CYBER SECURITY AND REMOTE WORKING Maritz Cloete, CISSP, M.CIIS 18 June 2020

Page 1

CYBER SECURITY AND REMOTE WORKING

Maritz Cloete, CISSP, M.CIIS

18 June 2020

Page 2

HOW OUR WAYS OF WORKING HAVE CHANGED

• Social distancing means working from home is the norm

• Substantially more reliant on IT to engage internally and externally, and to keep the business going!

• Now ~100% reliant on the connectivity (and security!) the internet provides

• New technologies for many – Zoom, Skype, Teams, SharePoint, OneDrive, Hangouts, etc

• Employees’ focus shared between work and home life – home-schooling, looking after home-bound dependents, volunteering

• Blurring the lines between work and home – employees may not be as alert as usual

Page 3

INCREASED EXPOSURE TO THE RISK OF CYBER ATTACKS

• Even before COVID-19, cyber crime was a growing issue.

• Working outside of the organisation’s ‘protective bubble’ increases exposure

• Just in the last month and a bit:

  • Dominic Raab warns of targeted cyber attack campaigns and COVID-19 related scams and phishing e-mails

  • The UK National Cyber Security Centre blocked nearly 1900 attacks on education organisations in May 2020

  • A notable rise in cyber attacks on charities – cyber attackers don’t care who they hit

• Phishing e-mails remain at number 1 as the most common attack, and remain a cheap, effective and automated means for cyber criminals to exploit the unwary

• Compromised user account details a close second, often causing more harm

• Data theft, impersonation, fraud

Page 4

CASE STUDY – PHISHING/MALWARE

Page 5

CASE STUDY – CHARITY MALWARE ATTACK

• 10-person organisation

• Received complaints of phishing e-mails from trustees and beneficiaries

• Phishing e-mails were sent in two tranches – on Wednesday and Friday of the same week

• Each e-mail included content from prior e-mail correspondence!

• E-mail linked to a malicious download on a compromised web site

• Suspected that a key shared e-mail account was hacked – ~3GB/1000s of e-mails in the mailbox

• Had to notify the ICO of a potential personal data breach, as mailbox contained benefit application forms

• Called us in to perform the investigation – what happened and is it over?

Page 6

CASE STUDY – WHAT WE FOUND

• Based on attack characteristics, an Emotet or Qbot malware infection was suspected.

• However:

  • Critical audit logs not turned on or only retained for a short period of time, so difficult to ascertain when the breach occurred, the extent of the breach or the methods used

    • Office 365 – logs were turned off

    • Windows Server – only 100MB of logs retained = less than 1 day

    • Exchange mailboxes – retained for 30 days only, limited activities audited

    • Anti-malware software – no centralised server for alerts/reporting

  • Staff were working from home – could not identify which staff member’s devices were the source of the breach, could not quarantine devices for inspection

  • BYOD in use… secure, patched? How do they even check this?

• Lots of moving parts to investigate – complexity exacerbated by lockdown

• In the end, client lost confidence in IT infrastructure integrity and initiated rebuild from scratch.

Page 7

EMOTET – THE WORST OF A BAD BUNCH

• If it manages to run, it contacts a command and control (C2) server

• It downloads >80 other pieces of malware to the machine – from banking trojans to password stealers to ransomware

• It scours the local network to find vulnerable services to enable self-propagation to other machines (similar to WannaCry)

• It copies data from the user’s browser ‘saved passwords’ and sends it to the C2 server

• It accesses e-mails stored locally, and sends this back to the C2 servers for use in phishing campaigns, etc.

• It copies any other useful data held in the victim’s machine

• It sends phishing e-mails pretending to be the user to every contact – includes link to malware so it can propagate.

Page 8

WHAT WE LEARNED

• There was no indication of the initial compromise – complaints were only received after the malware tried to propagate via e-mail

• There were no indicators to tell how many users were compromised, how many of the company’s systems or data had been infected, or how much data was accessed or stolen

• No consideration for forensic readiness, so limited in terms of evidence

• There was no real plan for what to do in the event of a major incident such as this – it’s the first time it’s ever happened to them

• 100s of access attempts to the company’s remote desktop server were coming in from all over the world, including the US, Russia and China – some of the information leaked must have been useful or enticing to cyber criminals

• Key assumption was that the IT Service Provider set up IT infrastructure to be as secure as possible – this was incorrect.

Page 9

CASE STUDY – PHISHING/MALWARE

Page 10

CASE STUDY – BUSINESS E-MAIL COMPROMISE

• UK Charity – ~70 users

• Legitimate e-mail request sent to a third party, authorising the transfer of a £150,000 grant to a new start-up business – with Docu-signed PDF attachment

• Follow-up e-mail received from the same person at the charity, 24 hours later

• E-mail contained altered copy of PDF attachment, reflecting a different business’s bank account details, but without the Docu-sign seal.

• The recipient became suspicious, and queried it with another worker at the charity who raised the alarm internally.

• No payment was made, but it was close.

• Got us involved to investigate, but 1 week after the event…

Page 11

HOW DID THIS HAPPEN?

• The attackers logged into the person’s Office 365 account with his credentials (!!) – no failed login attempts!

• The person was based in Madrid, the attackers appeared to be in London on a mobile network, and in the US on a rented server

• The attackers only logged in four times:

  • the evening after the original e-mail was sent, to verify the credentials and possibly to locate the original e-mail

  • the morning of the attack, to set up rules to automatically delete the e-mails once they were sent (from Sent Items, Recycle Bin and Deleted Items)

  • just after noon, to send the e-mail. The rules automatically destroyed the e-mails.

  • ten minutes later, to check that no responses were received and that the rules worked.

• At this point, the alert was raised and the user’s password changed.

• The attackers tried to log in one more time and failed – they knew the game was up. No further attempted logins.
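The two signals in the login chain above (sign-ins from places too far apart to be one person, and a freshly created inbox rule that deletes mail) are exactly what audit-log monitoring should catch. The detector below is an added example, not the speaker’s material; the records are constructed samples with simplified Office 365 audit-log field names, and the 900 km/h threshold is an assumption.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
# Constructed sample records, loosely modelled on Office 365 unified audit log
# entries with simplified field names (an assumption, not a real export).
RECORDS = [
    {"time": "2020-06-01T19:05:00", "user": "grants@charity.example", "op": "UserLoggedIn",
     "country": "GB", "lat": 51.5, "lon": -0.12},   # evening after the original e-mail
    {"time": "2020-06-02T08:40:00", "user": "grants@charity.example", "op": "UserLoggedIn",
     "country": "ES", "lat": 40.4, "lon": -3.7},    # the genuine user, in Madrid
    {"time": "2020-06-02T09:10:00", "user": "grants@charity.example", "op": "UserLoggedIn",
     "country": "GB", "lat": 51.5, "lon": -0.12},   # 30 minutes later, from London
    {"time": "2020-06-02T09:12:00", "user": "grants@charity.example", "op": "New-InboxRule",
     "params": {"Name": ".", "SubjectContainsWords": "grant", "DeleteMessage": True}},
    {"time": "2020-06-02T12:05:00", "user": "grants@charity.example", "op": "UserLoggedIn",
     "country": "US", "lat": 38.9, "lon": -77.0},   # just after noon, from a US server
]
MAX_KMH = 900  # assumed threshold: faster than an airliner means two different people

def _km(a, b):
    """Great-circle distance (haversine) between two records carrying lat/lon."""
    la1, lo1, la2, lo2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(records, max_kmh=MAX_KMH):
    """(user, from_country, to_country, km/h) for each sign-in needing travel faster than max_kmh."""
    alerts, last = [], {}
    logins = sorted((r for r in records if r["op"] == "UserLoggedIn"), key=lambda r: r["time"])
    for r in logins:
        prev = last.get(r["user"])
        if prev:
            delta = datetime.fromisoformat(r["time"]) - datetime.fromisoformat(prev["time"])
            hours = delta.total_seconds() / 3600
            kmh = _km(prev, r) / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append((r["user"], prev["country"], r["country"], round(kmh)))
        last[r["user"]] = r
    return alerts

# Rule actions that hide or destroy mail; a new rule carrying any of these deserves a look.
HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder", "ForwardTo", "RedirectTo", "MarkAsRead"}

def suspicious_inbox_rules(records):
    """(user, rule name, action) for inbox rules whose parameters hide or remove mail."""
    hits = []
    for r in records:
        if r["op"] in ("New-InboxRule", "Set-InboxRule"):
            for action in sorted(HIDING_ACTIONS & set(r["params"])):
                hits.append((r["user"], r["params"].get("Name", "?"), action))
    return hits
```

On the sample data the Madrid-to-London and London-to-US hops are both flagged, while the genuine overnight London-to-Madrid gap is not; the rule check fires on the DeleteMessage rule created two minutes after the London sign-in.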

Page 12

WHAT WE FOUND

• The user’s Windows username and password were stolen, possibly through a phishing e-mail

• The attackers were organised, and had a valid money-mule bank account ready

• They were experts in their craft – worked quickly and removed all the traces they could. But audit log files told the full story

• We were lucky this time, though – log files were set up to roll over every 7 days. If they had contacted us a day later, we would not have had any evidence

• There was no consideration for forensic readiness – logs were available through happenstance, rather than design

• The charity did not have multi-factor authentication enabled on Office 365 – this could have prevented the user’s account from being abused

• Limited cyber security awareness amongst charity staff, which we suspect may have led to the compromised user account

• Cyber security is not just an IT problem!!!

Page 13

CYBER SECURITY AND REMOTE WORKING

Page 14

HOW TO SECURE YOUR (NOW) MOBILE WORKFORCE

• Foster continuous Cyber Security awareness, don’t become complacent

• Make sure you continue to do the basics to keep technology secure

• Use multi-factor authentication for remote or cloud service access

• Apply good practice security configuration baselines to your systems, both on premise and in the Cloud

• Make sure your IT team applies security patches to your systems in a timely manner

• Use enterprise-class anti-malware products, don’t skimp on protection

• Pay attention to the security of the services you publish on the internet, specifically remote access facilities

• Make sure an appropriate level of audit logging occurs on your key systems and that logs are retained for at least 90 days

• Make sure audit logs are periodically checked or continuously monitored for suspicious activities

• If you have an IT Service Provider, make sure the contract includes applying security best practice to the systems they manage

• Be prepared for a security incident – set up a response team, define response plans and practice

Page 15

KEY STRATEGIC ACTIONS TO CONSIDER

• Obtain Cyber Essentials certification, which includes free Cyber Insurance*, to demonstrate you maintain a basic level of cyber security hygiene within your organisation

• Review your organisation’s presence on the internet and determine your Digital Cyber Risk profile

• Commission professional network penetration testing to gain confidence in the effectiveness of your perimeter defences

• Perform a “Work at Home” assessment to highlight remote working cyber security risks

• Check your compliance with GDPR, especially if staff are processing personal data from their home offices

• Ask for help – schedule a session with our experts to talk through your cyber security concerns

https://calendly.com/sasha-lawrence/15min

*For UK-based SMEs with less than £20m turnover

Page 16

QUESTIONS?

Page 17

CS Risk Management

Unit 4 Brooklands Farm

Bottle Lane

Binfield

RG42 5QX

+44 (0)203 981 6555


www.csriskmanagement.co.uk