Plain English Cyber using 3 articles, 2 numbers and 1 action.
This week: What is SIM Swap Fraud? How to reduce account hacks by 50%? How is GDPR driving demand for EU data centres? And how could the need to report an attack result in better cybersecurity?
This week’s action: Confirm that Multi-Factor-Authentication is turned on, especially on accounts used by IT.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.buzzsprout.com/1914497/10085065 or wherever you get your podcasts.
1: US legislation will reinforce the need for organisations to take cybersecurity seriously
“A legislative package known as the Strengthening American Cybersecurity Act proposes new requirements for private owners and federal agencies to address cybersecurity”.
The proposed legislation seeks “to ensure critical infrastructure entities such as banks, [..] can recover swiftly and continue providing services after breaches. To guarantee that, they want to mandate [that] owners and operators report substantial cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.”
If they pay a ransomware demand, the time limit drops to 24 hours.
So, you may ask, how could the requirement to report substantial attacks to a government agency ensure an organisation can recover swiftly from an attack? What is the link between ‘reporting’ and ‘recovering’?
After all, imagine you are trying to respond to a serious attack, contain the infection, get the bad guys out, and then recover operations. Now, on top of that, you will also need to ensure you report the attack to a government agency within 3 days (or maybe within 1 day).
How would this ensure you can recover more swiftly?
Because when an organisation knows a government agency will be informed, they also know the agency may follow up with more detailed questions. They may also apply more intense scrutiny on the organisation, start digging around, and identify that their security measures were weak or their recovery plans were doomed to fail. This could then lead to financial sanctions, some pretty bad PR and long-term reputational damage.
Strangely enough, if things could become public, people try harder.
2: GDPR drives a trend towards EU-only data hosting
For those who don’t know, Intercom is a billion-dollar Customer Communications Platform provider with 25,000 paying customers and has been regarded as one of “The Best, Brightest, Most Valuable Private Companies In The Cloud” for the last 5 years.
I noticed a recent announcement from the company that they “now offer European data hosting – allowing your most important data to remain entirely in Europe.”
As mentioned in their announcement, “over the last few years, hosting data locally to a region has become a preference for certain businesses with specific needs, or within certain industry verticals.”
Intercom is only the most recent vendor to make such an announcement.
There is a recurring uncertainty whenever information about people in the EU is stored or processed outside of the EU. The uncertainty arose when US-EU Safe Harbor was ruled to be invalid in 2015, and we had it again with EU-US Privacy Shield in 2020. Standard Contractual Clauses are also a problem now, with new SCCs published in June 2021. And as I mentioned a few weeks ago, recent rulings are currently causing a lot of uncertainty about the use of Google Analytics by websites that target people in the EU.
Businesses do not like uncertainty. And one way to remove uncertainty is to just keep the data in the EU. Cloud providers are responding to the growing market demand.
3: The challenges of moving from centralised control of IT to a decentralised model
An article on Protocol.com, recently shared by Ron Immink, discusses the challenges when an organisation tries to move from a centralised control model for IT to a decentralised model that allows teams and users to pick their own technology and build their own solutions.
As the article says, “you can’t be the only technology [team] in the company. But you cannot be at the other end of the spectrum, where you democratize so anyone can do anything.”
One business describes their budget strategy as akin to a venture capital firm, where teams with an idea “must prove why the investment is worthwhile to receive preliminary funding”. And then they must show a return before getting further funding.
I spoke about ‘small bets’ a few years ago, comparing how we find IT partners to how we find our life partners. You can read more at ‘Someone who makes me laugh. Must love dogs.’
Back to this Protocol article – there doesn’t seem to be a magic bullet. “It’s complicated [..]. If you don’t do it the right way you may have an insecure platform, you may not be adhering to all the data regulations [or] we may not adequately backup and restore all the things that we need”.
1: USD $68 million
$68 million is the cost of “SIM Swap” frauds reported to the FBI in 2021. SIM Swap Fraud involves scammers calling mobile company call centres and posing as you or me to get a new SIM card. Once they get the SIM, our calls, texts, and other data are diverted to the criminal’s device. This then allows the criminals to send ‘Forgot Password’ or ‘Account Recovery’ requests to our online accounts. If any of these accounts have MFA set up and this MFA involves a security code being sent as a text message to our mobile phone number, the criminals will get the security code.
This is why the FBI and Microsoft both recommend that we use authenticator apps that generate the required security codes. The criminal would need to get their hands on our phone before they would gain access to these codes.
2: 50%
Google has reported that account hacks dropped by 50% for the 150 million users who were forced by Google to adopt MFA in the last quarter of 2021. This is not quite as stunning as the figure quoted by Microsoft’s CISO last week (where he stated a belief that 99.9% of breaches are blocked by MFA), but 50% is still significant. And as Google states in this week’s article, “email accounts like Gmail are particularly important to protect: Resetting other passwords often goes through email, so a compromised email account can lead to other hacks.”
1: Confirm that Multi-Factor-Authentication is turned on, especially on accounts used by IT.
Multi-factor authentication. MFA. Yes, I am talking about it again.
MFA means your username and password are not sufficient to gain access to your account. The bad guys need more than just your username and password.
A username and password together are a single factor. To make it multi-factor, you need to add at least one more factor. For example:
- A security code generated by an app on your phone.
- A specific device that must be used to gain access.
- A fingerprint or facial recognition scan.
- A code sent to you as an email message or SMS message. [As mentioned earlier, this is not great, but better than nothing]
Ideally, it’s a combination of factors.
You need to check that all accounts are protected with Multi-Factor Authentication, especially important accounts like your email, as well as accounts that are accessible from the internet.
At work, don’t just look at your accounts and those of your business colleagues. Review the accounts used by IT support teams. After all, their accounts have the keys to the kingdom.
Where MFA is not available on a particular system, you need to consider the risk that this poses and find ways to mitigate this risk.
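As an added example of how to turn this week’s action into a repeatable check (my code, not the newsletter’s), the function below takes a list of account records, such as you might export from a directory or identity provider, and ranks each one by how urgently its MFA state needs attention. The severity rules are my assumptions, but they follow the priorities stated above: IT and admin accounts first, internet-facing accounts next, and SMS or email codes treated as weaker than an app, device or biometric factor. The sample records are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Second-factor strength, following the ranking in the action above (assumed).
STRONG_FACTORS = {"authenticator_app", "hardware_key", "biometric"}
WEAK_FACTORS = {"sms", "email"}

SEVERITY_LABELS = {3: "critical", 2: "high", 1: "medium", 0: "ok"}


@dataclass
class Account:
    name: str
    privileged: bool          # IT support / admin role: "keys to the kingdom"
    internet_facing: bool     # reachable from outside the network (e.g. email, VPN)
    mfa: Optional[str]        # None when no second factor is enabled


def assess(account: Account) -> tuple[int, str]:
    """Return (severity, reason) for one account. Severity 3 = fix first."""
    if account.mfa is None:
        if account.privileged:
            return 3, "no MFA on a privileged account"
        if account.internet_facing:
            return 2, "no MFA on an internet-facing account"
        return 1, "no MFA (internal, unprivileged); mitigate if MFA unavailable"
    if account.mfa in WEAK_FACTORS:
        if account.privileged:
            return 2, f"privileged account relies on {account.mfa} codes (SIM-swap risk)"
        return 1, f"{account.mfa} codes are better than nothing; move to an app"
    if account.mfa in STRONG_FACTORS:
        return 0, f"protected by {account.mfa}"
    raise ValueError(f"unrecognised MFA method {account.mfa!r} for {account.name}")


def audit(accounts: list[Account]) -> list[tuple[str, int, str]]:
    """Rank every account, most urgent first (stable sort keeps input order for ties)."""
    findings = [(a.name, *assess(a)) for a in accounts]
    return sorted(findings, key=lambda f: f[1], reverse=True)


def needs_attention(accounts: list[Account], threshold: int = 2) -> list[str]:
    """Names of accounts at or above the severity threshold: the to-do list."""
    return [name for name, sev, _ in audit(accounts) if sev >= threshold]


# Constructed sample export for illustration only.
SAMPLE_ACCOUNTS = [
    Account("it-helpdesk-admin", privileged=True, internet_facing=True, mfa=None),
    Account("ceo-mailbox", privileged=False, internet_facing=True, mfa="sms"),
    Account("backup-operator", privileged=True, internet_facing=False, mfa="sms"),
    Account("finance-share", privileged=False, internet_facing=False, mfa=None),
    Account("devops-lead", privileged=True, internet_facing=True, mfa="hardware_key"),
]


if __name__ == "__main__":
    for name, severity, reason in audit(SAMPLE_ACCOUNTS):
        print(f"{SEVERITY_LABELS[severity]:8} {name:20} {reason}")
```

Run against a real export, the list it prints is the order in which to work through the accounts; the IT support account with no MFA sits at the top, exactly the case the action singles out.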