The IT Nerd

The UK Government has just updated their Network and Information Systems (NIS) regulations in order to bring providers of outsourced IT and managed service providers (MSPs) into scope. The regulations were introduced to improve the cyber security companies which provide services to energy, healthcare and transport sectors. Fines of up to £17m will could be issued for non-compliance.

Yaron Kassner, CTO and Cofounder, Silverfort had this commentary:

“The Government’s decision to update these regulations reflects how MSPs present a ripe target for attackers.

“As central points of cybersecurity management for lots of organizations – they provide a jumping-off point for lateral movement inside a large number of environments. As we saw with Operation Cloudhopper – attackers were able to access MSP customers using seemingly legitimate credentials, before moving through the network to exfiltrate data.

“While controls such as MFA on internal resources could technically help address attacks like this, the regulation provides a necessary impetus to ensure MSPs act according to best practice.”

Many clients that I work with use MSPs and they, along with anyone else who uses an MSP should heed this advice.

The Pentagon has put forward a Zero Trust strategy. The purpose of this is to guide the DoD how to direct their cybersecurity investments and efforts in the coming years to reach a “target” level of zero trust maturity over the next five years

The release of DoD’s zero trust strategy follows on the heels of the White House Office of Management and Budget’s federal zero trust strategy published earlier this year. DoD’s strategy lays out a detailed and ambitious plan for defense components to attain specific zero trust capabilities by 2027.

The aim is to counter a “rapid growth” in offensive cyber threats by shifting away from a perimeter defense model to a “never trust always verify” mindset, DoD Chief Information Officer John Sherman wrote in the foreword to the strategy.

Providing commentary on this strategy is Steve Judd, Solutions Architect at Venafi:

“The latest zero trust strategy from the Defense Department is an important step in ensuring investment is made to accelerate the adoption of zero trust. It’s encouraging to see that deadlines to submit execution plans and for completion have been set, as without these there is often a lack of urgency to act. The move towards a “never trust always verify” mindset is also very positive as an essential element of zero trust is identity. Every actor on the network – whether inside or outside the perimeter – must be authenticated and authorized with a valid identity. Yet what people often overlook is that there are two actors on the network: humans and machines. These machines include everything from cloud servers and Kubernetes clusters to servers and applications, with special levels of privileges to communicate with one another in a trusted and secure way. So, it’s important that any zero trust project takes machine identity into consideration alongside human identity management. The best way to enable this is through a control plane which automates the management of these machine identities.”

Groups outside the DoD should pay attention this as I am certain that this will be helpful to guide them as to how to make their environments much more secure.

The Ukrainian Computer Emergency Response Team (CERT) has issued a statement on a new attack campaign by suspected Russian threat actors which are compromised victims’ VPN accounts to access and encrypt networked resources. More details are available here:

Initial compromise is achieved by tricking victims into downloading “Advanced IP Scanner” software which actually contains Vidar malware. CERTU-UA believes this was achieved by initial access brokers (IABs) working for the Russians.

“It should be noted that the Vidar stealer, among other things, steals Telegram session data, which, in the absence of configured two-factor authentication and a passcode, allows unauthorized access to the victim’s account,” the statement continued.

“As it turned out, the victim’s Telegram was used to transfer VPN connection configuration files (including certificates and authentication data) to users. Given the lack of two-factor authentication when establishing a VPN connection, attackers were able to gain an unauthorized connection to the corporate network.”

Once inside, attackers conducted reconnaissance work using the Netscan tool and then launched Cobalt Strike Beacon, exfiltrating data using the Rclone program. There are also signs of the threat actors using Anydesk and Ngrok at this stage.

It’s unclear how widespread the campaign was, although “several” Ukrainian organizations are thought to have been impacted since spring 2022.

Most pointedly, CERT-UA confirmed that the end goal is not to generate profits from a ransom but to destroy victim environments.

Dr. Darren Williams, CEO and Founder, BlackFog had this comment:

“This is another great example of a clever phishing technique to disguise the attack vector inside another application. These are very difficult to detect with existing solutions because of the mechanism of action that steals VPN session information to ultimately exfiltrate data from the device. VPN’s have been routinely targeted in the past because they contain a treasure trove of valuable data for extortion and a centralized repository of data from the victim and the organization. Once the attacker has gained access it is very easy to spread laterally within the organization. This emphasizes why companies need to not only provide defense strategies but also proactive ones that protect an organization and its devices from unauthorized data exfiltration.”

This is clearly an attack meant to hurt Ukraine. Hopefully they are doing their best to make sure that attacks like this are not successful going forward. I say that because while they are winning on the the battlefield, the battlefield has changed to being cyberspace. And for the rest of us, I would say that 2FA for your VPN connections is a must to stop this sort of thing from happening to you.

There’s been a lot of activity this week on education cybersecurity. Starting with the federal student aid CISO begging the government to make cyber incident reporting for higher education institutions to be at the same standard as K-12 institutions, and a recent report from the GAO criticizing the U.S. Department of Education for not sufficiently coordinating communication between school districts and the feds on cybersecurity.

Stan Golubchik, Co-Founder and CEO, ContraForce, works directly with K-12 and higher education institutions to detect attacks and incidents. In response to Educause’s annual conference, specifically the education department and federal student aid office CISO on cyber incident reporting, Stan says: 

“While there are over 9,000 EdTech tools in the K12 space, it is unknown how many tools are actually used in Higher Education (HigherEd institutions are not held to the same standards of reporting as K12). This is precisely why the government is begging HigherEd to report on cyber attacks— because today, there is no reason for private colleges to report anything to anyone.”

“With the proliferation of remote education and SaaS applications, colleges struggle with knowing when incidents occur due to the distributed educational footprint. They lack visibility to security threats when they occur, and lack effective incident response plans and systems. With loose regulations on what should be reported in times of a breach, colleges will struggle to not only gather the information needed for reporting a breach but to understand what information is needed and how to communicate it.”

It’s pretty clear that cybersecurity within education needs to be a key focus as this is where threat actors will focus as the education sector tends not to have the same resources available for cybersecurity versus other organization. Effectively making them soft targets. Any sort of soft target needs to be eliminated so that everyone is safer as a result.

The White House who is very focused on cybersecurity has declared November to be Critical Infrastructure Security and Resilience Month:

This month, we recommit to improving the resilience of our Nation’s critical infrastructure so it can withstand all hazards — natural and manmade.  By building better roads, bridges, and ports; fortifying our information technology and cybersecurity across sectors, including election systems; safeguarding our food and water sources; moving to clean energy; and strengthening all other critical infrastructure sectors, we will lay the foundation for long-term security and prosperity.

The proclamation is an interesting read and I will give my thoughts in a second. First I’d like to share the thoughts of Craig Burland who is the CISO of Inversion6:

“This announcement continues a trend of active participation by the US government in cybersecurity.  Last week, CISA announced the Cross-Sector Cybersecurity Performance Goals.  The head of CISA has been working hard to build public-private partnerships to boost our collective defense.  CMMC is coming in 2023.  These are all positive steps that will help increase the mind-share cybersecurity occupies in corner offices and board rooms, especially for those that do business with the US government.  With the interdependency of the global supply chain and global economy, it’s in everyone’s best interest to do business securely.”

My thoughts go something like this. This administration is clearly focused on increasing America’s cybersecurity readiness. That’s a noble and required goal given the times that we live in. And initiatives like these will help to make sure that cybersecurity is at the forefront of every American company, and citizen.

The White House released a statement announcing that the government is extending its public-private cybersecurity partnership to the chemical industry:

The majority of chemical companies are privately owned, so we need a collaborative approach between the private sector and government. The nation’s leading chemical companies and the government’s lead agency for the chemical sector – the Cybersecurity and Infrastructure Agency (CISA) – have agreed on a plan to promote a higher standard of cybersecurity across the sector, including capabilities that enable visibility and threat detection for industrial control systems.

The Chemical Action Plan will serve as a roadmap to guide the sector’s assessment of their current cybersecurity practices over the next 100 days, building on the lessons learned and best practices of the previously launched action plans for the electric, pipeline, and water sectors to meet the needs for this sector. 

I secured a pair of comments on this statement from leading industry experts.

Jerry Caponera, General Manager, Cyber Risk at ThreatConnect:

There are a couple of things that worry me concerning the chemical sector. The first is that the chemical sector produces items that we may not necessarily think about but can’t survive without in modern society. Imagine a world without plastics to store our food or chemicals to make electronics.

The second is the real risk. We saw three ransomware attacks in 2019, including 2 in the US (a bigger one was Norsk Hydro). They mitigated the impact because the hit was on IT, not OT systems. But it could have been worse.

Third, there’s a massive risk with the materials in question. Chemicals produce much of what we need, but a chemical material in raw form can be dangerous. A cyber attack on a chemical system where the IT and OT systems are linked could cause a consequential loss of life. 

I’m glad the chemical industry is high on the list of sectors to watch. The ransomware attack on the colonial pipeline caused a minor blip in the supply of gas. Suppose a significant ransomware attack on chemical plants would destroy plastic packaging. That would be devastating. 

Padraic O’Reilly, Co-Founder and Chief Product Officer, CyberSaint Security: 

The biggest issue is that almost all infrastructure is privately held. Analogous to the pipeline: large cyber-to-physical systems with extensive OT. Complex segregation issues and legacy protocols and infrastructure. Malicious attacks and control of SCADA systems and PLCs are real vulnerabilities. Internet-connected devices and cloud migration are an issue, too. On the upside, the chemical sector has been under CFATS through DHS for over a decade. That will oil the gears. Likely that sophisticated monitoring and detection lag behind the most mature industries. Likely, too, that cyber risk management needs to be done at the executive level to ensure proper resourcing.

This can only be good for the security of the sector. Hopefully this idea spreads to other sectors as that will make us all safer.

UPDATE: I have a third comment from Wade Ellery, Field Chief Technology Officer, Radiant Logic:

     “These developments show the steady course our country is moving in to protect our most vulnerable assets, which have huge implications on the lives of our citizens. A comprehensive cybersecurity plan is the first step in tackling the immediate threat of cyber attacks. An identity-first security foundation–in which information sharing can cohesively exist throughout the different operations within the United States and our allies–must be a key component of that plan. In order for that to happen, identity security must be taken as the first line of defense for our most valued resources.”

A BlackByte ransomware affiliate is using a new custom data stealing tool called to steal data from compromised Windows devices so that they can do double extortion attacks reports Bleeping Computer. This news comes months after the FBI released an advisory on the strain, following its use to breach three companies in the US’ critical infrastructure.

Kevin Bocek, VP of Security Strategy & Threat Intelligence at Venafi has this to say:

“Following attacks on US critical infrastructure, the FBI released an advisory on BlackByte ransomware in February. But clearly this has done little to deter threat actors. They’ve built on BlackByte’s success with this latest update, which now includes next-generation double extortion capabilities, including a direct upload of exfiltrated data to Mega cloud with hardcoded credentials. This should set alarm bells ringing for organizations. Double extortion tactics make it much harder to say no to ransomware demands because the safety net of ‘restore from backup’ is no longer there to fall back on.

“Our research shows that 83% of ransomware attacks now make use of double extortion tactics. Threat actors – who are essentially just developers gone bad – have worked hard to improve their product, and the cybersecurity industry should be responding in kind. Ransomware often evades detection because it runs without a trusted machine identity. So, organizations must be managing machine identities via a control plane to reduce the use of unsigned scripts, increase code signing and restrict the execution of malicious macros. This is vital to a well-rounded ransomware defense.”

As these ransomware gangs evolve their attacks, companies need to evolve their defences accordingly. Otherwise they’ll just become victims of these ransomware gangs.

Singapore has today announced the formation of an inter-agency ransomware task force which will pool representatives from different sectors to better tackle ransomware attacks aimed at businesses. The task force, set up earlier this year, will develop and make recommendations on possible policies, operational plans and capabilities to improve Singapore’s counter-ransomware efforts.

Dr. Darren Williams, CEO and Founder of BlackFog had this to say:

     “Interconnectivity and alignment between government entities is paramount for any country, regardless of size, to establish a unified approach towards ransomware prevention. As noted by the Coordinating Minister for National Security, the attacks against Costa Rica served as a prime example of how quickly your entire nation can be undertaken from the swift actions of a skilled attacker. Moving forward, these targeted countries must not only focus on preventing ransomware as a whole, but on preventing sensitive data from being exfiltrated. We have seen time and time again how even when a ransomware attack is dealt with, once data has been stolen, the damage can perpetuate indefinitely.”

I think that this is a great move as one can respond better to these sorts of attacks if everybody is on the same page. I’ll be watching Singapore to see how well this works out.

Cybersecurity Awareness Month launched 19 years ago and celebrated in October each year, represents the importance of public/private partnerships in technology, data and communications security:

“Since 2004, the President of the United States and Congress have declared October to be Cybersecurity Awareness Month, helping individuals protect themselves online as threats to technology and confidential data become more commonplace. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) lead a collaborative effort between government and industry to raise cybersecurity awareness nationally and internationally.” This year’s campaign theme, “‘See Yourself in Cyber’ — demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people.”

Commenting on this topic are three executives in the cybersecurity space. The first comment is from Don Boxley, CEO and Co-Founder of DH2i :    

“Today, work-from-home (WFH) has evolved into work-from-anywhere (WFA), to the delight of employees and their employers alike. The benefits of this new work paradigm for employees include the flexibility to choose work hours, getting more work done in less time, and a decrease in work-related expenses, and of course a better work/life balance. For employers, the benefits include higher productivity, a larger talent pool from which to draw, increased job satisfaction, more engaged employees and a lower turnover rate, as well as significantly reduced overhead expense. (And by the way, happy employees lead to happy return customers.) 

This ties back to this year’s CyberSecurity Awareness Month theme which reminds us that it’s really all about the people. However, it’s also all about the technology that we invest in to support our people’s success. 

To take a step back, the evolution from an onsite work model, to the new paradigm of WFH or WFA, as well as hybrid, wasn’t without its challenges. Perhaps one of the biggest bumps along the way was figuring out how people could WFH not only productively, but securely. At the beginning of the transition, many organizations were forced to depend upon their virtual private networks (VPNs) for network access and security and then learned the hard way that VPNs were not up to the task. It became clear that VPNs were not designed nor intended for the way we work today. Both external and internal bad actors were and are still exploiting inherent vulnerabilities in VPNs. Instead, forward looking IT organizations have discovered the answer to the VPN dilemma. It is an innovative and highly reliable approach to networking connectivity – the Software Defined Perimeter (SDP). This approach enables organizations to build a secure software-defined perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly connect all applications, servers, IoT devices, and users behind any symmetric network address translation (NAT) to any full cone NAT: without having to reconfigure networks or set up complicated and problematic VPNs. With SDP, organizations can ensure safe, fast and easy network and data access; while slamming the door on potential cybercriminals.”

Steve Santamaria, CEO, Folio Photonics is next:

“Cybersecurity-urgency is gripping the private and public sectors, as data now represents a strategic asset to almost every organization. Yet, while from IT to the C-suite it is agreed that the possibility of a cyberattack poses a highly dangerous threat, many would admit that they are probably ill prepared to fully understand and address all of the threats, in all of their forms, today and in the years ahead. 

Today, a multi-pronged strategy is the most common approach to protect against cybercrime. This usually includes a mix of security software, malware detection, remediation and recovery solutions. Traditionally, storage cyber-resiliency is found in the form of backup to hard disk and/or tape. Both media have relatively short lifespans and can be overwritten at a material level. They also offer distinct advantages as well as disadvantages. For instance, tape is less expensive but it has very strict storage and operating conditions. And disk offers a potentially much faster restore time, but the cost can be exorbitant. For those that have the flexibility to do so, they may be forced into picking-and-choosing what they save, and for how long they save it. 

What’s required is development of a storage media that combines the cybersecurity advantages of disk and tape. A solution that can ensure an enterprise-scale, immutable active archive that also delivers write once read many (WORM) and air-gapping capabilities, as well as breakthrough cost, margin and sustainability benefits. Affordable optical storage is the answer, as it is uniquely capable of leveraging today’s game-changing advancements in materials science to create a multi-layer storage media that has already demonstrated the major milestone of dynamic write/read capabilities. In doing so, it can overcome historical optical constraints to reshape the trajectory of archive storage. Ideal for datacenter and hyperscale customers, such a next-generation storage media offers the promise of radically reducing upfront cost and TCO while making data archives active, cybersecure, and sustainable, not to mention impervious to harsh environmental conditions, raditiation, and electromagnetic pulses, which are now being commonly used in cyber-warfare.” 

Our third comment on CyberSecurity Awareness Month comes from Surya Varanasi, CTO, StorCentric:

“As an IT professional, CyberSecurity Awareness Month reminds us how critical it is to continuously educate yourself and your workforce about the malicious techniques used by cybercriminals, and how to practice proper cyber hygiene in order to decrease potential vulnerabilities. 

Today, the process of backing up has become highly automated. But now, as ransomware and other malware attacks continue to increase in severity and sophistication, we understand that proper cyber hygiene must include protecting backed up data by making it immutable and by eliminating any way that data can be deleted or corrupted. 

An Unbreakable Backup does exactly that by creating an immutable, object-locked format, and then takes it a step further by storing the admin keys in another location entirely for added protection. Other key capabilities users should look for include policy-driven data integrity checks that can scrub the data for faults, and auto-heals without any user intervention. In addition, the solution should deliver high availability with dual controllers and RAID-based protection that can provide data access in the event of component failure. Recovery of data will also be faster because RAID-protected disk arrays are able to read faster than they can write. With an Unbreakable Backup solution that encompasses these capabilities, users can ease their worry about their ability to recover — and redirect their time and attention to activities that more directly impact the organization’s bottom-line objectives.”

And our final comment is from Brian Dunagan, Vice President of Engineering, Retrospect, a StorCentric Company:

“CyberSecurity Awareness Month is a great reminder that we must remain vigilant and always be thinking about how to handle the next wave of cyberattacks. While external bad actors, ransomware and other malware, are the most common threats, malicious or even careless employee actions can also present cybersecurity risks. In other words, it is virtually a given that at some point most will suffer a failure, disaster or cyberattack. However, given the world’s economic and political climate, the customers I speak with are most concerned about their ability to detect and recover from a malicious ransomware attack.

My advice to these customers is that beyond protection, organizations must be able to detect ransomware as early as possible to stop the threat and ensure their ability to remediate and recover. A backup solution that includes anomaly detection to identify changes in an environment that warrants the attention of IT is a must. Administrators must be able to tailor anomaly detection to their business’s specific systems and workflows, with capabilities such as customizable filtering and thresholds for each of their backup policies. And, those anomalies must be immediately reported to management, as well as aggregated for future ML/analyzing purposes.

Of course, the next step after detecting the anomaly is providing the ability to recover in the event of a successful ransomware attack. This is best accomplished with an immutable backup copy of data (a.k.a., object locking) which makes certain that the data backup cannot be altered or changed in any way.”

My commentary goes something like this. The fact that this year’s Cybersecurity Awareness Month is all about people is the right message. People are the weakest link in cybersecurity. Thus anything that can be done to educate and to highlight this so that people can adjust their behaviour is valuable. Thus I would keep that in mind while implementing the tools that you need to keep you safe from threat actors.

UPDATE: I have additional commentary on Cybersecurity Awareness Month from HelpSystems:

Donnie MacColl, Senior Director of Technical Support

We can all make everything we do more secure by taking affirmative actions and working in partnership with vendors and suppliers. This can be done by considering ourselves as end-users and customers of everything we use, whether that’s a physical shop, an online store, an app on our phone or a computer. Ask questions, for example, “does this app have 2FA?”, and, if not, move on and use the one that has. When in a store and asked for your email address or date of birth, ask “why?”, “what is it used for?”, “why do you need it?” and don’t share if not needed. By thinking about security and asking “is what I am using secure?”, we may prompt a chain of ownership. Now go ahead, grab a coffee and take timeout to change all your passwords to be unique and difficult to guess, and make sure all your software is on the latest version to reduce the chance of attack. You’ve got this, and if you are not sure of the best way to be secure, just ask!

Chris Spargen, Sr. Manager, Solutions Engineering

Setting a strong example is a way to collectively raise the bar on cybersecurity for your organization. Championing updated policies by being an early adopter, praising early adoption when you see it, and spearheading the latest security updates for the software solutions in your realm of influence will lead to a more secure organizational posture. Look for opportunities to partner with your vendors, testing new versions and helping them find any weaknesses that may exist before they reach the mainstream market.

Tyler Reguly, Sr. Manager, Security R&D

It doesn’t matter if you accidentally download malware, have someone access one of your accounts, or click on a phishing link, eventually everyone makes a mistake. For some people, having one of those horrible incidents happen is the only way they realize, “Hey, it can happen to me.” For others, however, it is a source of embarrassment, and they shy away from publicly discussing it or thinking about it. When we treat these incidents like a source of shame, we deny others the opportunity to learn from our experiences. The easiest way to “See Yourself in Cyber” is to see how others are impacted. Whether it is your personal or professional life, seeing someone you know impacted will do more to reinforce the importance of vigilance than see dozens of corporate breaches in the news. It is time to remove the stigma around being a victim of cybercrime and open the door so that everyone of us can ‘See Yourself in Cyber.’

John Grancarich, EVP, Strategy

Remember that at the end of the day, the smarter you can make a system to detect and prevent a threat the safer you and your organization will be. While phishing attacks are always going to evolve like any threat vector, the more often we can spend that one brief moment clicking ‘Report Phish’ makes the entire system smarter not just for you but for everyone else as well. A smarter system is a safer system.