“Good riddance, 2020. I’m so glad to get that year behind us so we can get back to normal!” is a phrase you may have uttered more than once. The last year has been hard; that’s undeniable, but from a cybersecurity perspective at least, few things have changed. The cyber threat landscape, the threat actors, the state-sponsored hacker groups, and the malware they produce do not care what year it is, or even that it’s not the same year anymore.
Quickly on the heels of several other state-sponsored attacks such as SolarWinds, we got the zero-day Exchange hack. Krebs on Security estimates that there were nearly 30,000 on-premises Microsoft Exchange systems targeted and installed with persistent malware to exfiltrate data. Once identified, Microsoft immediately released a patch, followed by a workaround for organizations that were simply not able to patch quickly enough. This attack highlighted for many organizations that patching is still the cornerstone of a comprehensive cybersecurity policy, and many were also surprised to find out they still had Exchange within their company despite being on Office 365 for years. The severity of this vulnerability also became a point of reference for the GSEs and multiple state regulatory agencies to ask what mortgage companies are doing around cybersecurity to protect themselves and the consumer.
Remote Workforce Shifts
2020 brought a significant change to everyone’s strategy for securing the enterprise: the very sudden shift to a mostly or fully remote workforce. With the lockdown of public gathering areas, organizations found a need to quickly expand their remote work infrastructure or implement one if it did not already exist. This often expanded the discoverable attack surface of the enterprise by exposing insecure services, systems, and protocols to the Internet so the workforce could continue business as usual remotely.
Another unanticipated challenge was a lack of laptops to issue to staff. The squeeze on tech vendors’ ability to source new equipment resulted in the use of personally owned devices in half-implemented Bring Your Own Device (BYOD) programs.
The weakest part of the majority of networks is the human element. Attackers know that tricking a human into compromising a system for you is still one of the most successful attack methods. The numbers simply don’t lie:
- 88% of organizations worldwide experienced spear phishing attempts. (Proofpoint)
- 48% of malicious email attachments are office files. (Symantec)
- 65% of groups in 2020 used spear-phishing as the primary infection vector. (Symantec)
- 1 in 13 web requests leads to malware. (Symantec)
- Phishing attacks account for more than 80% of reported security incidents. (CSO Online)
In 2019, ransomware was the main-stage concern for mortgage companies. Going into 2020, while it wasn’t the number one issue, this attack vector showed no signs of slowing down. In fact, December of 2020 saw a 7x increase over July 2020, as well as consistent growth in Ransomware as a Service (RaaS) (Fortinet Global Threat Landscape Report 2/21). RaaS provides attackers with “one-click” solutions for automating and managing an attack. Even if you have the discovery and containment process as streamlined as it can be, the frequency of backups and the time to restore that critical data determine your overall productivity loss to the business.
- The average cost of a ransomware attack on businesses is $133,000. (SafeAtLast)
- The average ransomware payment rose 33% in 2020 over 2019, to $111,605. (Fintech News)
- Most malicious domains, about 60%, are associated with spam campaigns. (Cisco)
Below is a list of what we consider the most effective controls to put in place to mitigate the most prevalent threats facing the enterprise today.
- User awareness training. Tricking users is one of the most common attack vectors because of its high likelihood of success. You should focus on educating everyone in the organization to recognize and respond properly to malicious email and other forms of social engineering. This can be done through simulated phishing campaigns, newsletters, and a wide range of other training materials.
- Frequent external and internal vulnerability scans. With more services and systems exposed to the internet than before, the first step in plugging the dam is finding the holes.
- Penetration testing. If you have public facing web apps, VPN concentrators, or WiFi access points, you should test the effectiveness of your perimeter controls against unauthorized access by someone with the same kinds of tools and abilities as a malicious actor. Let them help you find the holes and show you how to close them.
- Patch management. With the expansion of public facing systems and services, and the possible introduction of home networks logically converged with the organization’s internal network, this has become exponentially more important.
- Reduction of the attack surface. Limit hosts and services exposed to the internet. Take the flagged data from your external scans and penetration tests and restrict access to the bare minimum possible that still enables the business. Also consider limiting the amount of information you make available publicly in places such as domain registrations and social media.
- Threat intelligence. Subscribe to threat feeds, news bulletins, and other real-time information to stay aware of current threats and attack vectors.
- Frequent backups. Nothing is worse than an organization paying to stop a ransomware attack. An organization’s ability to recognize and contain a ransomware infection, along with an efficient backup and restore strategy, directly affects the cost of such an incident.
- Tool optimization. It is not enough to buy some cool new technology or service. It must be deployed to as many systems as possible across the enterprise, configured correctly, and managed properly. Again, many cyber-attacks succeed simply because an existing tool was not configured properly or had too loose a policy in place.
- Endpoint controls. Block scripting execution (PowerShell, WMI, PsExec) at the endpoint. These tools are commonly leveraged by fileless attacks for persistence, lateral movement, and data exfiltration.
Executive Director, Cybersecurity Measures
John-Thomas Gaietto has more than 22 years of experience providing enterprise information security and risk management services to a variety of organizations, with a particular emphasis on the financial services industry. He has a proven track record of collaborating with senior leadership and Boards of Directors to improve productivity and business alignment while maintaining security and regulatory compliance. JT’s vast expertise includes the development of security strategies based on organizational risk, oversight of security operations, incident response, third-party risk management, disaster recovery, building and leading high-performing Information Security teams, and customer and government due diligence oversight. His experience includes numerous compliance verticals, such as PCI-DSS, Sarbanes-Oxley, HIPAA, GLBA, FISMA, TPN, ISO, SOC, New York State Department of Financial Services Data Security and GDPR.
John-Thomas Gaietto currently lives in Lakewood, Colorado with his wife and son. In his free time, he enjoys all things outdoors, including skiing, mountain biking, hiking, and working towards completing his goal of climbing all of Colorado’s 14,000 foot peaks. He also dedicates his time to youth organizations, such as the Boy Scouts of America, serves as a Volunteer Board Member at Westerra Credit Union, and sits on the Content Delivery & Security Association (CDSA) Technology Committee.