6 Reasons Why You Need a Security Assessment

By Paolo Del Nibletto

“You don’t know what you don’t know.” It sounds trite, but it’s true. You probably don’t realize that a dormant crypto-locker malware file is sitting quietly, undetected, on a computer or server. All it needs is the right moment or the right command. As Clint Eastwood’s Dirty Harry character said in the movie Magnum Force: “A man has got to know his limitations.” Organizations – no matter the size – need to determine their limitations from a security standpoint.

Organizations that have not checked their overall cybersecurity posture are effectively asking for trouble. Broader vulnerability assessments and more targeted penetration tests are effective starting points from which to shore up cyber defences. Besides ransomware, which hit new heights during the COVID-19 pandemic, a major problem facing organizations is data breaches. Data breaches often lead to irrecoverable financial losses, reputation damage, lost business, lost talent, and general stress and embarrassment. There are many more, but this list focuses on six reasons an organization should assess its security (in no particular order).

1. Identifying Risk Within the Organization

This should be a common practice for your IT team. It is easy to be lulled into a false sense of security just because nothing bad has happened yet, but it is foolish at best, and negligent at worst, to take immunity from cyber threats for granted. Conducting yearly or semi-annual security risk assessments, either internally or through a trusted partner, will provide an extra layer of security insight that can be used to protect against data breaches. Many of the threats affecting small and medium businesses aren’t even targeted; like COVID-19, attacks move from one person or organization to another. No organization is immune to a talented hacker who is determined to infiltrate your systems for fun or profit. Hackers look for security gaps, and you should do the same. By understanding what gaps you have, you can make most of the necessary fixes and take the low-hanging fruit out of harm’s way.

To put it simply, there are two methods to assess security risk. The first is called a penetration test, more commonly known as a pen test. A pen test is an active attempt, conducted by an ethical hacker (one of the good guys), to break into networks, websites and applications. It is a real cyber-attack that can target a specific area or be broad and open-ended. From this test, IT managers or chief security officers get a detailed look at how well the security systems, networks and applications in place are performing, along with the vulnerabilities identified within the system. It also informs the organization of its strengths and whether it is adhering to current compliance and security policies, which is also quite valuable.

The second method is called a vulnerability scan. These tests are meant to be fast, passive and broad, covering the whole organization. This approach compares the current state to accepted minimum standards, leading to a grade of how good your security is. These assessments take into account the currency and completeness of patching, exposure of easily exploitable ports, the presence of known malicious applications, and susceptibility to common attack methods such as SQL injection.

2. Avoid Security Breaches

Data breaches are expensive. According to the annual Cost of a Data Breach Report, conducted by the Ponemon Institute and sponsored by IBM Security, the average total cost of a data breach is just under $4 million US. For an SMB, this would sound the death knell. For mid-sized to large enterprises, it can lead to a severe disruption in business that could have lasting effects. Depending on the type of organization, it could be worse: Ponemon found that for healthcare providers, a data breach averages $6.45 million. The average breach size is an outstanding 25,575 records per incident, which would lead to a massive hit on any organization’s reputation and brand.

By conducting a security risk assessment and following through with the recommendations, you can better protect data and avoid the costs associated with a hack. A security assessment draws on malware analysis, reverse engineering, cryptography, exploit development, and offensive and defensive security. A well-crafted assessment leads to a report laying out clear, actionable insights coupled with effective remediation steps to help organizations lower risk and identify areas requiring improvement.

3. Protecting Your Reputation

According to the Harvard Business Review, an extra star in a restaurant’s Yelp rating increases business by between five and nine percent. On the flip side, negative reviews keep customers away in droves. A hit to an organization’s reputation because of a data breach or hack has a similar, lasting impact, especially if it becomes public. In most cases, companies are legally required to announce the breach under PIPEDA and GDPR laws and regulations. Many organizations aren’t aware that they are subject to laws based on where their customers reside, not just where the corporation is physically or legally registered. The bottom line is that customers will avoid you or, worse, leave you.

Rebuilding a tarnished brand is expensive. By forgoing annual security risk assessments, organizations are gambling with their own future and, more broadly, risking their stakeholders – staff, suppliers, business partners and company shareholders. It isn’t unheard of for direct and indirect victims to take legal action seeking compensation for their own damages. The fallout extends to staff and the ability to find and retain talent – nobody wants to work for an organization that shows itself to be somewhere between incompetent and ignorant. Share prices have been known to take a hit, which only serves to prolong and aggravate the pain of the original hack. One security breach can put an organization into permanent “damage control” that can take years to overcome.

4. Maintaining IT Budgets

Any good CFO should easily conclude that the cost of pen tests or vulnerability scans is a drop in the bucket compared to the wide-ranging losses stemming from a data breach. For example, Canadian businesses are now mandated to disclose a data breach if it is determined that data under the organization’s control could fall into the wrong hands. A failure to report these breaches, even seemingly innocent violations, can lead to fines of up to $100,000 under the Personal Information Protection and Electronic Documents Act (PIPEDA). The majority of organizations do not budget for PIPEDA fines and the like. Potential lawsuits are also a factor, and recovering data also eats into the budget. While some might be tempted to think that cyber security insurance will pick up the tab, think again: Merck & Co found out the hard way when their insurance company turned down their claim for $1.5 billion. By scheduling a security assessment, you can build it into your budget and avoid surprises. Your organization’s budget and cash flow are more at risk if you don’t invest in proactive systems and programs such as security monitoring, a security information and event management (SIEM) system, Layer 7 firewalls and, most often overlooked, user education.

5. Avoid Violating Privacy and Data Laws

As in the previous reason, six-figure fines can be avoided by an annual security risk assessment. The PIPEDA fine is a six-figure sum, and penalties under other compliance and privacy acts are no cheaper. Violators of the GDPR (the European Union’s General Data Protection Regulation) risk fines of up to 20 million euros. Then there’s SOX (the Sarbanes-Oxley Act), HIPAA (the US Health Insurance Portability and Accountability Act), and even state laws such as the CCPA (California Consumer Privacy Act). Then there is the LGPD, a new act from Brazil that comes into effect next month. LGPD stands for Lei Geral de Proteção de Dados Pessoais, Brazil’s General Data Protection Law. Like the EU’s GDPR, the LGPD protects Brazilians’ data no matter where that data is stored. Think about a Brazilian tourist shopping at a store using a credit card, then the store being hacked, leading to credit card fraud against the tourist. In theory, the store is liable for those damages. The efficacy and implementation of these laws remain to be seen, but there are other punitive measures countries can take against offenders, such as blocking their websites at a country level.

6. Increase Productivity Levels

Finally, if your organization is infected with a virus or hit with ransomware, your employees’ overall performance and productivity will suffer. Take a minute to think about how effective your business is during a power or internet outage. Now multiply that by the number of days and add some indirect costs and future losses for good measure. By doing a security assessment and implementing up-to-date security protocols, you protect productivity levels while reducing risk. According to Ponemon, the most significant impact of an attack may be end-user productivity losses because the IT systems are not functioning. As organizations embrace digital transformation and cloud-based systems, along with the rise of the remote worker because of the COVID-19 pandemic, this risk only increases. SaaS models mean businesses are now subject to multiple sources of failure in their operations and activities. Imagine if a cloud-hosted accounting suite were taken offline by hackers – no invoices, no cash tracking and much more.

Jolera has a variety of assessment options available to help identify possible weaknesses and exploits and determine the possible real-life outcomes of a successful attack. If you’re interested in learning more, contact us.

Threats of the Week – July 29, 2020

Dell iDRAC Vulnerability CVE-2020-5366

Researchers released new information about a vulnerability in the Integrated Dell Remote Access Controller (iDRAC), which allows IT administrators to remotely deploy, update, monitor and maintain Dell servers without installing new software. The path traversal vulnerability, CVE-2020-5366, carries a 7.1 severity score, reflecting a high degree of danger. Although the vulnerability was fixed earlier in July, remote attackers exploiting the flaw could take control of server operations.

Source: Info Security

How do you protect yourself?

To monitor threats against company servers, it’s crucial to have a managed security program in place. With services like Secure IT – SIEM, you can rely on a team of security experts who perform remediation and root cause analysis and provide security recommendations to help you defend against malicious threats.

Cisco Network Security Vulnerability CVE-2020-3452

A high-severity vulnerability in Cisco’s network security software could compromise sensitive data. The flaw exists in the web services interface of Cisco’s Firepower Threat Defense (FTD) software and its Adaptive Security Appliance (ASA) software. The vulnerability (CVE-2020-3452) allows attackers to conduct directory traversal attacks, an HTTP attack enabling bad actors to access restricted directories and execute commands outside of the web server’s root directory.

Source: Threat Post

How do you protect yourself?

The vulnerability affects products running a vulnerable release of Cisco ASA Software or Cisco FTD Software with a vulnerable AnyConnect or WebVPN configuration. To eliminate the vulnerability, Cisco users are urged to update Cisco ASA to the most recent version.

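Both of the advisories above (the iDRAC flaw and the Cisco ASA/FTD flaw) are path-traversal bugs in a management web interface, and patching is the fix. While patches roll out, the defender-side check worth having is a review of web access logs for traversal requests. The following is an added example written for this page; it is not code from the original post, from Dell or from Cisco. The access-log lines are constructed, and the detection is product-independent: it percent-decodes each request path (including double encoding) and flags any path that climbs above the web root.

```python
"""Detect directory-traversal requests in web-server access logs.

Added example; not code from the original post, from Dell or from Cisco.
Both advisories above describe path-traversal flaws in a management web
interface, so the useful defender-side artefact is a log check that flags
such requests regardless of product. The log lines below are constructed
in Common Log Format.
"""
import re
from urllib.parse import unquote

# Constructed sample lines: one benign request, three traversal attempts
# (plain, single-encoded, double-encoded), and one '..' that stays inside
# the web root and must NOT be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jul/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [29/Jul/2020:10:01:05 +0000] "GET /static/../../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [29/Jul/2020:10:01:06 +0000] "GET /static/%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 0
10.0.0.9 - - [29/Jul/2020:10:01:07 +0000] "GET /img/..%252f..%252fconfig HTTP/1.1" 404 0
10.0.0.7 - - [29/Jul/2020:10:01:09 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(raw_path: str) -> str:
    """Strip the query string, percent-decode until stable (catches double
    encoding such as %252e) and treat backslashes as separators."""
    path = raw_path.split("?", 1)[0]
    for _ in range(4):  # bounded: stop once decoding changes nothing
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(raw_path: str) -> bool:
    """True if the decoded path ever climbs above the web root.

    Walk the segments keeping a depth counter; a '..' that drops depth
    below zero escapes the root. A '..' that only backs out of a
    sub-directory (/docs/a/../b.html) keeps depth >= 0 and is left alone.
    """
    depth = 0
    for segment in decode_path(raw_path).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def scan_log(text: str) -> list:
    """Return one record per traversal attempt found in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m.group("path")):
            hits.append({
                "ip": m.group("ip"),
                "path": m.group("path"),
                "decoded": decode_path(m.group("path")),
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['path']} -> {hit['decoded']}")
```

A 404 on a traversal request is not proof the attempt failed, because an appliance may serve the file under a different route; the value of the check is that repeated attempts from one source show up whether or not any of them succeeded, which is the signal a SIEM rule should alert on.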
VHD Ransomware

North Korean-backed hackers tracked as the Lazarus Group have developed and are actively using VHD ransomware against enterprise targets. VHD ransomware samples were found between March and May 2020 during two investigations, being deployed over the network with the help of an SMB brute-forcing spreading tool and the MATA malware framework (also known as Dacls). The ransomware tool creeps through the drives connected to a victim’s computer, encrypts files, and deletes all System Volume Information folders.

Source: Bleeping Computer

How do you protect yourself?

Organizations must have 24/7 monitoring and remediation solutions in place to defend against VHD ransomware and similar threats. Secure IT – Endpoint Protection and SIEM help prevent these attacks, or at least isolate them so they cannot spread.
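The VHD write-up above says the ransomware spread across the network with the help of an SMB brute-forcing tool. That initial phase is noisy and is exactly the kind of thing 24/7 monitoring should catch. As an added example (not code from the original post or from the researchers who reported VHD), the script below runs a sliding-window count of failed network logons over constructed Windows Security event lines, and adds a second finding when a source that just produced a burst of failures then logs on successfully. The simplified one-line event format is an assumption made for the example; real Security log entries would need an EVTX or XML parser first.

```python
"""Flag SMB/network logon brute-forcing from Windows Security events.

Added example, not from the original post or from the VHD research.
Event lines are constructed in a simplified text form (timestamp,
event id, source, account, logon type); real Security log entries are
EVTX/XML and would need a proper parser first. Event 4625 is a failed
logon, 4624 a successful logon, and logon type 3 is a network logon,
which is what SMB sessions use.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events: 10.1.1.50 hammers several accounts within seconds
# and then succeeds; 10.1.1.20 is a user mistyping a password now and then.
SAMPLE_EVENTS = """\
2020-05-04T02:10:01Z 4625 src=10.1.1.50 user=administrator logon_type=3
2020-05-04T02:10:03Z 4625 src=10.1.1.50 user=admin logon_type=3
2020-05-04T02:10:05Z 4625 src=10.1.1.50 user=backup logon_type=3
2020-05-04T02:10:08Z 4625 src=10.1.1.20 user=jsmith logon_type=3
2020-05-04T02:10:09Z 4625 src=10.1.1.50 user=svc_sql logon_type=3
2020-05-04T02:10:12Z 4625 src=10.1.1.50 user=administrator logon_type=3
2020-05-04T02:10:15Z 4625 src=10.1.1.50 user=administrator logon_type=3
2020-05-04T02:10:20Z 4624 src=10.1.1.50 user=administrator logon_type=3
2020-05-04T02:15:40Z 4625 src=10.1.1.20 user=jsmith logon_type=3
2020-05-04T02:20:00Z 4625 src=10.1.1.20 user=jsmith logon_type=3
"""


def parse_event(line: str) -> dict:
    """Parse one constructed event line into a dict."""
    ts, event_id, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "src": fields["src"],
        "user": fields["user"],
        "logon_type": int(fields["logon_type"]),
    }


def detect_bruteforce(text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {source_ip: findings}.

    'burst' is raised once a source accumulates `threshold` failed network
    logons inside a sliding `window`; 'success_after_burst' is raised if
    that same source later logs on successfully, which is the point at
    which lateral movement becomes likely.
    """
    failures = defaultdict(deque)   # per-source failures inside the window
    findings = defaultdict(dict)
    for line in text.strip().splitlines():
        ev = parse_event(line)
        if ev["logon_type"] != 3:
            continue  # only network logons matter for SMB spreading
        src = ev["src"]
        if ev["event_id"] == 4625:
            q = failures[src]
            q.append(ev)
            while q and ev["ts"] - q[0]["ts"] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and "burst" not in findings[src]:
                findings[src]["burst"] = {
                    "count": len(q),
                    "distinct_users": len({e["user"] for e in q}),
                    "first": q[0]["ts"],
                    "last": ev["ts"],
                }
        elif ev["event_id"] == 4624 and "burst" in findings[src]:
            findings[src]["success_after_burst"] = {
                "user": ev["user"], "ts": ev["ts"],
            }
    return {src: f for src, f in findings.items() if f}


if __name__ == "__main__":
    for src, f in detect_bruteforce(SAMPLE_EVENTS).items():
        print(src, f)
```

The threshold and window are tuning knobs: five failures in a minute from one source across several accounts is well outside what a person mistyping a password produces, and the distinct-user count separates password spraying from someone locked out of their own account.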

Lenovo Canada Leader Attempts to Close the Gap on the Digital Divide

By Paolo Del Nibletto

In this digital-rich world, it’s hard to believe that the majority of Canadian households – with at least one child under 18 – have only one Internet-enabled device available to them. Compounding the problem further, 13.5 percent of this group relies on a mobile device for their Internet, according to Statistics Canada.

This shortage is creating a digital divide in Canada. If the IT industry does not act soon, it could lead to many young Canadians falling behind other countries and negatively impact digital transformation.

Lenovo Canada’s Executive Director and GM, Colin McIsaac, has been running the subsidiary for the past seven years and in that time has successfully introduced many innovative products, from the Yoga, the Tiny, the Twist and the X1 Carbon to state-of-the-art workstations for the oil and gas sector that are also used to design cars for Aston Martin.

But despite the business achievements, conquering the digital divide in Canada has turned into a passion project for McIsaac. During an interview for the Jolera Interview Series program, McIsaac said the digital divide, specifically in the education sector, worries him because a lack of access to current technology can severely impact the quality of education a student receives. “This is sobering, and you compound that with the COVID-19 pandemic, and there’s a byproduct with schools not getting back to classrooms or staggering that experience and asking people to engage from home without a device or broadband or they are not comfortable with the environment, and this creates a much bigger gap between those that have and have not,” he said.

In comparison, McIsaac has more than 100 devices connected to the Internet in his home, and certainly, the narrative believed by most is that Canada is a totally connected community. But McIsaac believes there is a much more significant gap in Canada, and one of the pitfalls of the digital divide is the loss of potential.

“If someone is not able to learn properly, you can create a much bigger gap among the classes. Secondarily, we may miss out on some of the best ideas this generation has to offer because they don’t have access to technology. This is something we have to address, and, in my mind, it can’t happen fast enough,” McIsaac said.

SMARTER TECHNOLOGY FOR ALL

Lenovo operates with a guiding philosophy of “Smarter Technology for All”, and this viewpoint works to ensure that everyone can take advantage of technology. Under McIsaac’s leadership, Lenovo Canada is trying to provide a standardized technology experience for classrooms across Canada and in the home. Lenovo has already contributed more than $5 million in donations for Quebec’s back-to-school initiative, a co-sponsored plan with Best Buy to support the Boys and Girls Club of Canada. Most recently, the company made a significant Chromebooks donation to the Government of Alberta’s school initiative.

More needs to be done, according to McIsaac, from the government and the business community to address the digital divide in low-income areas of Canada since they have the highest percentage of mobile-only device usage.

“Technology has an impact on business, and you can draw parallels on the impact it has on consumers in their daily lives. If they do not have the opportunity to embrace technology’s competitive advantage, they will fall behind, and the longer they are unable to leverage technology, the worse it becomes. There are two ends of the spectrum here with people at one end engaging technology to their great benefit and learning experience and the other end, where people are not,” he added.

Watch the Jolera Interview Series featuring Lenovo Canada’s Colin McIsaac to learn more about how Lenovo deals with the digital divide along with its innovation strategy and how the company is embracing the as-a-service market.

Threats of the Week – July 6, 2020

FakeSpy Malware

Android mobile device users are being infected with the FakeSpy infostealer. The attack is part of a ‘smishing’ campaign from the Roaming Mantis threat group. The malware is disguised as legitimate global postal-service apps, and ends up stealing SMS messages, financial data, and other sensitive information from the users’ devices. The attacker sends text messages with information about a package delivery, prompting the recipients to click on a malicious link.

Source: Threat Post

How do you protect yourself?

Users are advised to ignore text messages from contacts they don’t recognize and to be suspicious of any message about deliveries or other postal services. To avoid being scammed, users should double-check the information received through trusted links to local delivery carriers.

WastedLocker Ransomware

Dozens of US newspaper websites, owned by the same company, were hacked by the Evil Corp gang. The goal was to infect employees of over 30 major US private firms, by using fake alerts regarding software updates. These alerts were displayed by the malicious SocGholish JavaScript-based framework.

Employees who browsed the news on one of these websites could have their computers compromised and then used as a stepping stone into their companies’ enterprise networks.

Source: Bleeping Computer

How do you protect yourself?

Companies must have proper security measures in place to defend against WastedLocker ransomware and similar threats. Secure IT – Endpoint Protection provides an advanced, comprehensive threat detection and defence solution for an organization’s computer endpoints.

CVE-2020-1425 | CVE-2020-1457

Microsoft has released two emergency security updates to address remote code execution vulnerabilities affecting the Microsoft Windows Codecs Library on several Windows 10 and Windows Server versions. The two vulnerabilities are tracked as CVE-2020-1425 and CVE-2020-1457, the first one being rated as ‘critical’ while the second received an ‘important severity’ rating. After successfully exploiting these vulnerabilities, attackers could obtain information to further compromise the user’s system, and lead to arbitrary code execution on vulnerable systems.

Source: We Live Security

How do you protect yourself?

According to Microsoft, the two security patches address the vulnerabilities “by correcting how Microsoft Windows Codecs Library handles objects in memory.” Microsoft has not identified any mitigating measures or workarounds for these two vulnerabilities.

Threats of the Week – June 18, 2020

Ripple20 Vulnerabilities

Millions of internet of things (IoT) devices are affected by dozens of vulnerabilities. Cyber-security experts exposed a total of 19 vulnerabilities (4 of them considered critical) in a small library widely used and integrated into innumerable products over the last 20 years. These vulnerabilities affect both enterprise and consumer-grade products, from printers to insulin pumps.

Source: ZD Net

How do you protect yourself?

Treck has issued a patch for use by OEMs in the latest Treck stack version (6.0.1.67 or higher).

Linkedin ‘Job Offers’ Malware

A recent malware campaign targeting aerospace and military firms has been discovered. Victims in Europe and the Middle East received LinkedIn spear-phishing messages, supposedly from Collins Aerospace and General Dynamics, with a job offer. Besides the offer being fake, the message also included malicious documents that eliminate data from the device.

Source: Threat Post

How do you protect yourself?

Users should be cautious whenever opening files from an email. Services like Secure IT – Mail help scan the files within emails to detect if they are legitimate or not. If they are not legitimate, these tools will block users from even visiting the malicious website.

Qbot Malware

Customers of U.S. banks and financial institutions are the target of an ongoing campaign using Qbot malware, a banking Trojan active since 2008. Through Qbot payloads, attackers are able to steal financial data from these clients and spread malware on compromised devices. According to specialists, Qbot is being used with updated worm features.

Source: CISOMAG

How do you protect yourself?

Cybersecurity awareness training is highly recommended to defend against evolving malware threats. Secure IT – User Defence is a suite of security services specifically tailored to empower employees to become the first line of defence against cyber attacks.

The Dangers of Working Remotely

With remote workers reaching unprecedented levels during the COVID-19 pandemic, strengthening Wi-Fi access points and the devices that access them is becoming a necessity. Unfortunately, very little thought has been given to Wi-Fi in the security landscape leaving many people vulnerable to hackers. Before the onset of the COVID-19 pandemic, people were using public Wi-Fi for collaborating with co-workers, outside suppliers and customers, along with friends. What made public Wi-Fi so useful was that it was widely available and, more importantly, free. As of last year, there were a total of 362 million public Wi-Fi hotspots available around the globe.

Know the types of Wi-Fi attacks to watch out for.

Man-in-the-middle

The most commonly used Wi-Fi attack is called man-in-the-middle. Hackers use it to intercept data packets as they travel from a person’s computer to the Wi-Fi network; think of it as cyber eavesdropping. The hacker then has access to your files and can view your messages. For a man-in-the-middle attack to work, the hacker needs to be within range of an unencrypted Wi-Fi access point, or to have set up a rogue Wi-Fi access point that the unsuspecting person signs in to.

Evil Twin

Do you ever go into a Starbucks to work? You check for free Wi-Fi and see two Starbucks access points available. You don’t give it a second thought and click on the wrong one. That’s an Evil Twin situation, where an access point looks legitimate but isn’t.

One of the more famous Evil Twin attacks happened during the 2016 Republican National Convention, where 1,200 attendees connected to the IVOTETRUMP! hotspot.
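The Evil Twin scenario above can be checked from the client side when you know which access points are legitimate. The following is an added example, not code from the original post: it takes a constructed scan listing and a hypothetical inventory of known BSSIDs per SSID, and flags any access point that advertises a known SSID from an unknown BSSID, noting the classic tells (weaker security than the real APs, or a suspiciously stronger signal).

```python
"""Flag a likely 'evil twin' access point in a Wi-Fi scan listing.

Added example, not from the original post. SCAN is a constructed scan
result (real output from nmcli, airport or similar would need its own
parsing); KNOWN_APS is a hypothetical inventory of the BSSIDs a venue or
company legitimately operates for each SSID.
"""
from collections import defaultdict

SECURITY_RANK = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3, "WPA3": 4}

# Hypothetical inventory: SSID -> BSSIDs (AP MAC addresses) that are ours.
KNOWN_APS = {
    "CoffeeShop-Guest": {"a4:56:02:10:20:30", "a4:56:02:10:20:31"},
}

# Constructed scan rows: (ssid, bssid, channel, security, signal_dbm).
# The third row reuses the venue's SSID from an unknown MAC, drops the
# encryption, and is closer (stronger signal) than the real APs.
SCAN = [
    ("CoffeeShop-Guest", "a4:56:02:10:20:30", 6, "WPA2", -55),
    ("CoffeeShop-Guest", "a4:56:02:10:20:31", 11, "WPA2", -62),
    ("CoffeeShop-Guest", "de:ad:be:ef:00:01", 6, "OPEN", -40),
    ("HomeNet-7F", "00:11:22:33:44:55", 1, "WPA2", -70),
]


def find_suspect_aps(scan, known=KNOWN_APS) -> list:
    """Return [{'ssid', 'bssid', 'reasons'}] for APs that advertise a known
    SSID from a BSSID not in the inventory, with the evil-twin tells that
    apply: weaker security than the real APs and/or a stronger signal."""
    by_ssid = defaultdict(list)
    for row in scan:
        by_ssid[row[0]].append(row)

    suspects = []
    for ssid, rows in by_ssid.items():
        legit = known.get(ssid)
        if not legit:
            continue  # no inventory for this SSID: nothing to compare against
        real = [r for r in rows if r[1] in legit]
        real_min_sec = min((SECURITY_RANK[r[3]] for r in real), default=None)
        real_best_sig = max((r[4] for r in real), default=None)
        for _ssid, bssid, _chan, sec, sig in rows:
            if bssid in legit:
                continue
            reasons = ["BSSID not in inventory"]
            if real_min_sec is not None and SECURITY_RANK[sec] < real_min_sec:
                reasons.append(f"weaker security ({sec}) than legitimate APs")
            if real_best_sig is not None and sig > real_best_sig:
                reasons.append("stronger signal than any legitimate AP")
            suspects.append({"ssid": ssid, "bssid": bssid, "reasons": reasons})
    return suspects


if __name__ == "__main__":
    for s in find_suspect_aps(SCAN):
        print(f"{s['ssid']} from {s['bssid']}: " + "; ".join(s["reasons"]))
```

An unknown BSSID on its own is weak evidence, since venues add and replace access points; the combination with an open network or an unusually strong signal is what makes the row worth acting on. The check also only works where an inventory exists, which is why the protections listed below (VPN, endpoint protection) still matter for workers on networks nobody inventories.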

Aircrack-ng, Passive Sniffing, coWPAtty and many more…

To protect remote workers from these attack methods, security needs to be looked at more holistically. Many people, especially during this unique time, are unaware of the risks of using unsecured Wi-Fi. The organizations these people work for also fail to take the proper precautions to protect remote workers wherever they are located, and the data they access.

Ways to Protect Your Data

  • VPN
  • Secured Wi-Fi As-a-Service
  • Endpoint Protection
  • Firewalls (Virtual / Physical)
  • SIEM (Security Information & Event Management)

Organizations need to think of the whole picture instead of leaving their deployed devices out in the wild. Data should be protected behind a firewall, and the devices accessing the data should be monitored and protected with endpoint protection. Instead of installing an access point and walking away, think of Wi-Fi-as-a-Service, which includes a wireless access point but does much more, such as advanced security information and event analysis and real-time threat detection and remediation.

Each step taken builds upon your organization’s security posture and keeps both your users and your data safe and secure.