The Holiday call from a buddy you do not want to get – much less make.
Friday the week before Thanksgiving, driving home for the weekend – watching the late stages of the gorgeous sunset over the mountains of western Maryland. Phone rings – make sure it is on Bluetooth to safely take it in my truck (and adhere to Maryland’s hands-free phone law). I think, “Cool, it is my buddy we’ll call Greg; maybe we can grab a beer at the local brewery over the weekend.”
Greg: “James – can you talk?”
Me: “Sure, for you anytime.”
Greg: “You got time to help a friend of mine out?”
Me: “Tell me more.”
Greg: “Barry – runs a money management firm that has some very recognizable clients from sports to industry and politics – well, he thinks someone hacked his emails.”
Me: “Only his emails? Nothing else?”
So as you can see – late on a Friday before a holiday week, a friend of a friend found out the hard way that cyber hygiene is not just important; it can be life or death to a business. You see, he failed to maintain even a semblance of cyber hygiene. Ten months prior, he got a notification that his personal information was part of a breach at a significant retailer. Like many of us, he uses the same email and password on multiple websites – in this case, the one he used with the retailer was the same one he used for his email and many other places. Barry got the notice and did not change his password on the breached site, much less on any other website he used. He left himself open to compromise in virtually every part of his cyber life.
Like most of us, Barry is a conscientious, hardworking small business owner who did not understand the implications of not taking care of his cyber hygiene. The only things the hackers did not compromise were his bank and trading accounts. Why? Because the banks required multi-factor authentication. Yes, he used the same password there too. After a couple of days of hard scrubbing by two extremely seasoned engineers, it seems that four months after the breach, an entity that was working for or related in some way to one of his competitors bought his info off the “DarkWeb.” Then that entity started cyber reconnaissance on Barry’s company.
To sum up: A data breach at a major retailer exposed Barry’s email and password, and an unknown entity used that information to reconnoiter his company. During the six months he was under surveillance, he lost two long-term clients for no apparent reason. We believe that the entity was a competing company that used or accessed Barry’s data, which entirely undercut the trust that Barry had spent years building with those clients. According to the latest data breach report by IBM and the Ponemon Institute, the cost of a data breach in 2021 is US$ 4.24 million; this is a 10% rise from the average cost in 2019, which was $3.86 million.
Barry has lost customers, face, time, and privacy because he did not follow these simple Cyber Hygiene practices:
1) Don’t trust
2) Use Multi-factor Authentication everywhere possible.
3) Have a plan
4) Have a schedule
5) Practice your plan
6) Update your systems
7) Use end-point Protection
8) Gather Data on your Systems
9) Continuous improvement
10) Get a coach
1) Don’t trust anyone or anything. Barry trusted that using a complex password – combining numbers, letters, and symbols – would keep him safe. He thought he could trust a name-brand retailer to ensure his user info was safe. He trusted that he could have convenience over security by using the same email/password combination on multiple websites. Trust is a precious gift; don’t give it out to just anyone online – in fact, give it to no one. Computers are not trustworthy, and they will provide the desired output when given the right inputs, WHETHER IT IS YOU OR AN IMPOSTER! Your online “Aunt Jane” may be Aexiov in Belarus running a scam on you, and you don’t know. Trust no one. Barry did, and he paid the price. Don’t be Barry.
2) Use Multi-factor Authentication. The accounts that were not accessible to the entity surveilling Barry mandated MFA. MFA requires a second or third factor – usually on a smartphone – to assure you are who you say you are. In this case, it probably saved Barry from having his accounts cleaned out, which would have cost him his whole business, not just two customers. What makes me mad is that on every major system he used (email, client relationship management, website, etc.), MFA was either already available or straightforward to add on. It took us less than half a day to get MFA enabled on all his systems. Four hours of work would have saved him millions. Make MFA like “Pete’s Hot Sauce”: put that… stuff… on everything. Barry did not, and he paid the price. Don’t be Barry.
3) Have a plan. When Barry started to think something was wrong, he did not know what to do or where to start. He was panicked, but he was lucky he had a friend who had a friend. Once the cavalry arrived, we could pull out all the stops and get it solved, but Barry would have known the first, second, and third steps had he had a plan. In addition, had he had a plan, then once he got the notification of the breach, that plan would have told him to change that password and every other password used with the same email. Barry did not, and he paid the price. Don’t be Barry.
4) Have a schedule. If you are like me, it will not happen if it is not on the calendar. Changing passwords, updating your operating systems, and patching your firewall/router need to be scheduled – on a calendar. Just like your kid’s sports team, you have practices and games on the calendar. Come up with a schedule and write it down – or put it in your scheduling software – so you and your employees stay on top of the basic blocking and tackling of Cyber Hygiene. Barry did not, and he paid the price. Don’t be Barry.
5) Practice your plan. If you or your kids ever played sports, you know that having a game plan full of plays is worthless – unless you practice! As part of your schedule, you need to include time each quarter to practice what you do when you get a breach notification. What do you do first? What are the steps? Who makes the calls? Is there a call tree set up? Who are the alternates? Issues like these (and many more) get identified and resolved when you run through each case. Practice makes perfect – well, better at least. Barry did not, and he paid the price. Don’t be Barry.
6) Update your systems. One of my pet peeves is the number of daily breaches from known exploits. Looking at the front page of Mandiant Advantage, the top 10 exploited vulnerabilities reported are CVEs dating as far back as 2012, and NONE newer than 2019. If you have not updated your systems since 2019, do you think the hackers will give you a chance to catch up before you get exploited? Stay on top of your systems. While this did not play into Barry’s issue, as you can guess, there was no plan or schedule that Barry followed to update his systems. Barry was lucky; he was vulnerable and did not pay the price – this time. Don’t be Barry.
7) Use end-point Protection. What you may remember as anti-virus or anti-malware is more critical today than ever. Ransomware, root bots, etc., are more prevalent today than at any time I can remember – and I’ve been doing this since 1987. End-point protection – securing your system with a suite of anti-virus, anti-malware, endpoint firewall, and other tools to ensure the safety of your system – is a must. Barry had an unmanaged anti-virus installed that offered some protection, but not enough to combat today’s threats. Barry had some protections but needed more. Don’t be Barry.
8) Gather Data on your Systems. Once you have an end-point protection system in place, it will allow you to track and monitor your systems. You may want to get a larger view into your computer systems by implementing a SIEM or bringing in a Managed Security Service Provider (MSSP) to do that for you. Without information, you cannot improve. Monitoring what your systems are telling you lets you turn that data into information. Barry had no idea what his systems were doing. Barry paid the price. Don’t be Barry.
9) Continuous improvement. As you gather data, practice, update, and plan your Cyber Hygiene, you must start to take what you learn and fold it back into your plan. If you are not improving your Cyber Posture, you are falling behind. Again, our goal is to make you hard2hack. The bad actors are improving every day. Barry was stagnant; he paid the price. Don’t be Barry.
10) Get a coach. “Come on, James, this is a lot of stuff! I need to run my business, division, family, etc. I have no idea how all this works!” Great, I can help you. Join with me and others just like you who are too busy to figure this out by themselves. Barry now has a coach, be like Barry.
This was published at: https://www.cyberdefensemagazine.com/stayhackfree-2/
One response
The #1 thing to do, by far, is don’t reuse passwords, ever. It is inevitable that individual sites you use will get hacked and/or will have made poor decisions about how to store and share credentials. Use a unique password for each site – they can be based on an algorithm or you can just store them somewhere secure (I like PassVault myself). Also do not use passwords that other people would be likely to use, since people storing sha1 or md5 hashes sometimes forget to salt them, and there are numerous available rainbow tables and services on the web that will crack them before you can say ‘irreversible hash’.
#2, make sure you sign up for a service like https://haveibeenpwned.com/. Then, when passwords leak, you’ll know who’s bad at IT. 😉
Patching is a complex topic – sometimes patching increases your risk. Generally it’s best to just not have an attack surface if at all possible, and to know enough to know which patches need to be loaded immediately and which shouldn’t – as James alludes to above, if you yourself are not a programmer familiar with secops, have a friend or employee or consultant who is. Make sure someone you know has their ear to the ground for the heartbleeds and log4j vulnerabilities (to mention one big and one recent) of the world. Also, if you are running a business, have an IDS or WAF that gets updated signatures automatically.
Anyway, good article.
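The article’s point about acting on a breach notification (change the exposed password everywhere) and the commenter’s pointer to haveibeenpwned.com both come down to one check: is this password already sitting in a breach corpus? Below is an added example, not code from the article or from Have I Been Pwned, that performs that check the k-anonymity way: only the first five hex characters of the password’s SHA-1 leave the machine, and the suffix match is done locally. The `api.pwnedpasswords.com/range/` endpoint is real; the sample response lines and their counts are constructed for an offline run, and `hygiene-check` is a made-up User-Agent.

```python
"""Check a password against a breached-password corpus via k-anonymity."""
import hashlib
import urllib.request
from typing import Callable

# Constructed sample of a range response for prefix 5BAA6. Each line is
# "<35-hex-char SHA-1 suffix>:<count>". The middle suffix is the genuine
# SHA-1 suffix of "password"; the other suffixes and all counts are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
    ),
}

def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the network call; serves the constructed sample above."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")

def hibp_range_lookup(prefix: str) -> str:
    """Live lookup: only the 5-char prefix is sent, never the password."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "hygiene-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str,
                 lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_sha1(password)
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0

if __name__ == "__main__":
    # Swap in lookup=hibp_range_lookup to query the live service.
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw)
        print(f"{pw!r}: {'seen %d times, change it everywhere' % n if n else 'not in sample'}")
```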