Former Employees Pose Serious Risk To Security

The Department of Health and Human Services’ Office for Civil Rights (OCR) has reminded those who deal with PHI and PII of the dangers that terminated employees can pose to system security in their monthly cybersecurity newsletter. Their advice is as timely as it is excellent, and includes the following:

“Making sure that user accounts are terminated so that former workforce members don’t have access to data is one important way Identity and Access Management can help reduce risks posed by insider threats.

IAM can include many processes, but most commonly would include the processes by which appropriate access to data is granted, and eventually terminated, by creating and managing user accounts.”

Kate Borten, President of The Marblehead Group, agrees, citing Verizon’s 2017 Data Breach Investigations Report, which was released earlier this year and named health care as the industry with the highest number of insider breaches.

OCR has published an extensive list of recommendations, which include:

• The creation and maintenance of user access logs used to determine when a user’s access levels are increased, or new equipment is assigned. These logs can also be used to track and trace precisely who is accessing what data, when, and using what locations, creating an audit trail.
• Establishing processes designed to terminate an employee’s access as soon as employment ends. These processes should also refer back to the aforementioned access logs to ensure that all equipment has been returned.
• Changing all administrative passwords on termination of an employee with access to those accounts, so that they will be unable to access them post-employment.
• The creation of alerts that call attention to accounts that have not been utilized in some predefined number of days in order to identify accounts that may be ripe for purging from the system.
• And developing a robust auditing procedure designed to ensure that all IAM-related policies are being followed, and that the system is working as intended.

It’s an excellent piece, and if your firm is in any way involved with the handling of protected health information, you owe it to yourself to head to OCR’s website and read it in its entirety.

Top Subject People Fall Victim To Is – Data Breach Notification

For hackers around the world, success breeds more success, it seems.

A company called KnowBe4 has released a report entitled “Top Ten Global Phishing Email Subject Lines For Q3 2017.” To prepare it, they analyzed email subject lines from simulated phishing tests to determine what the most effective approach was.

Their findings were that “Official Data Breach Notification” was the hands-down winner, generating far more click-throughs than any other.

Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer had this to say about the report:

“Phishing attacks are responsible for more than 90% of successful cyber-attacks and the level of sophistication hackers are now using makes it nearly impossible for a piece of technology to keep an organization protected against social engineering threats.

We see urgency and fear of a breach as the drivers. We have over 1400 templates and a concentration of themes so we know what is highly effective. Phishing attacks are smart, personalized and timed to match topical news cycles. Businesses have a responsibility to their employees, their shareholders, and their clients to prevent phishing schemes.”

Wise words, and the first step on the path to prevention is knowing what triggers are the most effective, which makes the KnowBe4 report especially valuable to data security teams, regardless of what business your company is in.

The irony, however, is inescapable.

The reason that “Official Data Breach Notification” is such a devastatingly effective phishing headline is simply that the hackers have been devastatingly effective. Barely a day goes by that we are not greeted by some grim headline and a news story recounting the woes of yet another company suffering from yet another massive breach resulting in hundreds of thousands, millions, or more consumer data files stolen.

They are, in a very real sense, leveraging the power of their own success to become even more successful, and that’s sadly not likely to change anytime soon.

New “MailSploit” Allows Email Spoofing

Phishing attacks just got a whole lot easier.

A German security researcher named Sabri Haddouche has recently discovered a set of email vulnerabilities that have been collectively dubbed “Mailsploit.”  At the root, these vulnerabilities stem from the way most email systems interpret addresses encoded with a 1992 standard called RFC-1342.

The standard is that all information in an email header must be an ASCII character. If a non-ASCII character is encountered, it gets converted. Unfortunately, a shockingly large number of email clients (33 and counting) make no effort to check the header afterward for malicious code.

Also, if the RFC-1342 decoded header encountered a null-byte, or two or more email addresses, the only address that would be read would be the one that preceded the null-byte, or the first valid email address encountered.

The email clients vulnerable to this type of attack include:

  • Apple Mail
  • Mail for Windows 10
  • Microsoft Outlook 2016
  • Mozilla Thunderbird
  • Yahoo! Mail
  • AOL Mail

And many others, but Haddouche notes that Gmail is unaffected by the exploit.

There are two ways a hacker can use Mailsploit. First and most obvious to the eye is the fact that it can be used to spoof an email address, making it appear to be from someone you know, which, of course, has the impact of making it much more likely that you’ll click on any links embedded in the body of the message.

Secondly, and potentially even more troubling, is the fact that the exploit can be used to inject malicious code directly onto the recipient’s machine, which can easily give the hacker sending the email full control of the target’s system.

Worst of all, though, is the fact that while Haddouche contacted all of the companies found to offer vulnerable email clients, only eight of them have released a patch to correct the issue. Twelve vendors opted to triage the bug, but gave no information on if or when the issue might be patched, and twelve others made no reply at all.

Mozilla and Opera (both vulnerable) flatly refused to address the problem, which they see as a server-side issue.

Your IT staff’s job just got a whole lot harder.

Report Shows Small Percentage Of Employees Know About Ransomware

The statistics are alarming. Ransomware is fast becoming the favored hobby horse of hackers worldwide. Barely a week goes by that a new strain isn’t introduced into the wild, with expensive, and often tragic consequences. Right now, the average amount paid by office workers impacted by a ransomware attack is $1400, a figure that continues to creep higher.

What’s perhaps even more alarming, however, is the fact that although companies the world over have made a concerted effort to sound the alarm on the danger this type of software represents, no more than 30 percent of knowledge workers have any real understanding of the dangers that ransomware poses, according to Intermedia’s 2017 Data Vulnerability Report.

One of the most curious findings of the report was the fact that employees more often shoulder the costs of ransomware payments than employers do, with fully 59 percent of impacted employees paying the ransom out of their own pockets.

Unfortunately, small and medium-sized businesses are particularly vulnerable to this large and growing threat. Jonathan Levine, Intermedia’s CTO, had this to say on the topic:

“As ransomware continues to evolve and become more advanced, organizations of all sizes and types must acknowledge it as a very real threat. This is especially true for SMBs that may not have the resources, tools or training that larger organizations use to recognize, prevent and protect themselves from such attacks. Ransomware can infiltrate and shut down an entire business through just one infected computer. More often than not, SMBs feel they are forced to pay a ransom they can’t, but must afford, and hackers realize this.”

Perhaps worst and most distressing of all is the fact that 19 percent of the time, even when a ransom is paid, the files are never unlocked, making it a bad gamble. If you run a company of any size, make sure your employees from top to bottom fully appreciate the threat this attack vector poses.

USB Drives Could Be Huge Factor In Data Loss, Theft

Most people agree that the use of USB drives increases efficiency and boosts productivity, which goes a long way toward explaining their popularity, but these handy little drives can also be problematic.

According to a recently published survey by Apricorn, 87 percent of employees surveyed report that they have lost or had a USB drive stolen and failed to notify their employer. Worse, 80 percent of employees surveyed reported using non-encrypted USB drives that they’ve often acquired for free at trade shows or conferences.

The fact that these drives are unencrypted is bad enough, but there’s another, even more frightening dimension to the problem. Such drives could be pre-loaded with malware, which could easily make it onto your company’s network the moment they’re connected to any office machine.

Apricorn had this to say about the results of the survey:

“With the ever-increasing amount of data breaches and compromises, companies need to carefully monitor what data is being created in their organizations, and what is leaving.

Government, healthcare, finance and education industries have access to copious amounts of sensitive information and most of these industries are using USBs without advanced permission. Not only are these companies leaving themselves vulnerable, they are placing their customers’ and employees’ data at risk.”

Although the company notes that there is an awareness of the damage that lost or compromised data can cause, not much is being done about preventing that loss, at least where the use of USB drives is concerned. According to the survey, fully half of the respondents indicated that they didn’t need to seek permission to use a USB drive to copy or transport potentially sensitive information.

Does your company have a robust set of policies in place to control the use of USB drives? Are all the USBs used by your employees encrypted and secure? Do you have a policy in place regarding proper reporting procedures should a USB drive go missing? Important questions, all.

Corporate Attacks On The Rise Through Vulnerable Printers

Few things are more ubiquitous in an office environment than printers. Of course, these days, most printers are much more than simply that. They can also scan, copy and even send emails. As such, they’ve become an increasingly attractive option to hack, according to the latest data released by Barracuda Networks.

The reason is simple. Most printers aren’t as well protected as PCs and other devices on your network. They’re the weak point in your company’s defensive armor.

The upsurge in this type of attack seems to be focused on Cannon, HP and Epson printers, and works like this:

A printer is compromised and used to send spoofed scanned attachments, usually bearing an innocuous subject line such as “Scanned From HP,” “Scanned from Epson” or “Scanned from Cannon.”

Most employees don’t think twice about opening such attachments because they appear to be from a legitimate source inside the company, which is, of course, exactly what the hackers are counting on.

While any sort of payload can be delivered in this manner, the most common strain found installs a back door on the target PC, allowing the hackers to:

  • Monitor behavior and log keystrokes
  • Change computer settings
  • Copy files
  • Access other connected systems
  • And more.

In a clear indication that the malware could be used to launch a ransomware style attack, it also gives the hackers the ability to replace the PC’s wallpaper with any file they choose.

Employees should be more mindful about this type of attack and always double check to make sure the sender is valid. Also, it’s important to hover over the links embedded in such emails in order to be sure they’re valid before clicking on them.

If you haven’t been on the receiving end of an attack like this yet, count yourself lucky and stay vigilant.

Attackers Targeting Job Seekers Via Listings And Recruitment

Cyber-criminals around the world are increasingly focusing their attention on job seekers.  According to the security firm Flashpoint, there has been a notable uptick in ploys involving phony job listings that attempt to get job seekers to give up personal information.

Perhaps the biggest surprise is the fact that this is only now becoming a growing threat.  After all, from the cyber-criminal’s point of view, it’s low hanging fruit.  Job seekers expect that they’ll be asked for all types of personal information when applying for positions, after all.

As long as the criminals take the time to make their offers appear legitimate, most applicants wouldn’t think twice about sending in their resume (complete with physical address and phone number), and then, a bit later in the process, their social security number and other personal and confidential information.

According to Flashpoint analyst David Shear, it’s not just personal information the criminals are after, however.  Increasingly, criminals are seeking to engage the services of the people who “apply,” by using them as unwitting money mules, or using them as part of an intricate money laundering scheme.

On top of that, it’s all too easy for the criminal to respond to an applicant’s inquiry with an email containing an attachment (usually a poisoned PDF).  Again, since the applicant thinks he (or she) has replied to a legitimate offer for employment, odds are excellent that they’ll open the attachment without hesitation.

At that point, whatever payload the poisoned file contained is installed onto their computer, which can have devastating consequences, depending on the nature of the malware the criminals want to install.

Shear also notes that he and his team have seen an increase in the number of inquiries on the Dark Web asking after compromised business accounts, and offers this explanation as to why: “Attackers want access to business accounts in order to leverage their phony job listings and recruit people who would ultimately participate in fraud without their knowledge.”

All that to say, job seekers beware.  It seems that no low is too low where these criminals are concerned.