At Infonaligy, we deal with many companies who approach us for assistance with improving their organizational cybersecurity.
Cybersecurity is a complex topic with lots of moving parts. Very few organizations have an IT environment that could be classified as ‘simple’, and what works in one environment may not work in another. Starting with a solid understanding of the business, process flows, and critical tools is generally the only way to provide a solution that works for your business. This understanding is normally achieved with some level of IT audit that allows us to identify gaps and prioritize those gaps for resolution based on resource constraints.
For the rest of this article, I will completely ignore the advice provided in the previous paragraph…
While it may be impossible to create a one-page slide that covers every cybersecurity risk to your organization, it is certainly possible to identify the issues that we see repeated again and again. An unfortunate truth is that I often tell our Incident Response clients, “I wish we had met a month ago,” because they have been breached in one of the two methods addressed below.
First, some context about the two largest cybersecurity risks that your organization is facing today: Business Email Compromise and public-facing RDP servers. It is important to know that neither of these risks indicates that you are being specifically targeted. Malicious actors use automated tools to send out billions of malicious messages and connection attempts per day and play a numbers game. Up to this point, this low-effort, high-reward tactic has been incredibly successful, especially given how difficult it is to find and prosecute the bad guys.
Business Email Compromise (BEC):
- In 2019, total BEC losses reported to the FBI were nearly $1.8 billion. So far in 2020, the FBI has reported a 4x increase in the number of cases. The bad guys know this makes money, and they are pouring more and more resources into it.
- This issue impacts all companies. There is a constant flood of phishing emails, and it only takes one careless or distracted person to give the bad guys a foothold into your network. Whether they use that foothold to make fraudulent financial transactions or infect your company with ransomware, getting your money is their ultimate goal.
- Steps to take:
- Multi-Factor Authentication (MFA) – this is widely recognized as a best business practice, and it defeats the password-only account takeovers behind most email compromises (greatly reducing your risk of fraudulent financial transactions). Push-notification and one-time-code methods can still be tricked by a convincing phishing page, so prefer phishing-resistant methods such as security keys where you can. I'll be honest, getting buy-in to change how people log in to their email can be difficult, especially since it is an extra step. But 100% of our Incident Response clients wish they had done this prior to their hacks.
- End user training – Services like Mimecast, KnowBe4 and others not only provide employee training (that is auditable), but also send simulated phishing messages so employees are aware of the ever-changing techniques being used by malicious actors.
- Endpoint protection – In the event that an email delivers a link or an infected document that results in a ransomware event, a tool like SentinelOne can automatically stop the malicious process and roll back the changes it made to the protected system.
- Implement a backup solution for servers that automatically copies data to another site and keeps versioned or immutable copies. A plain synchronization is not enough on its own: once ransomware encrypts the files on the server, the next sync run replicates the encrypted copies over the only good ones.
- An email filtering service that works with Microsoft 365 (O365) to stop malicious emails before they reach your employees' mailboxes. A service like this has the added benefit of increasing productivity by reducing spam as well.
- Regular Dark Web reporting. A Dark Web report is a great tool to quickly identify any users whose information has been found for sale on the Dark Web. This allows you to contact them quickly and have them change passwords before their accounts are breached.
Public-Facing Remote Desktop (RDP) Servers:
- These servers are a favorite target of malicious actors who constantly scan the internet for IP addresses with RDP (TCP port 3389) open. Once a server is identified, it is bombarded thousands of times a day with username/password combinations in an attempt to brute-force the password. It is trivial to find leaked credential lists that contain billions of passwords, and since the process is automated, all the attacker needs to do is start a script and let it run until it successfully logs in. Each of those attempts appears on the server as a failed logon (Windows Security event 4625), so a burst of failures from one source address is a reliable sign that this is happening to you.
- No server should expose Remote Desktop on a public IP address. Remote Desktop should be reachable only from the internal network, either by users physically on site or by users connected through a VPN, and the host firewall should allow TCP/3389 only from those internal address ranges.
- My strongest professional recommendation is to have a plan to remove any RDP servers that currently use a public IP address. Once a malicious actor is able to get into your network, they can steal your data, infect you with ransomware, and leave you without the ability to operate.
- Steps to take:
- Plan a transition away from public-facing RDP servers: move Remote Desktop behind a VPN and, until that is done, restrict inbound TCP/3389 to known address ranges and review failed-logon events for the brute-force pattern described above.
- To echo the advice in the BEC section above, implement a backup solution that allows you to recover a server that has been encrypted with ransomware.
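As an added example (this is not code from the article or from Infonaligy), here is a small Python check of the kind a practitioner would run over Windows Security event 4625 (failed logon) records to spot the RDP password-guessing described above. The records, source addresses, usernames and the threshold/window values are constructed assumptions for illustration; on a real server you would feed it the exported 4625 events instead.

```python
"""Flag RDP password-guessing from Windows Security event 4625 records.

Added example for illustration: the records built by constructed_events()
are made up, and the threshold/window defaults are assumed starting points.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types an RDP authentication failure is logged under.
# With Network Level Authentication (NLA) the CredSSP failure is recorded as
# type 3 (Network); without NLA it is type 10 (RemoteInteractive).
RDP_LOGON_TYPES = {3, 10}


def constructed_events():
    """Build a small, constructed sample of 4625-style records (not real data)."""
    base = datetime(2020, 6, 1, 2, 14, 0)
    events = []
    # One source working a password list against several accounts:
    # 30 failures in about three minutes.
    users = ["administrator", "admin", "backup", "scan", "sql"]
    for i in range(30):
        events.append({"time": base + timedelta(seconds=6 * i),
                       "user": users[i % len(users)],
                       "logon_type": 3,
                       "src_ip": "203.0.113.45"})
    # A legitimate user mistyping a password three times over an hour.
    for i in range(3):
        events.append({"time": base + timedelta(minutes=20 * i),
                       "user": "jsmith", "logon_type": 10,
                       "src_ip": "198.51.100.7"})
    # A local console failure (type 2) that is not RDP and must be ignored.
    events.append({"time": base, "user": "jsmith", "logon_type": 2,
                   "src_ip": "127.0.0.1"})
    return events


def find_rdp_brute_force(events, threshold=20, window=timedelta(minutes=5)):
    """Return {src_ip: summary} for every source that produced at least
    `threshold` RDP logon failures inside any sliding window of `window`.

    The summary records the peak failure count seen in one window and the
    distinct usernames tried, which separates a brute force against one
    account (few users) from a password spray (many users).
    """
    recent = defaultdict(deque)    # src_ip -> failure timestamps in the window
    users_seen = defaultdict(set)  # src_ip -> distinct usernames attempted
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["src_ip"]
        q = recent[ip]
        q.append(ev["time"])
        users_seen[ip].add(ev["user"])
        # Drop failures that have aged out of the sliding window.
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            summary = flagged.setdefault(
                ip, {"peak_failures": 0, "last_seen": ev["time"], "users": set()})
            summary["peak_failures"] = max(summary["peak_failures"], len(q))
            summary["last_seen"] = ev["time"]
            summary["users"] = set(users_seen[ip])
    return flagged


if __name__ == "__main__":
    for ip, s in find_rdp_brute_force(constructed_events()).items():
        print(f"{ip}: {s['peak_failures']} failures in one window, "
              f"{len(s['users'])} usernames tried, last at {s['last_seen']}")
```

With the defaults, only 203.0.113.45 is reported; the three mistakes from 198.51.100.7 are spread too thinly to cross the threshold. Lower the threshold or widen the window to make the check more sensitive, and block or alert on any address it flags rather than waiting for the attacker to succeed.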
Once those issues are addressed, I recommend that you scope out an IT assessment that will provide a deeper dive into how you can add additional cybersecurity protections.
My goal for you is not to try to fix everything at once, but to help build walls high enough to protect you from as much malicious traffic as possible. These recommendations are the low hanging fruit with high impact that will benefit any organization and keep the money out of the pockets of criminals.
If you need assistance implementing these steps or if you would like to discuss further steps, please reach out to us – we are here to help, and are committed to making the internet a safer place.