020 - Cyber-Incident Monday

Show Notes

Welcome to Cyber Incident Monday. Shopping is now a 24/7 occurrence with people shopping online, on their phones, or in stores. Data breaches always spike during the holidays, which is why consumers must be vigilant about protecting their information. There are potential pitfalls about shopping and putting your PII (Personal Identifiable Information) everywhere, but what are they? 

Learn how to safeguard your secret numbers and passwords? Join the Vancord team as they share the warning signs and provide some safety tips to ensure your identity remains yours during the holiday season. 

Transcript

[00:00:01.210] - Speaker 1

This is CyberSound, your simplified- and fundamentals-focused source for all things cybersecurity with your hosts, Jason Pufahl and Steven Maresca.

[00:00:11.510] - Jason Pufahl

Hi, welcome to CyberSound. I'm Jason Pufahl, as always, joined by Steve Maresca and Matt Fusaro.

[00:00:16.770] - Jason Pufahl

Hey, guys.

[00:00:17.290] - Matt Fusaro

How are you doing?

[00:00:19.070] - Jason Pufahl

So, I think we decided to call this one ”Cyber Incident Monday?”

[00:00:22.030] - Steve Maresca

I think so.

[00:00:24.530] - Jason Pufahl

Right, so it's the holiday season. People are shopping, right? I think fewer people are going out to the malls. More people are shopping online. The reality is we know it's happening during work and there's legitimate reasons for it. People are buying things for gifts, maybe for staff. They could just simply be buying things for the office like normal. Clearly, people are also going to shop in their lunch hours or random times during the day for personal shopping, right? So, the reality is—it's happening. You're probably not going to put controls in to stop it.

[00:00:57.860] - Jason Pufahl

So, I think the discussion we really want to have here is, how do we actually sort of enable employees to do it safely? Are there tips that we can give them? What are some of the potential pitfalls to somebody shopping online at work?

[00:01:14.650] - Jason Pufahl

And I think we did want to start with a story around...I guess it's certainly an incident, right? It might not have been your traditional ransomware, but an event that occurred at one of our clients when an email administrator, if I recall, was shopping and directed to a kind of an illegitimate site that looked correct, right?

[00:01:37.170] - Steve Maresca

Yeah, I think the main takeaway is that the outcome was that because of shopping activity, as sort of the prelude to this attack, an attacker was able to take over a domain by intercepting email, by modifying credentials, and altering the fundamental information associated with this customer's website. That impacts a lot of things. It's reputational. It's huge impact for email flow. All of the customers of that entity were affected themselves. They couldn't reach anything.

[00:02:12.280] - Matt Fusaro

It's hard to recover from, too, when you have a domain take over like that…

[00:02:16.350] - Steve Maresca

It's a nightmare.

[00:02:16.390] - Matt Fusaro

…now you're getting the entity involved with the hosting provider.

[00:02:20.050] - Steve Maresca

Yeah, it took days to resolve.

[00:02:21.940] - Jason Pufahl

It did, and days by design, right? Because your time to live for this stuff was set to actually take a long time to recover from.

[00:02:27.800] - Steve Maresca

Right.

[00:02:28.950] - Jason Pufahl

So, the hard part about it, though, was from some of the useful tips is the email administrator, in this case, I think was using the administrative credentials as the local logon for a PC. So, it was easy to collect those for the attacker when that attack started.

[00:02:47.300] - Steve Maresca

Right, and there was a phishing component also. They were visiting a shopping website. They were expecting some sort of notification. And they supplied their credentials. From there, it was a really straightforward step to log into systems as if this individual…and obtain the credentials, and effectively subvert the workflow of domain management of network engineers. And from there, the domain takeover is really quite straightforward—modify the service associated with the domain, and off they go.

[00:03:18.220] - Jason Pufahl

So, an event...an attack that probably took an hour to execute, I think resulted in...I have ten plus people's time over the course of a week to recover from.

[00:03:31.200] - Jason Pufahl

It was a hugely disruptive event. The institution was mad because they had a reputational issue, more than anything else. Of course, it happened over the holidays, because it's a really popular time to do it. If I recall, it probably happened, I want to say, it happened on Christmas Eve. I'm not 100 percent positive that going back, but it was a common thing like that, right?

[00:03:52.540] - Jason Pufahl

It's a Friday. It's the day before a holiday. It's on the holiday. That's the time that these things actually are executed.

[00:03:58.070] - Steve Maresca

Right, there are secondary impacts. Difficult to reach support. You have to prove your identity. How you would normally do that? Well, via codes delivered to your email, which you can't receive because your domain has been hijacked. It's just a vicious cycle.

[00:04:11.750] - Jason Pufahl

So huge amount of disruption, because an individual wanted to purchase something online, which we see all day, every day during this time of year. How do we protect against that? How do we enable people short of really complex firewall rules, and some of these other things that people like to implement that, in my opinion, don't really provide a lot of value? And I think training and awareness is one of the bigger helps here.

[00:04:39.690] - Matt Fusaro

Yeah. I think that early 2000s mentality of “let's block as much as possible.” Web filtering has gotten, I think, has become much more permissive over the past five, 10 years or so. I don't know if you guys agree with that or not.

[00:04:54.880] - Group

[crosstalk 00:04:54] 

[00:04:55.210] - Matt Fusaro

I'm sure it depends on where you are, but a lot of places, they're pretty open. That's kind of the ideal. They want people to feel like they're not being censored at work. But that also means now you can get to a lot of websites that you wouldn't have normally gotten to.

[00:05:07.650] - Jason Pufahl

They don't want to drive people home, right? They want people staying in the office, which means enabling them.

[00:05:11.850] - Matt Fusaro

Yeah, protecting when you do allow all those things, it gets significantly more difficult, right? Making sure that browsers are up to date. You don't have extensions allowed all over the place. Our SOC is probably very sick and tired of seeing all the coupon extensions out there that get alerted on all the time.

[00:05:34.690] - Steve Maresca

The bigger issue, aside from the actual activity itself, is that it's being performed on a system that's being used for legitimate business activity. It's the confluence of maybe personal shopping with business systems. That's the actual fundamental problem, and that's exacerbated by the use of organizational credentials and identities at that moment.

[00:05:58.960] - Steve Maresca

So, some organizations choose to have an Internet-only guest network that employees can use for this type of activity. And most people use their phones quite comfortably to do that. That's a fine way of facilitating something that might be culturally permitted.

[00:06:16.270] - Steve Maresca

Alternatively, just having separate accounts for privileged activity and unprivileged activity. That will put up a giant stumbling block for an attacker trying to take over accounts or otherwise subvert systems.

[00:06:29.410] - Matt Fusaro

Right, yeah, agreed.

[00:06:32.170] - Jason Pufahl

It's an interesting point you make because we always recommend keeping your personal activities on personal devices, and your professional ones on professional devices. Don't co-mingle email accounts. Ideally, to your point Steve, use your phone or maybe your personal laptop for shopping.

[00:06:50.050] - Jason Pufahl

The reality is, if I'm being honest, there's probably been a Zoom meeting or two where I've browsed websites instead of listening to the meeting, right? It's way harder to pull out your phone and surf on Amazon during a Zoom meeting. We all spend a lot of time on that.

[00:07:08.410] - Jason Pufahl

We don't want to pretend that people are only going to use personal devices for this stuff, right? I think the point about making sure you have your non-administrative credentials is really, a key one. That was such a critical component to the incident we talked about earlier.

[00:07:23.650] - Steve Maresca

Yeah, I think I agree with your other point, which is effectively they're going to do it anyway.

[00:07:29.020] - Jason Pufahl

They're going to do it anyway.

[00:07:29.850] - Steve Maresca

Everyone does it anyway. The only way to prevent it realistically is a draconian environment that no one actually implements, in reality. So, what do you do realistically? Well, defend browsers.

[00:07:43.390] - Matt Fusaro

Spam filtering.

[00:07:44.770] - Steve Maresca

Yeah, spam filtering. Use ad blockers if it's permissible. Defend against the likely paths for that type of attack. You want to make sure that workstations are up-to-date and they're not using browser plugins that are out-of-date. That's the typical drive-by attack. You get rid of that, and you have a more subdued attack surface.

[00:08:06.570] - Matt Fusaro

Yeah, I was just going to mention with that. Most of these are going to be, like Steve said, drive-by attacks or they're going to be opportunistic. You're not going to see a lot of advanced APT-type malware that is going to take over systems like this. This is going to be your average, everyday stuff.

[00:08:25.630] - Steve Maresca

Absolutely.

[00:08:26.560] - Matt Fusaro

Some of them aren't even really targeting businesses. They're really targeting the at-home user. They're just looking to disrupt or get them to call a number and steal a credit card or something like that, right?

[00:08:37.670] - Steve Maresca

Exactly.

[00:08:38.830] - Matt Fusaro

So yeah, it's not always the advanced things.

[00:08:42.800] - Steve Maresca

But recognizing that, generalized security awareness training is how you equip general users to avoid these types of issues. Unrealistic expectations are that every user is going to detect something, but at least you'll make them think twice when they receive an email that is a little strange, or encounter a website that's unexpected in terms of its representation. That's where you start.

[00:09:09.010] - Jason Pufahl

Make it interesting. And I think the trouble with security awareness training all the time is we say the same things. “When you see phishing, look for a malformed email address” or “Be suspicious of the URL.” But the reality is have a conversation with your employees that it's the holidays and you're going to see these types of attacks. Be explicit about it. And I think if you anchor that in something that's going to happen over the next, say, 3-4 weeks, people will pay more attention.

[00:09:35.600] - Jason Pufahl

Don't be as vague as I think we often are. We're our own worst enemies in that regard sometimes.

[00:09:39.850] - Steve Maresca

Yeah, I mean, realistically, the holidays—whether we're talking about Thanksgiving or Christmas or you name it—that's when our guard is down, people are on vacation. There needs to be some sort of secondary, "Hey, have your heads up, look for things" type of advisor. Yeah, absolutely. Paying attention is critical.

[00:09:59.810] - Jason Pufahl

So, I think we talked a tiny bit as we were preparing for this, around the idea of sort of third-party processors and some of these other payment mechanisms out there. I think we're used to seeing things now.

[00:10:11.550] - Steve Maresca

Right.

[00:10:11.740] - Jason Pufahl

Clearly, credit card's common. PayPal integration. And maybe, like an Apple Pay, much more common. But we probably see some other payment processors out there that are less frequently...that you run into less frequently. Is there a risk to those in your opinion, or is there any reason to avoid some of these other things?

[00:10:33.890] - Matt Fusaro

It's tough to answer the avoid question. There's good reputations. There's bad reputations, too. You've got places like Affirm that are pretty popular now, Shopify, a lot of them are “buy now, pay later”-type style.

[00:10:48.130] - Steve Maresca

But still new to many people.

[00:10:49.700] - Group

[crosstalk 00:10:49] 

[00:10:51.620] - Matt Fusaro

But you have to also remember is that a lot of them are doing credit checks, so they're going to be asking for a lot more personal information than just your credit card. It's easy to recover a credit card. But, once your Social Security number is out there, that's a little bit more difficult. So being aware of that and not necessarily using your corporate network to be transmitting your Social Security number to buy a laptop for your little Johnny.

[00:11:19.550] - Steve Maresca

And ultimately, if you're using one of them because it's attractive because you don't have the amount of money that's necessary at that very moment, then do some secondary research, open another tab, determine if it's legitimate. It doesn't take very much searching, realistically.

[00:11:33.780] - Matt Fusaro

Exactly.

[00:11:35.330] - Matt Fusaro

Yeah, it's easy to vet most of these things. If you have questions...I haven't personally tried this before, but I'm sure you can reach out to either your banks or your credit monitoring. If you do have it, ask them about it. I'm sure they've got helplines that can kind of attest to whether those are legitimate organizations or not.

[00:11:54.700] - Jason Pufahl

Yeah, that's fair. And I think you named a couple of really common ones. But it is interesting to see that the integration is in some of these third-party services and people really using, are spending money in different ways, or accessing money in different ways now. So, you have to be mindful of that

[00:12:08.740] - Steve Maresca

Again, returning to the gift-giving aspect. This is the time for gift cards. Gift card scams are very common.

[00:12:14.980] - Jason Pufahl

That's a good point.

[00:12:16.790] - Steve Maresca

Incentives during the holidays in the form of gift cards are actually occurring in the workplace. So, you know, distinguishing between real and fake in that context might be a challenge for some people. Really, just make a phone call; ensure it's legitimate.

[00:12:31.370] - Matt Fusaro

Phone call, walk over to the office or something like that. Verify that they're actually asking for that gift card.

[00:12:36.420] - Jason Pufahl

Let's face it, there's really never an emergency gift card giving requirement. You just don't have the, "You have to buy it this second or else some bad thing's going to happen.” So be suspicious of those. And we see it all the time, and they work and they're persistent. They'll try a variety of different ways to get people to spend money on that.

[00:13:01.590] - Jason Pufahl

Coming back to this, really at the beginning, we do want to talk to our employees about the fact that it is the season, and you probably don't want to say, spend all your time shopping, but you don't want to pretend they're not going to.

[00:13:14.840] - Jason Pufahl

And I think it's important to have these conversations to do your best to protect your organization from kind of, the common things that we talk about, really in a lot of these episodes. Again, these are really complicated attacks that we're talking about. It's basic awareness and just sort of being careful about where you're at.

[00:13:31.920] - Steve Maresca

Yeah, acknowledging it without sounding punitive so that people feel inclined to listen and think on the behalf of the organization. And recognize there's a personal component too.

[00:13:42.630] - Jason Pufahl

Yeah. I mean, that's fair. Know that it will probably quiet down in a few more weeks. We're in that season. So, you do your best to weather the storm and kind of get through it.

[00:13:56.070] - Jason Pufahl

Any final thoughts at all? I think we talked a little bit about pop-up blockers and coupon trackers and some of these other interesting things people encounter. Anything that jumps out as a final idea?

[00:14:10.070] - Steve Maresca

I think I'd say if your organization does have website filtering by category or something like that, just recognize that they're not 100-percent solutions. They're at best 40, 60 percent, if you're lucky.

[00:14:24.060] - Jason Pufahl

Yeah.

[00:14:24.510] - Steve Maresca

There's always a new vendor out there that's not been classified. It's the nature of the beast. So, if you have them and you rely on them because you think that they are reliable, know that it's an arrow in the quiver, but not the be-all-end-all.

[00:14:39.190] - Matt Fusaro

Yeah, doing things like that and just making sure that your visibility systems are up and working. You're getting at least some logs from your firewalls. The usual things we talk about.

[00:14:50.060] - Matt Fusaro

Make sure that your systems are actually catching the day that you want. And if it does come down to having an incident, at least to be ready.

[00:14:56.890] - Jason Pufahl

Yeah, that's reasonable. So, I think as a quick ending, we just want to say happy holidays. Don't be afraid of holiday shopping. Talk to your employees, of course. If you have concerns around this that run any deeper than this conversation, feel free to reach out to us at Vancord on LinkedIn or VancordSecurity at Twitter. And as always, thanks Steve and Matt for joining us today, and we hope that people got value out of this.

[00:15:20.470] - Steve Maresca

Take care.

[00:15:22.650] - Speaker 1

Stay vigilant, stay resilient. This has been CyberSound.