Cyber Security Made Simple

This article covers cyber security, including common entry methods and prevention/recovery strategies.

Ransomware has been the most damaging cyberattack we’ve observed in recent years. It involves criminals illegally accessing your network, then using encryption to block your access to your own data. Often, your backups are also encrypted, leaving you no path to recovery. To coerce payment, attackers may threaten to leak your stolen data online, using the threat of reputational damage as leverage. While most attacks encrypt all data and backups, in rare instances only a single component is affected. This typically occurs because the breach of security or passwords was incomplete.

Understanding Ransomware 

How They Get In 

Attackers commonly gain entry through targeted (spear) phishing. Once inside, they exploit known vulnerabilities in tools like Veeam and SQL. Weaknesses will always exist, whether due to unapplied patches or newly discovered exploits without current fixes. 

We frequently encounter successfully phished accounts. Fortunately, most users have low IT privileges, which helps limit the potential damage. However, a clever hacker can sometimes leverage this low-level access to escalate their privileges within the network. 

User Education and Testing

One of the main ways to prevent access is via User Education and Testing. This is a critical component of Cyber Security. The National Cyber Security Centre provides useful training material here.

How to Protect Yourself 

Backup and Replication

1. Off-Site Immutable Backup and Replication: The most straightforward way to protect your data is to sync backups to a remote location with immutable storage. This means the data cannot be altered or deleted. Regularly testing these backups through restoration is crucial to ensure their integrity. This approach is often more effective than solely trying to prevent all intrusions, particularly since human behaviour is a variable we cannot fully control.

2. Protected On-Site Storage: Ideally, you should maintain immutable backup devices on-site with highly restricted access (e.g., on separate network segments/VLANs). These storage devices should offer ample capacity and numerous restore points. This is vital because if only a portion of your data is encrypted, it might take time to detect the breach. Once the network is segmented, you should then prevent normal user VPN access from seeing any more than the intended server or service. Thus, a compromised VPN would not have access to the backup network.

Permissions

3. Reduce IT Support Permissions: If an IT support staff member falls victim to spear phishing, and their standard login has extensive access to servers, networks, and cloud environments, the likelihood of a successful hacker exploiting this access significantly increases. Furthermore, “management” machines often store credentials for critical systems like storage devices, backups, and virtualisation platforms. Therefore, access to these should also be severely limited. 
 
4. Avoid Common Passwords: Don’t use the same passwords across all devices and infrastructure. A good option is Windows Local Administrator Password Solution (LAPS), which manages local admin passwords via Active Directory, preventing lateral attacks and allowing easy device recovery.

5. Regular Patching: It is strongly recommended to keep firewalls, backup software, servers and server-based services up to date. Compromises of VPNs, backup software and server services often provide credentials for further exploits. Consider update rings or 3rd party patch management software.

6. Effective Firewalls: If your firewall has the processing power for DPI SSL inspection, make sure it’s enabled. A firewall that doesn’t inspect SSL traffic isn’t very useful today. Also, avoid “allow all” for outbound traffic.

Essentials

7. Foundational: It’s crucial to start with the foundational security measures you should already have in place. We’re operating on the assumption that you’re using Multi-Factor Authentication (MFA/2FA) across all entry points, including VPNs. MFA is essential but may still be compromised with phishing and token theft from the browser.
 
We also expect that you’ve moved beyond basic anti-virus. You are likely utilising a more comprehensive solution, like Microsoft Defender for Business. 

Furthermore, we trust you’ve avoided poor security practices, such as forwarding PPTP or L2TP VPNs directly to any Windows servers.  
 
8. User and Device Passwords: Implement a robust password policy or consider modern authentication methods like passkeys where possible. Passkeys offer enhanced security by eliminating traditional passwords and relying on your phone’s biometrics and Bluetooth. 

Cyber Security Terms

Social Engineering 
Exploiting human nature, often by creating a sense of urgency, to get people to reveal information, make payments or perform other risky actions.

Data Entry Phishing 
Typically an email or SMS encourages clicking on a malicious URL designed to look like an official page and filling in a form with information. E.g. “Your password is about to expire, renew it now.”

QR Code compromise (Quishing) 
Similar to the above, but delivered as a QR code: for example, a code on a car parking machine, on a stand at a show, or on a restaurant menu, where the genuine code has been replaced with a fake. Typically, this will redirect to a malicious site that harvests credentials such as credit card details and a password.

Physical Security 
Typically, things like access control systems, biometrics, cages, walls and CCTV, together with policies that do not allow visitors to join the internal network or plug their laptops physically into any wall socket. Visitors should use a dedicated guest socket designated by IT.

Endpoints 
In cybersecurity, an endpoint refers to any physical device that connects to a computer network. It can be a point of entry or exit for data communication. Essentially, it’s the “end of the line” where users directly interact with data and applications.  This would typically be a desktop, laptop, phone, server. 

More cyber security terms

Malware 
Malware is short for malicious software: the code used to deliver ransomware, trojans, viruses, browser hijacks and the like.

Account Compromise 
This means someone other than the legitimate owner has obtained the login credentials or found another way to act on the account owner’s behalf. Essentially, it involves taking control of the account. 
Various methods are possible, such as phishing, social engineering, malicious links and keyloggers. Brute-force attacks and credential stuffing are also possible.
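The last two methods above leave a characteristic pattern in authentication logs: credential stuffing shows one source trying many different usernames, brute force shows many failures against one account, and the actual compromise is a success that follows a run of failures from the same source. The following detection logic, added here as an example and not taken from the original article, runs over a small constructed sample log (timestamp, source IP, username, result); the thresholds and the log format are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample authentication log: "<timestamp> <source IP> <username> <OK|FAIL>".
# 203.0.113.7 tries five different accounts, then succeeds on the sixth (stuffing pattern).
# 198.51.100.3 hammers a single account, then succeeds (brute-force pattern).
# 192.0.2.10 is a normal login with no prior failures.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 203.0.113.7 alice FAIL
2024-05-01T08:00:02Z 203.0.113.7 bob FAIL
2024-05-01T08:00:03Z 203.0.113.7 carol FAIL
2024-05-01T08:00:04Z 203.0.113.7 dave FAIL
2024-05-01T08:00:05Z 203.0.113.7 erin FAIL
2024-05-01T08:00:06Z 203.0.113.7 frank OK
2024-05-01T08:01:00Z 198.51.100.3 alice FAIL
2024-05-01T08:01:01Z 198.51.100.3 alice FAIL
2024-05-01T08:01:02Z 198.51.100.3 alice FAIL
2024-05-01T08:01:03Z 198.51.100.3 alice FAIL
2024-05-01T08:01:04Z 198.51.100.3 alice FAIL
2024-05-01T08:01:05Z 198.51.100.3 alice FAIL
2024-05-01T08:01:06Z 198.51.100.3 alice OK
2024-05-01T08:02:00Z 192.0.2.10 grace OK
"""


def parse_auth_log(text):
    """Split each log line into a (timestamp, ip, user, result) tuple."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result))
    return events


def detect_account_compromise(events, stuffing_threshold=5, bruteforce_threshold=5):
    """Return a list of (alert_type, subject, detail) tuples.

    credential_stuffing   : one source IP failed against >= threshold distinct users
    brute_force           : one user accumulated >= threshold failures (any source)
    success_after_failures: a source IP logged in OK after >= threshold failures,
                            which is the signal that an account has actually been taken over
    """
    users_per_ip = defaultdict(set)   # distinct usernames that failed from each IP
    fails_per_ip = defaultdict(int)   # running failure count per IP
    fails_per_user = defaultdict(int) # running failure count per account
    alerts = []

    for _ts, ip, user, result in events:
        if result == "FAIL":
            users_per_ip[ip].add(user)
            fails_per_ip[ip] += 1
            fails_per_user[user] += 1
        elif fails_per_ip[ip] >= stuffing_threshold:
            alerts.append(("success_after_failures", ip, user))

    for ip, users in users_per_ip.items():
        if len(users) >= stuffing_threshold:
            alerts.append(("credential_stuffing", ip, len(users)))
    for user, count in fails_per_user.items():
        if count >= bruteforce_threshold:
            alerts.append(("brute_force", user, count))
    return alerts


if __name__ == "__main__":
    for alert in detect_account_compromise(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

The success-after-failures alert is the one worth paging on: a stuffing run or brute-force attempt that never succeeds is noise to block at the firewall, while a success that follows one is the account compromise the paragraph describes and should trigger a password reset and session revocation for that account.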

Multi-factor Authentication 
Multi-Factor Authentication (MFA) is a security system that requires users to provide two or more verification factors to gain access to an account or system. Thus, it’s a method of authentication that goes beyond simply asking for a username and password. Moreover, it adds additional layers of security to verify a user’s identity. 
This would typically be via text, email, or an authenticator app.  It might involve a code entry or an acknowledgment via biometrics. 

Malicious URLs 
A malicious URL, also often called a “bad web link”, is a web address that, when clicked or accessed, leads to activities designed to compromise your device. It might steal your information or trick you into performing actions against your best interest. 
To protect yourself, hover over links before clicking and type URLs in manually. Use reputable, high-end anti-virus and anti-malware software; some products include sandbox facilities that check a link’s safety before it is opened and executed.
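“Hover before clicking” works because the text of a link and its real destination are separate things. The following helper, added here as an example rather than taken from the original article, applies the same checks a careful reader makes when hovering: is the destination HTTPS, is the host a raw IP address or a punycode lookalike, is there a username before the host that hides the real destination, does the host belong to a trusted domain, and does the link text show a different host from the one the link actually points to. The trusted-domain list is a constructed placeholder.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed placeholder: the organisation's own legitimate domains.
TRUSTED_DOMAINS = {"example.com"}


def _host_of(text: str) -> str:
    """Extract a lowercase hostname from a URL or a bare domain shown as link text."""
    candidate = text if "://" in text else "https://" + text
    return (urlparse(candidate).hostname or "").lower()


def _is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def url_warnings(display_text: str, href: str) -> list:
    """Return a list of human-readable reasons to distrust the link; empty means no findings."""
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        warnings.append(f"scheme is {parsed.scheme or 'missing'}, not https")

    try:
        ipaddress.ip_address(host)
        warnings.append("host is a raw IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case

    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host (possible lookalike domain)")

    if "@" in parsed.netloc:
        warnings.append("userinfo before host hides the real destination")

    if host and not _is_trusted(host):
        warnings.append(f"host {host} is not a trusted domain")

    shown_host = _host_of(display_text)
    if "." in shown_host and shown_host != host:
        warnings.append(f"link text shows {shown_host} but points to {host}")

    return warnings


if __name__ == "__main__":
    # Constructed sample: link text that looks legitimate, destination that is not.
    for reason in url_warnings("login.example.com", "http://192.0.2.10/login"):
        print("-", reason)
```

The same checks can be wired into a mail gateway or browser extension; the point of the example is that every warning here is visible to a human who hovers and reads the status bar, so the training under User Education and Testing is teaching exactly this logic.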

If you would like to discuss any of the above, please do contact us