Quarterly security report

2020 Q4

Robinett Consulting

Robinett Consulting knows that a proper defense against cybersecurity threats is critical to preventing loss to your business. To keep your company safe, we take a layered approach: we first assess your risks and then provide the protections best suited to your situation. Whether you are a small business or an enterprise, we customize the solution to your specific security needs. This report outlines three of those security layers and the solutions we offer for each: Edge Protection, Multi-Factor Authentication, and Dark Web monitoring.

Edge Protection

Proactive Protection

The perimeter of an organization is a common attack vector. Attackers must get through the edge to reach valuable assets, so proactive security at the edge mitigates risk and reduces your exposure.

Perimeter Security

Edge Protection acts like a guard post and a patrol along the perimeter of a secured area. It deters attackers and is a major proactive defense for your environment.


Solutions:

The following Edge Protection solutions are Cisco firewalls backed by Talos. Talos backs all Cisco security products and comprises world-class researchers, analysts, and engineers; it is one of the largest threat intelligence teams in the industry.

Meraki Firewall

  • KEY METRICS

    • Cloud-managed from a single pane of glass in a web browser.

    • Tailored for SOHO and branch sites.

    • Next Generation Firewall and IPS.

Adaptive Security Appliance

  • KEY METRICS

    • Traditional stateful firewall.

    • Multi-context firewall (several virtual firewalls on one appliance).

    • Remote Access VPN headend.

    • Upgradable to Next Generation capabilities.

    • Can be managed by Cisco Defense Orchestrator (CDO) or the Adaptive Security Device Manager (ASDM).

Firepower Threat Defense

  • KEY METRICS

    • Next Generation IPS.

    • Next Generation Firewall.

    • Advanced network visibility and threat analytics.

    • Incident response and threat investigation.

    • Can be managed by CDO, Firepower Management Center (FMC), or Firepower Device Manager (FDM).

What Edge Protection Keeps Out

Cybercriminals Feign Authenticity With CAPTCHAs:

Attack type: Phishing

Cybercriminals are chaining multiple visual CAPTCHAs in front of their phishing pages, both to evade automated scanners, which cannot solve the challenges and so never see the credential-harvesting page behind them, and to make the spoofed site look legitimate. What is new is the use of several CAPTCHAs in a row. People have been trained to expect CAPTCHAs on credible sites, which makes them less suspicious of the spoofed site. Endpoint protection using the threat intelligence that feeds Next-Generation Firewalls helps prevent users from reaching these malicious sites.

*https://threatpost.com/microsoft-office-365-captchas/159747/

Universal Health Services Falls Victim to Ransomware Attack:

Attack type: Data Breach

Fortune 500 company Universal Health Services (UHS) has reportedly had a cyber-attack bring operations to a halt. The attack is believed to be ransomware, specifically Ryuk. Ransomware operators often also steal the data they encrypt, either for double extortion or to sell on the dark web. UHS has stated that no patient or employee data was accessed, copied, or compromised. Ryuk intrusions commonly begin with a phishing email, so endpoint protection using the threat intelligence that feeds Next-Generation Firewalls helps prevent users from reaching sites meant to phish credentials or deliver malware.

*https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/

Potential Flash Player Exploit Leaves Users Vulnerable:

Attack type: Vulnerability

Adobe warns of a critical vulnerability in Flash Player that stems from a NULL pointer dereference error. There are currently no known exploits of this vulnerability; however, Flash is a notorious target for malicious actors, and Flash Player itself reaches end of life at the end of 2020, so the safest fix is to remove it. Adobe has released a patch for this vulnerability. Endpoint protection using the threat intelligence that feeds Next-Generation Firewalls helps prevent vulnerabilities from being exploited on resources behind the firewall.

*https://threatpost.com/flash-player-flaw-adobe-rce/160034/

MERCURY Exploits Microsoft Zerologon:

Attack type: Exploit

Microsoft warns that the Iranian state actor MERCURY has been observed actively exploiting the Zerologon vulnerability (CVE-2020-1472) for about two weeks. Zerologon lets an unauthenticated attacker with network access to a domain controller reset its machine account password and take over the domain. Microsoft has released a patch; install it on every domain controller. Endpoint protection using the threat intelligence that feeds Next-Generation Firewalls helps prevent vulnerabilities from being exploited on unpatched resources behind the firewall, but it is a stopgap, not a substitute for patching.

*https://threatpost.com/microsoft-zerologon-attack-iranian-actors/159874/
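Patching is the fix; the check a practitioner also wants is whether exploitation has already happened. The following is an added example written for this report, not Microsoft's, Cisco's or Robinett Consulting's code. It scans a domain controller log export for two widely used indicators: a computer account changed by ANONYMOUS LOGON (Security event 4742, the trace left when the machine account password is reset through the unauthenticated Netlogon call) and a vulnerable Netlogon connection allowed (System event 5829, which only exists on controllers that have the August 2020 Netlogon update installed). The JSON-lines export format, its field names, the hostnames and the records themselves are constructed for the example.

```python
"""Zerologon (CVE-2020-1472) exploitation indicators in domain controller logs.

Added example for this report; not code from Microsoft, Cisco or Robinett
Consulting. The log export format (one JSON object per line with the field
names below) and the sample records are constructed for the example.
"""
import json
from typing import Dict, Iterator, List, Optional

# Windows event IDs used as indicators.
#   4742 (Security log): "A computer account was changed". Exploitation resets
#        a machine account password through an unauthenticated Netlogon call,
#        so the Subject of the change is NT AUTHORITY\ANONYMOUS LOGON.
#   5829 (System log): Netlogon allowed a vulnerable secure-channel connection.
#        Logged only by domain controllers with the August 2020 Netlogon
#        update installed; unpatched controllers never emit it.
COMPUTER_ACCOUNT_CHANGED = 4742
VULNERABLE_NETLOGON_ALLOWED = 5829

# Constructed JSON-lines export; hostnames and account names are hypothetical.
SAMPLE_LOG = """
{"EventID": 4742, "Channel": "Security", "Computer": "DC01.corp.example", "SubjectUserName": "svc_sccm", "SubjectDomainName": "CORP", "TargetUserName": "FS02$", "TargetDomainName": "CORP"}
{"EventID": 4742, "Channel": "Security", "Computer": "DC01.corp.example", "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$", "TargetDomainName": "CORP"}
{"EventID": 5829, "Channel": "System", "Computer": "DC01.corp.example", "MachineName": "WS17$", "SourceIP": "10.20.30.40"}
{"EventID": 4624, "Channel": "Security", "Computer": "DC01.corp.example", "SubjectUserName": "", "TargetUserName": "alice", "LogonType": 3}
"""


def parse_events(text: str) -> Iterator[Dict]:
    """Yield one event dict per non-empty line; skip lines that are not JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def classify(event: Dict) -> Optional[str]:
    """Return a rule name if the event is a Zerologon indicator, else None."""
    try:
        event_id = int(event.get("EventID", 0))
    except (TypeError, ValueError):
        return None
    if event_id == COMPUTER_ACCOUNT_CHANGED:
        subject = str(event.get("SubjectUserName", "")).upper()
        target = str(event.get("TargetUserName", ""))
        # A machine account (name ends in "$") changed by ANONYMOUS LOGON is the
        # classic post-exploitation artefact; legitimate changes carry the
        # identity of an admin, the machine itself, or a service account.
        if subject == "ANONYMOUS LOGON" and target.endswith("$"):
            return "zerologon_machine_password_reset"
    elif event_id == VULNERABLE_NETLOGON_ALLOWED:
        # Not proof of exploitation, but a client still using the vulnerable
        # Netlogon handshake; it must be fixed before enforcement mode is on.
        return "vulnerable_netlogon_connection"
    return None


def find_indicators(text: str) -> List[Dict]:
    """Run classify() over a log export and return the hits with context."""
    hits = []
    for event in parse_events(text):
        rule = classify(event)
        if rule:
            hits.append({
                "rule": rule,
                "dc": event.get("Computer", ""),
                "account": event.get("TargetUserName") or event.get("MachineName", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(f"{hit['rule']:34} dc={hit['dc']} account={hit['account']}")
```

A hit on the first rule means the controller's machine account password was changed out of band, which also breaks its replication; after patching, reset that account (Reset-ComputerMachinePassword on the controller) and treat the domain as compromised until the surrounding activity has been investigated. A hit on the second rule is a to-do list: every client it names has to be fixed before Netlogon enforcement mode is turned on, or it will simply be refused.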

Multi-Factor Authentication

Strengthened Security

Having reliable Multi-Factor Authentication (MFA) is important because even if you have strong passwords, your credentials are still at risk.

Your passwords for third-party sites should be stored hashed, but they must be stored somewhere, and that storage can be compromised without you being immediately aware. Passwords are also phished or keylogged directly from users. With MFA, a stolen password alone is not enough to log in.


To add a layer of security that also helps your company meet compliance requirements for access and user authentication controls, Robinett Consulting offers Duo, Cisco’s Multi-Factor Authentication product.

Easy Implementation

  • KEY METRICS

    • Duo protects many of the applications your business already uses and provides secure access to them.

    • Once you are up and running with Duo, your users have a variety of authentication options (push notification, passcode, hardware token) that add security without interrupting their workflow.

Scalability

  • KEY METRICS

    • Duo’s self-enrollment lets company members enroll their own devices, which makes deploying Duo easy and worry-free.

    • This also means that as your company grows, Duo enrollment scales with it.

Control and Monitoring

  • KEY METRICS

    • Duo lets you distinguish personal from business devices, assess the security posture of all devices, and identify and monitor potentially risky ones.

    • You can also set access policies that control which devices can reach which applications based on device hygiene or ownership.

What Multi-Factor Authentication Helps Mitigate

“Missed Chat” Phishing Attack on Microsoft Teams:

Attack type: Phishing

Malicious actors have crafted a phishing email that notifies users of a “missed chat” in Microsoft Teams. The aim, as always, is to steal the recipients’ login credentials. The nature of an instant messenger such as Teams makes the user want to respond with haste, which lowers their guard. Having MFA enabled on an account whose credentials have been phished helps mitigate the risk of that account being used to compromise the network: the attacker has the password but cannot satisfy the second factor.

*https://threatpost.com/microsoft-teams-phishing-office-365/160458/

Athlete Social Media Accounts Targeted for Phishing:

Attack type: Phishing

Two malicious actors targeted NFL and NBA athletes’ social-media accounts with phishing tactics. One tactic was direct messages with links to spoofed phishing websites; successfully phished credentials were then tried against other sites (credential stuffing). One of the actors went as far as attempting to extort a victim in return for restoring access to the account. Both are facing charges. Having MFA enabled on an account whose credentials have been phished helps mitigate the risk of the account being hijacked, and it blunts credential stuffing because a reused password is not enough on its own.

*https://threatpost.com/nfl-nba-players-hacked/159742/

Cyberattacks within Office 365:

Attack type: Exploit

Malicious actors are using Office 365 applications to launch attacks on stay-at-home workers. Because of the power of these applications, attacks launched from within Office 365 range from phishing to command-and-control (C2). Actors phish user credentials and then move laterally through the Office 365 environment, aided by applications such as Power Automate and eDiscovery. MFA helps prevent cases like this, because the extra layer can stop attackers from gaining the initial access they need to begin their campaign.

*https://threatpost.com/office-365-persistent-cyberattacks/160010/


Dark Web Monitoring (DWID)

Credentials for accounts can be found on the Dark Web for less than the price of a small coffee. Once bought, those credentials can give an attacker the access needed to put a business out of operation.

What is the Dark Web?

The area of the internet that you access every day is just the surface of the internet. Underneath is the deep web and the Dark Web; it is in the Dark Web that a wealth of stolen data circulates for sale.

How would your credentials end up on the Dark Web?

• Your credentials can be keylogged, phished when entered on a fake website, or stolen by malicious software.
• 3rd-party data breaches leak large amounts of information when an outside website or database that holds your credentials is hacked.
• Accidental and malicious exposure are also risks: your data may be inadvertently or intentionally shared on the internet.


You can’t control a data breach, but you can control whether the leaked data is still valid: a password that has been rotated is worthless to whoever bought it. To monitor and mitigate the threat of stolen credentials, Robinett Consulting offers 24/7 monitoring with Dark Web ID.

What does DWID do?

DWID alerts you when your information is found on the Dark Web. The earlier you know what information is out there, the sooner you can secure your credentials.

You may not be aware that your credentials are on the Dark Web, but if they are, we will let you know and tell you what personal information was leaked along with them.

Dark Web ID scours the Dark Web to find your information on:

  • Dark Web Chatrooms
  • Hacking Sites
  • Hidden Theft Forums
  • Peer-to-Peer file sharing networks
  • Other Black Market Sites
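The report does not describe how Dark Web ID matches your data, and the following is not its method or code. It is an added example of a check an administrator can run on their own: whether a password is already in a breach corpus, without sending the password, or even its full hash, to whoever holds the corpus. It follows the k-anonymity range-lookup design used by public breached-password services: the client sends only the first five hex characters of the password's SHA-1 hash and matches the remainder locally. The corpus, built here from a few constructed plaintexts with made-up counts, and the `range_lookup` function that stands in for the server are assumptions of the example, not a real service.

```python
"""Breached-password check that never discloses the password being checked.

Added example for this report; not Dark Web ID's method or code. Follows the
k-anonymity range-lookup design used by public breached-password services.
The corpus below is constructed from a few plaintexts with made-up counts so
the example runs offline; a real service stores and serves only hashes.
"""
import hashlib
from typing import Callable, Dict, List

PREFIX_LEN = 5  # hex chars sent to the server; one prefix covers many hashes


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the key format of the corpus."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach data (hypothetical counts); only the hashes are "stored".
_LEAKED_PLAINTEXTS = {
    "Password1": 2_482_000,
    "letmein": 312_000,
    "Summer2020!": 1_140,
    "corp-vpn-2019": 3,
}
CORPUS: Dict[str, int] = {sha1_hex(p): n for p, n in _LEAKED_PLAINTEXTS.items()}


def range_lookup(prefix: str) -> List[str]:
    """Server side: 'SUFFIX:COUNT' lines for every corpus hash under the prefix.

    The server learns a 20-bit prefix, never which hash the client holds.
    """
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    return [f"{h[PREFIX_LEN:]}:{n}" for h, n in sorted(CORPUS.items())
            if h.startswith(prefix)]


def breach_count(password: str,
                 lookup: Callable[[str], List[str]] = range_lookup) -> int:
    """Client side: how often the password was seen in breaches, 0 if never.

    Only the hash prefix is sent; the full hash is compared locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in lookup(prefix):
        found_suffix, count = line.split(":", 1)
        if found_suffix == suffix:
            return int(count)
    return 0


def compromised_accounts(credentials: Dict[str, str]) -> List[str]:
    """Given username -> password (e.g. a password-manager export), return the
    usernames whose password is in the corpus and therefore must be rotated."""
    return [user for user, pw in credentials.items() if breach_count(pw) > 0]


if __name__ == "__main__":
    sample = {"alice": "Password1", "bob": "8kTz%wq2!Lp9vR", "vpn-svc": "corp-vpn-2019"}
    for user in compromised_accounts(sample):
        print(f"{user}: password seen {breach_count(sample[user])} times; rotate it")
```

Two limits worth stating. A count of zero means the password is not in this corpus, not that it is safe. And the check is password-only; it tells you nothing about whether a username or e-mail address is circulating with a password attached, which is the question a Dark Web monitoring service answers.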

What Monitoring the Dark Web Helps Mitigate

Network Access Sales on the Dark Web:

Attack type: Malware (Ransomware)

Cybercriminals are selling ransomware groups access to internal networks. The access is advertised in underground forums with the victim’s industry, the type of access, the size of the network, the country, and more. The most common type of access sold appears to be compromised RDP credentials, and access to an internal network can go for as little as $300. Monitoring the Dark Web for credentials that grant access to your company is a proactive way to find out you have been compromised before the buyer acts on it.

*https://threatpost.com/ransomware-network-access-cyberattack/159998/

Valuable PII Stolen from Cruise Lines:

Attack type: Malware (Ransomware)

Malicious actors accessed the personal information of guests, employees, and crew of three cruise line brands during a ransomware attack. The company believes there is a low likelihood of the data being misused. Cybersecurity consultants have been called in to recover files and notify those affected. Monitoring the Dark Web for Personally Identifiable Information (PII) tells you what could be used in a future phishing campaign against your employees.

*https://threatpost.com/carnival-corp-ransomware-attack-cruise/160134/

PII Stolen in Pfizer Inc. Data Breach:

Attack type: Data Breach

Pfizer Inc. had a misconfigured Google Cloud storage bucket that exposed patient information. The data included Personally Identifiable Information (PII) that could enable targeted attacks on those patients. Storing information in the cloud makes it more available and accessible, but access control then rests on configuration that must be set and verified: a single permissive setting on a bucket exposes its entire contents to the internet. Monitoring the Dark Web for PII tells you what could be used in a future phishing campaign against your employees.

*https://pharmafield.co.uk/pharma_news/pfizer-suffers-huge-data-breach-on-unsecured-cloud-storage/
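The Pfizer exposure came down to a bucket setting, and the setting is checkable. As an added example (not Pfizer’s, Google’s or Robinett Consulting’s code), the following audits a Cloud Storage bucket IAM policy of the shape `gsutil iam get gs://BUCKET` returns for the two principals that make a bucket public, `allUsers` and `allAuthenticatedUsers`, and produces the hardened policy with those principals removed. The weak policy, the project, the role assignments and the service account below are constructed for the example.

```python
"""Find and remove public principals in a Cloud Storage bucket IAM policy.

Added example for this report, not code from Pfizer, Google or Robinett
Consulting. The policy has the shape returned by `gsutil iam get gs://BUCKET`
(a JSON object with a "bindings" list and an "etag"); the bucket, project,
roles and service account below are constructed.
"""
import copy
import json
from typing import Dict, List, Tuple

# Special principals that make a binding world-readable. allAuthenticatedUsers
# means "anyone with any Google account", which is public for all purposes.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed "before" policy: objectViewer granted to allUsers means every
# object in the bucket can be downloaded with no credentials at all.
WEAK_POLICY: Dict = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:ingest@example-proj.iam.gserviceaccount.com",
                     "allAuthenticatedUsers"]},
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:example-proj"]},
    ],
    "etag": "CAE=",
}


def public_bindings(policy: Dict) -> List[Tuple[str, str]]:
    """Return (role, member) pairs that expose the bucket to the public."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((binding["role"], member))
    return findings


def harden(policy: Dict) -> Dict:
    """Return a copy of the policy with public principals removed.

    Bindings left with no members are dropped; the etag is kept so the result
    can be written back as a conditional update that fails if the policy
    changed underneath us.
    """
    hardened = copy.deepcopy(policy)
    kept = []
    for binding in hardened.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", [])
                              if m not in PUBLIC_MEMBERS]
        if binding["members"]:
            kept.append(binding)
    hardened["bindings"] = kept
    return hardened


if __name__ == "__main__":
    for role, member in public_bindings(WEAK_POLICY):
        print(f"PUBLIC: {member} holds {role}")
    fixed = harden(WEAK_POLICY)
    print("public bindings after hardening:", public_bindings(fixed))
    print(json.dumps(fixed, indent=2))  # write this back with `gsutil iam set`
```

Write the hardened policy back with `gsutil iam set hardened.json gs://BUCKET`. Two caveats: if uniform bucket-level access is not enabled on the bucket, per-object legacy ACLs can still grant READER to allUsers even when the IAM policy is clean, so enable it (`gsutil ubla set on gs://BUCKET`) before trusting an IAM-only audit; and a bucket that is private today can be made public tomorrow by anyone with permission to edit its policy, so the audit belongs in a scheduled job, not a one-off.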

Conclusion

Proactively protecting your business can be challenging and complicated, but it is a necessity in today’s world of tenacious and creative attackers. Do not be another statistic, do not be low-hanging fruit, and do not be a victim of cyber-attacks. Please contact Robinett Consulting for more information.
