Home Posts tagged Cyberattacks
Cover Story

Beyond the Firewall

The recent spate of high-profile cyberattacks, many involving paid ransoms featuring six or seven zeroes, has brought an ongoing, and escalating, problem even more to the forefront. Businesses are being advised that the problem needs to be managed — before the worst happens. That means having a detailed plan involving many layers to keep things safe.

 

As he talks about cybersecurity, Charlie Christianson, owner of CMD Technology Group, equates that art and science (mostly science) to an onion.

By that, he means it has layers — many of them — with each one being important to the desired end in this matter: keeping one’s data, business, financial information, and perhaps life and livelihood safe.

“The goal isn’t to have one be-all, end-all product or solution that’s going to protect you — it’s a variety of things,” he explained. “It’s about trying to put as many layers between the threat on the outside and the asset, which is at the core.

“Most people understand the firewall discussion,” he went on. “But what they’re starting to understand is that it’s not just the stuff that protects you — it’s your staff, it’s your people, it’s the training, it’s the education, it’s the policies, and having all that in place.”

Christenson, like everyone else in this business, has been making this onion analogy — or whatever phraseology they use to get their points across — quite often these days. That’s because cybersecurity — mostly in the form of high-profile, as in very high-profile, attacks — has been in the news lately. Again. Or still, to be more accurate.

These attacks have come one after another: the Colonial Pipeline, the steamship service to the islands in Massachusetts, the meat company JBS, and many others.

Collectively, what these hacks have shown that businesses across all sectors are vulnerable, and this isn’t a problem for other people to worry about.

That has always been the case, said those we spoke with, but the recent spate of cyberattacks and the relentless coverage of them have served as a needed wakeup call for business owners of all sizes, most of which — the number varies depending on who you talk to, but it’s at least 50% — are simply not ready to handle or respond to the kind of attacks seen lately.

Charlie Christianson

Charlie Christianson likens cybersecurity to an onion; both have, or should have, many layers.

Which brings Christianson back to his onion, and Phil Bianco to diabetes, or type 2 diabetes, to be exact.

“It’s always easier to prevent diabetes than to treat it after the fact,” said Bianco, chief technical officer with Melillo Consulting, which has three offices in the Northeast, including one in Springfield. “It’s the same thing with security — it’s always easier to manage things prior to the incident and be prepared for that and act appropriately.”

Elaborating, he said there are many elements to the process of managing before something bad happens, everything from having your system assessed so that vulnerabilities can be identified to acting on the recommendations listed in that assessment; from training employees on how spot suspicious e-mails to knowing what to do and whom to call when your system is attacked.

And while Melillo and all other firms in this business sector will do remediation — coming in after the hack and putting things back as they were, to the extent possible — and “stop the bleeding,” as Bianco put it, businesses would find it much better, and cheaper, if they hired the same company to handle preparation and prevention and work to eliminate the cuts that cause the bleeding.

“The goal isn’t to have one be-all, end-all product or solution that’s going to protect you — it’s a variety of things. It’s about trying to put as many layers between the threat on the outside and the asset, which is at the core.”

The high-profile cyberattacks of the past few weeks are an indication of how widespread the problem is, but they are also misleading to some extent, said those we spoke with, because they have involved mostly larger businesses and entities with very deep pockets, as evidenced by the size of the ransoms they paid. The sobering reality is that small businesses are a more attractive target because they are likely to be less prepared for such an attack.

“Cyberattacks are really a numbers game, and small businesses are less likely to invest in the cybersecurity practices, so they’re seen as low-hanging fruit,” said Lauren Ostberg, an attorney with the Springfield-based firm Bulkley Richardson (and a member of BusinessWest’s 40 Under Forty class of 2021), who helped spearhead the launch of the firm’s cybersecurity practice.

Lauren Ostberg

Lauren Ostberg says small businesses, many without IT teams or sophisticated cybersecurity systems, are low-hanging fruit for hackers.

“And these attackers also sell each other pre-made malware, so less sophisticated attackers can just send out 100 different phishing e-mails, see what sticks, and then attack there,” she explained. “So nonprofits are at risk, small- to medium-sized businesses are at risk, and, in most cases, they don’t have the insurance to back them up to minimize that risk, and they don’t realize how vulnerable they are.”

Everyone should now understand just how vulnerable they are, said those we spoke with, adding quickly that some remain slow to take action and adjust to what is a troubling new world order. Those who don’t adjust do so at their peril, said these experts, adding that recent events show just how easy it is to be attacked, and how painful, costly, and time-consuming it is to repair the damage that’s been done.

 

What the Hack?

As they talked about those behind all the cyberattacks going on in the world right now, those we spoke with used a wide array of descriptive adjectives to let people know just whom they’re dealing with.

Words like sophisticated, diabolical, persistent, and relentless were used early and quite often, as was another that should get the hair up on every business owner: automated.

“It is only a matter of time before any organization falls victim to one of these attacks,” said Joel Mollison, president of Westfield-based Northeast IT, who said this inevitability shouldn’t prompt paralysis, but instead well-thought-out action to prevent (to the extent possible) such an attack, and then recover as quickly and painlessly as possible if an attack does occur.

“It’s always easier to prevent diabetes than to treat it after the fact. It’s the same thing with security — it’s always easier to manage things prior to the incident and be prepared for that and act appropriately.”

Mollison puts it in clear perspective, if anyone wasn’t already sure.

“Typically, we find that most organizations have basic security measures in place, but rarely understand their level of potential exposure or impact on operations during such an event,” he said. “The ability to recover from one of these events varies widely based on size of the organization, data volume, and locations of data and services. Even in the best-case scenarios, this process can take many days or weeks.

“Business operations are almost always crippled to a marginal capacity while systems are recovered,” he went on. “The financial impact, even without having to pay a ransom, is often devastating, and most cyber liability policies are underfunded, which compounds the problem. There are also compliance, reporting, and legal factors that are part of the recovery process that are often overlooked.”

Stan Bates, director of Business Development for Melillo, agreed. Relating some recent and current cases his firm is handling, he said they effectively communicate how widespread the problem is, what issues and problems are confronting business owners, the costs involved (and there are many of them), and the direction this matter is taking.

Joel Mollison

Given the sophistication and persistence of today’s cybercriminals, Joel Mollison says it’s only a matter of time before any organization falls victim to an attack.

One involves a large nonprofit in the healthcare sector, he said, adding that this client found out the hard way all that can be involved with returning things to the way they were before the attack.

“It got hit really hard, and they called us to help fix the situation,” Bates recalled. “They were hacked, they put their system down, they were out of e-mail, they were out of just about everything you can think of. The sad part was they weren’t prepared to know what to do, and to top it off, their insurance company forced them to use their security group, which had a limited knowledge of their network, and pay for those services, while also paying us to come in and help those guys understand what they had and fix it.

“They’re up and running,” he went on. “But it took about two weeks.”

Another case involves a small machine shop in the Hartford area, he said, adding that this small business has been informed that, if it wants to keep getting contracts from the federal government, it must meet a series of guidelines regarding cyberattacks and being fully prepared for them. “It’s going to run about $4,000 to $5,000 a month for us to monitor and secure his system and hit the score the federal government is telling him to hit.”

 

Something’s Phishy

These anecdotes are just some of many that help tell the story of how cybersecurity is becoming a huge issue for business owners and managers, one they can no longer ignore — not that they could really ignore it before.

Indeed, such sobering messages have been delivered with increasing frequency over the past several weeks as the high-profile attacks — and the ransom payments that include six and sometimes seven zeroes — come with increasing regularity. And they have certainly stimulated some interest within the business community, and also government offices and nonprofits, to be ready, or at least more ready.

“The conversations have changed. In the past, there were certain people you could talk to until you were blue in the face, and it was purely a dollars-and-cents discussion: ‘you want me to spend how much in a firewall, or this piece of software?’ Now, it’s ‘what can we do?’”

“The conversations have changed,” Christianson said. “In the past, there were certain people you could talk to until you were blue in the face, and it was purely a dollars-and-cents discussion: ‘you want me to spend how much in a firewall, or this piece of software?’ Now, it’s ‘what can we do?’”

Ostberg agreed. “People are taking the matter more seriously, and they’re taking me more seriously when I tell them they have to plan for cybersecurity incidents,” she said. “I’ve noticed an increase in concern, especially about ransomware, which can really cripple a business.

“The Massachusetts regulations and the advice I give my clients provide a lot of good ideas about ways to prevent or mitigate some of the risk that would be caused by some of the hacks we’re seeing,” she went on. “And it’s focused on building layers of prevention.”

At or near the top of any list of prevention measures is training, specifically involving the detection of phishing e-mails, which comprise the entry point for most of the hacks that occur today, according to those we spoke with.

Melillo Consulting

Members of the team at Melillo Consulting, from left, Phil Bianco, Doug Morrison, and Stan Bates.

As they talked about these e-mails, they summoned some of those same adjectives as they tried to convey just how sophisticated they have become.

“The phishing is getting more elaborate, and the social engineering that goes behind it is far more advanced than what we’ve seen in the past,” said Doug Morrison, practice director for the Development Operations team at Melillo. “It used to be that the e-mails were intentionally easy to sleuth out, because that way they could weed out the people they didn’t want; they wanted the people who were easily fooled to click on the link. But now, it’s getting very elaborate and very difficult to tell real e-mails from the fake e-mails.”

With this level of sophistication, Bianco said, it really is only a matter of time before someone makes a mistake and opens the door for a cyberattacker. But training and knowing to be on alert and skeptical of everything remotely suspicious are still critical to help minimize such incidents.

“Know who you’re doing business with,” he said. “Trust an e-mail if it’s someone you’ve done business with in the past. And if it isn’t someone you’ve done business with in the past, be skeptical of that; if you’re in question, send it over to your IT team, and let them take a look at it. If they see a bad e-mail, they can tell you immediately, ‘hey, we’ve seen this before, this is not something you should work with — please delete this or quarantine this,’ or, if they haven’t seen it, they can send it on to an anti-spam or anti-virus protection service that they’ve engaged with, and that individual or group can look at it across multiple things that they’ve seen.”

In dealing with suspicious e-mails, Bates cited his own firm as an example of the kind of rigorous training that can and should go on.

“We do quarterly training — each employee has to take a test and pass it,” he explained. “It’s terribly difficult, but it instills in your mind some of the things that are going on out there. Just the other day, we got hit, but everyone in the organization was smart enough, because of their training, to delete before they opened.”

 

Backup Plan

Because of the seeming inevitability that these sophisticated phishing attacks will succeed, businesses of all sizes need to have all the other layers of that onion to fully protect themselves from attacks — the training and the policies, in addition to the hardware and software.

“You have to have all the other layers in place because you simply cannot rely on humans not to click on e-mails at the pace that they’re required to do,” said Morrison, noting, as others did, that subsequent layers include a firewall, backing up all information, and encryption of information.

As noted, there are layers to backing up information, said the experts we spoke with, noting that the best solution is to isolate the backups as much as possible from the main network.

“Most companies do back up, but these malwares that do ransomware are pretty sophisticated,” Bianco explained. “The average time that that individual has compromised your network is typically a month or more. And in that month or more, they can go through and encrypt your backups as well as your production-installed system, your code bases, and things like that.

“Know who you’re doing business with. Trust an e-mail if it’s someone you’ve done business with in the past. And if it isn’t someone you’ve done business with in the past, be skeptical of that.”

“And they have a pretty sophisticated map of what your environment looks like, so we’ve been working with customers to do what’s called air-gabbing backups,” he went on. “Once that infrastructure is backed up, it’s completely separated from your network, so it can’t be encrypted.”

Christianson agreed, and noted that such independent, often off-site backup systems need to not only be in place, but be monitored as well.

“We’ve all heard the stories … people think they’re backing up for a long period of time, only to find out that, when they need it, the backups are not working,” he said. “That’s why people are starting to realize that it’s really important to have these systems monitored in some fashion, and that there are multiple layers.”

As for whether to pay that ransom … most consultants, and lawyers like Ostberg, certainly recommend against that practice, although that hasn’t stopped many of those who have been attacked from paying out millions in Bitcoin.

“One of the things that’s just awful is seeing people pay the ransom,” Christianson said, “because that’s not the answer. You’re just encouraging them to come back — and they will come back, not to mention the fact that they give you the key and you get your data, but you have no idea what they dropped in there and left for a back door.

“Honestly, in some cases, the only way to know is to reformat it, reinstall it all, scan the heck out of the data, and bring it back from the ground up,” he went on. “Or, manage a good disaster-recovery backup plan.”

Which brings him all the way back to that onion he referenced at the top. It should have many, many layers, he said, with more added as they become available and necessary, because what worked and what was enough a few years ago probably isn’t enough now, and certainly won’t be enough a few years and maybe even a few months from now.

That’s how quickly and profoundly the scene is changing when it comes to cybersecurity and protecting a business, nonprofit, school system, government agency, or household from those who would do it harm.

Managing the problem is all-important, said those who spoke with, but what’s most important is managing it before the worst happens — because doing so can often prevent the worst from happening.

 

George O’Brien can be reached at [email protected]

Technology

Attack the Problem

By Sean Hogan

Over the course of my time as a business owner, I’ve been asked many times, ‘what keeps you up at night?’

In the early days, I would have said ‘payroll, employees, and sales,’ and maybe not necessarily in that order. Today my answer would be ‘cybersecurity.’

As things have advanced in technology, the web, connectivity, and social media, we have created an easy avenue to our data. Our exposure to hacking is one port away on your firewall, and in some cases, someone may have already breached that firewall.

Security practices in the past do not hold up to complex hacking attacks that are constantly barraging the internet. It used to be adequate to have complex passwords and updated computers with all the patches and security updates. The hackers have concentrated on the lowest-cost and easiest way to infect your computers.

Sean Hogan

Sean Hogan

In most cases, it’s a phishing attack. Phishing attacks are e-mails disguised as a reputable company with a clickable link or some embedded malware. The cyberthieves send out thousands of these attacks and lie in wait until some innocent victim opens the e-mail and clicks on the link or attachment. The malicious robot servers automatically churn out these e-mails, and before they know it, their device and network are infected.

Many of these attacks are designed to install ransomware or access all your critical data. The ransomware will lock down the machine and encrypt your data. They will contact you and request bitcoin to then release your data. Some hackers will pull your data, including contacts and personal information, and post or sell your data to the dark web.

Hacking has evolved greatly within the past few years. In the early days, we would receive a letter from the Nigerian prince, looking to transfer $7 million to you just for good measure. Modern-day hacks and phishing e-mails are very complex; they quite often mimic FedEx, UPS, and customer e-mails so you are more prone to click on the bait.

“As things have advanced in technology, the web, connectivity, and social media we have created an easy avenue to our data. Our exposure to hacking is one port away on your firewall and in some cases, they may have already breached that firewall.”

The most successful program to prevent phishing attacks is training. There are several services that offer security-awareness training (SAT). When you sign up for this type of training, you will be taught what to look for in phishing e-mails and how to respond. The SAT will also include a ‘fake attack’ so you can measure the results at your business and use it as a teaching aid to prevent against future attacks.

Businesses need to embrace a cybersecurity strategy. There are three categories to cybersecurity: Protect, detect, and respond.

Protect

Ask yourself, do you lock your car? Do you lock your front door? Think of your connection (router) as your front door to the web.

Securing this device is the first step in preventing hackers from getting in. Not only should you have the best-in-class router, you also need to maintain the patches and security updates, so the unit does not fall to the constant attacks from the internet.

Beyond the firewall, you need to secure your ethernet switches and your wireless access points. Access points are an easy target for rogue hackers; they often log into a weakly secured access point, and once they have entered, they can navigate your entire network.

Most often, malicious attacks are delivered via e-mail. Logically, it is critical to have very updated anti-spam software, as well as antivirus and malware protection.

It is also critical to have current backups; best practices recommend a full on-site backup with a virtual cloud backup. It is crucial to know that your backups are tested; if you are backing up corrupted data, then your backups are useless.

Detect

Early detection can save lots of time and potential loss of data. Most breaches are not detected for more than 100 days after the breach. Once you detect a breach, you can contain and react to that breach. This begs the obvious question: how can you detect a breach?

There are several ways to go about detecting a breach within your system. First is to engage in a dark-web monitoring service. These services have ‘crawlers’ that are constantly scanning the dark web. They will scan your company and your personal information. When they find your data on the dark web, the service will alert you and let you know what that information is and where it came from, but don’t get your hopes up; you cannot remove your information once it is on the dark web. For instance, LinkedIn was breached more than 10 years ago, and if you had a LinkedIn account in that time frame, your username and password are available on the dark web.

Respond

It’s not a matter of if, but when you are a victim of a cyberattack. Rapid response to a breach or infection is critical, and the faster you respond, the faster it will reduce your exposure. In some cases, you will need a support team to assist in cleansing machines, loading backups, and scanning your network.

The proactive approach is to engage a security operations center. This is a team of security professionals that will monitor your network and device. In the case of an infection or breach, the team will jump into recovery mode and secure your data.

Bottom Line

Above all, it’s important to stress that cybersecurity is more of a culture than a service. Cyberattacks cannot be prevented, but they can be avoided by having the proper procedures and training. Cybersecurity requires awareness and the ability to eliminate your personal and company exposure. All the tools in the world won’t prevent someone from clicking on malware in an e-mail. It is important for a company to have a stable cybersecurity policy and program in place.

Don’t wait until you are hacked to implement a cybersecurity prevention and awareness program.

Sean Hogan is president of Hogan Technology, a full-service managed IT, structured cabling, and cloud-services provider; (413) 779-0079.

buy ivermectin for humans buy ivermectin online buy generic cialis buy cialis