Be concerned about Cybersecurity…even if your data is in “The Cloud”

By Russ Hensley, CEO CISSP

“The Cloud” is a vague but sexy marketing term that has evolved as technology has moved from servers located inside your business to servers somewhere on the internet. Before the term caught on around 2006, the same arrangement was commonly called “server co-location” or “hosting”. Simply put, customers rent computer services running on the outsourcing company's hardware, which is connected to the public internet. Most of the time that hardware is shared with other companies, and depending on the provider you rent from there could be dozens to thousands of other tenants on it. Examples of these companies include Microsoft, Google, Amazon and private-cloud providers.

Tenants in a cloud environment should be properly separated from one another; that isolation is the provider's core business, whether the space is shared or dedicated to you. But the server is not the only thing that needs securing.

For example, you first log into a PC in your office, which connects to the local network, which connects to the public internet, and only then do you reach your “Cloud Service Provider” for anything from Microsoft Office to your practice's billing system or credit card processing.

In this real-world scenario, we must protect every layer in that chain. The PC itself (Apple Mac or Microsoft Windows) needs supported security patches (software updates) applied regularly as the manufacturer releases them. Even your iPhone (which may be connected to your network) receives patches, sometimes weekly. These updates are how the manufacturer protects its product, and you, the end user, in the process.

Most operating systems also need anti-virus and anti-malware protection to keep the machine from being compromised. Here is where the “my data is in the cloud and I don't need to worry” scenario leaves the rails. If you used your computer for only one thing, allowed no internet traffic to anything other than your cloud service provider, and let no other devices onto your network, you would be in a somewhat better position. That is not the typical reality. At the very least, most businesses allow employee devices, notebooks for example, to come and go.

Let's talk about two scenarios: in one you work on a desktop computer that never leaves the office, in the other you have a notebook computer you travel with for work.

In the first scenario, while at work on your desktop you browse the internet looking for office supplies. We hope your firewall has the right software on it to stop malicious software from being installed on your desktop while you use search engines. Threat actors (the current term for hackers) buy malicious advertisements that inject code into your web browser when the page loads; you don't even need to click on the ad for it to try something. If the firewall does not have that protection, we hope the anti-virus or anti-malware software stops it once the page loads in your browser. If none of those tools are in place and your operating system is not up to date, you could end up with something like a keylogger installed on your desktop computer.

And why is this bad, you might ask? If your cloud service is not protected with multi-factor authentication and you type your user name and password, or your bank account and routing numbers, while a keylogger is running, the threat actor now has the access and the information straight from your own keyboard.

Sidestep with me into an actual scenario. A few years ago, we had a client who was very confident in their anti-virus software (now commonly called an endpoint detection and response, or EDR, application), but it was NOT monitored. As a suggestion, we offered to cover that client with 5 of our SentinelOne agents for a month for free. Within 5 hours of installing the tool, it detected 7 keyloggers installed on the 5 computers, one of which was actively sending information back to a server in New York from the assistant CFO's computer, which was used to access all of that company's banking information, holding millions of dollars in a handful of bank accounts. This example could be your company if it is not taking the proper steps to protect the process of handling data from the device connecting to the cloud, where you could potentially expose financial or customer information.

On to the laptop, which has several scenarios where data can be compromised. It's as simple as having the device stolen from your car. Users accessing their cloud service provider often download data to work on their notebook when not connected to the internet: customer sales information or patient data for whatever analysis the business needs. That cloud data is now stored on your laptop, unencrypted. You go to the beach and your laptop is stolen from your rental car. The thieves pull your hard drive, plug it into a $20 adapter from eBay, search it for anything that looks important and sell it in a dark web group for $3 to $190 per identity. This type of theft accounts for about 4% of data theft. Full-disk encryption (BitLocker on Windows, FileVault on macOS) is the control that defeats the drive-pull: without the user's login or recovery key, the stolen drive yields only ciphertext.

My last laptop example, in case you diligently encrypt all of your files, involves your computer leaving your now well-protected business network when you simply go home. At home we have networks full of smart televisions, Apple TV, Roku and Amazon Fire sticks, Nest thermostats and more. Then there are the other people at home, your spouse and perhaps children, who all have devices sharing your network. The prudent network design is to separate your smart devices into their own network, your kids into their own, and your work device into its own protected little piece of the network, but that is not reality for the majority of homes. We simply pile as many things as we can onto the same network, give our friends' kids the Wi-Fi key when they come over and move on, assuming the world is great.

However, I can tell you from personal observations in our retail operations that those devices are often infected with malware that the kids and spouses have no idea is installed. Simply put, a piece of malware such as Emotet somehow makes it onto your network. This malware is able to move across the network from machine to machine, install itself on unprotected devices, and sit and wait, listening for banking information. Once it has its payload, the threat actor uses it for remote access and then for ransomware deployment.

So your work laptop, now infected with Emotet, goes back to work with you the next day and connects to the work network, presenting the attacker with an entire new network of targets (or your spouse's now-infected notebook does the same at their office). The threat actors see this new treasure trove and start scanning. If they can exploit a machine and gain access, they quietly download your customer data in the background using common tools like Dropbox or OneDrive, so that the traffic blends in and does not alert network monitors. Once they have it, they send the command to detonate the ransomware in your business network, and every machine they have a foothold on is now encrypted.
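Detection logic for the exfiltration step described above, as an added example that is not from the original article. It parses a constructed sample of outbound proxy log lines (made up for this example; the five-field layout is an assumption, real proxies log more fields) and flags any host that pushes more than a threshold of bytes to consumer file-sync services within a ten-minute window. The domain list, threshold and window are assumptions to tune for your environment, and in a business that legitimately uses OneDrive or Dropbox you would allow-list the sanctioned accounts or hosts, otherwise the alert fires on every normal sync.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Assumed layout per line:
#   <epoch seconds> <source host> <HTTP method> <destination host> <bytes sent>
SAMPLE_LOG = """\
1620700000 FIN-WS-07 GET login.microsoftonline.com 1843
1620700031 FIN-WS-07 PUT content.dropboxapi.com 52428800
1620700095 FIN-WS-07 PUT content.dropboxapi.com 52428800
1620700160 FIN-WS-07 PUT content.dropboxapi.com 52428800
1620700400 FIN-WS-07 PUT content.dropboxapi.com 52428800
1620700200 RCPT-WS-02 GET www.officesupplies.example 912
1620700230 RCPT-WS-02 POST api.onedrive.com 4096
1620700300 MKT-LT-11 PUT api.onedrive.com 31457280
this line is garbage and must not crash the parser
"""

# Assumed watch list of consumer file-sync endpoints; extend from your own proxy logs.
FILE_SYNC_DOMAINS = {
    "content.dropboxapi.com", "api.dropboxapi.com", "www.dropbox.com",
    "api.onedrive.com", "onedrive.live.com",
}
UPLOAD_THRESHOLD = 100 * 1024 * 1024   # 100 MiB per host per window (assumption)
WINDOW_SECONDS = 600                   # ten-minute sliding window (assumption)

LINE = re.compile(r"^(\d+) (\S+) (GET|PUT|POST) (\S+) (\d+)$")


def parse(log_text: str) -> list:
    """Turn raw lines into (ts, host, method, dest, bytes) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, host, method, dest, nbytes = m.groups()
        events.append((int(ts), host, method, dest, int(nbytes)))
    return events


def detect_bulk_uploads(log_text: str, threshold: int = UPLOAD_THRESHOLD,
                        window: int = WINDOW_SECONDS) -> list:
    """Return one alert per (host, domain) whose upload volume inside any `window`-second
    span exceeds `threshold`. Only PUT/POST count: downloads from the same service are normal."""
    uploads = defaultdict(list)
    for ts, host, method, dest, nbytes in parse(log_text):
        if method in ("PUT", "POST") and dest in FILE_SYNC_DOMAINS:
            uploads[(host, dest)].append((ts, nbytes))

    alerts = []
    for (host, dest), evs in uploads.items():
        evs.sort()                       # log lines are not guaranteed to be in time order
        total, start, worst = 0, 0, None
        for end in range(len(evs)):      # two-pointer sliding window over sorted events
            total += evs[end][1]
            while evs[end][0] - evs[start][0] > window:
                total -= evs[start][1]
                start += 1
            if total > threshold and (worst is None or total > worst["bytes"]):
                worst = {"host": host, "domain": dest, "bytes": total,
                         "first_seen": evs[start][0], "last_seen": evs[end][0]}
        if worst:
            alerts.append(worst)
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_uploads(SAMPLE_LOG):
        print(f"ALERT {a['host']} -> {a['domain']}: {a['bytes'] // (1024 * 1024)} MiB "
              f"between {a['first_seen']} and {a['last_seen']}")
```

In the sample only FIN-WS-07 trips the rule (four 50 MiB uploads to Dropbox inside six minutes); the 30 MiB OneDrive upload from the marketing laptop stays under the threshold. Per-host baselines (what each machine normally uploads) catch slower, spread-out exfiltration that a fixed threshold misses.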

You get a nice “pay me to decrypt your data” message on every machine they control. Now, even though your data is in the cloud, you have to reload every machine on the network and start a containment and cleaning process. If you're unlucky and the data you need is not in the cloud, you will have to recover from backups or pay the ransom. Ransoms can run from $5,000 into the millions; in my experience there is no real understanding yet of how the rates are set. If your systems hold customer information, you have to hire a cyber forensics company to attest whether your data was viewed or compromised. Hopefully you have cyber insurance to pay the average $100,000 that all of these services will cost.

In short, just because your data is in “The Cloud” does not relieve you of the responsibility to protect the computers and networks that access it there. Proper policies and tools should be in place to understand and protect your systems.

We've made a short checklist of the MOST basic steps for your business to review:

  • Does your business have cyber insurance?
  • Do you have multi-factor authentication enabled on all of your cloud service providers, so that logging in requires both a password and a code from an authenticator app on your phone?
  • Does your internet firewall have content filtering and malware protection?
    • Is it turned on?
  • Do you have the critical files on your server, computers and cloud environment backed up?
    • Have you tested restoring from that backup?
  • Do you have anti-virus software with an actively supported subscription?
  • Do you at least have automatic patching enabled on your computers, and do you reboot them as needed for the patches to be installed?
  • Do you have a basic security training program for your users to educate them about hacking and phishing, to prevent attacks?
  • Do you have a framework for your business, such as the NIST Cybersecurity Framework, to check that you understand your business's data and policies?
  • Does your IT person understand the items in this checklist?
    • If you use an IT company, do they have someone on staff who is certified, such as a Certified Information Systems Security Professional?
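For the two backup items on the checklist, here is what “tested that backup” can mean in practice, as an added example that is not from the original article. It records a SHA-256 manifest of the files before backup and then verifies a restored copy file by file, reporting anything missing, truncated or altered. The directory layout, file names and contents are constructed for the example; the helper names are this example's own. The same manifest check run against a real restore drill is the evidence that the backup is actually usable, which a successful “backup completed” log line does not prove.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256 and size. Take this BEFORE the
    backup runs and store it somewhere other than the backup itself."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": file_sha256(p), "size": p.stat().st_size}
    return manifest


def verify_restore(manifest: dict, restored: Path) -> list:
    """Compare a restored tree against the manifest. Empty list means complete and intact;
    otherwise one human-readable problem per file (missing, wrong size, wrong content)."""
    problems = []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif p.stat().st_size != expected["size"]:
            problems.append(f"size mismatch: {rel}")
        elif file_sha256(p) != expected["sha256"]:
            problems.append(f"content mismatch: {rel}")
    return problems


def demo() -> tuple:
    """Constructed restore drill: back up a small tree, restore it and verify (clean);
    then damage the restored copy and verify again (two problems reported)."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        restore = Path(tmp) / "restore"
        (live / "billing").mkdir(parents=True)
        (live / "billing" / "invoices.csv").write_text("id,amount\n1,100\n")
        (live / "patients.txt").write_text("constructed sample, not real data\n")

        manifest = build_manifest(live)          # baseline taken from the live data
        shutil.copytree(live, backup)            # stands in for the backup job
        shutil.copytree(backup, restore)         # stands in for the restore drill
        clean = verify_restore(manifest, restore)

        # Simulate a bad restore: one file silently altered (same size), one file lost.
        (restore / "billing" / "invoices.csv").write_text("id,amount\n1,999\n")
        os.remove(restore / "patients.txt")
        damaged = verify_restore(manifest, restore)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore problems:", clean)
    print("damaged restore problems:", damaged)
```

The size check alone would have missed the altered invoice (same byte count, different content); the hash catches it. Schedule the manifest build with the backup job and the verify step with a periodic restore to a scratch location.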

https://www.linkedin.com/pulse/concerned-cybersecurityeven-your-data-cloud-russ-hensley-

Patching computers is very important for modern cybersecurity.

By: Russ Hensley, CEO CISSP
Lexington, KY

Day in and day out we're asked about operating system patching and its role in managed services or managed cybersecurity.

What is patching? What happens to cause patching? Do I need patching? Why is patching important to cybersecurity or normal operations? Why did the patch break my computer? Whose fault is it when the patch breaks the machine?

How did it start?

Starting in 2003, Microsoft got structured about patching because, honestly, it broke a lot of things, and random, sporadic, chaotic patching was inefficient to say the least. Since then the patching process has evolved into tiers: security, critical, emergency, application, workstation and server patching, to name the common groups.

Cybersecurity firms and software developers produce lists of “holes” in software, called vulnerabilities, found through intentional or unintentional discovery. Vulnerability identification is a double-edged sword. Once confirmed, it alerts the developer, Microsoft or Adobe for example, that there is in fact a confirmed hole and what its nature is, and the hole gets an entry in a vulnerability database (a CVE identifier, for example). The downside is that now not only the developer and the user know about it, but also the threat actor, who may look it over and figure out how to exploit the vulnerability in an attack.

Nowadays, with ransomware and the internet, patches are frequent and plentiful, and they come very fast when the vulnerabilities are really bad. Just last week's Patch Tuesday alone (May 11, 2021) contained 55 vulnerability patches from Microsoft's resources: 4 Critical, 50 Important and 1 Moderate. The breakdown is here from the CompTIA ISAO weekly update video.

Surface devices, for example, now get firmware updates on the third Tuesday, and non-security patches for Office come on the first Tuesday.

Patches are developed in the white box and tested as well as they can be so they do not nuke your machine and create “Crash Wednesday”, the day the patch actually gets applied to your system and forces a reboot if you're not on a managed patch plan. Sometimes patches are simply incompatible or fail, and in a patch management system you may see bad patches blacklisted so they are not applied to other machines once they have failed in testing or deployment. Microsoft delivers the best product it can, but the customer's environment can vary dramatically from the testing scenario.

How much is enough?

I personally believe in aggressive patching, where patches are downloaded and workstations are rebooted frequently, and servers as needed based on patch level, no less than once a week in some cases. When a business has users with internet and email access, patching is critical to addressing security issues; in environments that hold consumer data it should be taken very seriously, but anywhere that production depends on technology working, patching should be managed. These environments are typically the best suited for managed services and managed cybersecurity services.

What drives cost?

Some customers opt not to patch or not to be on a patch management process, for various reasons: perhaps conflicts with software applications, or budgetary constraints. However, with the interconnected tissue of virtual machines, hardware firmware levels and so on, it's almost impossible not to have to catch up on patching at some point for security reasons. None of this covers software versions that have been marked end-of-support and receive no patches; it concerns current production operating systems. Even endpoint detection and response engines require the operating system to be patched in order to provide the security level they are designed for. Otherwise, it's like sailing a leaking boat.

Our clients who aren't in a patch management or managed services process end up paying exorbitant service fees for patching rather than our fixed managed services fees. Our NOC team tests, blacklists, deploys and remediates server operating system patches and some applications within those fixed fees, in the long run saving thousands of dollars by continuously patching and keeping operating systems up to date.

It is a complex discussion and sometimes there are complex answers, but for the most part managed services address the huge amount of patching that is going on for the best value.

Cybersecurity is broken because of the loose approach by business management

By: Russ Hensley, CEO CISSP
Lexington, KY

The current approach to cybersecurity is broken.   In general, the public has embraced the “it won’t happen to me” mentality.  In the end, the safety net is that the IT service provider or in-house IT admin is “taking care of that.”

If you are one of our clients, you have been presented with a set of quotes that we internally call our security stack. Our stack is built around the National Institute of Standards and Technology's Cybersecurity Framework (CSF). The NIST CSF is derived from computer security guidance that is woven into healthcare, banking and national security information security policies. Quite simply, ALL businesses should understand what these frameworks are telling them to have in place. If your business is technology driven, and if you think there would be OUTRAGE if the business were offline for 3 days, then you should already have implemented it.

Our job is to work with our clients to provide the technical tools that help prevent intrusion. With our assistance, our clients must also invest by implementing frameworks and structuring policies. Security program recommendations for data backup policies, remote worker policies, password policy and a security training program for employees are the foundation of protecting your business.

Our banking and healthcare clients have lived in overload dealing with these requirements. However, many businesses in the nation pay little to no attention to the threat. Cybersecurity services are often viewed as unnecessary overhead UNTIL something happens. At that point the “overhead” is exorbitant, and they realize they do not have the insurance that will be needed to pay the $100,000 or more labor bill for recovery, the $30,000 legal bill for their attorneys and the $80,000 for cyber forensics investigators, not to mention media/PR control and the loss of revenue while they are down. Insurance companies are not shy about letting it be known that they are reducing payouts and increasing premiums because of the lack of implementation and the rise in the number of attacks.

Something needs to be done to better prevent incidents like the Colonial Pipeline ransomware attack, and to inspect the actions taken in response to them. A single attack CAN affect the average American. “It can't happen to me” is no longer adequate.

Fixing the approach begins with our legislators understanding these issues, not at the nerdy intrusion-and-penetration hacker level, but in terms of the policies to be implemented and the educational programs about what has to be dealt with.