Use this tactic to block data breaches.
Welcome to Cyber Security Today. It’s Friday June 12th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Today’s podcast offers another example of how not following the basics of cybersecurity led to companies being hit by ransomware. So corporate managers and heads of IT need to pay attention.
The story starts with a report last week from security teams at BlackBerry and KPMG detailing the workings of a recently discovered strain of ransomware they call Tycoon. Those behind the use of Tycoon often target small and medium-sized organizations. The attack on the unnamed firm in the report started by going through a server that uses Microsoft’s remote desktop protocol, also called RDP. RDP is how people working outside the company — for example on trips or working from home — can log in so they can access the organization’s computer system.
After getting into the RDP server the attacker got hold of the IT administrators’ usernames and passwords, which allowed access to all systems. The attacker disabled the anti-virus on the initial server, deposited backdoor software so they could get in and out more easily, and then left the system. A few days later, the attacker came back and started exploring the organization’s computer network, finding and then compromising more servers with ransomware. The last step was to activate the ransomware.
The report is full of interesting information for IT cybersecurity professionals who need to watch out for clues from this particular attack so they can protect their systems. But two things struck me: First, how did the attacker initially get in through the supposedly protected RDP server? And second, how did the attacker get hold of the IT administrators’ usernames and passwords? I sent those questions to BlackBerry, and the answer was the administrators’ accounts were not protected with two-factor authentication. For those who don’t listen regularly, two-factor, or multi-factor, authentication means more than a username and password are needed to log into a system. An extra code that can’t be guessed or intercepted, sent to a device an attacker doesn’t control, like a smartphone, is needed. A fingerprint or face scan could also be used. Two-factor authentication negates the chance a hacker can use stolen passwords or use an automated system to guess a password. BlackBerry told me that having two-factor authentication makes it much harder to hack a system.
In my opinion everyone in an organization — especially IT teams — should have to use two-factor authentication for logins to their systems.
You see, just compromising one server or desktop computer doesn’t necessarily get an attacker access to everything. Think about your organization: Staff in the sales department can’t access the system used by the legal department. The accounting department can’t access the system used by manufacturing, and so on. So attackers will try to get IT administrators’ passwords early in an attack. Block that from happening and you block a lot of attacks.
Remember, the attack started with getting in through the RDP server. By the time the forensic analysts had been called in, the RDP server had been fixed, so researchers don’t know exactly how it was abused. But BlackBerry told me the attacker somehow had someone’s username and password. If users and the server had been protected with two-factor authentication, the hacker would have been stopped. And even if they had got in, when they tried to compromise the administrators’ passwords they would have been stopped there, too.
The importance of protecting passwords was underlined by a separate report this week from a security vendor called Sophos. It looks into an automated attack on organizations using Microsoft’s SQL database. These databases and the servers they are on should be password-protected. This attack uses automation to guess username/password combinations. Again, it could be at least partly foiled through the use of two-factor authentication.
Many reports by security researchers emphasize that stolen or guessed passwords figure in some way in most data breaches.
I want to add that mandatory use of two-factor authentication won’t stop all attacks. And the way two-factor authentication is implemented has to make sure it can’t be undermined. Other basic cybersecurity tactics including making sure staff use strong passwords, quickly patching software and reminding staff how to identify suspicious email are also vital. But use of two-factor authentication has proven to be one of the biggest ways to improve an organization’s data security.
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.