor your firewall and anti-virus software, and ensure the principle of least privilege. Employees should also be aware of the risks around placing cheap internet-of-things devices on the same network that their work computer is connected to.
Bring your own device (BYOD) is also a big problem. Unfortunately, mobile application management (MAM) controls present in products such as Microsoft Intune are not widely used. This means that commercially sensitive information exists on employee mobile phones unencrypted and available for interception.
On a more personal note, while respecting confidentiality, can you give us a brief snapshot of work you’ve undertaken this year in cyber security? What have been the most common themes?
We’ve carried out several gap analyses across multiple sectors. While conducting these, we’ve reviewed sign-in logs across systems and identified ongoing compromises. Also, we’ve seen users consent to applications from untrusted sources that are used by threat actors to access accounts.
Also, I’d like to build on a point I raised earlier about preying on weak networks. One of the worst things I’ve seen is an employee using their work PC on a highly insecure home network. In short, their remote desktop connection (RDC), which is accessed via port 3389, was exposed to the internet. Avoiding this practice is cyber security 101. It’s highly insecure. But I suspect it happens frequently.
Another weak network issue was a recent incident of a woefully outdated CCTV NVR system placed behind a consumer-grade router. The management ports were opened to the internet, something the IT department knew nothing about.
We often talk a lot about the threat. But what’s really encouraging in terms of technology or approaches that are keeping the bad guys out?
When organisations adopt zero trust methodologies, they go a long way towards keeping themselves protected. Always assume potential breaches are occurring, and investigate anything that looks odd.
For instance, if you receive a notification that a user has accessed their account from an unusual location, don’t just assume they’re on holiday. Dig into it more, and understand more about the network that is associated with the login.
I’m going to have to plug Intersys here, too. We see all types of breaches occur and have hands-on experience helping businesses. We advise on the exact steps a business needs to take to dig them out of a precarious situation and direct them toward the light at the end of the tunnel.
It isn’t all doom and gloom. There are solutions and life can return to normal.
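As an added illustration of the sign-in log review Jake describes (this is not code from the interview or from Intersys), here is a small Python triage over constructed sign-in events: it flags logins from networks outside a user's known baseline, logins from hosting/VPN ranges rather than end-user networks, and country changes too fast to be genuine travel. The event fields, the baseline and the two-hour window are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data): one user behaving
# normally, one whose account is used from an unfamiliar hosting network
# only minutes after a legitimate UK sign-in.
SIGNINS = [
    {"user": "alice", "time": "2023-11-06T08:02:00", "ip": "203.0.113.10",
     "country": "GB", "org": "Example Broadband", "net": "residential"},
    {"user": "alice", "time": "2023-11-06T12:45:00", "ip": "203.0.113.10",
     "country": "GB", "org": "Example Broadband", "net": "residential"},
    {"user": "bob", "time": "2023-11-06T09:15:00", "ip": "198.51.100.7",
     "country": "GB", "org": "Example Mobile", "net": "mobile"},
    {"user": "bob", "time": "2023-11-06T09:40:00", "ip": "192.0.2.44",
     "country": "NL", "org": "Example Cloud Hosting", "net": "hosting"},
]

# Assumed per-user baseline: (country, network owner) pairs seen in the
# weeks before the review window.
BASELINE = {"alice": {("GB", "Example Broadband")},
            "bob": {("GB", "Example Mobile")}}

MAX_TRAVEL = timedelta(hours=2)  # two countries inside this window: investigate

def triage(events, baseline, max_travel=MAX_TRAVEL):
    """Return one finding per suspicious sign-in, listing the reasons to dig in."""
    findings = []
    last = {}  # user -> previous event, for the travel check
    for ev in sorted(events, key=lambda e: (e["user"], e["time"])):
        reasons = []
        if (ev["country"], ev["org"]) not in baseline.get(ev["user"], set()):
            reasons.append("network not in user's baseline")
        if ev["net"] == "hosting":
            reasons.append("sign-in from hosting/VPN range, not an end-user network")
        prev = last.get(ev["user"])
        if prev and prev["country"] != ev["country"]:
            gap = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
            if gap < max_travel:
                reasons.append(f"{prev['country']}->{ev['country']} within {gap}")
        if reasons:
            findings.append({"user": ev["user"], "ip": ev["ip"],
                             "time": ev["time"], "reasons": reasons})
        last[ev["user"]] = ev
    return findings

if __name__ == "__main__":
    for f in triage(SIGNINS, BASELINE):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

Only Bob's second sign-in is reported, with all three reasons attached, which is the kind of finding that should prompt a look at the network behind the login rather than an assumption that the user is on holiday.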
The biggest indicator you’re being scammed is when…
There is a sense of urgency. ‘You must do this immediately to protect yourself.’ ‘This offer is only available today.’
Anything that requires an immediate action and heightens your emotions is highly likely to be a scam. We’ve written a post on social engineering that looks at this sense of urgency in criminal campaigns.
What general principle would you like every business to understand and implement in terms of cyber security?
Take security seriously. The cost of investing in good controls may seem expensive, but being subject to a breach and then not reporting it could be a bigger problem.
Your customers may lose trust in you. You could be fined. You simply can’t sweep a breach under the carpet; it will come back to bite you.
Is there such a thing as an amusing cyber security story? If so, we’re all ears…
Yes, and this first one is a common story not specific to any one organisation.
A “CEO” emails an employee and then swiftly pushes for subsequent communication to occur over SMS (which cannot be tracked). Following some back and forth and prompting from the “CEO,” the user goes out of their way to purchase iTunes vouchers for the boss, in an attempt to impress them. The result: scammers one; gullible employee nil.
Then there’s the senior staff using the same weak password across all of their accounts. Let me make this clear: a password such as “Summer2012” is not secure. And if one of your accounts is compromised, you must assume that threat actors will attempt to use the same password on all of your other accounts.
Predictions for 2024. What are we going to see more of, in terms of scams? And what new approaches do you think businesses will increasingly be taking to fend off the threat?
Threat actors are harnessing the power of artificial intelligence to craft very convincing communications. We all need to be on our guard…
Intersys is a specialist cyber-security provider offering a fully managed SOC-as-a-service to businesses, schools and NGOs. We also offer fully managed IT support. To find out more about how we can help you, contact us now.