Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: The White House advises us all to act now to protect against cyberattacks. A HubSpot breach may have exposed the customer information of crypto firms. And why you should be using a password manager.
This week’s action: When your staff are suspicious, make sure they can get a second opinion.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: White House FACT SHEET: Act Now to Protect Against Potential Cyberattacks
The White House “has warned repeatedly about the potential for Russia to engage in malicious cyber activity [..] in response to the unprecedented economic sanctions we have imposed. There is now evolving intelligence that Russia may be exploring options for potential cyberattacks”.
While the US government agencies are investing heavily to improve their defences, the White House recognises that “much of the Nation’s critical infrastructure is owned and operated by the private sector and the private sector must act to protect the critical services on which all Americans rely”.
What’s good enough for the Americans is good enough for the rest of us.
So what’s good enough?
The fact sheet urges companies to execute specific steps with urgency, including:
- The use of MFA on all systems
- An immediate review of all devices to ensure they are not running old versions of software that contain known security holes
- Backups of data, including offline backups that are beyond the reach of malicious actors operating over the internet
- Staff awareness training so they know the common tactics used by attackers to fool them, and so they know who to ask if they notice anything suspicious
- Exercises and drills to work out how you can respond quickly if a real attack were to happen
Read more: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/fact-sheet-act-now-to-protect-against-potential-cyberattacks/ via Secure The Village
2: HubSpot breached; the customer data of crypto firms targeted
“HubSpot suffered a cyberattack that saw data belonging to a number of high-profile cryptocurrency businesses taken, the company confirmed. In a blog post, HubSpot said that a bad actor compromised an account of one of its employees, and used it to target its customers in the cryptocurrency industry. [..] No one has yet claimed responsibility for the attack, and we don’t know what they’ll do with the data, or how exactly HubSpot’s endpoints got compromised. Chances are, they’ll try to sell it on the black market, where other threat actors might use it for stage-two attacks.”
HubSpot is a popular cloud-based CRM platform, and it sounds like it is used by a number of high-profile cryptocurrency firms to store information about their customers.
If this customer information was exposed in this attack, these customers may find themselves targeted in future attacks; for example, they may receive very targeted phishing emails that are designed to look like those sent by a cryptocurrency firm that they trust. As a result, these customers will be more likely to believe the malicious emails, increasing the likelihood that they will suffer a loss as a result of the HubSpot breach.
This is a clear example of why regulators and organisations are worried about supply chain / third-party / outsourcing risk. Customers are put at risk, not because of a breach at a firm that they use, but because of a breach at a third-party that the firm uses.
You are only as strong as your weakest link.
Read more: https://www.techradar.com/news/hubspot-hacked-putting-major-crypto-firms-at-risk via Crypto Curry Club
3: Not using a password manager? Here’s why you should be.
The Guardian recently published a detailed discussion about password managers, as well as alternative ways to keep your passwords safe. Here’s a taster:
“Passwords are one of the worst things about the internet. Long and complex passwords are more secure but difficult to remember, leaving many people using weak and easy-to-guess credentials. [..] Cybercriminals can crack weak passwords in seconds using automated tools. “A hacker needs roughly two seconds to crack an 11-character password made up of numbers. [..] If the password is more complex, containing numbers, symbols and uppercase and lowercase letters, the time needed to break it jumps to 400 years. [..] While password complexity does help, the length matters far more. [..] The typical internet user has about 100 sets of login details – memorising this number of complex passwords is well beyond most people’s powers of recall. Password manager apps can resolve this problem by creating long and complex credentials for you, and remembering them the next time you log in. [..] It might seem daunting at first, but a password manager will make your life a lot easier. [..] Since password managers take care of the remembering part, every password can be a long, totally random selection of characters”.
Another benefit mentioned in the article is that if you are fooled by a phishing email and end up on a malicious website that is designed to look like a genuine service (e.g. your online bank or email service provider), your password manager will not be fooled. It will spot that the URL of this site does not match the URL of the genuine site, and so it won’t auto-enter your password details. This will give you one more opportunity to spot a scam before it’s too late.
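To show what that URL check actually decides, here is an added illustration (not code from the Guardian article or from any particular password manager): a small autofill matcher that only offers a saved password when the page's scheme and host exactly match the site the credential was saved for. The vault entries and page URLs are constructed, including a lookalike domain and a userinfo trick.

```python
from urllib.parse import urlsplit

# Constructed sample vault: the site each credential was saved for -> (user, password).
VAULT = {
    "https://online.examplebank.com": ("alice", "correct horse battery staple"),
    "https://mail.example.org": ("alice@example.org", "another long random secret"),
}


def fill_host(url):
    """Return the lowercase hostname of url, or None if autofill should never happen.

    Plain http:// and unparsable URLs return None, so the caller will not fill.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def credential_for(page_url, vault=VAULT):
    """Return the (user, password) saved for page_url, or None if no site matches.

    Matching is on scheme + exact host, never on substrings or what the page
    looks like, so a saved 'online.examplebank.com' entry will not fill on
    'online.examplebank.com.evil.example' or 'onl1ne.examplebank.com'.
    (Real managers often match on the registrable domain instead; exact-host
    matching is the simpler choice that errs towards not filling.)
    """
    host = fill_host(page_url)
    if host is None:
        return None
    for site, cred in vault.items():
        if fill_host(site) == host:
            return cred
    return None


def autofill_decision(page_url):
    """Human-readable outcome: either fill, or prompt the user to check the address bar."""
    return "fill" if credential_for(page_url) else "no match: check the address"


if __name__ == "__main__":
    for url in ("https://online.examplebank.com/login",
                "https://online.examplebank.com.evil.example/login",
                "https://online.examplebank.com@evil.example/login"):
        print(url, "->", autofill_decision(url))
```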
There’s plenty of valuable information in this article so it’s worth a read. I also discussed my own attitude to password managers in a December 2021 issue of Cyber 3-2-1.
Read more: https://www.theguardian.com/technology/2022/mar/19/not-using-password-manager-why-you-should-online-security via Secure The Village
ESET researchers have discovered 3 different types of data wiping malware campaigns targeting Ukrainian organisations since the Russian invasion commenced on February 23rd.
“All these campaigns are only the latest in a long string of attacks to have hit high-profile targets in the country over the past eight years. [..] Ukraine has been on the receiving end of a number of highly disruptive cyberattacks since 2014, including the NotPetya attack that tore through the networks of a number of Ukrainian businesses in June 2017 before spreading beyond the country’s borders.”
Data wiper malware destroys files and system configuration information on an infected device’s hard drive. It also destroys data on any storage devices attached to the infected device. And finally, it may also be designed to spread to other devices within the organisation. Unless your backups are protected (e.g. stored offline), they may also get destroyed.
Read more: https://www.welivesecurity.com/2022/03/15/caddywiper-new-wiper-malware-discovered-ukraine/ via NCSC News
2: 10.8 million
The Central Bank of Ireland has fined BNY Mellon Fund Services (Ireland) almost €10.8m for regulatory breaches relating to outsourcing.
The CBI noted numerous failings, including the organisation “repeatedly failing to notify the Central Bank and obtain its approval prior to the commencement of new outsourcing arrangements” and failing “to ensure that its Internal Audit and Compliance functions examined all new outsourcing arrangements”.
The HubSpot breach that I mentioned earlier is a clear example of why the Central Bank of Ireland is so focused on outsourcing risk.
If your organisation is regulated by the Central Bank of Ireland, you may need to keep it informed of critical or important outsourcing arrangements. This includes outsourced IT services, unless you can find a way to show that IT services are not critical or important. And if your IT services are not critical or important to your organisation, I’d love to read your IT strategy.
Read more: https://www.centralbank.ie/news/article/press-release-bny-mellon-fund-services-(ireland)-dac-fined-reprimanded-for-regulatory-breaches-relating-to-outsourcing-24-march-2022
1: Suspicious? Get a second opinion.
The most common way that a cyber attacker gains entry into an organisation is by fooling a staff member into clicking a link or opening an attachment on an email.
You know you must train staff so they are aware of why and how they are targeted, so they’re less likely to be fooled by a phishing email. I deliver staff training that does not bore the life out of people.
You also need to ensure that when they have suspicions, they know there is an easy and quick way to ask an expert for a second opinion.
This could be your cybersecurity team, your IT support provider, or a staff member who is more experienced and knowledgeable about the current scams.
And if you can’t think of anyone, take a look at my Second Opinion service at https://codeinmotion.ie/second-opinion. For less than 50c per staff member per day, you’ll be covered.