In fairness, this article is just as applicable to basically anyone with a phone or Internet connection. We all can use a reminder on how to best deal with these threats. Enjoy the article and share it with your friends.
So I find myself writing my first blog post in a very long while sitting in a very strange location. It’s filled with nice office furniture, a comfortable chair, multiple monitors and computers, and a standing desk. I have a distant memory, even a vague notion I have been here before. And then it hits me – I remember! This is my office…at work…and not my basement.
Like so many Americans and so many people around the world, I went home last March amid the chaos that was the start of the COVID-19 pandemic. I am entirely grateful to work for an employer who saw the value of protecting and isolating its employees and to work in an industry that was already quite flexible and mobile. We never really lost a step in terms of customer support or project work, but as a team of engineers working together and supporting one another, everything changed.
Microsoft Teams and Cisco WebEx and webcams and headsets became our new best friends. Meetings became video calls. Basements became offices. Lunch table conversations became chat sessions fueled by home kitchen refrigerator raids. Breaks became... well, they kind of just faded away. Work and home sort of blended together, but we survived and we worked hard and customers kept running and projects got done.
In the middle of all that, my blog did not get pushed to the back burner. It got propped up on the back ledge of the stove and at some point fell off behind the appliance to become covered in dust and grease and largely forgotten – at least until now. I am back in the office. I am spring cleaning and prepping and getting back into the groove of things. I talk to humans in person again which is a little awkward when you have to fight the urge to press a mute button or turn off your camera only to discover you cannot control the realities of human interaction. And with this newly discovered energy and encouragement, I am going to rededicate myself to sharing my thoughts on security and security news.
It's great to be alive and healthy and able to work. Thank you for your patience! More to come soon!
This is yet another example of the cybercriminal bad guys taking advantage of a crisis situation and attempting to catch us with our collective guards down. I know many in the business world are now nearly completely reliant upon Skype, Teams, WebEx, and Zoom to function on a daily basis, but that need to stay connected cannot supersede the sound security practices that protect data and keep us safe.
Remember this simple truth – if you get an email message regarding an issue with an online service or tool, stop and don't click any email links. Go directly to the website you know and trust from a browser. Any messages or alerts sent via email will be there on the website waiting for you. President Reagan's mantra is applicable and not cliché: "Trust but verify."
This is the logical evolution of the ransomware threat in terms of data loss. No longer is the fear only the loss of access to data. Now we need to fear data being stolen and sold or leveraged in new and frightening ways. Please be aware!
We often want to approach IT security from a detached and somewhat clinical position, evaluating threats and vulnerabilities with an objective logic devoid of an understanding of the motivations employed by the cyber criminals involved. Now is not the time to take that approach to IT security.
Our nation faces a very real and immediate threat in the form of cyberattacks from foreign nations motivated by anger and revenge. As IT security professionals, we cannot prepare and defend our networks and computer resources in a vacuum. We must remain aware of the sociopolitical situation in order to understand the potential nature of the attacks to come and timing of those attacks relative to political decisions and military actions taking place around the world.
Financial institutions have begun to receive alerts from the Federal Reserve based on information provided by the Department of Homeland Security concerning potential threats from Iran and Iranian proxies motivated to disrupt networks, services and social feeds in the United States. Specific IP address information is being provided as a first step to content filtering and threat identification.
Please remain diligent in your defensive posture during this period of imminent threats. Educate your users as to the situation and the possibility of social engineering attacks associated with these threats. Stay abreast of the situation and monitor multiple news sources. Be cognizant of the fact that a week from now, Windows 7 and Windows Server 2008 will reach end of life and security patching for those products will cease. Devices running those operating systems will, for all practical purposes, have large targets painted on their chassis. If you find yourself with devices that you have not been able to update yet, take steps to properly isolate these devices and restrict their access to the Internet.
Now is not the time to assume that you or your organization will not be a target. Be prepared and aware.
Given the nature of these vulnerabilities, please review your environment and make sure your version of Chrome is up-to-date.
This post is intended to be a little more than simply a stroll down memory lane in the IT security world of 2019. Take a moment to consider each one of these incidents and how each could affect you and your organization. Have you executed on any lessons learned? Have you mitigated or remediated all associated vulnerabilities? Are you monitoring for future activity? We need to learn from these types of incidents and strive to continually get stronger. Enjoy the read.
This is not unexpected. Cybercriminals are fairly smart and they are motivated to target the resources with the greatest and/or most effective access. As more and more of the world moves their respective Exchange and Active Directory resources to the cloud, O365 and Azure administrators move up the valued target list.
This article simply points out something we have known for some time. We must take phishing threats and associated awareness training seriously. This must become a priority for every organization, large and small. This issue also places a brighter spotlight on the security associated with service providers and 3rd party administrators. Make sure your security controls take those resources into consideration as well.
The Dark Web is a scary place. Even the name sounds very ominous. Most people know that it is bad when business or personal information shows up on the Dark Web. But at the end of the day, those same people do not really know what the Dark Web is and what is going on in the shadowy recesses of the anonymous Internet. That is OK and to be expected. The Dark Web is shady and cryptic and difficult to understand by design.
But Burk IT understands the threats associated with the Dark Web and the potential sale and distribution of valuable personal and business-related information. Because the threat is real and awareness is key, Burk IT includes Dark Web monitoring in all of our core Managed Services agreements. As part of that monitoring service, our customers will from time to time receive emails alerting them to compromises of content associated with their business user accounts. This article will hopefully shed a little light on that process and how to react to and best leverage that information for the safety of the business and its individual computer users.
What is the Dark Web?
Before you can understand what is really taking place with Dark Web monitoring, you first need to know what the Dark Web is and is not. The best analogy I have seen to describe the Dark Web is to think about an iceberg*. The top part of the iceberg, the part that you see bobbing up and down above the water, is the public Internet or the World Wide Web. This is the open part of the Internet where you can search for cat videos or find great lasagna recipes or read the box scores for your favorite baseball team.
Just beneath the surface of the water and expanding downward and outward is where the true mass and size of the iceberg lives. This is the Deep Web. These web servers are where the work of the Internet gets done. This is where your online purchases get processed and your banking portal data gets generated. This is where your social media history lives, and your private chats get hosted. This is the home of the “cloud” and the backbone of e-commerce.
In an obscure, hard to find corner of the iceberg near the ocean floor lies the Dark Web. This part of the Internet is not advertised, and it cannot be reached by traditional web browsers like Microsoft Edge or Google Chrome. Access to the Dark Web requires the use of a Tor Browser which is designed to anonymize the PC and user exploring the far reaches of the Dark Web. Dark Web websites end in the extension “.onion”, referring to the many layers of obfuscation in place to provide safely anonymous browsing.
Despite its ominous name, not every user on the Dark Web is a cybercriminal peddling his or her wares on the virtual black market. Because of the anonymity it provides, the Dark Web is used by many legitimate groups including political dissidents, journalists, whistleblowers and even normal Internet consumers simply desiring to avoid the constant gathering of metadata traditional web browsing affords. Yet, the Dark Web also brings together evil doers trading in child pornography, illegal drugs, violence and identity theft information. Because of this illegal trafficking, Dark Web monitoring is an important component of any modern cybersecurity program.
What is Dark Web Monitoring?
Given the secretive and anonymous nature of the Dark Web, the logical question arises – what exactly is being monitored on the Dark Web? This is a very important question to pose because many of the TV, web and print ads touting Dark Web monitoring would lead you to believe that these companies can definitively protect your identity and purge every bit and byte of your personal information from all these criminal forums. That is not exactly the truth.
Dark Web monitoring was born from federal government contracts with private firms designed to understand what information was being posted and traded on the Dark Web for national security and law enforcement purposes. These private firms quickly realized the commercial value of the tools and techniques they had developed, so business and personal Dark Web monitoring offerings were quickly designed and marketed to the general public.
Dark Web monitoring services basically scour Dark Web news boards, commerce sites, and other forums looking for PII (personally identifiable information) that has been posted for sale or trade. This research is performed using custom bots, software artificial intelligence and human assets to ensure the information is as timely and actionable as possible. These services then correlate the PII detected with the corporate domains and user accounts being monitored and report on the findings that match.
The information reported by a Dark Web monitoring service varies from vendor to vendor but generally includes the following:
- Username / email address associated with the compromised account – This ID is typically associated with the domain name for the business or organization being monitored by the service.
- Date the compromise was found – This is the date the service's algorithms and human resources discovered the compromised information on the Dark Web.
- Date reported / posted / added – This is the date the discovered information is validated and provided to the monitoring customer, usually via a traditional web portal or secure email.
- Password / password hint / password hash – This is typically the entire cleartext password of the account in question, or a portion of that password as a verification tool for the end user. A password hash is a one-way masked version of a user password, usually stolen from a website or its backend database. These hashes are often easily cracked by cybercriminals and are, therefore, very damaging when discovered in the wild of the Dark Web.
- PII information – Many monitoring services will also report whether additional personal information was present alongside the compromised credentials, including full name, address, phone number, and social security number.
- Source or origin of the compromise – This information is often speculative, but most Dark Web monitoring services will provide insight into the source or nature of the breach that led to the presence of these credentials and other PII on the Dark Web.
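As an added example (not Burk IT's or any vendor's code), the following Python sketch shows the correlation step described above: constructed scraped records are matched against a monitored domain, and each match becomes an alert carrying the fields listed. All domains, accounts, passwords, sources and dates are invented for the example.

```python
import hashlib
from datetime import date

# Constructed sample records, as a monitoring service's collectors might
# return them after scraping a credential dump. Every value is invented.
SCRAPED_RECORDS = [
    {"email": "JDoe@Example-Corp.com", "password": "Summer2019!", "hash": None,
     "pii": ["full name", "phone number"],
     "source": "retail site breach (unconfirmed)", "found": date(2019, 11, 3)},
    {"email": "asmith@example-corp.com", "password": None,
     "hash": hashlib.md5(b"letmein").hexdigest(), "pii": [],
     "source": "forum paste", "found": date(2019, 11, 5)},
    {"email": "someone@other-domain.net", "password": "hunter2", "hash": None,
     "pii": ["address"], "source": "unknown", "found": date(2019, 11, 5)},
]

# Domains covered by the (hypothetical) monitoring agreement.
MONITORED_DOMAINS = {"example-corp.com"}


def mask_password(password):
    """Keep just enough of the cleartext for the user to recognise it."""
    if len(password) < 5:
        return "*" * len(password)
    return password[:2] + "*" * (len(password) - 3) + password[-1]


def correlate(records, domains, reported_on):
    """Return one alert per record whose account belongs to a monitored domain."""
    alerts = []
    for rec in records:
        account = rec["email"].lower()
        domain = account.rsplit("@", 1)[-1]
        if domain not in domains:
            continue  # not a monitored customer account, so no alert
        if rec["password"] is not None:
            credential, cred_type = mask_password(rec["password"]), "cleartext password"
        else:
            # Hashes are reported as crackable; show only a prefix for reference.
            credential, cred_type = rec["hash"][:8] + "...", "password hash (treat as crackable)"
        alerts.append({
            "account": account,
            "date_found": rec["found"].isoformat(),
            "date_reported": reported_on.isoformat(),
            "credential": credential,
            "credential_type": cred_type,
            "pii_exposed": list(rec["pii"]),
            "source": rec["source"],
            "urgency": "high" if rec["pii"] or rec["password"] else "medium",
        })
    return alerts


def sample_alerts():
    """Run the correlation over the constructed data with a fixed report date."""
    return correlate(SCRAPED_RECORDS, MONITORED_DOMAINS, date(2019, 11, 6))


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

The record for the unmonitored domain produces no alert, while the cleartext-plus-PII record is flagged as higher urgency than the hash-only one.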
All of this information is valuable and warrants a response, but it is also very important to consider the information that the Dark Web monitoring service CANNOT provide and the actions the service CANNOT take on behalf of the compromised entity:
- Date / time of the original compromise – Monitoring services most often cannot pinpoint the exact date or time of a data compromise. Even if the compromise is attributed to a known breach of a business, service, or website, specifics about the timing surrounding those breaches are not typically public knowledge. If the compromise was the result of an attack against an end user, such as phishing or a malware attack, determining the timing of those types of attacks is nearly impossible. It is also important to note that most of the information posted on the Dark Web was stolen weeks if not months earlier.
- Date the compromised information was first posted to the Dark Web – Monitoring services have become extremely efficient at finding and correlating data from the Dark Web, but they are still far from being able to monitor the whole of the Dark Web in real time. There can be a significant delay of days or weeks between the time information is posted to a site or forum on the Dark Web and its discovery by a monitoring service.
- Removal of compromised information from the Dark Web – It is one thing to discover information associated with an individual on the Dark Web. It is a wholly different problem to try to purge information from these forums and sites. Generally speaking, once this proverbial genie is out of the bottle, there is no putting it back. Remember, these are Dark Web MONITORING services. They can let you know something bad has happened, but they cannot necessarily reverse the damage already done.
What should you do when you receive a Dark Web alert?
Many people will read the previous paragraph and decide that there is no real value in Dark Web monitoring if you cannot remove personal information once it is posted. I would disagree on the following grounds – 1) It is better to know than to not know what personal information is in the wild, and 2) With knowledge comes power and the ability to better mitigate the situation quickly. So, what should you do if you or your organization receives an alert that PII is on the Dark Web?
- Rotate the passwords associated with the affected user account – The biggest fear for most business IT administrators is that when a website is compromised, the user’s password associated with that website may be the same password that person uses on the business network. Internet users have become creatures of habit when it comes to passwords and tend to reuse passwords across multiple sites and systems. This behavior makes the job of the cybercriminal that much easier when he or she decides to see what all can be stolen using those compromised credentials. Also, consider three other options when you are changing those passwords:
  - Switch from short, complex passwords to longer, easier-to-remember passphrases consisting of several words or a memorable sentence. Passphrases are significantly harder for cybercriminals to crack and need to be changed less often.
  - Consider using a good password manager (1Password / KeePass / LastPass). It is a good practice to use unique passwords or passphrases for every website and system you access. A password manager is a safe way to keep up with all those different credentials.
  - Implement multi-factor authentication for websites and systems whenever possible. Multi-factor authentication in the form of authenticator apps or SMS texts adds a strong barrier against identity compromise. Even if a cybercriminal gets his or her hands on your username and password, that person still cannot authenticate as you without your phone or token. Most major websites and services now support multi-factor authentication, including Facebook, Twitter, Amazon and Google.
- Request new credit cards and other account numbers when necessary – In some situations, Dark Web monitoring services can alert you to card or account fraud before the affected bank or store knows something has gone wrong. React quickly by alerting the bank or store and requesting new account info.
- Consider freezing your credit – The best way to prevent identity theft and stop the bad guys from opening lines of credit in your name is to take away that option. Freezing your credit by contacting each credit bureau (Equifax, Experian, and TransUnion) is an easy, low-cost process that can provide peace of mind despite the scary nature of the Dark Web.
- Educate! Educate! Educate! – The best thing anyone can do to fight cybercrime is to learn about the enemies at the gate, learn how to keep out and fight back against those enemies, and then share that information with others. Train yourself. Get training for those around you. Share what you have learned.
Hopefully this article has helped to demystify the Dark Web and add some clarity to the process surrounding Dark Web monitoring. The tools that protect us from cybercrime keep getting stronger and more effective. We too need to continue to get stronger in our knowledge of the threats we face and the actions we need to take to protect ourselves. Keep fighting!
* Susan Grant of the Consumer Federation of America