Protecting MSPs from Million Dollar Ransomware Attacks

The DarkSide Ransomware Attack on CompuCom

On March 3, the IT managed service provider (MSP) announced they had fallen victim to a Darkside ransomware attack. The cybercrime group installed CobaltStrike beacons on several systems throughout the MSP’s environment. These beacons helped the threat actor steal data, spread the virus, and deploy ransomware payloads. 

The MSP expects the incident to result in losses of $20 million and counting due to the disruption of customer services and internal operations. Since CompuCom is up for sale, the attack has come at an inopportune time for the company. 


5 Best Practices to Integrate Cybersecurity With Your Business Strategy

What Does an Effective Business Strategy Look Like?

For many businesses, it’s been a long time since the business strategy was initially developed. If it was created a few years ago, it’s likely missing cybersecurity as one of its strategic initiatives. The role of cybersecurity has dramatically changed for the C-suite and should be re-evaluated in terms of its impact on strategy.

Any successful business will have a solid definition of its mission, values, and goals. In today’s landscape, every organization is in the business of cybersecurity. It should have a significant part to play in the overall strategy for the company’s success. How can you do this? By adopting the following five best practices to integrate cybersecurity with your business strategy.

5 Ways to Integrate Cybersecurity With Your Business Strategy

Integrating cybersecurity with your business strategy shouldn’t be as painstaking as it may initially seem. Whether you’re in the beginning phases of establishing a business strategy or your organization is re-evaluating your long-term goals, you can follow these five best practices as a starting point to integrate cybersecurity with your business strategy.

1. Identify your business’ key goals and aspirations

What is the overall purpose of your organization? Evaluate the specific milestones you have set to realize that purpose and now look at them in a new way. How does cybersecurity make or break the mission? These are important considerations to integrate into your strategic initiatives.

2. Pinpoint areas of weakness in your cybersecurity hygiene

When you evaluate risk throughout the organization, C-level executives are particularly strong at considering threats impacting financial risk, competitive changes, loss of key employees, market shifts, environmental events, and other disasters. Now, add cybersecurity risk to this same equation. Don’t make the mistake of assuming an IT department is covering this base. Executives must seek out the same details on potential impact from cybersecurity threats as they do in other areas. Conducting a risk analysis can help you identify weak areas in your cybersecurity hygiene and risk-rank vulnerabilities that need to be addressed first. You might need a third-party information security expert to provide an unbiased view of your risk. Specialists at KirkpatrickPrice can help pinpoint weak areas in your cybersecurity hygiene, give you advice on how to remediate those findings, and help fine tune your strategic initiatives.

3. Determine how your people, processes, and technology need to evolve

The cybersecurity landscape is constantly changing, and you need to make sure that your people, processes, and technology are able to swiftly adapt. Humans are generally the root cause of security incidents – whether it’s out of ignorance or deceit – and so it’s up to your organization to ensure that all personnel understand the cyber threats they’re faced with on a day-to-day basis. Requiring annual, thorough security awareness training is one way to do this. As for your processes and technology, how often do you update them to meet information security best practices? Do you conduct internal audits to validate the security of your processes and technology? Are you making investments in technology that will improve the cybersecurity of your organization?

4. Implement a strategy for cybersecurity best practices

Once you’ve identified your key goals and aspirations, identified areas of weakness in your cybersecurity hygiene, and found ways that your people, processes, and technology need to evolve, you need to decide how exactly you’ll be implementing these five best practices. Will you use a framework like NIST to guide your efforts? Will it require you to partner with an MSP or hire more IT personnel? Do you need to hire an independent, third-party firm to validate your cybersecurity efforts?

5. Leverage cybersecurity and compliance for success

Strategic planning is what guides all that you do in your organization. Cybersecurity and compliance are strategic initiatives that serve as benchmarks for your business. Do we have a cybersecurity mission? Have we identified our cybersecurity goals? What are the plans to get there? Have we defined the resources we need? Are we monitoring our progress to quantify success? Ultimately, these will become strengths that are important to your clients and other stakeholders. You might train your sales and marketing teams on how to communicate your strategic differentiation in the market because of your cybersecurity and compliance strengths. Leading firms have a dedicated cybersecurity landing page on their website that explains the “why” behind cybersecurity and how it serves as a strategic goal in their business.

All in all, cybersecurity can no longer be an afterthought or kept at arms-length from the boardroom. It must be a proactive effort – one that is ingrained in the company culture and strategic purpose. If your business is struggling to adopt these five best practices to integrate cybersecurity with your business strategy, let’s find some time to talk to see how we can help you.


How Much Is Your Data Worth to Hackers?

How much do you think a buyer on the dark web would pay for stolen data?

How much would you estimate a hacker can profit off of personal data?

The truth is, the price of stolen data is worth the risk for hackers but always costly for organizations that store, process, transmit, or destroy personal data.

How Do Hackers Make Money?

When a system is breached and personal data is stolen, the hacker involved in the malicious activity will typically sell or advertise that data on the dark web. Even if your company is small, a hacker will cast a wide net to obtain stolen information from multiple sources.

If they steal personal data from your organization, it will cost you money – that’s the end of it. It’s up to you to decide if the cost of stolen data is worth it, or if proper information security testing is a better investment.

How Much is Hacked Data Sold For

Symantec released an in-depth Internet Security Threat Report in 2019 that lays out a cost sheet for the most commonly sold personal data.

Here’s how much hackers earn after stealing the personal data you are responsible for:

  • Online banking account – 0.5%-10% of value
  • Cloud service account – $5-$10
  • Hacked email accounts (groups of 2,500+) – $1-$15
  • Hotel loyalty from reward program accounts with 100,000 points – $10-20
  • Stolen identity – $0.10-$1.50
  • Medical notes or prescriptions – $15-20
  • Stolen medical records – $0.10-$35
  • ID or passport – $1-35
  • Full ID – $30-100

While these numbers may seem small for individual pieces of data, the total value of the data starts to add up.

If you store passport data, how much could a hacker earn by breaching your database? If you process online payments, how much could a hacker earn by skimming your site? The cost of the individual may be minor, but when you view it in terms of entire databases of personal information, the costs can make a huge impact.

The Real Cost of a Personal Data Breach

Let’s take a look at a recent breach that made headlines – DoorDash. The food delivery service was breached in September 2019 when a hacker stole private information of 4.9 million customers and delivery workers which included full names, delivery addresses, phone numbers, digits of credit cards and bank accounts, and hashed passwords.

If we use the data from Symantec’s report that claims, at the cheapest price, full ID packages can be sold for $30, we can estimate that the personal data stolen from DoorDash was worth $147 million. The hacker that breached DoorDash’s system is probably sitting on a good profit right now. Do you want your organization to be the next target for a hacker looking to make a good buck off stolen personal data?

How to Stop the Hacking Money Machine

So, what can you do to protect your organization from fueling the money machine of hackers selling personal data on the dark web?

You can start by annually testing your processes and controls to make sure your system can withstand common hacking tactics, whether that’s through your internal audit team or the external penetration testers who are skilled enough to spot suspicious activity. Staying updated on current hacking tactics provides greater assurance that your employees will recognize an attack early on.

Organizations have a great responsibility to protect individuals’ personal data because they store, transmit, process, and destroy so much of it. Whether it be employee data or client data, you need to have practices in place that secure information and work against a hacker’s tactics.

If you’re interested in learning more about third party penetration testing to mitigate the risks you face, contact KirkpatrickPrice today!


Dangers of XSS Attacks at Healthcare Organizations

In October 2019, Citizen Times reported that Mission Health, North Carolina’s sixth-largest health system and HCA Healthcare’s North Carolina Division, had disclosed a data breach caused by a cross-site scripting (XSS) attack.

Cross-site scripting (XSS) vulnerabilities rank among OWASP’s top 10 web application security risks. XSS occurs when a web application doesn’t properly sanitize user input and that input (such as malicious code) is either reflected or stored on the returned page. The best way to combat the dangers of XSS vulnerabilities is to perform code review before the application goes into production.

This attack, which injected malicious scripts into Mission Health’s e-commerce web application, wasn’t found for three years. Fortunately, the e-commerce site didn’t impact any PHI, but three years’ worth of names, addresses, payment card numbers, expiration dates, and CVV codes were sent to unauthorized individuals.

Can you imagine if this XSS attack targeted a web application that touched PHI? Could code review have found this XSS flaw? Would penetration testing have helped? This data breach is just one more example of the added precautions healthcare organizations must take to identify all areas of risk and implement cybersecurity best practices, even if they have to go beyond HIPAA requirements.

Cybersecurity in Healthcare

The number of data breaches that occur within healthcare proves it to be an industry that isn’t keeping up with the cybersecurity threat landscape. According to IBM’s 2019 Cost of a Data Breach Report, the healthcare industry has the most expensive data breaches – the average totaling $6.45 million.

What makes data breaches even more expensive? Time. The time it takes to find the breach and the time it takes to contain and respond to it. IBM reports that, on average, it takes organizations 206 days to identify a data breach and 73 days to contain that breach.

That means when a data breach occurs, it will take the organization about nine months just to find and stop it. Unfortunately for Mission Health, the time it took them to find the injected malicious scripts was about three years – much higher than average.

Perform Code Review to Find Cross-Site Scripting Flaws

Cross-site scripting occurs when a web application doesn’t properly sanitize user input and that input (such as malicious code) is either reflected or stored on the returned page. In Mission Health’s case, it was stored – which can have a severe impact. Web applications are one of the most common attack surfaces for data breaches, and OWASP has determined that XSS flaws are among the 10 most critical security risks to web applications.

It’s extremely difficult to find and remove XSS flaws from a web application, but OWASP says:

“The best way to find flaws is to perform a security review of the code and search for all places where input from an HTTP request could possibly make its way into the HTML output.”

Code review is a tedious job, but someone needs to do it so that XSS flaws or injected malicious scripts don’t go unnoticed for three years.

Part of thorough code review is testing against OWASP’s XSS prevention rules:

  • Never Insert Untrusted Data Except in Allowed Locations
  • HTML Escape Before Inserting Untrusted Data into HTML Element Content
  • Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
  • JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
  • HTML escape JSON values in an HTML context and read the data with JSON.parse
  • CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style Property Values
  • URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
  • Sanitize HTML Markup with a Library Designed for the Job
  • Avoid JavaScript URLs
  • Prevent DOM-based XSS
  • Use HTTPOnly cookie flag
  • Implement Content Security Policy
  • Use an Auto-Escaping Template System
  • Use the X-XSS-Protection Response Header
  • Properly use modern JS frameworks like Angular (2+) or ReactJS
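To make the first few rules in this list concrete for a reviewer, here is an added example (not from the original article or from OWASP) that renders one stored value into three output contexts, first without encoding and then with the encoder that matches each context. The function names, the review fields and the sample record are all constructed for illustration.

```javascript
// Added illustration; every name and the sample review are constructed.
const storedReview = {               // value as it might sit in the database
  author: 'Mallory"><img src=x onerror=alert(1)>',
  body: '<script>alert(1)</script>',
  tag: 'great value & fast',
};

// HTML element content: escape the characters that can open markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, c => map[c]);
}

// Quoted HTML attribute: encode every non-alphanumeric code point as &#xHH;
function escapeAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    c => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// JSON inside HTML: serialize, then \u-escape characters that could end the
// script element or be read as markup. The page reads it back with JSON.parse.
function jsonForHtml(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Before: stored input flows straight into three different output contexts.
function renderReviewUnsafe(r) {
  return `<div class="review" title="${r.author}">${r.body}` +
    `<a href="/search?tag=${r.tag}">more</a>` +
    `<script>var review = ${JSON.stringify(r)};</script></div>`;
}

// After: each sink gets the encoder that matches its context.
function renderReviewSafe(r) {
  return `<div class="review" title="${escapeAttr(r.author)}">${escapeHtml(r.body)}` +
    `<a href="/search?tag=${escapeAttr(encodeURIComponent(r.tag))}">more</a>` +
    `<script type="application/json" id="review-data">${jsonForHtml(r)}</script></div>`;
}

// Review aid: does any opening tag from the stored value survive verbatim?
function leaksRawMarkup(html, r) {
  const tags = Object.values(r).flatMap(v => String(v).match(/<\w[^>]*>/g) || []);
  return tags.some(t => html.includes(t));
}

console.log('unsafe leaks markup:', leaksRawMarkup(renderReviewUnsafe(storedReview), storedReview));
console.log('safe leaks markup:  ', leaksRawMarkup(renderReviewSafe(storedReview), storedReview));
```

In the safe version the client would read the data block with `JSON.parse(document.getElementById('review-data').textContent)`, which restores the original strings without ever treating them as markup.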

Web Application Penetration Testing

Once code review is performed, a web application penetration test should also take place. The goal of the penetration test is for no additional web application vulnerabilities to be discovered. If there are, that means the code review wasn’t thorough enough – but penetration testing is valuable for validating this.

Web applications can be problematic for many security analysts who don’t have the experience to be testing them – especially if it’s done in conjunction with code review. We often see other firms blindly assign an analyst to a web application project, but without the proper knowledge and expertise, a penetration tester can miss important findings within the web application. That’s why web application penetration testing methods at KirkpatrickPrice include the following, plus more:

  • Forced Browsing
  • Session Management
  • Cookie Manipulation
  • Source Code Disclosure
  • Response Splitting
  • File Upload/Download Attacks
  • URL Manipulation
  • Injection Attacks for HTML, SQL, XML, SOAP, XPATH, LDAP, Command
  • XSS

At KirkpatrickPrice, we also take a hybrid approach to code review that includes both automation and manual assessment in order to find any vulnerability that, if discovered, could be abused. Our team of highly skilled penetration testers have the expertise to understand the complexities of your code.

If you want to avoid a data breach due to unnoticed, cross-site scripting flaws like the one at Mission Health, contact us today.


4 Ways to Minimize Risk in IoT Devices

Internet of Things (IoT) technology makes daily tasks easier. From smart home devices to entire smart cities, these interconnected devices are changing the way we interact, do business, and live our lives. But with any new technology implementation, there are risks involved, and this especially rings true for IoT. Because the demand for IoT devices is projected to rapidly increase — Gartner predicts that the number of IoT devices in use will reach 20.4 billion by 2020 — organizations must be proactive in mitigating the threats to IoT technology. So, how can they do that? Here are four ways to minimize risk in IoT devices.

4 Ways to Minimize Risk in IoT Devices

1. Take Inventory

The first step in reducing the risks associated with using IoT devices is taking inventory. What IoT devices are currently connected to your network? How are they being managed? How are you updated when a new IoT device is added to your environment? What BYOD policies do you have in place? To limit the attack surface, knowing what you have is crucial. This means knowing what devices, both hardware and software, your organization has deployed as well as the IoT devices your employees bring into your environment.

2. Design for Security

Organizations are quickly developing and adopting their own IoT technologies, and with that, vulnerabilities are bound to slip through the cracks. But rushed development and/or implementation can have detrimental results. When adopting or deploying IoT technology, organizations must be sure to carefully design for security. Developers must be proactive and lay a foundation for security before the device falls victim to potential attacks like malware, ransomware, or DDoS. For example, during the development stage, developers need to consider what type of data must be collected and how it will be secured. For IoT devices that transmit sensitive data like protected health information or payment card data, organizations should consider using various protections, like firewalls or SSL encryption. In recent cases, healthcare devices are amongst the most vulnerable IoT devices for malicious attacks, like the Medtronic CareLink 2090 — a device designed to monitor pacemaker settings — and the Medtronic MiniMed 508 — a device used to monitor insulin. Because these devices had poor authentication and encryption features, the software became vulnerable to malware infections and malicious use, putting patient lives at risk.

3. Perform Risk Assessments

Whether your organization offers IoT technology as a product or service or uses it to conduct business, performing a risk assessment is essential for mitigating any and all potential vulnerabilities. Even if the IoT device has been developed with security in mind, there could still be unidentified vulnerabilities that could be exploited by a malicious hacker. Not to mention, there are likely IoT devices in use by your organization that you might not consider a traditional attack vector, and those devices are equally as important to assess. For example, an American casino experienced a data breach via their aquarium because a malicious hacker compromised their IoT temperature sensor, gained access to their network, and stole data about high-paying customers. By performing a risk assessment, organizations will be able to identify and mitigate potential weaknesses, no matter where or how seemingly non-threatening they may be, in their IoT technology and will be more prepared to avoid possible security incidents.

4. Undergo Penetration Testing

Before deploying any IoT technology, organizations would be wise to undergo IoT penetration testing. Why? Because even with the most experienced development and internal audit teams, some vulnerabilities may remain undiscovered. By receiving third-party assurance via penetration testing of the IoT devices your organization is using, you can ensure that your organization’s data and reputation remains secure.

Securing Your IoT Devices: Invest Now or Pay the Price Later

According to Symantec, “IoT devices experience an average of 5,200 attacks per month” and were an emerging attack vector throughout 2018. Considering this, as threats against IoT devices continue to rise and organizations continue to quickly adopt IoT technology, mitigating the risks associated with using such devices needs to be taken more seriously. By using these four steps to minimize risk in IoT devices, your organization can help secure your data, protect your reputation, and gain peace of mind that the IoT devices in use are as secure as possible. It’s not worth rushing the development or implementation of an IoT device that could lead to a breach later. Invest in security from the start, so you can prevent potential costly data breaches in the future.

Want to learn more about how you can minimize risk in IoT devices? Contact us today to find out how KirkpatrickPrice can help you ensure the security, availability, and confidentiality of the IoT devices your organization uses through penetration testing.
