Tag Archive for: compliance

Quick Tips for Secure Cloud Deployment

“Can we move this to the cloud?” This question will continue to increase in frequency for the foreseeable future, as we have seen IT exponentially converging toward cloud Software as a Service (SaaS) over the last several years. While some of the more popular names like Dropbox, Salesforce and Google Drive dominate the consumer and “prosumer” branding space, there are more powerful tools like Microsoft Azure (which underpins Microsoft 365 Office Suite and much more) that are increasing in market share for small business and enterprise.

When your company transitions to a SaaS model, it will be important to consider the security risks since the cloud deployment is at the top of the stack and most typically managed and secured by a third party cloud service provider (CSP). So what is an IT manager or CTO to do? Cloud computing and storage has immense benefits, but how does one vet the various risks and choose the right SaaS solution?

A cloud security checklist!  

  • Evaluate Your Data: Paramount to everything else, IT and security staff must determine what type of data will be stored to the cloud and perform a risk assessment against it. How valuable is the data? What happens if it is lost or stolen? If it is inaccessible for hours/days/weeks what are the specific consequences to the business? As part of this assessment, it is also important to understand and assess the business continuity and disaster remediation practices of the SaaS provider. How long will your company be holding redundant data in house until the SaaS solution is trusted entirely?
  • Ask About Encryption: Know how securely the data is transmitted to the cloud. Is it encrypted during transmission and while stored? Many people will take this for granted, because most data would be transmitted securely by default, but it is important to know the risks and the procedures while taking extra precautions based on your own company’s potential edge cases. 
  • Consider Redundancy: Verify that the data in the SaaS environment is being backed up. How much redundancy exists? What are the provider’s data retention procedures? What are the procedures or fees for extracting data? 
  • Triple Check and Be Prepared: Since your company will not be managing the connectivity, storage, or the applications once they have been deployed to the cloud, it is crucial to understand how the SaaS application is running. Be sure to understand the intimate details of segmentation, resource allocation and security. Depending on your choice of provider and your budget, as well as the provider’s service packages, it may be possible to save money if you do not have to make any changes once the deployment is complete. This is an opportunity to benefit in the long term by doing sufficient research up front.
  • Ask About Ongoing Security: Make sure that the data transmission and storage is compliant with modern security standards. Discuss what monitoring the provider has in place, and make sure the client-facing interface supports things like 2FA as a standard practice. Are they submitting themselves to regular penetration testing? What are their internal remediation protocols?
  • What About Passwords and Authentication? Review the type of authentication that is being used by the SaaS. Credentials, if compromised, could allow access to your corporate network, or other data if not properly segregated. So, make sure that authentication data is not shared between internal systems and the SaaS deployment. Also, as a general practice, make sure that all passwords used to log into the SaaS environment (and everywhere else) are unique, complex and have a lockout feature enabled.
  • Work With a Trusted Partner! While there are a million buzzwords and protocols that can be thrown around in a SaaS sales pitch, the thing that actually matters most is the cloud service provider itself. Nobody can be an expert in running their own business while also being an IT, cloud computing, storage and security expert. Make sure you choose a CSP that has the proper credentials and experience to manage your cloud SaaS environment effectively. 

Choose GoVanguard. A Microsoft Gold Partner and Tier 1 CSP. We offer service and deployment of the entire suite of Microsoft’s offering: powerful, elastic, cost-effective and featuring world class security standards. All Microsoft tools integrate with Office 365, Teams, Defender ATP and the glue that holds it all together: Microsoft Azure. Prices for the entire Microsoft Suite start in the $5.00 range per month. Contact Us to get started.  

At GoVanguard, we recommend a systematic approach to information security. Carefully and simply implemented security protocols can minimize the risk of exposure to data breaches and the penalties that follow them. In order to successfully navigate data security protocols during this period of global pandemic, compliance protocols must be in place. That is why we have a rigorous cybersecurity risk assessment and program implementation regimen in place!

Reach out to us today and see how easy it is to take control of your security and keep your data secure. 

Coronavirus spreads to Infosec

Cybercriminals utilize anxiety, fear and a lack of understanding in order to engineer the environments in which people start making predictably bad security decisions. Spear phishing attacks trick unsuspecting members of organizations into thinking they need to urgently click something in an email that unleashes a payload or grabs login credentials. Victims are engineered to trust the alleged sender, or sometimes they fear the consequences of ignoring a big opportunity! This is a fundamental attack vector that infosec professionals combat every day, but the COVID-19 Coronavirus introduces a valuable new angle to the attack: fear of the unknown.

With companies like Google telling their employees to work from home, there will almost definitely be a cascade of big businesses pushing for as much remote work as possible – driving up the stock value of Zoom video conferencing software amid an otherwise nasty, global sell-off. This is a great step toward establishing a more nimble, decentralized workforce, but it also sets up the dominos for lots of insecure systems to be connecting improperly to company servers, and that opens up a wealth of new exploits! 

 

But the virus itself is also a juicy social engineering attack vector.  

This week, threat actors have begun to exploit the fear of the virus to spread the seeds of cybercrime, with threats ranging from coronavirus-themed malware attacks and booby-trapped URLs to credential stuffing scams. Two malware campaigns connected to the coronavirus have been discovered in the wild, just this week.

The first is a phishing email targeted to spread Remcos RAT and malware payloads. The message has an attached PDF offering coronavirus safety measures, according to research from ZLab-Yoroi Cybaze. Instead of safety measures, the PDF, named “CoronaVirusSafetyMeasures_pdf,” includes executables for a Remcos RAT dropper that runs with a VBS file executing the malware.  

The email attack showed a high level of sophistication in its ability to avoid detection by common firewalls, ZLab-Yoroi Cybaze researchers observed in a post on the threat, stating: “It established a TLS protected connection to a file sharing platform named ‘share.]dmca.]gripe,’ possibly to avoid reputation warnings raised by next-gen firewalls.”  

Victims are prompted to download the file, which then installs two executable files in the system directory on the victim’s computer. A VBScript then becomes the springboard to run the executables across the system. 

Another new email campaign reported by the MalwareHunterTeam includes a coronavirus-themed Microsoft Office document allegedly sent from the “Center for Public Health of the Ministry of Health of Ukraine.” Along with offering legitimate information, the document contains malicious macros that install a backdoor to allow keylogging, clipboard stealing and the ability to take screenshots from a victim’s computer. 

 

Sneaky, sneaky!  

According to some researchers’ estimates, there have been over 4,000 coronavirus-related domains registered globally in the last three months with 3-8% assumed to be malicious or suspicious, and they are being used to add a sense of legitimacy to multifaceted phishing attempts.  

Researchers at Cofense said they observed a new phishing attack based on fake messages from The Centers for Disease Control (CDC) stating that the coronavirus has “officially become airborne” and there “have been confirmed cases of the disease in your location.”

The email contains a phishing kit that asks recipients to click a link that appears to navigate to the CDC’s website to learn more about the local coronavirus threat.

Phishing Email

 Behind the link is a series of malicious redirects used by attackers that take victims to one of several SSL-certified, top-level domains where users will be presented with a Microsoft login page. The recipient email address is appended within the URL, to automatically populate the login box with their account name. The user is prompted to provide their password, which will be sent to the malicious actor before redirecting the user to the legitimate CDC website. 
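The pre-filled login box described above leaves a trace defenders can look for: the recipient's own address carried inside a link that does not point at a real sign-in host. The check below is an added example, not code from the Cofense report or from GoVanguard; the trusted host list, the recipient and the sample URLs are constructed assumptions.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: the hosts this organisation really signs in through.
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}


def _b64_text(token):
    """Return the UTF-8 text of a base64/base64url token, or None."""
    if len(token) < 8:
        return None
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
        return raw.decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def embedded_recipient(url, recipient):
    """Say how the recipient address is carried in the URL: 'plain', 'base64' or None."""
    needle = recipient.lower()
    parts = urlsplit(url)
    # Every place an address can ride along: path segments, query keys/values, fragment.
    tokens = [unquote(seg) for seg in parts.path.split("/") if seg]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        tokens += [key, value]
    if parts.fragment:
        tokens.append(unquote(parts.fragment))
    for token in tokens:
        if needle in token.lower():
            return "plain"
        decoded = _b64_text(token)
        if decoded and needle in decoded.lower():
            return "base64"
    return None


def flag_links(recipient, urls, trusted_hosts=TRUSTED_LOGIN_HOSTS):
    """Return (host, encoding) for links that carry the recipient to an untrusted host."""
    findings = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host in trusted_hosts:
            continue
        how = embedded_recipient(url, recipient)
        if how:
            findings.append((host, how))
    return findings


# Constructed sample data: a recipient and links as they might be extracted from one message.
SAMPLE_RECIPIENT = "alice@corp.example"
_B64 = base64.urlsafe_b64encode(SAMPLE_RECIPIENT.encode()).decode().rstrip("=")
SAMPLE_URLS = [
    "https://www.cdc.gov/coronavirus/2019-ncov/index.html",
    "https://login.microsoftonline.com/common/oauth2/authorize?login_hint=alice%40corp.example",
    "https://portal-update.example.net/owa/?email=alice%40corp.example",
    "https://secure-docs.example.org/view#" + _B64,
]

if __name__ == "__main__":
    for host, how in flag_links(SAMPLE_RECIPIENT, SAMPLE_URLS):
        print(f"review: {host} carries the recipient address ({how})")
```

Legitimate mail such as unsubscribe links also embeds the recipient address, so a hit is a triage signal to combine with sender and domain reputation rather than a verdict.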

These sorts of opportunities to launch sophisticated attacks against unsuspecting employees, who are working from home outside their normal routine and under the threat of a poorly understood pandemic, are a recipe for a large uptick in malicious attacks, and companies need to prepare their organizations for the new vectors.

Kaspersky has also issued their own findings about COVID-19 related email phishing attacks, stating: “The discovered malicious files were masked under the guise of .PDF, .MP4, .DOC files about the coronavirus,” researchers said in a statement released to Threatpost. “The names of files imply that they contain video instructions on how to protect yourself from the virus, updates on the threat and even virus-detection procedures, which is not actually the case.” 

The files contain a litany of security threats, including trojans and worms that are “capable of destroying, blocking, modifying or copying data, and interfering with the operation of computers or networks,” according to the firm. So far, ten different documents have been observed circulating. 

“As people continue to be worried for their health, we may see more and more malware hidden inside fake documents about the coronavirus being spread,” wrote Anton Ivanov, Kaspersky malware analyst. 

 

Staying protected 

So how can you avoid falling victim to these scam attempts? GoVanguard recommends that all companies:

  1. Be extra cautious with emails and files received from unknown, but official sounding senders, especially if they prompt for actions and credentials.
  2. Do NOT click on ads or promotional links in emails. Instead, Google your desired retailer and click the link from the Google results page.
  3. Beware of “special” offers. “An exclusive cure for Coronavirus” is not ever going to be emailed to you.
  4. Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.

At GoVanguard, we recommend a systematic approach to information security. Carefully and simply implemented security protocols can minimize the risk of exposure to data breaches and the penalties that follow them. In order to successfully navigate data security protocols during this period of global pandemic, compliance protocols must be in place. That is why we have a rigorous cybersecurity risk assessment and program implementation regimen in place!

Reach out to us today and see how easy it is to take control of your security and keep your data secure.

White House Data Breach

Malicious actors have penetrated the networks of the Department of Defense (DoD) agency tasked with securing and managing electronic communications for the White House. They have leaked personally identifiable information (PII) of White House staff, including Donald Trump and Mike Pence, which raises major red flags about the security of communications among U.S. officials as the 2020 election gets underway.

On Friday, the data breach became public via a report from Reuters when they confirmed that affected parties at the Defense Information Systems Agency (DISA) had been sent letters informing them of the breach.

DISA Command Flow Chart for White House Security Operations

DISA acts as a provider of telecommunications and IT management for the President and other White House executive staff. This includes the U.S. Secret Service, the chairman of the Joint Chiefs of Staff and other senior members of the armed forces, according to the agency’s website.

DISA employs about 8,000 people, including military and civilians, but is known to contract some private companies that have federal contractor certifications. Interestingly, DISA was part of the task force that helped reform the government contractor security clearance process following the U.S. Office of Personnel Management attacks in 2014 and 2015. Those breaches compromised the records of about 21 million government employees, and the current DISA breach is estimated at 200,000, according to Forbes.

Notification documents started to leak onto social media over the weekend, stating, “During the May to July 2019 time frame, some of your personal information, including your social security number, may have been compromised in a data breach on a system hosted by the Defense Information Systems Agency.” The letter was signed by Roger Greenwell, DISA CIO and risk management executive.

DISA Disclosure Letter about White House Data Breach. From Roger Greenwell.

DISA does not believe that any data from the breach has been misused, according to the letter, but these sorts of data breaches are not typically about the data used immediately after the attacks. Instead, malicious acts against nations tend to be just a small part of a broader attack. Use of breached data can go on for years as malicious actors engage in on-going spear phishing attacks and data mining operations to work their way deeper into secure systems.

With the stolen data, talented hackers can work their way into the most secure environments – exposing critical data to the nation’s security.

“We take this potential data compromise very seriously,” Greenwell wrote. “As a result we have put additional security measures in place to prevent future incidents and we are adopting new protocols to increase protection of all PII.”

The nature of those additional security measures has not been disclosed, but DISA is going forward under the assumption that the attack was state-sponsored.

“No doubt this was a state-sponsored activity; this breach will be used to further target DISA employees with admin access to highly sensitive networks,” Rosa Smothers, senior vice president of cyber operations, KnowBe4, said in an email. “It’s a painful irony that the agency charged with providing secure comms for the White House has fallen victim to a data breach.”

The breach will likely have serious implications for the upcoming presidential election.

With the memory of alleged meddling by “Russian Hackers” in the 2016 election, the electoral consequences of international cybercrime are still very much on the minds of American voters. If there is one thing the United States does not need right now, it is a major undermining of the integrity of the vote.

At GoVanguard, we recommend a systematic approach to information security. Carefully and simply implemented security protocols can minimize the risk of exposure to data breaches and the penalties that follow them. In order to stop malicious attacks from state actors that undermine the integrity of U.S. elections and the Republic itself, compliance protocols must be in place. That is why we have a rigorous cybersecurity risk assessment and program implementation regimen in place!

Reach out to us today and see how easy it is to take control of your security to keep the nation secure.

Are you Compliant with the New York SHIELD Act?

The New York Shield Act has broadly increased the scope of how “private information” is defined, and how it must be dealt with by any business that maintains the customer data of any citizen of the state of New York. The “Stop Hacks & Improve ELectronic Data Security” Act is an attempt to modernize the way that financial data is secured. It also expands the definition of a breach, and changes the threshold at which a company is obligated to disclose the theft of data to the state and to citizens of New York.

While there are many federal and state laws across the country with varying standards, SHIELD intermingles with some, but is written in such a way that it supersedes older laws, and applies more broadly than existing law in New York. It covers any business, of any size, in any state that collects Social Security numbers, W2 forms or other relevant financial data of a New York citizen. The breach notification components came into effect on October 23, 2019. The security safeguard requirements of the SHIELD Act will be in effect on March 21, 2020.

The new law broadly expands on requirements and specifies many new steps that companies must go through in the reporting of a data breach, and offers plenty of suggestions to create reasonable safeguards against malicious attack.

Data Breach Notification

The SHIELD Act amends New York’s existing laws to broaden the obligations of all businesses to notify customers of a breach. The big change is that the definition of “private information” now includes e-mail addresses, biometrics, as well as security questions and answers for password and identity authentication, in addition to the more typical definition that includes financial account numbers and personal contact data. SHIELD also expands the definition of a “data breach” from unauthorized acquisition to merely unauthorized access to private information. If any unauthorized person in the business environment could view the protected information of a client, the data should be considered compromised.

Another significant change is that rather than simply notifying customers of a breach, the offending business party must also provide relevant links, phone numbers or other contact information for the agencies most appropriate to compensate for the specific types of compromised data. In some circumstances, this could include mandatory credit monitoring, but it could go as far as reporting specific cases to state and federal agencies for recovery and compensation of the individual affected parties.

Another shift is that for health care organizations which are bound to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and are currently required to notify the Secretary of Health and Human Services of breaches under those regulations, the SHIELD Act adds the requirement to provide notification to the state Attorney General within ten business days of notifying the Secretary.

In-state businesses that experience a breach must also notify the New York State Office of Information Technology Services, who will provide a report on the scope of the breach and recommendations to improve the security of the system to the offending New York based business.

With such a large step in reporting requirements, it is crucial to make sure your compliance with SHIELD is up to par. If you are unsure, GoVanguard offers compliance assessment consultation and reporting as a first step to limiting your company’s exposure.

Safeguards

The SHIELD Act requires businesses to first be compliant with all other existing regulations like HIPAA… Businesses must also implement administrative, technical and physical safeguards to minimize risk.

This includes the following:

  • SHIELD requires staff to be trained to be in compliance with the new law.
  • Businesses must also have sufficient software and hardware controls, and they must maintain malware detection and protection tools. We recommend regular pentesting intervals to confirm the effectiveness of these systems.
  • The law may also mean records must be stored in a locked and monitored room and disposed of in accordance with very tight procedures.

While the law gives no leniency on penalties for small business, it does give some slack on standards that are “reasonable” and “appropriate” for the size of the business and the value of the data to comply with security standards.

Penalties

The SHIELD Act does not eliminate private rights to pursue restoration in court, but it does double the civil penalty from $10 to $20 per incident or $5,000, whichever is greater, for businesses who fail to sufficiently report a data breach. SHIELD also increases the statutory cap on the penalty from $150,000 to $250,000.

But even with the new and increased regulations and penalties, not everyone feels the Act goes far enough! Crain’s New York editorialist, Fouad Khalil, states:

“…the Shield Act, though a promising first step, is still very much a stopgap in the fight for complete consumer privacy. Organizations will still have more “control” over our private data because of a lack of enforcement.”

He goes on:

“At a time where consumer data protection is more important than ever, organizations trying to maintain sanity with all the laws and regulations must keep their privacy and security programs up to date. And government must be clear and forceful with the laws it is instituting. If both can play their part, this would be a victory for both consumers and businesses in New York.”

At GoVanguard, we recommend a systematic approach to information security. Carefully and simply implemented security protocols can minimize the risk of exposure to data breaches and the penalties that follow them. In order to comply with The Shield Act, compliance protocols must be in place. That is why we have a rigorous cybersecurity risk assessment and program implementation regimen in place!

Reach out to us today and see how easy it is to take control of your security and keep your brand’s reputation secure.

The Wawa credit card data breach is one of the worst retail failures of data security in recent history. 

Last week we reported on the consumer side of the Wawa credit card data breach that, as far as we can tell, affected every single swiped payment card between March and December 2019. In a nutshell, Wawa discovered a security breach back on December 10th, 2019 involving all of their POS systems. Fast-forward to January 28th, 2020, and Wawa released a statement acknowledging that the recently stolen card holder data was featured on “Joker’s Stash”, a sprawling virtual hub of stolen card data that has served as the distribution point for accounts compromised in many of the retail card breaches.

 This week, we will take a quick dive into some of the likely causes of the credit card data breach, baseline security controls that should have been in place, and some of the ways that GoVanguard recommends to help prevent security incidents like this from happening to your organization. 

Wawa Credit Card Data For Sale on “Joker's Stash”

 

So What Happened?

The root cause behind most data breaches perpetrated by external malicious actors (including this one) is typically poor implementation of administrative, technical and physical security controls. In the case of Wawa, malware was installed on multiple POS (point of sale) terminals – which is a common asset for malicious actors to target. 

The concerning part of the security incident, as told from Wawa’s own narrative, is that the malware was able to laterally move across multiple Wawa stores and all the way to central POS payment processing servers. This means that it is likely that Wawa had poor network segregation in place, or none at all, which violates a core requirement of PCI-DSS: the standards which apply to all organizations that process card holder data (credit card and debit card transactions). It seems that Wawa did not have basic security and network segregation mechanisms in place like robust access control lists (ACLs), because physical stores should not be able to directly communicate between one another. Basic security controls like ACLs help prevent the lateral movement of malicious actors between information systems and contain the malicious actor to a specific location or system domain.

Furthermore, the fact that the security breach went undetected for over nine months suggests that Wawa did not have any NIDS (network intrusion detection software) system in place or it was not being monitored by staff – another PCI-DSS requirement for an organization like Wawa.

Lastly, Wawa was unable to specify which stores were affected and which stores were not affected by the security breach. Wawa’s inconclusive response suggests that they had very few logs to analyze and pinpoint the exact lateral movement path of the malicious actor behind the security breach. This means there were probably no centralized logging facilities or SIEM (security information event management) in place – another PCI-DSS requirement for an organization like Wawa.
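What store-level segregation and centralized flow logs make possible can be shown with a small audit. The following is an added example, not Wawa's or GoVanguard's tooling: the address plan, the single allowed rule (store to payment core on TCP 443) and the flow records are all constructed assumptions.

```python
import ipaddress

# Constructed address plan (assumption): one /24 per store plus a central payment segment.
ZONES = {
    "store-001": ipaddress.ip_network("10.1.1.0/24"),
    "store-002": ipaddress.ip_network("10.1.2.0/24"),
    "store-003": ipaddress.ip_network("10.1.3.0/24"),
    "payment-core": ipaddress.ip_network("10.200.0.0/24"),
}
# Assumed ACL policy: a store may reach the payment core on TCP 443, nothing else crosses zones.
ALLOWED = {("store", "payment-core", 443)}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def _kind(zone):
    return "store" if zone.startswith("store-") else zone


def segmentation_violations(flows):
    """Return cross-zone flows the assumed ACL policy should have blocked."""
    bad = []
    for ts, src, dst, port in flows:
        s, d = zone_of(src), zone_of(dst)
        if s != d and (_kind(s), d, port) not in ALLOWED:
            bad.append((ts, s, d, port))
    return bad


def reachable_zones(flows, start_zone):
    """Walk violating flows in time order and return {zone: first time it was reached}.

    A flow only extends the path if its source zone was already reached earlier,
    so traffic that predates the start zone's involvement is not counted.
    """
    reached = {start_zone: None}
    for ts, s, d, _port in sorted(segmentation_violations(flows)):
        if s in reached and d not in reached:
            reached[d] = ts
    return reached


# Constructed flow records: (timestamp, source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("2024-01-02T10:00:00Z", "10.1.3.7", "10.1.1.5", 445),      # store-003 -> store-001
    ("2024-01-03T23:00:00Z", "10.1.3.7", "10.1.3.9", 445),      # inside one store
    ("2024-01-04T02:11:00Z", "10.1.1.23", "10.200.0.10", 443),  # permitted payment traffic
    ("2024-01-04T02:15:00Z", "10.1.1.23", "10.1.2.40", 445),    # store-001 -> store-002
    ("2024-01-05T01:02:00Z", "10.1.2.40", "10.200.0.10", 3389), # store-002 -> payment core
]

if __name__ == "__main__":
    for ts, s, d, port in segmentation_violations(SAMPLE_FLOWS):
        print(f"{ts} {s} -> {d} port {port} should have been denied")
    print(reachable_zones(SAMPLE_FLOWS, "store-001"))
```

With the flows retained centrally, the question of which locations were reachable from a known starting point becomes a query rather than a guess.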

Malicious Actor Attack Process

What Happens Next?  

The reputational and financial damage that this security breach will cause Wawa in the mid-long term is inestimable but Classaction.org says that the retailer is “swamped” with litigation; noting at least 11 major, federal lawsuits at this current moment.  

On January 29, 2019, Inspire Federal Credit Union added themselves to the list of plaintiffs. An unnamed, but official spokesman for Inspire Federal Credit Union stated:

“Furthermore, time will tell whether plaintiff is subject to an imminent threat of future harm because Wawa’s response to the data breach is so inadequate that it is doubtful that it has cured the deficiencies in its data security measures sufficiently to prevent a subsequent data breach.” 

Concisely put, it is apparent that Wawa had an immature information security program with deficiencies across many security controls including network segregation, malware detection, intrusion detection and centralized systems logging. All of these deficient security controls could have been enumerated and analyzed easily with a cybersecurity risk assessment, information security program gap assessment or network penetration test.

 

What Can My Company Do To Avoid a Similar Breach?

The Wawa security breach demonstrates a worst-case scenario for a retailer that depends on the trustworthiness of their brand, especially given the failure of so many basic security principles.

GoVanguard is a cybersecurity provider on the forefront of an ever-changing, complex security landscape. We provide both snapshot-based and continuous security testing services including risk assessments and web/network penetration tests. 

Reach out to us today and see how easy it is to take control of your security and keep your brand’s reputation secure.