It's a (Least) Privilege Thing

In This Issue:

  • We Hate to Say “I Told You So,” But …
  • A+ Response to Ransomware
  • It's a (Least) Privilege Thing
  • IoT Has 9,999 Problems—and Humans Are One of Them

We Hate to Say “I Told You So,” But …

Back in May, we advised The Countermeasure readers to brace for regulatory impact after months of Facebook fiascos got government officials growling. 

Well, it's starting. Senator Proposes Data Privacy Bill with Serious Punishments. Late last week, U.S. Senator Ron Wyden proposed the Mind Your Own Business Act, which would give Americans GDPR-like privacy protection … and a little something extra. Under the proposed bill, executives who lie to regulators face between 10- and 20-year prison sentences.

There's no guarantee that the bill will become law. But the proposal is happening within a global context of increasingly harsh punishment for privacy violations and data breaches. Only a few weeks ago, there was an Arrest Made in Ecuador's Massive Data Breach.

Criminal prosecution of executives is rare (for now), but previous The Countermeasure editions have been stuffed with headlines about companies losing contracts, facing fines, and being hit with lawsuits in the aftermath of privacy-violating cyberattacks. Even if Wyden's bill doesn't become law, it becomes a template on which future attempts at privacy legislation can be based. Stringent privacy regulation will be passed sooner or later. Probably sooner.

Countermeasure:

A summary of the Mind Your Own Business Act is here. Read it, and start planning ways to meet these requirements. Whether or not this specific bill passes, some kind of additional privacy regulation is nearly inevitable, and compliance programs take time to implement. 

Oh, and executives … if your company is breached, don't lie about it. If anything even remotely like this makes it into law, piercing the corporate veil for privacy violations looks set to become a thing.

A+ Response to Ransomware

This week, it was Billtrust's turn to be hacked. The cloud-based B2B payment service was infected by ransomware last Thursday. Ransomware Hits B2B Payments Firm Billtrust. The company had usable backups, and was able to get almost all of its customer-facing IT up and running within a couple of days of the attack. 

Just as important, Billtrust communicated quickly and clearly with its customers about what happened, what was being done to fix it, and what customers could expect next. One of those customers posted copies of its communications: Billtrust Service Interruption – Updated 10/21.

Countermeasure:

Billtrust did several things right. It had backups, and its backups seem to have been stored out of reach of the ransomware—probably offline. (You're doing that, right?) The data on its production systems was strongly encrypted, so anything stolen would be extremely difficult to decipher. (You should be doing that, too.) And the company’s post-breach communication was unusually well done. 

Anyone in your organization who’s involved in incident response planning should definitely read the Wittichen Supply Company post showing the communication from Billtrust. To consider: honesty, competence, and quick action are a much better way to retain customers' confidence after a breach than the foot-dragging, minimizing, and finger-pointing that are more common tactics. (Plus, if the Mind Your Own Business Act passes, this kind of response to a breach is less likely to get you thrown in jail.)

It's a (Least) Privilege Thing

Among the breaches reported this week were hacks at Avast and NordVPN. These two articles provide details: Avast Fends Off Hacker Who Breached Its Internal Network in Copycat CCleaner Attack and Row Erupts over Who to Blame After NordVPN Says: One of Our Servers Was Hacked via Remote Management Tool.

Security analyst Brian Krebs pointed out that both hacks exploited the same type of vulnerability. Avast, NordVPN Breaches Tied to Phantom User Accounts. "Forgotten user accounts that provide remote access to internal systems—such as VPN and Remote Desktop services (RDP)—have been a persistent source of data breaches for years."

This can be an extra-special security nightmare if the remote access accounts in question have administrative privileges. Then it becomes trivial to install malware, steal data, or delete resources. (Just Say the 'Magic Password': Boffins Turn up Potential Backdoor in SQL Server 2012, 2014 is one recent example of how administrative credentials can be misused.)

It's just about impossible to overstate the security impact of viciously pruning the number of accounts with admin privileges. BeyondTrust Research Discovers that 81 Percent of Critical Microsoft Vulnerabilities Mitigated by Removing Admin Rights.

Finding inactive accounts and deprovisioning them used to be a task that got shoved to the bottom of the pile of burning fires for overworked IT staff to deal with later. Much later. As in "never." This was because manually hunting and killing the many, many accounts associated with a single person was very time-consuming.  

However, there are now plenty of centralized identity management products available. Accounts can be efficiently deprovisioned. This week's news demonstrates why that needs to be a basic part of any security strategy.

Countermeasure:

Does your organization have a deprovisioning policy? If not, you need one. List the business processes to follow if an employee is fired, goes on extended leave, or changes roles within the organization. How do IT staff find out about the need for a change? What do they need to do in response? How much of this can be automated?

Also, use multifactor authentication wherever possible. Krebs adds, "Almost all of these breaches could have been stopped by requiring a second form of authentication in addition to a password, which can easily be stolen or phished."

IoT Has 9,999 Problems—and Humans Are One of Them

One aspect of security is thinking about all the non-standard ways someone might use a device or service … and what might happen if they did. In this sordid little tale, one company (Samsung) seems not to have done that. But another company (retailer John Lewis) managed to do better.

These two articles provide the background: Welcome to the World of Tomorrow, Where Fridges Suffer Certificate Errors. Just Like Everything Else and Samsung on Fridge Cert Error: Someone Tried to View 'Unsavoury Content' in Middle of John Lewis.

The Internet-connected fridge in question has a tablet-like screen for "non-stop music, video & TV entertainment." Inevitably, somebody walking past the fridge display decided to browse some "entertainment" of the adult variety. John Lewis, the store selling the fridge, had network policies in place to prevent that sort of thing from happening, so instead of naughty pictures, the fridge displayed a certificate error.

This raises some questions: If that fridge were in an employee break room, would similar protections be in place? (Remember, they're not built into the fridge.) Also, if the fridge can download pornography, can it download malware? (Almost certainly, yes.)

Countermeasure:

It's probably simplest to avoid "smart" devices wherever possible. But this story also highlights the importance of configuring corporate networks to limit access to important stuff. Translation: Your guest Wi-Fi (and your fridge) should be on a separate network from the rest of your company data, and should be set up to prevent visits to dodgy sites.

Resource of the Week

Storing Your Stuff Securely in the Cloud

Tool of the Week

Oracle Releases Free Tool for Monitoring Internet Routing Security 