Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: Why a contract doesn’t matter until it’s the only thing that matters. Why the US Department of Defence wants you to do as they say, not do as they do. And why colleges may need to attend a Security 101 class.
This week’s action: Check up on those ‘Access All Areas’ account holders.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: A contract doesn’t matter until it’s the only thing that matters
Bleeping Computer reports about warnings from the cybersecurity agencies of the US, UK, Canada, Australia and New Zealand (also known as the Five Eyes) that “Managed service providers (MSPs) make attractive targets for [cyber attacks].”
It makes sense. After all, why would the bad guys waste effort attacking one business when they can attack an IT MSP that has a trusted relationship with dozens of businesses, and has all of the account access necessary to wreak havoc across all of these businesses?
If you are a ‘normal’ business, you probably don’t have IT or cybersecurity expertise in-house. You rely on external MSPs for this expertise. And you know that these external MSPs have a level of access to your data and systems that is the IT equivalent of an Access All Areas festival pass.
The bad guys know this too.
This alert from the Five Eyes recommends a number of steps you must take to make sure these Access All Areas passes are being handled appropriately, including regular reviews of accounts to ensure those no longer in use are removed, and enforcing Multi-Factor Authentication on all MSP accounts. They also recommend that the contract between you and your MSP has a very clear description of roles and responsibilities. You need to be clear on what security activities are needed and who is responsible for them.
After helping many clients through painful experiences with MSPs and security breaches, I can tell you that the contract doesn’t matter, until the contract is all that matters.
2: Do as I say, not as I do
FedScoop recently reported that the US Department of Defence will soon require all of their contractors to comply with a new set of security standards.
The CMMC (Cybersecurity Maturity Model Certification) will force DoD contractors to meet a minimum of 110 security practices to ensure they have better security in place to protect sensitive data.
However, the most interesting part of the article is that only 78% of DoD’s various organisational units actually comply with the CMMC requirements. Apparently, many parts of the DoD would not be approved to process or store its own data if it applied its own security standard to itself.
If you work for larger clients or regulated financial services firms, you will encounter similar situations. While they may expect you to prove your alignment to a framework like CIS’ Critical Security Controls, NIST Cybersecurity Framework, or ISO 27001, don’t be surprised if they don’t align to these standards themselves.
Do as I say, not as I do.
3: Security 101: Multi-Factor Authentication
As reported by The Record, “the FBI [has] said U.S. college and university credentials are being advertised widely across cybercrime forums. [T]he FBI says it found more than 36,000 email and password combinations for email accounts ending in .edu publicly available on [sites used by cybercriminals to share and sell information]. [..] The FBI noted that the exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber attacks against individual users or affiliated organizations.”
While it’s disconcerting to think your password is known by the bad guys, it is not necessarily the end of the world. After all, if your account is protected with Multi-Factor Authentication, the bad guys will need more than just your password.
The number of critical vulnerabilities reported in Microsoft software during 2021, a 5% drop on the record numbers reported in 2020, according to the BeyondTrust Microsoft Vulnerabilities Report 2022 and reported by Tech Republic.
This is an average of 2 critical security gaps identified in Microsoft software per week.
The report authors repeat a recommendation that I’ve seen elsewhere (which is also included in my Cybersecurity Guide to the Basics and mentioned previously in Cyber 3-2-1): Removing administrator rights wherever possible will thwart many attacks that try to take advantage of these vulnerabilities.
2: €1.1 million
The amount of money stolen from a Dutch shipping company as part of an invoice redirection fraud in 2020. According to the Irish Independent, two people in Ireland have been arrested this week on suspicion of being involved, adding to the 700 suspects, 203 arrests, and 98 people charged by Gardai in Ireland in connection with similar types of frauds and connected to an international investigation into this particularly rampant cyber crime.
When we think about cyber attacks, we might think of sophisticated attacks launched by nation state cyber experts. But most cyber crimes against most businesses involve an email fooling a staff member into transferring money to the cyber criminal’s account. Nothing sophisticated about it. My Cybersecurity Guide to the Basics explains some simple steps you can take to defend your business.
1: Check up on your Access All Areas festival pass holders
Following up on the Five Eyes’ warning about an increasing number of attacks against IT managed service providers, you need to make sure your IT service providers are not an easy target for these cyber attackers. Because if they get breached, you could be next.
After all, your accounts let you see your own data and any files shared within the team or company. In comparison, their accounts let them see all of this and more. They also allow them to change settings on your computers and install whatever software they like. It is really an ‘Access All Areas’ scenario.
You need to ask your IT providers how they are securing these powerful accounts, and confirm they are not a weak link in your security defences.
Take a look at the guidance from the Five Eyes group.
I’m also currently writing up a checklist of things that a small or medium-sized business should run through with their IT service providers, to make sure the basics are covered. I’ll publish it on my site when it’s ready, but if you want a copy in the meantime, just let me know.