Recently, a software vendor in the I.T. space suffered a breach, and a number of their customers ended up infected with ransomware. Thankfully, ECN was not affected in any way since we do not use that software. In this post, we'll give some details about what happened, what it means for current ECN customers, and what ECN is going to be changing in the future.
What Was The Hack?
The recent attack in the I.T. community was on a piece of software that many I.T. service providers use. Because the criminals were able to take advantage of that software, they were able to deploy ransomware to the I.T. service providers' customers. It would be like a criminal injecting apples with poison before they leave the farm. Your grocery store would not be affected, nor would it have had any control, but as the end customer, you get hurt.
Ransomware is malicious software that, once installed and running, encrypts everything on your computer with a special key. This means your computer loses access to any document on it, as well as any documents on shared storage like OneDrive, SharePoint, shared drives, servers, email, etc. It is also good at moving around on your network, finding anything it can, including servers, phones, other IoT devices, laptops, and more. Once everything is encrypted, you may see a message demanding a payment for the key to get your files back. The average ransom demand is $250,000. In the case of this hack, the demand varied between $50,000 and $5m, with a bulk demand of $70m.
If you don't take this seriously, now is the time.
Ransomware is not the worst part though. While not part of this hack, the criminals often steal data before turning the ransomware on, and then blackmail you to increase their payout. They may also sell that data on the dark web, making it easier for you to get hacked in the future, and potentially costing you money in compliance fines and criminal trials. A HIPAA violation can cost you millions for a breach like this.
The only real way to recover from ransomware is to burn everything to the ground and restore from known good backups. But there are several ways to prevent this from happening.
A supply chain hack is a worst case scenario. Often, the software we use must be trusted, as we need it to run cleanups, updates, change scripts, installs, and more. The software just does what we (or someone else) ask it to; it has no way to tell whether the commands being sent are intended to be malicious or not. This presents a difficult situation that takes a complex system to solve.
What Will ECN Do?
Moving forward, ECN will be implementing the following changes for all its current and future customers.
2FA on Everything
2FA will be mandatory on everything I.T.: Zoom accounts, Office 365, WiFi, the ECN portal, everything. If the product you are using does not support 2FA, or we are not able to build 2FA around it, it cannot be used.
No Shadow I.T.
Shadow I.T. is stuff you use that your I.T. department does not know about. For instance, that Dropbox account you had to sign up for to download those files. If your I.T. department does not know about it, it's shadow I.T. Another example is purchasing printers, webcams, and other hardware that is not approved.
No Admin Access
The vast majority of hacks can be prevented by not using admin access. By default, all users will have any admin access removed, and those that require it will need to work on a one-time, 2FA-enabled account.
We will be implementing software that is whitelist-only; that is, it will only let the computer do what we have already approved it to do. This specific configuration was responsible for keeping a number of customers safe during this most recent breach. Beyond the software, we will be re-engineering your networks to support the zero trust mindset.
EDR and NGAV
Endpoint Detection and Response (EDR) is a higher class of security product that watches what the computer is doing and makes a judgement, using AI, on whether a process is malicious. This can stop a number of attacks, even if the attack has never been performed before.
Next Gen AV (NGAV) is similar, but functions more like a traditional antivirus.
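To make the "watches what the computer is doing" idea concrete, here is an added example that is not code from the original post or from any EDR vendor: a small behavioral detector run over constructed file-system telemetry. It flags a process that rewrites many files under a new extension, across several folders, inside a short time window, which is the pattern a ransomware encryption pass leaves behind. The event format, thresholds and process names are assumptions for illustration.

```python
import os
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileEvent:
    """One file write/rename as an endpoint sensor might report it (assumed format)."""
    ts: float        # seconds since epoch
    pid: int
    process: str
    path: str        # path after the write or rename
    old_path: str    # path before; equal to `path` for an in-place write


def _extension_changed(ev: FileEvent) -> bool:
    return os.path.splitext(ev.old_path)[1].lower() != os.path.splitext(ev.path)[1].lower()


def detect_mass_encryption(events, window_seconds=60, min_renames=20, min_dirs=3):
    """Return {pid: (process, renames_in_window)} for processes that, inside one
    sliding window, change the extension of at least `min_renames` files spread
    over at least `min_dirs` directories. A process is recorded once, at the
    moment it first crosses the threshold, so the count is the trigger count."""
    window = defaultdict(deque)   # pid -> deque of (ts, directory)
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if not _extension_changed(ev):
            continue                        # ordinary saves never trip the rule
        q = window[ev.pid]
        q.append((ev.ts, os.path.dirname(ev.path)))
        while q and ev.ts - q[0][0] > window_seconds:
            q.popleft()                     # drop events that fell out of the window
        dirs = {d for _, d in q}
        if len(q) >= min_renames and len(dirs) >= min_dirs and ev.pid not in flagged:
            flagged[ev.pid] = (ev.process, len(q))
    return flagged


def sample_events():
    """Constructed telemetry (not real logs): a word processor autosaving, a
    backup tool rotating a few logs, and one unknown process rewriting documents
    in five user folders with a new extension within 25 seconds."""
    events = []
    for i in range(30):                     # pid 1001: same .docx saved 30 times
        p = "C:/Users/alice/Documents/report.docx"
        events.append(FileEvent(1000.0 + i, 1001, "WINWORD.EXE", p, p))
    for i in range(5):                      # pid 2002: five renames, one directory
        events.append(FileEvent(1000.0 + i, 2002, "backup.exe",
                                f"C:/Backups/app{i}.log.1", f"C:/Backups/app{i}.log"))
    folders = ["Documents", "Desktop", "Pictures", "Downloads", "OneDrive"]
    for i in range(25):                     # pid 4242: 25 documents across 5 folders
        old = f"C:/Users/alice/{folders[i % 5]}/file{i}.xlsx"
        events.append(FileEvent(1000.0 + i, 4242, "unknown.exe", old + ".locked", old))
    return events


if __name__ == "__main__":
    for pid, (name, count) in detect_mass_encryption(sample_events()).items():
        print(f"ALERT pid={pid} process={name}: {count} extension changes in window")
```

The editor (pid 1001) never changes an extension, so it generates no signal at all; the backup tool (pid 2002) changes five, well under the threshold and all in one directory; only pid 4242 crosses both the count and the directory-spread thresholds. A real EDR adds response (killing the process, isolating the host) on top of this kind of judgement.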
Full Image Backups
Any computer in use by the company will need full image backups. This ensures the most complete recovery after a security incident like this.
Backup for Cloud Services
Just because you have data in the cloud (Google, Microsoft, etc.) does not make it safe. Ransomware can easily encrypt all your cloud documents and you will be left with nothing. Backups for cloud services ensure a more complete recovery after a security incident.
Spam/Phishing Email Filtering
Standard email filtering is not enough. Third-party filtering uses advanced tools to identify a potential threat in your email and act to keep it from spreading. It can reduce the likelihood of a breach by never letting users click on malicious links or files.
Office 365 Hardening
By default, Office 365 is not terribly secure. Hardening involves creating rules about who can log in, when, from what geographic location, and from what devices. It can also look at behavior once logged in and make decisions to stop unauthorized changes to the accounts.
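The rules described above (who, when, from where, from which device, plus checks on what a logged-in session is allowed to change) can be thought of as a small policy engine. The following is an added example written for this post, not ECN's configuration and not Microsoft's conditional access API; the `SignIn`, `Policy` and `SENSITIVE_CHANGES` definitions, the country list, the business-hours window and every sample sign-in are constructed assumptions that show the evaluation order such a policy needs.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt as the identity provider would see it (assumed fields)."""
    user: str
    country: str             # country resolved from the source IP of the attempt
    device_managed: bool     # device enrolled in, and compliant with, management
    mfa_satisfied: bool      # second factor already completed for this session
    when: datetime           # time of the attempt in the tenant's local time zone
    legacy_protocol: bool = False   # basic-auth clients that cannot prompt for MFA


@dataclass(frozen=True)
class Policy:
    allowed_countries: frozenset
    business_hours: tuple = (7, 19)            # [start, end) local hours
    after_hours_users: frozenset = frozenset() # users allowed outside those hours


# Account changes that matter most if a session is stolen. Illustrative set, not
# an Office 365 setting.
SENSITIVE_CHANGES = frozenset({"add_mfa_method", "add_mail_forwarding",
                               "grant_app_consent", "change_password"})


def evaluate_sign_in(si: SignIn, policy: Policy) -> str:
    """Return 'block', 'require_mfa' or 'allow'. Hard blocks run first so that a
    satisfied second factor can never mask a failed location or device check."""
    if si.legacy_protocol:
        return "block"                      # no way to enforce a second factor
    if si.country not in policy.allowed_countries:
        return "block"
    if not si.device_managed:
        return "block"
    start, end = policy.business_hours
    if not (start <= si.when.hour < end) and si.user not in policy.after_hours_users:
        return "block"
    if not si.mfa_satisfied:
        return "require_mfa"                # 2FA is mandatory everywhere
    return "allow"


def evaluate_account_change(si: SignIn, policy: Policy, change: str) -> str:
    """Post-login check: a sensitive account change needs a session that passes
    every sign-in rule, including a completed second factor; otherwise block."""
    if change not in SENSITIVE_CHANGES:
        return "allow"
    return "allow" if evaluate_sign_in(si, policy) == "allow" else "block"


# Constructed policy and sign-ins. "ZZ" is an ISO user-assigned code standing in
# for any country outside the allowed list.
POLICY = Policy(allowed_countries=frozenset({"US", "CA"}),
                after_hours_users=frozenset({"oncall@example.com"}))

SAMPLE_SIGN_INS = {
    "office_laptop":   SignIn("alice@example.com", "US", True, True, datetime(2021, 1, 12, 10, 15)),
    "no_mfa_yet":      SignIn("alice@example.com", "US", True, False, datetime(2021, 1, 12, 10, 16)),
    "foreign_ip":      SignIn("alice@example.com", "ZZ", True, True, datetime(2021, 1, 12, 10, 17)),
    "personal_phone":  SignIn("alice@example.com", "US", False, True, datetime(2021, 1, 12, 10, 18)),
    "midnight":        SignIn("alice@example.com", "US", True, True, datetime(2021, 1, 13, 1, 30)),
    "oncall_midnight": SignIn("oncall@example.com", "US", True, True, datetime(2021, 1, 13, 1, 31)),
    "imap_basic_auth": SignIn("alice@example.com", "US", True, False, datetime(2021, 1, 12, 10, 19),
                              legacy_protocol=True),
}


def run_samples() -> dict:
    """Evaluate every constructed sign-in against POLICY."""
    return {name: evaluate_sign_in(si, POLICY) for name, si in SAMPLE_SIGN_INS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:16} -> {decision}")
```

The ordering is the point: a sign-in from a managed device with MFA completed is still blocked at one in the morning or from an unexpected country, and a session that has not yet completed its second factor can read mail but cannot add a forwarding rule or register a new MFA method.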
Changes to Remote Connections/VPN
Connecting to a VPN is great and works well, but it comes with security challenges. A VPN gives the connected device or person full access to the network, the same as bringing the device into your office. Any device connecting to a VPN must be 100% verified as authorized and also must be managed in the same way all other devices are. Over time, we will be working to eliminate VPN if possible.
Incident Response Plan
An incident response plan is like a fire drill. It explains the process for reporting, recovery, task lists, and more. We will be requiring one for each customer, and testing it on a regular basis.
Cyber Security Insurance
If you don't have a cyber security insurance policy yet, now is the time to get one. They are generally inexpensive and are a necessity in the current landscape.
I don't have the space to talk about everything, but I hope this was informative and gives you a clear understanding of what is going on. If you are interested in learning more, please reach out.