Logically Secure Ltd (https://www.logicallysecure.com/): Security testing and incident management

9 Basic Steps to help check an email isn’t Phishing
https://www.logicallysecure.com/blog/9-basic-steps-to-help-check-an-email-isnt-phishing/
Sun, 31 Jan 2021 16:04:15 +0000


Phishing emails are on the increase and basic warnings indicating they are a scam can be missed. Follow the 9 basic steps below to help determine whether the email you’ve received could be a Phishing email.

Want to perform a controlled Phishing test in your company to see how susceptible your colleagues or employees are to opening Phishing emails, or clicking on unknown links?

We can help you identify vulnerabilities by arranging a controlled Phishing Campaign. Contact us to find out more.

Smishing

Smishing is the term now used in reference to scam messages being sent via SMS texts. 

Similar to Phishing, an attacker sends a message that will generally carry a sense of urgency so the receiver acts quickly. The attacker is trying to create panic and directs the receiver to a link to ‘urgently’ click on to resolve the ‘problem’.

[Image: Smishing example (HSBC)]

As with basic email checks, it’s important to double-check the validity of any messages that claim urgent action regarding payments or financial accounts appearing to be from official bodies.

The NCSC provides useful information regarding Phishing, Smishing and suspicious phone calls, giving a place to report the spam messages.

[Image: Smishing example (HMRC)]

Contact us today to see how we can help you check for vulnerabilities in your business from Phishing attacks by arranging a controlled Phishing Campaign with us. 

5 key security factors to working from home more safely
https://www.logicallysecure.com/blog/5-key-security-factors/
Fri, 22 Jan 2021 22:23:33 +0000


As working from home is becoming the norm, this opens up a world of vulnerabilities and opportunities for hackers to take advantage of. Check out these 5 key security factors to working from home more safely. 

And if you’re a business owner, director or IT manager with concerns about the security of your business or employees whilst working remotely, contact us to see how we can help.

Password protection

Passwords protect your account: create strong ones and never re-use them across multiple accounts. Consider 2-factor authentication (2FA). This requires an extra step of security, which could be physical (a phone) or biological (a fingerprint).

Accessing an account is much harder for the cyber-criminal if 2FA is in use.

You can find out more about 2-factor authentication in our quick-read blog here.

Email security

Be wary of links and attachments in emails, especially from unknown senders. Phishing emails have become the most common form of scam and are increasingly convincing that they’re from a genuine source. 

Report any emails that may appear suspicious and do not respond or give any information until you’ve confirmed its legitimacy.

[Image: the 9-step email check]

Physical Security

Lock your laptop when you are not using it, and avoid sharing your work devices for ‘family use’. If you use your phone for work or have a work phone, ensure the device is locked when not in use.

Be wary of eavesdropping or ‘shoulder surfing’ if working in a public area. Someone sitting behind you could see everything on your screen. Avoid using public Wi-Fi; use a personal hotspot instead. And be mindful of the risk of device theft when working remotely.

[Image: phone theft]

Online Security

Do not use your home router’s default credentials, change them. 

Use an internet connection that is separate from personal devices and keep your VPN (virtual private network) on. 

The VPN protects data you send & receive, and provides a secure link between you and your company by encrypting data and scanning devices for malicious software.

Device Use

Only use company-approved software and hardware, and do not use unauthorised USB devices.

Follow company policies and procedures for working from home and ensure your IT department are installing any updates, running the necessary antivirus scans and implementing cyber security procedures.

The NCSC offer sound advice for device use and for working from home. 

Find out more here.

To find out how we can help test vulnerabilities from employees working from home or remotely, check out our Testing Services.

11 Common Cyber-attack Methods
https://www.logicallysecure.com/blog/11-common-cyber-attack-methods/
Tue, 29 Dec 2020 21:17:36 +0000


Although every cyber-attack is individual, the strategies and tactics overall are often very similar and fall into a number of methods. Cyber criminals draw upon common types of hacking techniques that are proven to be highly effective. Here we look at 11 of the most common cyber-attack methods.

An attack vector is a pathway or means by which a hacker gains access to breach or infiltrate your network in order to conduct an attack. Attack vectors enable hackers to exploit system vulnerabilities, and this includes the human element (social engineering).

Understanding the basic types of attack a malicious actor might try to use can help you to better defend yourself. Here’s an overview of 11 of the most common cyber-attacks seen today.

1. Compromised Credentials / Weak and Stolen Credentials

The constant top attack vector relates to credentials; compromised credentials account for more than 80% of breaches globally.

Today, users have so many log-ins and passwords to remember that it’s often tempting to re-use them to make life easier. Despite security best-practice recommending unique password use for all applications and website log-ins, people still re-use passwords and cyber-attackers rely on this.

Passwords are re-used an average of 2.7 times, and just one breached credential then provides attackers access to multiple accounts by the user.

Attackers can easily acquire lists of usernames and passwords from breached websites or services that are then available on the black-market / dark web. They’ll then try using these credentials on other websites with the chance the credentials have been re-used.

Multi-factor authentication and password managers are both suggested good practices to help against this common attack vector, but no prevention method is 100% guaranteed.

2. Malicious Insiders / Insider attacks

Not every network attack is performed by an unknown person from outside an organisation.

Insider threats are attacks carried out by an internal employee / colleague who is actually authorised to access the system and then abuses this. Insiders who perform these attacks have the advantage of already having access to the company information systems they attack in comparison to unknown attackers.

Not all insider attacks are necessarily malicious. There are occasions when naïve employees can inadvertently expose sensitive data or accidentally provide access.

There is less security against insider attacks in most businesses as the focus and thoughts tend to be aimed at defending against external attacks. Since the ‘attacking’ user is considered legitimate, it can be more difficult to detect this type of attack.

Insider threats can affect all elements of computer security and range from inserting viruses and crashing systems to stealing sensitive data.

3. Misconfiguration

Many breaches have been as a result of misconfiguration. In December 2019 Microsoft disclosed a data breach due to a change made to the database’s network security group which contained misconfigured security rules that enabled exposure of the data.

In 2020, the French sporting retail giant Decathlon suffered exposed user data via a misconfigured database, leaking over 123 million records including customer and employee information. 

Gaming hardware giant Razer exposed customer data via a misconfigured database. Virgin Media confirmed a ‘misconfigured database’ had left the personal data of 900,000 people exposed, and we learned that Pfizer suffered a huge data breach because of unsecured cloud storage. The exposed data, including email addresses, home addresses, full names, and other HIPAA-related information, was found on a misconfigured cloud storage bucket.

There have been dozens of breaches related to misconfiguration. The oversights are often the result of well-intentioned developers rushing to get the product to market, or being unfamiliar with secure configuration of the services that they are using. Avoiding misconfigurations isn’t easy, but procedures to audit and automate a secure configuration are a good start.

4. Phishing

Phishing is a type of ‘social engineering’ by which a cyber-criminal creates an email to fool a recipient into taking some action resulting in harmful consequences. For example, they could be tricked into downloading malware that’s disguised as an important attachment or urged to click on a link to a fake website where they’ll be asked for sensitive information.

Many phishing emails tend to be quite basic with key indicators of being fake (eg spelling errors, misspelt email address) but can be automated to send to thousands of potential recipients in the hope of ‘catching’ one or a few naïve users and gaining their data, such as credit card numbers and login credentials.

Some are, however, specifically created and aimed at individuals to try to get them to part with useful information; this is known as spear phishing. An employee is observed and then targeted. This forms part of what is known as the rising threat of Business Email Compromise (BEC).

The attacker impersonates a trusted individual or legitimate business and tricks the victim to open a text message, email, or instant message. The recipient is then deceived to either click on an attachment which in turn installs malware onto the device or network, or open a malicious link that can also cause malware installation, system-freezing (as part of a ransomware attack), reveal sensitive information, or request sensitive data input.

Phishing attacks are a common weapon of choice as they rely on human impulse and curiosity, and the human action is the most difficult part of cyber security to manage.

To combat phishing attempts it’s important to look out for some key indicators of being fake. Take a look at the Phishing infographic for basic indicators to look out for.

5. Trust Relationships / Third Party / Supply Chain

There are many interconnected systems, both within and across organisations, and this complex set of connections can be exploited by attackers. Third-party organisations can be major vectors of attack in cybersecurity: these attacks occur when someone infiltrates a system through an outside partner or provider with access to the systems and data.

This happened in the Target breach where the initial infiltration was via a third-party vendor. 

This is the reason why organisations large and small together with their business partners must foster a culture where cyber security best practices are shared and mutual transparency is demonstrated.

According to a survey conducted in 2017 by the Ponemon Institute, 56 percent of organizations have had a breach that was caused by one of their vendors.

Minimizing privileges, leveraging zero-trust and privileged access management are also key in helping to prevent such attacks.

6. Zero-Day Vulnerabilities

Zero-days are unknown security vulnerabilities or software flaws that have yet to be fixed and are targeted by attackers with malicious code.

The name ‘zero-day’ is used in reference to the number of days that a software vendor has known about the exploit. Once a patch is released, each day represents fewer and fewer computers open to attack, as users download their security updates.  But attackers may have already written malware that slips through the security hole and can then compromise a device or network. Once the vulnerability becomes publicly known, the vendor has to work quickly to fix the issue to protect its users.

Techniques for exploiting such vulnerabilities are often bought and sold on the dark web.

A zero-day exploit hits after a network vulnerability is announced but before a patch or solution is implemented. Attackers target the disclosed vulnerability during this window of time. Zero-day vulnerability threat detection requires constant awareness.

7. Brute-Force Attack (and Dictionary Network Attacks)

The term brute force means overpowering the system through trial-and-error repetition. Brute-force and dictionary network attacks are attacks where the attacker tries to log into a user’s account simply by systematically trying all possible passwords until finding the correct one. Brute-force and dictionary attacks are simple and reliable – attacks can make 100 to 1,000 attempts per minute as attackers let a computer do the work – trying different combinations of usernames and passwords until they find one that works.

When hacking passwords, brute force requires dictionary software that combines dictionary words with thousands of different variations.

After several hours or days, brute-force attacks can eventually crack any password. Brute force attacks reiterate the importance of password best practices, especially on critical resources such as network switches, routers and servers.

The length of time required to crack a short password (such as a four-digit PIN) could be under a minute. Extending it to six characters might take more like an hour. Further extension to eight characters, using both letters and symbols, could, in turn, take days. Increasing the number of characters and mixing character types increases the amount of time necessary for a brute-force attack to discover the password. Therefore a strong, lengthy password could take weeks or months. But, with enough time, computing power and dedication, an attacker will ultimately solve the password.

8. Denial of Service and Distributed Denial of Service

A denial of service (DoS) attack aims at shutting down a network or service, making it inaccessible to its users by flooding the resources of the system and rendering it useless. Attackers overwhelm the target with, for example, web traffic or so many requests that its systems can’t function and crash, making it unavailable to anyone. The DoS attack denies legitimate users such as employees or account holders the resource or service they expected.

A distributed denial of service (DDoS) attack uses an army of computers, usually compromised by malware and under the control of cyber criminals, to funnel the traffic towards the targets. This type of attack can be difficult to overcome as it can appear to be coming from many different IP addresses at the same time, making it incredibly difficult to determine the source of the attack.

High-profile organisations such as banks, media companies, commerce and government are often targeted. These attacks don’t involve loss or theft of sensitive information, but they can cost a victim lots of money and time to mitigate. DDoS is also often used as a distraction from other network attacks taking place.

9. Malware

Short for malicious software, malware is a blanket term that can refer to any kind of software that is intentionally designed to cause damage to a computer, server, client or network and then breaches the network through a vulnerability.  I.e., software is identified as malware based on its intended use, rather than a particular technique or technology used to build it. In contrast, software that causes unintentional harm, due to a deficiency of some kind, is typically described as a software bug.

Malware is about making money from the victim illicitly. Code is stealthily inserted and affects the compromised computer system without the knowledge or consent of the user. Once inside a system, malware can perform a number of assaults and wreak havoc. Malware appears in forms such as spyware, ransomware, viruses, trojans and worms (the latter are distinguished from one another by the means by which they reproduce and spread).

Malware can spread across a network using a variety of physical and virtual means. Malicious software can be delivered into a system via a USB drive or can be spread via the internet with ‘drive-by’ downloads that automatically download the malicious programs to the system without the user’s knowledge.

Best practices to help prevent malware are to ensure all systems have the latest anti-virus software installed and to limit user privileges.

10. Man-in-the-middle

Man-in-the-middle (MITM) attacks are a type of cyber-attack in which attackers manage to insert themselves inconspicuously between the user and a web service they’re transacting with. This then allows the attacker to intercept and eavesdrop on communication between two legitimate communicating parties – hence the name ‘man-in-the-middle’.

Sessions between a device and web server have a unique session ID. The MITM attacker hijacks the session by capturing the session ID. They impersonate the device making a request which in turn allows them to log in and gain access.

The two legitimate parties communicate as normal, as they don’t know that the message sender is an unknown perpetrator trying to access or alter the message before it is transmitted to the receiver. The attacker therefore has control of the whole communication.

Two common points of entry for MitM attacks are via an unsecured public WiFi and by installing software on a breached device so the attacker can access all of the victim’s data.

11. SQL injection

SQL (pronounced ‘sequel’) stands for structured query language, a programming language used to communicate with databases. SQL injection is a means by which an attacker can exploit a vulnerability to then take control of a user’s database.

Many servers storing critical data use SQL to manage the data in their databases. The databases are designed to obey commands written in SQL, and many websites that take information from users send the data given to SQL databases.

An SQL injection attack specifically targets this type of server. A hacker will write and insert malicious code to get the server to then share information and allow the attacker control of the database. SQL injections are among the most frequent threats to data security.
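As an added illustration (not part of the original post), the snippet below shows the query-building mistake that SQL injection exploits beside its parameterised fix, using Python’s built-in sqlite3 module. The database, table, rows and function names are constructed for this example.

```python
"""Added example: a string-built SQL query beside its parameterised form.

The in-memory database, its rows and the function names are constructed for
the demo and are not taken from any real application.
"""
import sqlite3


def make_demo_db():
    # Constructed sample data: two users in an in-memory SQLite database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable: user-controlled text is spliced into the statement, so any
    # quotes or operators in the input are parsed as SQL by the database.
    query = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    # Hardened: the statement is fixed and the value travels separately as a
    # bound parameter, so the database never interprets it as SQL.
    rows = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def demo():
    # Runs both lookups with a normal username and with a crafted input that
    # turns the vulnerable WHERE clause into an always-true condition.
    conn = make_demo_db()
    crafted = "x' OR '1'='1"
    return {
        "normal_vulnerable": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        "crafted_vulnerable": lookup_vulnerable(conn, crafted),
        "crafted_safe": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run as a script it prints the four results. The point to take away is that the parameterised version returns nothing for the crafted input, because the driver treats the whole string as a value to compare against, never as part of the query.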

The ultimate goal of attackers is to control devices and access high value data. Your business will be left highly vulnerable if steps aren’t taken to address any or all of these attack methods.

This is just an overview of a short selection of common attack types. It is not an exhaustive list, and it is important to be mindful that attackers are ever developing and evolving their attack methods. Checking your security posture regularly for vulnerabilities and against attack types is key.

Check for vulnerabilities and the strength of your cyber defences with our testing services.

10 fundamental steps of cyber security
https://www.logicallysecure.com/blog/10-fundamental-steps-of-cyber-security/
Sat, 26 Dec 2020 22:29:11 +0000


The original ‘10 steps to cyber security’ were published in 2012 and are now used by a majority of the FTSE350. 

How do you protect your sensitive data and personal information? Implementing these fundamental precautions in your daily digital life is key.

1. Network Security

Put up-to-date security software in place to protect your networks against external and internal attack and unauthorised access to systems. 

Security software should manage the network perimeter and filter out any unauthorised access and malicious content, but regularly monitor and test these security controls as well as managing internal security. 

Social engineering / Phishing is an ever-popular form of entry via involved or unsuspecting staff.

2. User Education

Produce user security policies covering acceptable and secure use of the organisation’s systems. 

Establish and include a staff training programme to maintain user awareness of cyber risks. 

Ensure users understand the importance of basic cyber hygiene such as complex password creation, use of 2-factor authentication, working from home safety etc.

3. Malware prevention

Produce relevant policies and establish anti-malware defences that are applicable and relevant to all business areas of your organisation. 

Scan for malware across the organisation. This is actually both a technical and a human control: there are technical cyber security controls such as firewalls, web filtering and endpoint protection, but these need to be supported by user security policies covering the acceptable and secure use of the organisation’s systems.

4. Removable media controls

Produce a policy to control all access to removable media. The uncontrolled use of removable media can increase the risk of malware being transferred to critical business systems. Limit media types and use. 

Scan all media for malware before importing on to a corporate system.


5. Secure configuration

Apply security patches and ensure that the secure configuration of all ICT (Information & Communications Technology) systems is maintained. Create a system inventory and define a baseline build for all ICT devices.

Security patches should be introduced quickly and effectively, and the performance of external equipment suppliers should be monitored.

6. Incident management

Establish an incident response and disaster recovery capability. Produce and test incident management plans. Provide specialist training to the incident management team.

Report criminal incidents to law enforcement. Consider using an incident response and case management platform such as CyberCPR. 

With CyberCPR you can effectively collate data and evidence, allocate tasks on a ‘need to know’ basis and securely communicate independently of your network.

7. Monitoring

Establish a monitoring strategy and produce supporting policies. Continuously monitor all ICT systems and networks. Analyse logs for unusual activity that could indicate an attack. 

Collaborate with any suppliers on security arrangements and agree on a monitoring strategy together, and communicate and update regularly to ensure alignment.

8. Home / mobile working

Develop a mobile working policy and train staff to adhere to it. 

Apply the secure baseline and build to all devices. Protect data both in transit and at rest. This is especially pertinent with the dramatic work from home (WFH) advice and move given the situation with Covid-19. 

A WFH policy should be a priority if not in place already. Factors such as VPN use, video calling, device use etc. need attention.

9. Information Risk Management Regime

It is important to assess the risks to your organisation and identify any obvious vulnerabilities to protect your network against internal and external data breach attempts. 

Establish an effective governance structure by assessing the risks to your organisation’s information and systems at the same level you would for legal, regulatory, financial or operational risks. To do this, introduce and implement a Risk Management Regime across your organisation, that is fully supported by senior managers. 

Ideally have a colleague in place as a Security Risk Lead who can take responsibility to assess and record mitigating actions against any security risks.

10. Manage user privileges

Establish effective account management processes and limit the number of privileged accounts. Limit user privileges to that which they need for their general work and monitor user activity. 

Control access to activity and audit logs. The CyberCPR case management system is built on a ‘need to know’ basis, where users only have access to the specific area they are working on. 

This is crucial during a security breach where access to remedial data and process needs to be protected.

No technology is completely resistant to cyber criminals, but you can improve your organisation’s cyber security by working to these 10 fundamental steps.

Find out more about our testing services that can help you with your security.

The Importance of Two-Factor Authentication (2FA)
https://www.logicallysecure.com/blog/the-importance-of-two-factor-authentication-2fa/
Mon, 21 Dec 2020 09:48:53 +0000


With security breaches, digital crime and internet fraud continuously on the rise, the importance of safeguarding your information has never been greater. 

Many breaches are password related, and it’s not just major-brand companies or celebrities that are targeted. Hackers don’t discriminate.

81% of security breaches are due to weak or stolen passwords. (LastPass)

What is two-factor authentication?

In a 2019 survey by Cygenta of 1,000 people in the UK, 62% didn’t know what two-factor authentication was.

Two-factor authentication (2FA) is an extra layer of security added to your log-in process, such as a code sent to your phone or a fingerprint scan, that verifies your identity and helps to prevent cyber-criminals from accessing your private information so easily. 2FA offers an extra level of security that increases the difficulty for cyber thieves, because they need more than just your username and password credentials.

2FA is a subsection of multi-factor authentication (MFA), an electronic authentication method that requires you to prove your identity in multiple ways before you are given access to an account. 

Two-factor authentication is so named because it requires a combination of two factors, whereas multi-factor authentication can require more.

Two-factor authentication requires that extra step — without 2FA, usually you simply enter your username and password to access an account, but two-factor authentication requires both something you know (your log-in details) and something you have (Eg. your phone). For example, if using a phone as your 2FA, once you enter your password, you’ll get a second code that is sent to your phone, and only after you’ve entered the code from your phone will you get access into your account.

This code is known as an authenticator, a passcode or verification code. Without the code you can’t log on, even if you know the correct password.

2FA – You’re using it already

Using a bank card at an ATM requires 2FA – something you know (your passcode) and something you have (your bank card).

Why do you need 2FA?

With the advanced techniques of hackers and slack originality of users with password creation, passwords alone are generally quite weak.

Cyber criminals have turned to automated processes that can go through thousands of password combinations in minutes, so they don’t even have to monotonously go through a guessing process, they can even sleep easily whilst the procedure is done for them.

So whilst the criminals are finding easier ways to hack, you need to use harder methods to prevent a successful attack. 2FA may seem like an added hassle, but without it you could be leaving yourself vulnerable.

If you add something you have to allow access to your bank account, a cyber-criminal who knows your password won’t get any further without having your phone, for example, when it receives the verification code.

Adding the extra security step means cyber criminals will struggle to access your account and move on to the next, easier target.

How 2FA works

The factors of two-factor authentication are generally separated into three categories:

  • Knowledge: These factors require you to know something, like a security question, a PIN or a specific keystroke.
  • Possession: Something you physically possess, like a bank card that you need to insert into a device to gain entry.
  • Biology: Part of you to prove your identity, like a fingerprint or voice recognition.

What are the different types of 2FA?

There are indeed several types of 2FA available, all of them sitting within the categories listed above. Eg:

  • Hardware tokens: You need to have a physical type of token, eg a USB, to insert in your device before logging on. There are some hardware tokens that display a digital code (that changes – eg. RSA) and you must enter this code.
  • Software tokens: Apps that you download. A site that features this type of 2FA, sends a code to the app for you to enter to log in.
  • SMS: Here you receive a text message to your phone with a code to enter for access.
  • Push notifications: Another type of app authentication you download to your phone. When you enter your login details, a push notification is sent. A message appears on your phone asking you to confirm your login attempt.
  • Biometrics: This is verification by using something physical about yourself. The most common method is by using a fingerprint scanner.
  • Location: A method used by Facebook, this is where if an attempt to login to an account is made in an unknown / non-regular location it triggers an alert notifying an attempt was made on a new device / new location and you will normally receive a code to verify your identity if it is you.

Does everyone offer 2FA?

Not all sites use two-factor authentication, but some give you the option to activate it for your account. Some popular websites that offer 2FA include: Amazon, Facebook, Lastpass, LinkedIn, PayPal and Yahoo. But there are many more.

Is 2FA 100% secure?

Sadly no, no security measure is 100% guaranteed. It is a hacker’s ambition to beat the security measures in place to prevent them getting in, and they rise to the challenge until they win. 

There are also the concerns that users of 2FA can be complacent, thinking that by using 2FA means their password doesn’t need to be as complex. This is not the case, the more difficult to crack the password, the stronger the security.

The other concern is that the most common 2FA method, using SMS authentication, is that SMS is less secure than using an authentication app. 

But it is still important to remember that 2FA is an added obstacle for the attacker.

Is 2FA a pain to use?

Although many may regard 2FA as an added hassle, as technology improves 2FA becomes quicker and easier to use. Verification codes generally take seconds to generate and deliver.

Protect Yourself – 2FA is important

90% of passwords can be cracked in less than six hours.

Despite there being no 100% guarantee, 2FA still makes identity theft and account takeover via phishing harder: cyber criminals need more than just your username and password. Use 2FA and let the hackers pass you over for the more convenient, lower-hanging fruit with the ‘123456’ / ‘password’ passwords!

Offering several types of security test, we can help you check how secure your web applications, network and IT infrastructure are, and even run a campaign to check on employee / colleague cyber security awareness with a bespoke phishing test.

Find out more

Logically Secure Special Offer: £1000 off our bespoke Phishing Campaign
https://www.logicallysecure.com/blog/black-friday-special-1000-off-a-phishing-test/
Fri, 27 Nov 2020 15:49:37 +0000


Do your staff know what they are clicking on?

Book a phishing test with us for just £3,500 and discover how vulnerable your business is to a phishing attack.

Do you know how security-aware your employees are? 

Your employees are your greatest asset, but also your greatest threat when it comes to your cyber security. Phishing emails are a preferred weapon of choice for hackers and these attacks are rapidly increasing! 

Phishing attacks were responsible for $12 billion of fraud in the US alone last year, our campaigns will help ensure you are not the next victim.

What is a phishing attack?

Phishing is the world’s fastest growing cyber-crime, carried out by fraudulently attempting to obtain sensitive information via unsuspecting employees. Once obtained, attackers have the keys into your business, taking your customers’ and your own personal data. 

We are currently offering our bespoke phishing campaign with a fantastic 

£1,000 off our normal price! 

Normal price £4,500

What’s involved?

Our campaign includes 2 attacks that would require considerable technical understanding to realise a potential attack/scam is taking place. This replicates a real-world attack scenario by a sophisticated attacker who is trying to access your company’s resources by tricking staff through a number of known methods. 

Examples of attack include posing as:
  • a notification from an internal system
  • a new employee
  • a known third-party provider company
  • internal IT support 

Reporting

Following the campaign we provide you with an in-depth report that includes:

  • a key Findings Summary
  • a results Dashboard
  • the phishing Techniques Used
  • technical recommendations
  • procedural recommendations

This will give you sound insight to determine areas for remediation and improvement to your company’s security posture.

Contact us today to assess your staff security awareness 

Offer available for a limited time, so enquire today!

Convergent Risks acquisition of Logically Secure
https://www.logicallysecure.com/blog/acquisition-of-logically-secure/
Fri, 06 Nov 2020 18:13:40 +0000

Convergent is pleased to announce that it has acquired Logically Secure Limited, the Cheltenham headquartered, technical testing, incident response and cyber security consultancy business.

Logically Secure’s market leading CyberCPR™ incident response and case management platform enables teams to work together on sensitive information and files regardless of where they are in the world and is a natural fit to Convergent’s existing services. In addition to its incident response platform, Logically Secure’s security and compliance testing experience which includes its Cyber Essentials and other cyber security related services, brings a host of complementary skills to Convergent’s offering, further strengthening its reputation as a global leader in the Media & Entertainment content security space.

Chris Johnson, CEO at Convergent, said: “I have long been an admirer of the Logically Secure business, having closely monitored their development and bringing to market of the CyberCPR platform, which is both highly innovative and increasingly relevant in the current environment. There is already a requirement from our existing client base for this type of technology and I believe there are synergies between us that will be mutually beneficial to the two businesses across a broader range of sectors. I am delighted to be working with the existing team at Logically Secure to further develop the product, which will allow them to leverage our own experience of incident response needs in the content security, infosec and privacy market places.”

Founder of Logically Secure and creator of the CyberCPR™ platform, Steve Armstrong, commented: “The global reach of the Convergent business will open up a host of new markets for the incident response platform and the team are keen to get to work in ensuring CyberCPR realises its potential as well as maintaining and developing the service to our existing clients. Logically Secure have worked with Chris and Convergent for many years in the technical assurance testing field and given that relationship, I am sure that this acquisition is a good fit.”

This announcement follows the acquisition by Convergent earlier this year, of its joint venture partner, QPQ Innovations Limited, a software development business involved in the creation and testing of its own bespoke case management platform. 

Convergent’s Senior Vice President of Corporate Affairs, Phil Herbert, said: “We are constantly on the lookout for opportunities to grow the Convergent business and address the increasing demand from our clients for world class security and assurance services. The addition of a company with the reputation and calibre of Logically Secure certainly ticks that box. In addition, being able to access a top-class group of coders will provide an internal solution to our own development needs across a number of projects and we are excited at the enhanced possibilities for both businesses.”

Convergent Risks – For more information about Convergent Risks – www.convergentrisks.com

CyberCPR – For more information about CyberCPR™: www.cybercpr.com

Convergent is a principal provider of risk assessment and compliance services with offices in the US, UK and India and representation across EMEA and Asia Pacific. Our global team of qualified assessors undertake TPN and general security assessments efficiently and based on a competitive fixed pricing model. Our standalone consulting entity provides cloud and application security reviews, penetration testing, pre-assessments, cloud configuration and infrastructure vulnerability scanning, SOC2 readiness, compliance platforms, security strategy, privacy compliance, policy development, remediation and security training.

Convergent Risks Press Contact: Mathew Gilliat-Smith, EVP Convergent Risks

Email: [email protected] or [email protected]

13 scary cyber facts for Halloween
https://www.logicallysecure.com/blog/13-scary-cyber-facts-for-halloween/
Thu, 29 Oct 2020 11:36:08 +0000


As it fast approaches, we thought we'd give you 13 scary cyber facts for Halloween. Don't have sleepless nights, check your cyber security!

Check out these 13 scary cyber facts for Halloween and think about the cyber security of your business. What can you do to improve your cyber hygiene? Logically Secure provides a number of services: consultation, incident response and a bespoke case management tool to help businesses in the battle against cyber crime.

13 Scary Cyber Facts for Halloween

1)   There is a hacker attack every 39 seconds, on average 2,244 times a day (University of Maryland)

A study at the University of Maryland quantified the near-constant rate of attacks on computers with Internet access. Hackers now have password-cracking tools and other automated capabilities easily to hand that require a fraction of the time and minimal effort.


2)   75 records go missing every second worldwide due to cyber attacks. (Web Arx Security)

And in 2018, over half a billion records were stolen from victims around the world. 

With more information being stored digitally than ever before, hackers have a huge library of information that they can try to get their hands on.

Cyber Essentials certification is an effective method to assess your cyber posture. Find out more about Cyber Essentials here.

3)   The average time to identify a breach in 2019 was 206 days. (IBM)

Many companies do not even realise they have been breached until it is too late. Most take around six months to detect a data breach, and even major organisations such as Equifax, Capital One and Facebook have been caught out this way. The average lifecycle from breach to containment in 2019 was 314 days.

Regular penetration testing is key for any business to be able to identify vulnerabilities before the hackers do.

4)   43% of Cyber Attacks Target Small Businesses. (Verizon)

Most small businesses think they’re not big enough to be a target for malicious hackers. However the opposite is true. SMEs / SMBs typically don’t have the cybersecurity infrastructure, know-how or budget, making them an easier target. 

These smaller businesses include the likes of a doctor's surgery, a law firm or a small financial institution, all of which hold large amounts of personally identifiable information (national insurance or social security numbers, bank account details) that is valuable to any attacker.

5)   More than 93% of healthcare organizations have experienced a data breach over the past three years. (Cybint)

The medical industry is the number one targeted industry for malware. With more medical devices connected to a hospital's network, those devices have themselves become open to attack. So the large number of attacks is attributable not only to the volume of patients' personally identifiable information being handled, but also to the rise of the Internet of Things.

The estimated losses in 2019 for the healthcare industry are $25 billion. (SafeAtLast)


6)   Just 31% of UK organizations have done a cyber risk assessment in the last 12 months, according to the UK Government.

And furthermore only 27% of businesses report that staff have attended internal or external training, including seminars or conferences on cyber security in the previous 12 months.

The UK Government offers advice on cyber security through the NCSC (National Cyber Security Centre).

7)   More than 77% of organizations don’t have a cybersecurity incident response (IR) plan in place. (Ponemon Institute)

An alarming figure as individuals and businesses entrust most of their sensitive data to the internet. The lack of a cybersecurity strategy can lead to severe privacy concerns.


8)   Share prices fall 7.27% on average after a breach (Comparitech)

The lowest point generally hits around 3 weeks after the breach. Finance and payment companies see the largest drop in share performance post-breach due to the nature of the sensitive information that is potentially leaked.

9)   The average cost of a ransomware attack on businesses is $133,000. (Sophos)

There are many ways in which a data breach or cyber-attack can cost an organisation, including lost revenue due to downtime and loss of consumer trust, damage to IT systems and infrastructure, legal fees associated with lawsuits, and stolen intellectual property.

Find out more about ransomware attacks; what they are, how they happen and how to defend against them here.


10)   Since COVID-19, the US FBI reported a 300% increase in reported cybercrimes.

Malicious actors pose as representatives of the Centers for Disease Control and Prevention (CDC) or the World Health Organization (WHO). The emails are designed to trick recipients into clicking a malicious link or opening an attachment carrying malware.

11)   Connected IoT devices will reach 75 billion by 2025 (Statista)

The IoT market is due to reach 31 billion connected devices this year in 2020. Accenture also estimates the Industrial Internet of Things (IIoT) could add $14.2 trillion to the global economy by 2030.


12)   The average cost in time of a malware attack is 50 days. (Accenture)

The average recovery time for a business or individual from a malware attack can be close to two months, and the longer an attack takes to resolve, the higher the cost. Time is of the essence. Having an incident response plan and tool in place reduces the time it takes to resolve the consequences of an attack.

13) Damage related to cybercrime is projected to hit $6 trillion annually by 2021. (Cybersecurity Ventures)

According to the 2020 Official Annual Cybercrime Report by Cybersecurity Ventures, sponsored by Herjavec Group, ‘cybercrime is the greatest threat to every company in the world, and one of the biggest problems with mankind.’

…And don’t think that all that money comes from hackers targeting just large corporations, banks or wealthy celebrities, remember individuals and small businesses are targets too. As long as you’re connected to the Internet, you can become a victim of cyber-attacks.


Some frightening figures there, demonstrating how organisations and individuals need to make a fundamental change in their approach to cyber security in our modern tech-driven society.

Logically Secure provides experienced and expert security testing, incident response consultancy and management tool for businesses of all sizes.

A guide to Ransomware – what it is, how it works, and how to defend against it
https://www.logicallysecure.com/blog/a-guide-to-ransomware/
Mon, 26 Oct 2020 13:07:56 +0000

‘In the first half of 2020, the total number of global ransomware reports increased by 715% year-over-year.’ (Threat Landscape Report 2020 by Bitdefender)

In this guide to Ransomware – we take a look at what it is, how it works, and how to defend against it as best as possible.

Since ransomware has become by far the fastest growing type of cyber threat faced by businesses in recent years, we thought we’d take a closer look at this type of malware. 

As an ever-evolving attack tool, the simplest form of ransomware can cost an organisation significant time and money, but more severe attacks can cripple or even destroy a company completely. 

This is especially dangerous in these days of economic uncertainty, and since both individuals' and businesses' online activity (cloud usage, online payments, online entertainment, working from home) has increased considerably.


The already significant threat of ransomware grew more sharply this year with the onset of the current coronavirus pandemic and transition by many organisations to remote working arrangements. 

As a result, cybercriminals have sought to exploit the security vulnerabilities that coincide with working from home and are now capitalizing on the opportunity.


Ransomware is big business, to the point that research anticipates a business being hit by a ransomware attack every 11 seconds, with damage costs from these attacks reaching around $20 billion by 2021.

There is no easy win in the battle on cyber extortion, and the best way to deal with this threat is to firstly understand what ransomware is, how it works, and who it targets, and then look to the best lines of prevention and ultimately the best methods of mitigation should a breach occur.

What is Ransomware?

‘A type of malicious software designed to block access to a computer system until a sum of money is paid.’

A ransomware attack occurs when malicious software (malware) is used to deny a user or business access to a computer system or data. The malware spreads across the network, locks up the victim's computers and renders them unusable until the attacker is paid a ransom (frequently in bitcoin).

The first known ransomware attack occurred in 1989 and targeted the healthcare industry, but ransomware has been constantly evolving, with more sophisticated strains on the increase. Over the last year the number of new variants increased by 46%. Unprepared network users and businesses can quickly lose valuable data and money to these attacks.

Types of Ransomware

STOP/Djvu, is the most reported ransomware family in Q1 2020. The prolific strain typically spreads through cracked software, key generators, and activators.

This year there have been a number of changes in the most commonly reported ransomware strains. Rapid, Rapid 2.0, Ryuk and Zeppelin fell out of the top 10 and have been replaced by Makop, Paymen45, LockBit, and GoGoogle.

How does Ransomware happen?

URLs embedded in emails remain the number one way for computers to become infected. Despite it being well known that email is the main infection method for all types of cyber-attack, people still fall victim to malicious social engineering and subsequently infect whole systems.

In general, a lack of proper cyber security procedure (or a poorly implemented one) and a lack of training in basic practices, e.g. re-using weak passwords, poor access management and low user awareness, are the common causes of ransomware infection.

For example, many managed service providers (MSPs) report that Windows is targeted most by ransomware. Windows has by far the largest desktop install base, so it is the largest target, and a large number of its users do not install operating system updates, leaving them without the patches that close the holes this malware exploits.

This doesn't mean that macOS, Android and iOS are immune, however; poor user practice can make any device vulnerable and potentially compromise a whole company and its systems.

Encrypting ransomware (or cryptoware) is the most common recent variety, but there are other types:

  • non-encrypting ransomware or lock screens, which restrict access to the device or its files but do not encrypt them;
  • leakware or extortionware, which steals compromising or damaging data that the attackers then threaten to release if the ransom is not paid (increasingly combined with encryption, so-called double extortion);
  • mobile device ransomware, which infects phones through drive-by downloads or fake apps.

This guide to ransomware firstly gives the phases of an attack and then the steps to remediate impact.

5 Phases of a Ransomware Attack

There are 5 distinct phases of a ransomware attack, which can generally be executed in as little as 15 minutes:

1. Exploitation and infection

The pathway for the malicious Ransomware file to execute on a computer is often through a phishing email or an exploit kit (a specific kind of toolkit that takes advantage of security holes in software applications to be able to spread malware). Users running insecure or outdated software applications on their computers often fall foul of these kits.


2. Delivery and execution

Ransomware is then delivered to the system and persistence mechanisms are put in place. This process can take just a few seconds, depending on the network. Executables are most often delivered via an encrypted channel.

3. Backup defilement

The ransomware targets the backup files and folders on the system and deletes them so that the victim has no way to recover from the attack without paying the ransom. This is why backups that the infected machine cannot reach (offline or immutable copies) are part of the defence.

4. File Encryption

Once backups are removed, the malware establishes the encryption keys it will use on the local system, typically by generating a key locally and either protecting it with an attacker-held public key or exchanging it with a command-and-control server. Depending on the network speed, the number of documents and the number of devices connected, the encryption process can take anywhere from a few minutes to a couple of hours.

5. User notification and removal

Following encryption, the demand instructions for payment are sent to the victim. The victim is usually given only a few days to pay before the ransom demand increases.

Finally, the malware removes itself from the system so as not to leave behind considerable forensic evidence that might help build better defences against the malware.

Who’s targeted with Ransomware?


Ransomware attacks have experienced a resurgence, and whereas individuals and small businesses were key targets in the early days, in more recent years the likes of; large corporate businesses, governments, councils, public health departments, educational facilities and other various organisations have not been exempt as targets. 

Recently, Microsoft announced it took down a major hacking network that had been used to spread ransomware, and the company said it could have been used to interfere with the US election indirectly by freezing access to voter rolls or websites displaying election results.

The US Elections are indeed a notable target at the moment. A ransomware attack could suddenly lock down important parts of the voting infrastructure all around the country. This could happen at county and state level to disable voting registers.

Concerns around ransomware’s disruptive potential spiked after Tyler Technologies, a major software vendor to many state and local governments, disclosed a ransomware attack affecting its systems recently. The company sells software that is used by some clients to display voting information on websites, it said in a statement, ‘but that software is hosted on Amazon servers, not its own, and it was not affected’. The attack targeted Tyler Technologies’ internal corporate network.

In general, however, the healthcare industry has by far been the main target for ransomware attacks.

‘The industry with the highest number of attacks by ransomware is the healthcare industry. Attacks will quadruple by 2020’. (CSO Online)

The arrival of COVID-19 has become an influential force in the threat landscape for not only the health care industry but businesses as a whole due to the increase in remote working – this sudden surge in working from home has helped cement remote desktop protocol (RDP) as the attack vector of choice for ransomware operators. 

Many organizations have evidently failed to securely implement RDP in their rush to roll out work from home arrangements, which has left RDP connections vulnerable to compromise.


Consequences of a Ransomware attack

‘By 2021, experts predict the total damage from ransomware to reach $20 billion USD.’ (CyberSecurity Ventures)

There is now a greater than 1 in 10 chance of data being stolen in a ransomware attack and the average ransom payment has nearly doubled over the years, with this trend showing no signs of slowing down. Hackers also tend to duplicate successful attacks and hit victims over and over again. 

Some hackers even corrupt and delete a company’s files while they await the ransom payment, just to show that they’re serious.

While a few thousand dollars may seem insignificant for larger businesses, it can be crippling for smaller businesses that cannot afford to lose their data. 

Regardless of the cyber criminal’s ultimate actions, the actual cost of ransomware goes beyond just the pay-out. Not only the potential legal costs, data-loss and down-time financial consequences but there is the reputational cost to a business which can lose consumer trust and subsequently custom as a result of a breach.

To pay or not to pay

Non-paying victims run the risk of their data being published on leak sites or sold off to the highest bidder.

Paying a ransom demand is, however, generally discouraged. An entity that considers paying must accept the risk that the attacker may not return access to the data, or may already have released it on the dark web. And, as stated, there is nothing to stop the attacker simply trying again once the business is seen as an easy, paying target.

Another concern especially for businesses when considering paying the hacker, is that on 1st October 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued guidance cautioning companies of the potential risk of US sanctions for certain ransomware payments paid to parties designated as malicious cyber actors under OFAC’s cyber-related sanctions program.

The OFAC advisory clearly states that engaging in or facilitating ransomware payments may result in enforcement actions and civil penalties in the event the payee is a sanctioned party – even if the entity is unaware that the cyber-criminal is subject to US sanctions.


Cyber Insurance

The cost of a ransomware attack can be extremely high—not just the cost of the ransom itself, but also with the costs associated to loss of business whilst the files and documents are unavailable.


James Carder, LogRhythm CISO and Vice President of LogRhythm Labs, advises organizations to prepare by getting a good cyber insurance policy that explicitly covers losses due to ransomware.

“If you have a loss of revenue due to a ransomware infection, you may be able to use your cyber insurance to make a claim to recover that revenue,” says Carder “From a pure risk management perspective, getting a really good cyber insurance policy is probably worth its weight in gold in situations like this.”

How can you protect yourself from a Ransomware attack?

The best defence against ransomware is for users not to just learn about ransomware; what it is and what happens, but to know the organisation’s cyber security status, the controls and processes that are in place and understand how to mitigate impact as best as possible should an attack happen. Individuals need to know their devices, what the risks are and where to go for advice and support. In the UK the NCSC provides excellent support, advice and information to individuals, small businesses and large organisations alike.

For businesses in the UK that aren’t sure where to start with cyber security, the National Cyber Security Centre (NCSC) provides cyber security guidance and support to individuals, families, businesses large or small. Working with the Information Assurance for Small and Medium Enterprises Consortium (IASME) they also provide the Cyber Essentials, the government-backed, industry supported scheme to help organisations protect themselves against common cyber attacks. Working towards this certification is an easy introduction and start for a business to build its cyber defences. Find out more about Cyber Essentials here.

Steps of defence you can take to keep an attack from shutting down your business

‘On average it takes around 23 days to resolve a ransomware attack.’ (Accenture)

Ransomware attacks are increasing in frequency and seriousness, so you need to prepare your organisation for the very real possibility of an attack.

Following is a brief overview of the incident response advice from both the SANS Institute and the National Institute of Standards and Technology (NIST); for a more in-depth look at the phases click here. The key phases and actions for defence are:


1 Preparation

Preparation can be as simple as making sure you have a trained incident response team: in-house, contracted, or at least a business card so you know who to call. But key steps within preparation include:

  • Pen-test and Patch (Find out more about pen-testing here)
  • Create and Protect Your Backups
  • Prepare a Response Plan
  • Assign Least Privileges
  • Connect with Industry and Threat Intelligence Sources
  • Protect Your Endpoints
  • Educate Employees and Users
  • Consider Cyber Security Insurance

2 Detection and Identification

Should your business get hit with an attack, you can minimize the damage if you can detect the malware early, by including the following steps:

  • Prime Your Defence Devices
  • Screen Email for Malicious Links and Payloads
  • Look for Signs of Encryption and Notification
  • Scope the incident
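The attack phases described earlier, and the ‘Look for Signs of Encryption and Notification’ step above in particular, translate directly into host telemetry that can be alerted on. The following Python is an added example (not from the original post, nor from any product mentioned on it) that runs three heuristics over a constructed, labelled set of file-system audit events: a burst of renames that change the file extension (the file encryption phase), mass deletion of files under a backup path (the backup defilement phase) and creation of a ransom-note-like file (the notification phase). The event format, thresholds and path patterns are assumptions chosen for the example; a real deployment would feed it from an EDR or file-audit stream and tune the thresholds against its own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-system audit events (not real telemetry), one per line:
#   timestamp host pid process op path [-> new_path]
# pid 5512 plays the ransomware: it wipes backups, renames files to .locked and
# drops a ransom note. pid 4120 is a user editing documents normally.
SAMPLE_EVENTS = r"""
2020-10-26T13:07:00 ws01 4120 winword.exe WRITE C:\Users\alice\Docs\q3.docx
2020-10-26T13:09:10 ws01 5512 svchost32.exe DELETE D:\Backups\2020-10-25\full.vbk
2020-10-26T13:09:11 ws01 5512 svchost32.exe DELETE D:\Backups\2020-10-24\full.vbk
2020-10-26T13:09:11 ws01 5512 svchost32.exe DELETE D:\Backups\2020-10-23\full.vbk
2020-10-26T13:09:20 ws01 5512 svchost32.exe RENAME C:\Users\alice\Docs\q3.docx -> C:\Users\alice\Docs\q3.docx.locked
2020-10-26T13:09:20 ws01 5512 svchost32.exe RENAME C:\Users\alice\Docs\budget.xlsx -> C:\Users\alice\Docs\budget.xlsx.locked
2020-10-26T13:09:21 ws01 5512 svchost32.exe RENAME C:\Users\alice\Docs\notes.txt -> C:\Users\alice\Docs\notes.txt.locked
2020-10-26T13:09:21 ws01 5512 svchost32.exe RENAME C:\Users\alice\Pictures\cat.jpg -> C:\Users\alice\Pictures\cat.jpg.locked
2020-10-26T13:09:22 ws01 5512 svchost32.exe RENAME C:\Users\alice\Docs\plan.pptx -> C:\Users\alice\Docs\plan.pptx.locked
2020-10-26T13:09:30 ws01 5512 svchost32.exe CREATE C:\Users\alice\Docs\HOW_TO_DECRYPT.txt
2020-10-26T13:20:00 ws01 4120 winword.exe RENAME C:\Users\alice\Docs\draft.docx -> C:\Users\alice\Docs\final.docx
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (\d+) (\S+) (WRITE|CREATE|DELETE|RENAME) (.+?)(?: -> (.+))?$")
NOTE_NAME_RE = re.compile(r"decrypt|recover|restore|readme|how_to", re.I)
BACKUP_PATH_RE = re.compile(r"\\backups?\\|\.(vbk|bak|vhdx?)$", re.I)

WINDOW = timedelta(seconds=60)   # tuning assumptions for this example, not values from the post
RENAME_THRESHOLD = 5             # extension-changing renames per process within WINDOW
BACKUP_DELETE_THRESHOLD = 3      # backup-file deletions per process within WINDOW


def parse_events(text):
    """Parse the audit lines into dicts, ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, host, pid, proc, op, path, new = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
                       "proc": proc, "op": op, "path": path, "new": new})
    return sorted(events, key=lambda e: e["ts"])


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events):
    """Run the three heuristics over time-ordered events and return one alert per
    process per heuristic."""
    alerts, fired = [], set()
    renames, deletes = defaultdict(deque), defaultdict(deque)

    def fire(kind, e, detail):
        key = (kind, e["host"], e["pid"])
        if key not in fired:
            fired.add(key)
            alerts.append({"kind": kind, "host": e["host"], "pid": e["pid"],
                           "proc": e["proc"], "at": e["ts"].isoformat(), "detail": detail})

    def count_in_window(q, ts):
        # Sliding window: drop timestamps older than WINDOW, return current count.
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        return len(q)

    for e in events:
        key = (e["host"], e["pid"])
        if e["op"] == "RENAME" and e["new"] and _ext(e["path"]) != _ext(e["new"]):
            n = count_in_window(renames[key], e["ts"])
            if n >= RENAME_THRESHOLD:
                fire("rename_burst", e, f"{n} extension-changing renames in {WINDOW.seconds}s")
        elif e["op"] == "DELETE" and BACKUP_PATH_RE.search(e["path"]):
            n = count_in_window(deletes[key], e["ts"])
            if n >= BACKUP_DELETE_THRESHOLD:
                fire("backup_wipe", e, f"{n} backup files deleted in {WINDOW.seconds}s")
        elif e["op"] == "CREATE" and _ext(e["path"]) in ("txt", "html", "hta") \
                and NOTE_NAME_RE.search(e["path"].rsplit("\\", 1)[-1]):
            fire("ransom_note", e, e["path"])
    return alerts


def alert_kinds(text=SAMPLE_EVENTS):
    return [a["kind"] for a in detect(parse_events(text))]


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f'{a["at"]} {a["host"]} pid={a["pid"]} {a["proc"]}: {a["kind"]} ({a["detail"]})')
```

Against the constructed events the backup wipe fires first, at 13:09:11, before a single user file has been touched; that is the point at which isolating the endpoint (the containment step below) still saves the data. The normal rename by winword.exe keeps its .docx extension and is ignored.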

3 Containment

Damaged systems need to be removed, devices isolated and compromised accounts locked down. A key step at this stage is to isolate the afflicted endpoint as quickly as possible.

4 Eradication

Once the ransomware incident is identified and contained, it needs to be removed from the network, and any damage discovered in the identification phase remediated.

Replace, rebuild or clean

It is generally recommended that, where possible, machines are rebuilt or replaced rather than cleaned, because a tool the attacker has put in place may not be detected in a clean-up. Where cleaning a specific location is the pragmatic choice, it is imperative to keep monitoring to ensure the attack does not re-emerge.

5 Recovery

Having and following your disaster recovery plan is vital to get all affected systems up and running again and quickly get back to business as usual.

A full investigation into the ransomware attack as to what specific infection vector was used against the system is also needed. Knowing how the ransomware came onto the system in the first place helps to prepare and improve defence systems for the future.


6 Lessons Learnt

The last phase, but arguably the most important is to learn from the incident to help prevent future incidents. Businesses can be too quick to delete, restore, and re-image at the first sign of an incident before they’ve fully learned how the attacker got in, or how much damage was really done. Without this stage, a business can easily find itself repeating the same steps again and again, against the same attack, with no improvement.

Conclusion

Ransomware isn’t going away any time soon; in fact, it continues to grow. Quite simply, as long as it keeps working for attackers, individual users and businesses will continue to be targeted. Cybercriminals will continue to take advantage of security weaknesses to deploy destructive ransomware attacks for as long as individuals and businesses fail to make cyber security a priority.

Prevention (regular security audits, application testing, penetration testing and so on) and cure (an incident plan and a response management tool in place) are as important as each other. Considering and implementing both, not just one, is vital for an organisation’s cyber hygiene in the fight against cybercrime. Following a guide to ransomware, or indeed advice on improving cyber posture and cyber protection as a whole, should become a habit rather than a chore.

Logically Secure provides experienced and expert security testing, incident response consultancy and an incident management tool for businesses of all sizes.

The post A guide to Ransomware – what it is, how it works, and how to defend against it appeared first on Logically Secure Ltd.

What’s wrong with having an internet facing login page? – SQL injection in Aptean
https://www.logicallysecure.com/blog/sql-injection-in-aptean/
Wed, 14 Oct 2020 08:15:25 +0000


Exposing administrative interfaces can be dangerous – SQL injection in Aptean

TL;DR: We have found a time-based SQL injection in Aptean Product Configurator v4.0 SP6 – 4.61.0000 which allowed for database access.

Have you ever wondered what are the risks of leaving a login interface exposed to the internet?

You have probably already thought of weak passwords being used, an insecure Wi-Fi network during the initial connection, or the headache of giving access only to the right people. You also keep the platform up to date and patched; however, this is not enough. Those are the most commonly discussed risks and they are generally well known.

When deciding to open a new page to the whole world (the internet), it is important to identify the risks that are not yet known.

Conducting a penetration test is a good way to do this.

During a penetration testing engagement we actively try to break through the current defences of the application, its platform and other internal network devices on the route.
An external penetration test starts with us discovering the available attack surface and then attempting to break the system’s defences with the least possible privileges.

In our test we started by examining the login page, with no further access. Our goal was to determine what could be done without authentication to the application at all.
We examined all parameters in the login page of Aptean Product Configurator v4.0 SP6 – 4.61.0000.
A GET request to /pc40/cse?cmd=LOGIN&config_details=null&product_id=null&passTxt=LQM2PdpY&lang=null&login_type=standard&nameTxt= was found to be vulnerable.

After numerous attempts, we found that the nameTxt parameter was vulnerable to time-based SQL injection. This allowed for the extraction of all data stored in the application database and for further system enumeration.

This vulnerability can be exploited remotely, with no authentication.
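As an added illustration of the bug class behind an injectable login parameter (this is not Aptean’s code, whose internals are not published here), the hypothetical login check below builds its query by string concatenation, beside the parameterised form that a fix would use; the user table is constructed in memory with sqlite3.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the illustration (not Aptean's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'secret')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Query text is assembled from user input: any quote character in `name`
    or `password` becomes part of the SQL grammar rather than a value. This is
    the defect class that makes a login parameter injectable."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND pass = '" + password + "'")
    return conn.execute(sql).fetchone()[0] == 1


def login_hardened(conn, name, password):
    """Bound parameters: the driver passes the values separately from the SQL
    text, so input can never alter the statement's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pass = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] == 1


def structure_changed(conn, name):
    """Return True if `name` alters the concatenated query's structure.
    A single quote in an ordinary value (e.g. a surname) is enough to turn it
    into a different, here malformed, statement; the hardened version treats
    the same value as plain data."""
    try:
        login_vulnerable(conn, name, "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("hardened, valid creds:", login_hardened(db, "alice", "secret"))
    print("quote breaks concatenated query:", structure_changed(db, "O'Brien"))
    print("hardened handles quote safely:", login_hardened(db, "O'Brien", "x"))
```

The same defect appears in any language that assembles SQL from request parameters; the remedy is bound parameters (or a query builder that uses them), not filtering of quote characters.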

From this we uncovered a previously unknown risk and helped the client make better decisions for their business.

To conclude, it is important to perform due diligence cost-effectively and actively attempt to uncover unknown risks.

If you would like more information about our methods and testing, visit our testing services page or please contact us and we can arrange a scoping call or demo of our technical services.

Discovered by Alexander Drabek

CVE number: CVE-2020-26944
Discovery 1st October 2020
Aptean informed – Acknowledgement on 19th October 

The vendor is working on a patch and performing further security tasks to ensure the security of their products.
Any current and past customers affected by this vulnerability are invited to reach out to Aptean Customer Support to obtain the patch and assistance applying it.

The post What’s wrong with having an internet facing login page? – SQL injection in Aptean appeared first on Logically Secure Ltd.
