Government agencies and organizations have long been a top cybercriminal target. These same creeps are now using COVID-19, or Coronavirus, to sneak their way into YOUR network.
Hackers love government organizations because the information they hold is confidential, often classified, containing the kind of secrets hackers and state-sponsored groups lust after. The pandemic ups the ante, as hackers are launching new phishing and ransomware attacks exploiting Coronavirus fears.
On top of new threats, government groups are moving at lightning speed to remote work, something they are not used to. There are myriad training, adoption, and security issues that must be addressed for this government-related remote work to be safe and productive.
We are covering nine government security issues raised by COVID-19/Coronavirus, along with how CoreView addresses each.
Scams are exploding, with hackers posing as charities or other COVID-19-related organizations. “The Cybersecurity and Infrastructure Security Agency (CISA) warns individuals to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19). Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes,” the agency warned. “Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.”
Here are some key CISA email tips:
E-mail is the most common way hackers breach your systems, so insecure mailboxes, and poor e-mail user practices are perhaps your biggest security exposure. Mailboxes are made vulnerable through insecure, weak, and never expiring passwords, as well as a lack of multi-factor authentication (MFA).
Meanwhile, monitoring employee activities such as their mailbox practices can identify risky behavior and proactively secure business-critical data. Preventing risky activities such as auto-forwarding to external email addresses and limiting access rights to other users' mailboxes can prevent the spread of malware and the leakage of data through emails. In addition, being aware of unusual email activity prevents targeted spam or social engineering tactics common among today’s cybersecurity threats.
Key rules applied to mailbox security relate to access rights. CoreView flags user accounts with anomalous permissions such as access rights to more than five other user mailboxes, accessing mailboxes of other departments, disabled accounts able to access mailboxes, and more. These are not for Room, Shared, or Team mailboxes, but rather actual User Mailbox accounts. Users who have this type of advanced access rights to other users’ mailboxes should be investigated to ensure they are being used for acceptable business purposes.
Often, mailbox security can be compromised by spam and malicious malware. CoreView can discover instances of malware sent from your organization via e-mail – and track this spread in minute detail.
Government organizations are the number two ransomware target, according to Bitsighttech. In fact, ransomware attacks more than tripled in the government sector in the last year. “Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation’s networks, locking up private sector organizations and government agencies alike. And that’s only what we’re seeing – many more infections are going unreported, ransoms are being paid, and the vicious ransomware cycle continues on,” CISA explained. “We strongly urge you to consider ransomware infections as destructive attacks, not an event where you can simply pay off the bad guys and regain control of your network (do you really trust a cybercriminal?).”
Here is CISA’s ransomware advice:
To deal with ransomware, you must:
Malware often gets through anti-virus/anti-malware defenses, especially zero day attacks. CoreView provides auditing tools for cloud operations. CoreView shows you every single file accessed, and every single action taken by an administrator or a user since they had a security event on one of their devices. That is how we prevent malware like ransomware from going on, and on, and on, and on – spreading throughout the organization. We proactively see and report on what was touched and then do a deeper dive analysis on those actions.
By speeding up security audits and performing more efficient forensic analysis, IT quickly closes any security issues when they are identified. Finding the audit trail to identify these types of attacks is extremely difficult, and requires assistance from specialized tools that have powerful security auditing and analysis capabilities – like those offered by CoreView.
Most successful breaches are against unpatched or legacy computers. Keeping devices updated is critical to proper cybersecurity. “Adversaries operating in cyberspace can make quick work of unpatched Internet-accessible systems,” CISA warned. “Many organizations lack robust patch and configuration management policies and procedures to guide the coordination of vulnerability management-related activities at an operational level.”
Patches act as blueprints for hackers who reverse engineer the vulnerability identified by the patch, and launch attacks knowing many devices will not be updated – making them sitting ducks. It is taking less and less time for these attacks to appear. “Moreover, the time between an adversary’s discovery of a vulnerability and their exploitation of it (i.e., the ‘time to exploit’) is rapidly decreasing. Industry reports estimate that adversaries are now able to exploit a vulnerability within 15 days (on average) of discovery. After gaining entry into information systems and networks, these adversaries can cause significant harm.”
During this crisis, many government-related employees are working from home, still just miles from the office. In other cases, workers leave the area, going to vacation homes, living with friends or relatives, fleeing the hardest hit zone. There is no telling what devices they use for work, and to connect to the corporate network. While a productivity boost, all these devices are a security nightmare.
IT should know exactly what these devices are for several reasons. Systems are only secure if they are patched and using up-to-date modern software, including operating systems. Windows XP does not rate as a high security platform! What is the OS, what is the patch status? Is the device safe?
Mobile devices have the same concerns. What kind of OS is running? Is it up to date?
Keeping software patches and anti-virus tools up to date requires that IT knows, and can validate the configuration of workstations, laptops, and mobile devices, and what software is installed. More to the point, how do you know if the device is infected? And if it is, how do you know what that device did to potentially spread malware or other malicious software?
CISA sees network segmentation as making systems more vulnerable. If a hacker cannot break into one network segment, he can go after another not as well protected. “The decentralization of organizations and their governance processes makes it difficult to coordinate the remediation of vulnerabilities. Network owners should be aware of who is operating their respective networks, if not done in-house,” CISA said.
This same theory applies to end user access rights, which are too often overly broad and deep. Did you know that 80% of SaaS breaches involve privileged permissions? And that admins have the most privileges of all?
With CoreView, you can segregate your operator responsibility by implementing a granular RBAC – but first, ask yourself:
CoreView addresses these pain points with our Role-Based Access Control (RBAC) features that give you fine-grained control over what admins can, and cannot do.
Ponemon’s ‘Cost of a Data Breach’ Survey explains the damage of data breaches. What is the cost of losing a file? They say $141. The average cost to an enterprise of a breach — $3.62 million. It is about 191 days on average to figure out that you have had a data breach.
The best defense is stopping breaches before they happen. From a prevention standpoint, CoreView has a global suspicious sign-in attempt map showing not only what IP address hackers were attacking from and failed, but also what accounts they went after. It also shows if the configuration included multifactor authentication or not, and whether or not conditional access policies were effective for a specific attempt. Finally, it details the end-result of the sign-in attempt.
Data breaches sometimes bust through the best barriers. Moreover, most IT shops discover the incursion months or even over a year after it happened. How then do you figure out how and why it happened?
The answer is forensics that rely on long-term log retention so you can perform a proper security audit. Here you discover what happened so you can minimize ongoing damage, and by finding the source, stop it from happening again.
Once a data breach or malware infection occurs, you need to find out everything about it. CoreView, though, quickly gets to the heart of the matter. A CoreView-enabled administrator can choose ‘file access’ and see all the files, the names, and the paths to the files that were accessed after the breach or malware attack.
A common assumption many have is that IT, which controls the infrastructure, apps, and data, is inherently trustworthy.
Too often those in IT blindly trust others in IT, and give these workers higher level privileges than they need, and which can be used to abuse access to corporate and personal information. According to a survey by Cyber-Ark, a third (35%) of IT pros spy on other company employees.
A sizeable portion of insider breaches come from technical staff: 6% from developers and another 6% from admins, according to the Verizon Data Breach Investigations Report. Many insider incursions result from privilege abuse, though there are many other ways IT abuses its access.
The first defense is using RBAC to only grant privileges that are absolutely needed, and only for the time, these privileges are absolutely needed for. At the same time, have a system for tracking admin activities and let admins know tracking is in place. This alone can ward off many dangers.
The Verizon report finds that 14% of breaches come from insiders. Insiders are more dangerous than most outsiders are. Insiders are already on the network, and sometimes with high-level privileges.
To fight off the insider threat, you need a full approach to security, along with the ability to address Microsoft 365-specific vulnerabilities. A key issue is knowing what is going on in the network and controlling dangerous activity.
Verizon advises IT to implement strong access controls and provide access levels fitted to true needs, trust, and levels of responsibility. “Having identified the positions with access to sensitive data, implement a process to review account activity when those employees give notice or have been released,” Verizon suggested.
The answer is to identify internal and external threats to your environment — then step up your defenses. Here, CoreSuite alerts give you an early warning system for internal and external threats to your Microsoft 365 environment, so you can identify and defend yourself against security breaches before they occur.
As much as cybercriminals around the world attack government systems, insiders can be a more insidious threat. Often this is through social engineering where the employees are unwitting participants. Often insiders are angry and want revenge, or are even paid to steal data, or wreak havoc.
Insiders should be subject to Least Privilege Access Policies to minimize damage. And IT should be able to track inappropriate sharing of data, and all end user actions to detect and prove malfeasance.
Systems such as Microsoft 365 collect literally millions of bits of information – for larger shops it takes little time at all to reach this many data points.
CoreView provides 1-year audit data collection, which can be extended however long the customer wants. However, ask yourself:
CoreView can produce a log in seconds for every end user or administrative action taken in Microsoft 365 since the platform was initiated. Real-time monitoring and alerts for security compliance issues is the engine that drives much of the data that forms the logs. Smart IT shops now enable real-time monitoring and alerts for potential security compliance issues in their Microsoft Office 365 environment.