HALOCK Pandemic Breaches Bulletin: June 2020


During the pandemic, HALOCK and the information security community have been responding to a significant spike in cyber security incidents. Threat actors have been using strikingly similar attack patterns to exploit vulnerabilities in remote work environments. These weekly bulletins alert you to these common vulnerabilities and to what you should do to address them.

Cyber Security Data Breaches Bulletin

WHEN RANSOMWARE HAS CAPTURED DATA … BUT WE DON’T KNOW WHAT THAT DATA IS

Incident Summary:
Ransomware victims that have not categorized and inventoried sensitive data are paying high ransom fees just to begin the investigation phase of their breach response.

VULNERABILITY DESCRIPTION

Cyber criminals are successfully carrying out data encryption and exfiltration attacks for financial gain. The absence of a documented inventory of systems and data stored on these systems has led multiple organizations to pay ransom without knowing whether the encrypted information is worth the cost.

Multiple recently attacked organizations lacked formal controls to identify which systems attackers accessed and the type of data files they encrypted and stole. Furthermore, backup volumes were also encrypted, which limited organizations' ability to determine which files had been encrypted and whether those files posed a risk to themselves or others if lost or stolen.

The impact of these breaches was increased by multiple weak security controls.

  • Internal servers with unnecessary access to the internet.
  • Web filtering services were not configured to restrict access to MEGASync, Dropbox, Box, Sync, and similar file transfer services.
  • Asset inventories were not complete and lacked correlation with data discovery tools.
  • Backups were not transferred and stored off network.
  • System and activity logs were not correlated into a centralized log management solution.
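
As an added illustration that is not part of the bulletin, the following Python shows what correlating proxy logs buys you against the first two weaknesses above: it flags allowed connections from a server subnet to the file-transfer services named in the list. The log format, the 10.20.5.0/24 server segment and the domain list are constructed assumptions, not values from the bulletin.

```python
import ipaddress
from collections import defaultdict

# Constructed proxy log (epoch, source IP, destination host, bytes sent, action); values are made up.
SAMPLE_PROXY_LOG = """\
1591000001 10.20.5.11 files.corp.example.com 1200 ALLOW
1591000010 10.20.5.11 mega.nz 734003200 ALLOW
1591000031 10.30.1.15 www.dropbox.com 2048 ALLOW
1591000042 10.20.5.12 api.box.com 5242880 ALLOW
1591000050 10.30.1.77 sync.com 4096 DENY
1591000061 10.20.5.12 content.dropboxapi.com 157286400 ALLOW
"""

SERVER_SUBNETS = [ipaddress.ip_network("10.20.5.0/24")]  # assumed server segment; 10.30.1.0/24 = workstations
# Domains for the services the bulletin names (illustrative list; extend it for your own environment).
FILE_SHARING_DOMAINS = {"mega.nz", "mega.co.nz", "dropbox.com", "dropboxapi.com",
                        "dropboxusercontent.com", "box.com", "boxcloud.com", "sync.com"}

def is_file_sharing_host(host: str) -> bool:
    """Match the host or any parent domain, so api.box.com is caught by the box.com entry."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in FILE_SHARING_DOMAINS for i in range(len(parts)))

def detect_server_egress(log_text: str) -> list:
    """One alert per allowed connection from a server subnet to a file-sharing service."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the whole run
        ts, src, host, sent, action = fields
        if action != "ALLOW":
            continue  # the filter already blocked it; nothing left the network
        if not any(ipaddress.ip_address(src) in net for net in SERVER_SUBNETS):
            continue  # workstation traffic is a policy question, not a server-egress alert
        if is_file_sharing_host(host):
            alerts.append({"ts": int(ts), "src": src, "host": host, "bytes": int(sent)})
    return alerts

def bytes_per_server(alerts: list) -> dict:
    """Total bytes each server pushed to file-sharing services; the largest totals get looked at first."""
    totals = defaultdict(int)
    for a in alerts:
        totals[a["src"]] += a["bytes"]
    return dict(totals)

if __name__ == "__main__":
    found = detect_server_egress(SAMPLE_PROXY_LOG)
    print(found, bytes_per_server(found))
```
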

TESTING FOR THE VULNERABILITY

Determine whether the following are in place for all systems that may contain, process, or transmit sensitive information:

  • Identify data inventories to determine whether they are comprehensive, current, and can be reliably used to locate all sensitive data in the environment.
  • Review policies, access controls, and logging systems to determine whether data is classified by inherent risk, and whether controls limit and track the use and location of that data.
  • Review audits, penetration tests, vulnerability tests, and risk assessments to determine whether they test for data inventory and data classification.
  • Scan your servers, email, and databases for the presence of sensitive data.

MITIGATING THE VULNERABILITY

In addition to advanced malware protections, establish the following data inventory controls:

  • Classify data by its inherent risk: e.g. intellectual property, personal financial, personal health, corporate confidential.
  • Identify the systems, applications, network zones, and personnel that are appropriately secured for each data classification.
  • Implement access controls that limit which personnel and systems may transmit or process data of each classification.
  • Define log or SIEM rules that detect, record, and alert on violations of those access controls.
  • Configure backup resources and volumes so they are not directly accessible from vulnerable systems.
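
As an added example that is not part of the bulletin, the following Python scans a small constructed file corpus for the inherent-risk classes listed above and records an inventory entry for every file, including the ones where nothing sensitive is found. The file names, contents and detection patterns are illustrative assumptions; a card-shaped number is only counted when it passes the Luhn checksum.

```python
import re
# Constructed sample corpus (path -> contents); every name and value is made up.
SAMPLE_FILES = {
    "/srv/finance/payroll_q2.csv": "emp,card\nA. Doe,4111 1111 1111 1111\nB. Roe,5500 0000 0000 0004\n",
    "/srv/sales/orders.csv": "order_id\n1234 5678 9012 3456\n",  # card-shaped but fails Luhn
    "/srv/clinic/intake.txt": "Patient MRN 00481516 admitted 2020-05-02, diagnosis ICD-10 J18.9",
    "/srv/eng/design.md": "CONFIDENTIAL - internal use only. Schematic rev 7.",
    "/srv/www/index.html": "<html>Welcome</html>",
}

# One pattern per inherent-risk class named in the bulletin (illustrative, not exhaustive).
PATTERNS = {
    "personal_financial": re.compile(r"\b(?:\d[ -]?){13,16}\b"),           # card-shaped numbers
    "personal_health": re.compile(r"\bMRN\s*\d{6,}\b|\bICD-10\b", re.I),   # record numbers, diagnosis codes
    "intellectual_property": re.compile(r"\b(?:schematic|source code|patent)\b", re.I),
    "corporate_confidential": re.compile(r"\bCONFIDENTIAL\b"),             # handling marking
}

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, so order ids that merely look like card numbers stay out of the inventory."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_content(text: str) -> dict:
    """Return {risk_class: hit_count} for one file's contents."""
    hits = {}
    for cls, rx in PATTERNS.items():
        matches = [m.group() for m in rx.finditer(text)]
        if cls == "personal_financial":  # card-shaped digits must also checksum
            matches = [m for m in matches if luhn_valid(re.sub(r"\D", "", m))]
        if matches:
            hits[cls] = len(matches)
    return hits

def build_inventory(files: dict) -> list:
    """Data inventory: every file is recorded, including those where nothing sensitive was found."""
    inventory = []
    for path in sorted(files):
        hits = classify_content(files[path])
        inventory.append({"path": path, "classes": sorted(hits), "hits": sum(hits.values())})
    return inventory

if __name__ == "__main__":
    for rec in build_inventory(SAMPLE_FILES):
        print(rec["path"], rec["classes"] or ["unclassified"], rec["hits"])
```
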

WHAT YOU MUST DO NOW

  • Initiate a data inventory project
  • Deploy data access and activity monitoring tools
  • Restrict internet traffic
  • Perform ongoing data retention and classification audits

CONTACT YOUR PREFERRED HALOCK TEAM MEMBER FOR MORE COMPREHENSIVE ADVICE

If you are concerned that your recent configurations to support a remote work force have exposed you to correctable vulnerabilities, please directly contact your preferred HALOCK team member. We can walk you through a more comprehensive list of vulnerabilities that we are seeing in the field. If you do not have a preferred HALOCK team member, contact us here and select “Secure Home-to-Office Transition Discussion” as your Area of Interest. We will have a HALOCK team member reach out to you to schedule a call.

After having responded to so many breaches these past few weeks, we cannot stress enough how important it is to adopt expected security practices as we proactively prepare for phase 2 of this pandemic, as well as for the return to the office.

CYBER SECURITY SERVICES TO MITIGATE YOUR RISKS

HALOCK also provides the following services to help our clients prevent these types of attacks.

HALOCK Threat Monitoring Partner Solutions

  • Sophos Endpoint Protection
  • Carbon Black Cloud-native Endpoint Protection
  • Sensitive Data Scanning

Keep safe and stay secure.

HALOCK is headquartered in Schaumburg, IL, in the Chicago area, and advises clients throughout the US on reasonable information security strategies, third-party risk management, risk assessments, penetration testing, security management and architecture reviews, HIPAA, privacy, and PCI compliance, and incident response and forensics.