Is the Cloud really risk-free?

Is the Cloud really risk-free?

The Cloud presents plenty of benefits that make it a very attractive choice, especially for SMBs who don’t want to be burdened with higher in-house IT costs, putting your data in the Cloud is not risk-free. Just as storing data on physical servers has its security threats, the Cloud presents certain security concerns as well. These include

  • Data breach: A data breach is when your data is accessed by someone who is not authorized to do so.
  • Data loss: A data loss is a situation where your data in the Cloud is destroyed due to certain circumstances such as technological failure or neglect during any stage of data processing or storage.
  • Account hijacking: Like traditional servers, data in the Cloud could be stolen through account hijacking as well. In fact, Cloud account hijacking is predominantly deployed in cybercrimes that require entail identity thefts and wrongful impersonation
  • Service traffic hijacking: In a service traffic hijacking, your attacker first gains access to your credentials, uses it to understand the online activities that happen in your domain and then uses the information to mislead your users or domain visitors to malicious sites.
  • Insecure application program interfaces (APIs): Sometimes, Cloud APIs, when opened up to third parties, can be a huge security threat. If the API keys are not properly secured, it can serve as an entry point for cybercriminals and malicious elements.
  • Poor choice of Cloud storage providers: A security lapse from the Cloud storage provider’s end is a huge security concern for businesses. It is very important to choose a trusted and experienced Cloud service provider who knows what they are doing.

Apart from the above, there are some common threats that apply to both the Cloud and traditional data storage environments such as a DDoS attack, or a malware attack where your data in the Cloud becomes susceptible because it is being shared with others and at other places.

Some Cloud security mechanisms that SMBs can invest in to keep their data safe

Cloud firewalls: Much like the firewalls you deploy for your local IT network, Cloud firewalls work to prevent unauthorized Cloud network access.

Penetration testing: Penetration testing is a sort of a Cloud security check where IT experts try hacking into the Cloud network to figure out if there are any security lapses or vulnerabilities that could serve cybercriminals.

Obfuscation: In obfuscation, the data or program code is obscured on purpose such that the system delivers unclear code to anyone other than the original programmer, thus mitigating any malicious activity.

Tokenization: Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security.1

Virtual Private Networks (VPN): Another, more commonly used mechanism is the VPN. VPN creates a safe passage for data over the Cloud through end-to-end encryption methodology.

Investing in a good Cloud security system is a must, but, in the end, you also need to remember that Cloud security is not only about antivirus software, firewalls, and other anti-malware tools. You need to pick the right MSP and work closely with them to implement a Cloud security solution that works for you.

1https://searchsecurity.techtarget.com/definition/tokenization

Things to consider before switching to the Cloud

Things to consider before switching to the Cloud

More and more businesses are switching to the Cloud to store their data and rightly so. The Cloud offers numerous benefits over the traditional, physical on site server. For example,

  • Anytime, anywhere access to your data: Information in the Cloud can be accessed from anywhere using an internet connection, unlike in the case of traditional servers, where you need a physical connection to the servers
  • Significant cost savings: You cut hardware costs, because the Cloud follows a ‘pay-as-you-use’ approach to data storage
  • SaaS compatibility and support: The Cloud allows the use of Software-as-a-Service since the software can be hosted in the Cloud
  • Scalability: The Cloud lets you scale up and down as your business needs change
  • 24/7 monitoring, support, and greater access reliability: When your data is in the Cloud, the Cloud service provider is responsible for keeping it safe and ensuring it is securely accessible at all times. They monitor the Cloud’s performance and in the event of any performance issues, they provide immediate tech support to resolve the problem

Your big Cloud move: What to consider

If you are considering moving to the Cloud, you will find it helpful to sign-up with an MSP who is well-versed with the Cloud. They can advise you on the benefits and risks of the Cloud and also offer the Cloud solution that’s right for you. In any case, before you migrate to the Cloud, make sure you are dealing with a reputed Cloud service provider who has strong data security measures in place. You can even explicitly ask them what security mechanisms they have invested in to manage data access and security.

Yes, moving to the Cloud has it benefits, but it also has its challenges including security risks. Learn more in our next blog, “Is the Cloud really risk-free?”

Shipping Crates with cranes on a wharf

Gaining access to a company that provides products or services for other organizations is an effective way for hackers to attack many targets at once. As a result, businesses that are part of a supply chain are becoming an increasingly attractive target for cyber attackers, especially those acting under the direction of foreign governments.

Large-scale Attacks

Several major cyber security incidents during the past year demonstrate the large-scale effect of an attack on an entire supply chain. The attack against IT services provider SolarWinds was one of the largest and most effective, as it was conducted by hackers working for the Russian intelligence service. This attack compromised Solar Winds’ updates, which 18,000 customers subsequently downloaded. The attackers then targeted about 100 of those customers, some of which were US government agencies.

Another recent major attack against US supply chains exploited a vulnerability in Kaseya’s software, which attackers used to conduct a ransomware attack affecting thousands of this company’s customers throughout the world. This attack included threats of future attacks if the victims disclosed the attack to law enforcement agencies or other third parties. These threats are a recent development in ransomware that demonstrate the attackers’ strong desire for secrecy.

Small-scale Attacks

Other attacks against supply chains are much less likely to draw attention than these major incidents, but they can still be very effective. Furthermore, an attack that’s tightly focused on a limited number of targets can also be harder to detect. These factors create a trade-off between casting a wider net to compromise more systems and minimizing the risk of detection. As a result, malicious actors are using more care in designing their campaigns, often choosing a more targeted strategy.

Bigger attacks certainly get more attention, but some supply chain compromises warrant closer examination due to their potential impact on the supply chain. These small-scale attacks can be just as effective in creating discrete pathways into a network, especially through developer and mobile environments. Many supply chain compromises are currently focusing on developer environments due to the high privileges these users often have. Mobile environments also provide attractive attack vectors due to the difficulty in tracing the source of these attacks. The high probability of success for these attacks make it likely that they’ll remain a threat to supply chains for the foreseeable future.

Prevention

The expected growth in the frequency and sophistication of supply chain attacks increases the need to detect these attractive vectors. Rapid advances in the technology that supply chains use will increase their complexity, thus making it more difficult to defeat these attacks. Organizations should therefore examine strategies from protecting themselves from the likelihood that one of their suppliers will eventually fall victim to a cyber attack.

The first step in this process is to establish a clear security pathway between an organization and its suppliers, ensuring strong defenses at all links in the supply chain. These defenses largely consist of managing access control, which is relatively straightforward in modern security systems. The next step is use a design that offers resiliency in the event a supplier is compromised, meaning that the effects of an attack tend to be limited to the initial target.

Information security teams can also increase their network protection by understanding what’s on their networks and how they connect to the internet. For example, the SolarWinds attacks succeeded only because those installations had direct access to the internet. Ensuring that supply chain systems don’t have direct internet access creates a major barrier to ransomware and similar attacks.

Horizon flickr photo by Tristan Taussac shared under a Creative Commons (BY-ND) license

Secure Sockets Layer, Protocol, and Database Security related words wordmap

Hypertext Transfer Protocol Secure (HTTPS) is quickly becoming a more popular internet protocol than HTTP for website and application connections. While HTTPS is fast and secure, it must execute code in a trusted execution environment (TEE).

Intel staffers Gordon King and Hans Wang have proposed a new protocol called HTTPS-Attestable (HTTPA) that will improve on HTTPS by eliminating the requirement for a TEE on the client side. King and Wang describe HTTPA in a paper distributed through ArXiv in October 2021.

HTTPS

HTTPS is an extension of HTTP that’s widely used for secure communication over a network, especially the internet. It originally used Secure Sockets Layer (SSL) to encrypt data, although it now uses Transport Layer Security (TLS). HTTPS is therefore also known as HTTP over TLS or HTTP over SSL. The general purposes of HTTPS are to authenticate websites that the user accesses and protect the privacy of the exchanged data while it’s in transit between client and server. Specifically, HTTPS uses bidirectional encryption to protect communications from eavesdropping and tampering, including man-in-the-middle attacks.

HTTPS requires a trusted third party to sign digital certificates on the server side, which has historically been an expensive operation. As a result, HTTPS has been used mostly on secured corporate information systems like payment transaction services. However, a partnership between the Electronic Frontier Foundation and web browser developers successfully campaigned to increase HTTPS’s prevalence in 2016. Within five years, websites were using HTTPS more often than HTTP, especially for protecting page authenticity.

HTTPA

HTTPA uses remote attestation to improve on the security of HTTPS. This technique provides applications with assurance that trusted software in a server-side TEE is handling the data through the use of certificates or cryptographic methods. HTTPA ensures that the expected code is running and that it hasn’t been modified by an administrator, process or tool, all of which are possible sources of malicious actions.

A TEE is an area of memory that allows an application to perform computations on sensitive data. ARM and Intel both offer hardware-based TEEs, TrustZone and Software Guard Extension (SGX) respectively. King and Wang note in their paper that SGX provides in-memory encryption, which helps protect runtime computations by reducing the risk of modifications and leaking of sensitive data. HTTPA also uses remote attestation to protect vendor identity, verification identity and trusted computing base (TCB) identity.

Benefits

The primary benefit of HTTPA is that performing computations on server-side TEEs and providing web clients with verification that this was done increases the security of web services. Clients currently have no way of verifying that a server hasn’t been hijacked, leaving open the possibility that its data has been maliciously modified.

HTTPA also allows web services to confirm that the client’s workload is running inside a TEE with protected code. However, HTTPA only protects the application, not the server itself. In addition, it involves extending the HTTPS handshake to include the attestation, consisting of the HTTP request and response for the preflight, attest and trusted sessions.

HTTPA is a general solution for standardizing attestation over HTTPS. It also protects and manages requested data for HTTP domains by establishing multiple trusted connections. In addition, HTTPA leverages HTTPS, making it less complex than other approaches to improving the security of HTTPS.

SSL flickr photo by EpicTop10.com shared under a Creative Commons (BY) license

Neon Green closeup of QR code

Businesses use Quick Response (QR) codes to provide a variety of services for their customers, such as locating apps for ordering a product and tracking shipments. They aren’t human readable, which allows scammers to easily embed malicious links in QR codes. This type of scam is becoming more common as the use of QR codes increases, according to the Better Business Bureau (BBB).

A QR code is a two-dimensional barcode that the Japanese automotive manufacturer Denso Wave invented in 1994. It’s a machine-readable label that contains information about a specific product such as identification, location and a pointer to an application or website. A QR code can use any of four encoding modes, including alphanumeric, binary, numeric and kanji. They may also use extensions for these modes.

Scam Examples

QR scams differ greatly in their execution, but they generally rely on the victim scanning the code without thinking about what they’re doing. In particular, scammers hope that the victim won’t consider the QR’s source before scanning it.

The most common QR scam of this type involves distributing content that contains a QR code, which could be a piece of mail, flyer, text message or social media post. The code typically opens a web page when victims scan the QR code with their camera. This website is usually a phishing website controlled by the scammer that resembles a legitimate website. In this case, the website prompts the victim for personal information, especially login credentials.

For example, a victim may receive a letter claiming to offer a consolidation for student loans. The letter also contains a QR code that appears to link to an official government website that deals with student loans. This scam can be highly effective when it’s sent to someone who is currently paying off a student loan. Another approach is to use QR codes to launch a payment app or follow a social media account that the scammer controls.

Scammers can also embed a Bitcoin address in QR codes, which is a common form of cryptocurrency scam. In this scam, consumers may receive a message on a social media platform purporting to be from a forex trader offering an investment opportunity. The victim is expected to pay a withdrawal fee through a Bitcoin machine and send it to the provided QR code. Next, the victim receives an email requesting a transfer fee, which should tell the victim that the message is a scam.

Prevention

The most effective method of avoiding scams involving QR codes is to confirm that the code came from the party you think it did. Contact that party directly and ask if they sent the QR code before scanning it. You can also make QR scanning more secure by adding an app. Antivirus (AV) companies frequently offer apps that check a QR code before opening it, allowing it to detect links that perform malicious actions such as forced downloads and phishing scams.

Look for signs of tampering in advertising materials. Scammers may alter legitimate business ads by placing a sticker with their QR code over the ad’s original QR code. Use extreme caution when a QR code uses a TinyURL, which is an abbreviation of the complete URL. In this case, you don’t know where the URL will direct you, so it could be a scam.

Call us at DirectOne for complete computer and network protection. Over 20 years in business with only you in mind.

QR code flickr photo by Christiaan Colen shared under a Creative Commons (BY-SA) license

Keyboard with new red button for Phishing

Classic phishing is the most common type of phishing. Discover what it is and how to protect your company from this type of attack.

Phishing’s origins have been traced back to 1995. That’s when a group of hackers devised several schemes to steal money and sensitive information from America Online (AOL) users. Many of the tactics used back then are still in use today. As a result, this type of phishing is referred to as classic phishing.

In classic phishing, cybercriminals send a massive number of cookie-cutter emails to people all over the world. In these emails, hackers masquerade as a reputable person or a legitimate organization. Using a convincing pretense, they try to trick the email recipients into performing an action. Typically, they want the recipients to click a malicious link or open a weaponized email attachment.

What happens next varies widely. The malicious link might lead to a spoofed (i.e., fake) website designed to capture victims’ credentials or it might lead to a site that installs malware on their devices. Opening the weaponized attachment might also lead to victims’ devices being infected with malware. The malware might be a web trojan that collects credentials from victims’ devices or a keylogger that captures input from their keyboards.

The credentials, account information, and other sensitive data gathered from a classic phishing attack is often used to steal the victims’ money or data. Sometimes, though, it is sold to other cybercriminals on the dark web.

10 Signs an Email Might Be a Classic Phishing Scam

Out of the three types of phishing, classic phishing scams are the easiest to spot. For more than 25 years, hackers have been sending out massive mailings of them, giving security researchers plenty of specimens to dissect and analyze. Researchers have found that classic phishing emails often include one or more red flags. An email might be a classic phishing scam if it includes:

  1. A request to verify or update information. In the first known phishing campaign in 1995, hackers posed as AOL employees and asked people to either verify their account details or confirm their billing information. More than a quarter century later, hackers are still posing as employees of legitimate organizations and asking people to verify sensitive information.
  2. A confirmation for an order you did not place. When you order products and services from large e-retailers such as Amazon and Walmart, they send you an email that confirms the order and gives details about it (e.g., what was ordered, expected delivery date). Some hackers create fake order confirmations and use them as phishing fodder. Besides listing bogus details about the order, the confirmation includes a link that can be used to supposedly dispute the purchase. The hackers hope that you will click this link, thinking that someone used your store account to make an unauthorized purchase.
  3. A request for a donation. Preying on people’s compassion, cybercriminals like to send out phishing emails that pretend to be collecting donations for the less fortunate (e.g., victims of natural disasters, cancer victims). People who fall for the scam are sent to spoofed donation websites designed to steal their money as well as their financial account information (e.g., credit card numbers, PayPal passwords, bank account numbers).
  4. A notification that someone is sharing a file with you. Cybercriminals often take advantage of the popularity of file-sharing services such as Dropbox and iCloud. They create phishing emails that look like official notifications and include a generic message such as “I just shared a video clip with you that was too large to email” or “Your manager has just shared a new document with you”. If you click the provided link, you will likely be downloading malware on your device.
  5. A notification about winning a prize. Although prize notifications are not as common as they used to be, you might still encounter phishing emails that inform you about a lottery or contest you supposedly won. To claim your prize, all you need to do is pay a “processing fee” and provide some sensitive information.
  6. A deceptive sender email address. Classic phishing emails often include a deceptive email address in the “From” field. The hackers use an email address that is very similar to that of the legitimate organization they are pretending to be from. For example, the address in the “From” field might be “promotions@amazan.com” in hope that people will misread it as an “@amazon.com” address.
  7. A generic greeting. Classic phishing emails are sent to the masses, so they typically include a generic greeting (e.g., “Hello”, “Dear PayPal customer”) or no greeting at all. In some cases, the recipient’s email address is used in the greeting (“Dear JaneDoe@ABCServices.com”).
  8. An urgent tone. Classic phishing emails often try to create a sense of urgency so that you act immediately. The hackers first let you know about a problem that requires your attention. Then, they tell you that there will be unfortunate consequences if you do not take action quickly. For example, an email supposedly from Netflix might state that your payment card has expired and you need to update it in the next 48 hours to avoid a service disruption.
  9. Misleading links. A misleading link is one in which the actual URL does not match the displayed URL or linked text. For example, the linked text might specify a legitimate company’s name or web address, but the actual URL leads to a spoofed website designed to steal sensitive information or install malware.
  10. An email attachment. Hackers sometimes attach weaponized files to their emails. Legitimate businesses typically do not email files without advanced notice. So, unless you specifically requested a document from a company, be wary of any attachments supposedly emailed by one. Also be wary of attachments emailed by individuals if you did not request the file.

How to Defend Your Business Against Classic Phishing Attacks

To protect your business from classic phishing attacks, you can use the stop, educate, and mitigate strategy:

Stop as many classic phishing emails as you can from reaching employees’ inboxes. To do so, you need to keep your company’s email filtering and security solutions up-to-date. You might also want to explore getting an email security solution that uses advanced technologies to catch malicious emails.

Educate employees about classic phishing emails so they can spot any that reach their inboxes. It is important to educate employees about classic phishing scams and how to spot them (e.g., generic greeting, misleading links). As part of this training, be sure to inform them about the risks associated with clicking an email link or opening an email attachment, especially if the email is from an unknown sender. Also show them how to check for misleading links in emails by hovering the mouse cursor over them (but not clicking them).

Mitigate the effects of a successful classic phishing attack. Hackers are continually coming up with new classic phishing schemes, so your company might fall victim to an attack despite everyone’s best efforts to prevent it. Taking a few preemptive measures might help mitigate the effects of a successful classic phishing attack. For example, since obtaining login credentials is the goal of many classic phishing scams, you should make sure each business account has a unique, strong password. That way, if a phishing scam provides hackers with the password for one account, they won’t be able to access any other accounts with it. Equally important, you need to perform backups regularly and make sure they can be restored. This will enable you to get your data back if an employee inadvertently initiates a ransomware attack by clicking a link or opening an attachment in a classic phishing email.

The individual steps for implementing the stop, educate, and mitigate strategy will vary depending on your business’s needs. We can help you develop and implement a comprehensive plan to defend against classic phishing emails.

Phishing with icon flickr photo by Infosec Images shared under a Creative Commons (BY) license

The Latest Data Breach & Why It Keeps Happening

The growing value of information is increasing the incentive of hackers to obtain data from both individuals and organizations. These incidents include ransomware attacks in which the perpetrator encrypts the victim’s data or threatens to publish that data unless the victim pays a ransom. Another tactic is to simply sell the information, either to a specific party or the highest bidder.

The data breach at UC San Diego Health (UCSDH) is one of the most recent of these attacks and is especially significant due to the large number of protected health information (PHI) records involved.

Timeline

The investigation is still ongoing, but the most current information shows that the breach began as early as December 2, 2020. UCSDH received a preliminary report of the attack on March 12, 2021 and launched an investigation that verified the attack on April 8, 2021, at which point the attacker’s access to UCSDH systems was terminated. UCSDH announced the breach on July 27, 2021, which was being widely reported by major media outlets by July 30, 2021.

Investigation

As is normally the case, the UCSDH didn’t immediately disclose the data breach to the public. Instead, it reported the matter to the FBI and continued its internal investigation. Once the breach was publicly disclosed, the UCSDH also began directly informing affected individuals of the breach. In addition, UCSDH has promised to provide free credit monitoring and identity theft prevention services to affected individuals one it has completed its investigations. UCSDH has also urged all users to changed their passwords and begin using multi-factor authentication (MFA) to access their accounts.

Method of Attack

The method of attack for the UCSDH data breach was a phishing scheme against the email accounts of UCSDH employees. Details of the attack haven’t been released yet, but it generally involves sending emails to the target addresses purporting to be sent by someone the victim has reason to trust. It usually informs the victim that one of their accounts may have been compromised and requests the victim to log on to that account to verify their information via a link in the email.

However, this link leads to a login page that the hacker controls, although it resembles the actual login page as closely as possible. If the victim attempts to log in to the false page, the hacker will then have the victim’s login information. From there, the hacker can use that information to login to the real account.

Information Disclosed

This data breach resulted in the disclosure of personal information of UCSDH patients, employees and students including the following:

  • Full name
  • Address
  • Date of birth
  • Email
  • Fax number
  • Social Security number
  • Student ID number
  • Username and password

In addition, the breach also compromised the PHI of affected UCSDH members, including claims information such as the date and cost of health care services received. It also disclosed Medical Record Numbers (MRNs), along with medical conditions, laboratory results, diagnoses, treatments and prescriptions. Financial information was another type of data involved in the breach, including payment card number, financial account numbers, security codes and other payment information.

The UCSDH breach illustrates the need to remain alert to the possibility of identity theft. The best defense against this type of activity is to monitor your health and financial accounts regularly for signs of unexpected activity. You should also contact the company maintaining that account as soon as possible when you suspect your account has been compromised.

Data Breach flickr photo by EpicTop10.com shared under a Creative Commons (BY) license