{"id":21139,"date":"2022-04-01T15:16:04","date_gmt":"2022-04-01T19:16:04","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=478799"},"modified":"2022-04-04T11:17:19","modified_gmt":"2022-04-04T15:17:19","slug":"cyber-security-today-week-in-review-for-april-1-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-april-1-2022\/","title":{"rendered":"Cyber Security Today, Week in Review for April 1, 2022"},"content":{"rendered":"<p>Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for the week ending Friday April 1st, 2022. I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n<p><iframe style=\"border: none;\" title=\"Libsyn Player\" src=\"https:\/\/html5-player.libsyn.com\/embed\/episode\/id\/22645571\/height\/90\/theme\/custom\/thumbnail\/yes\/direction\/forward\/render-playlist\/no\/custom-color\/000000\/\" width=\"100%\" height=\"90\" scrolling=\"no\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p>In a few minutes I\u2019ll be joined by Terry Cutler, head of Montreal\u2019s <a href=\"https:\/\/www.cyologylabs.com\/?r_done=1\" rel=\"noopener\">Cyology Labs<\/a>, to discuss a few headlines from the past seven days. But first a brief roundup of some of what happened:<\/p>\n<p><a href=\"https:\/\/worldbackupday.com\/en\" rel=\"noopener\">World Backup Day<\/a> urges IT departments to take a rigorous approach to backing up corporate data. Terry and I will go over what you need to be doing.<\/p>\n<p><a href=\"https:\/\/www.trellix.com\/en-us\/assets\/docs\/trellix-csis-organizations-and-nation-state-cyber-threats-report.pdf\" rel=\"noopener\">Trellix issued a report<\/a> on nation-state threat actors. These are countries, or their proxies, who are largely doing espionage and stealing corporate information, such as product or pharmaceutical secrets. Seventy-four per cent of survey respondents suspect that a state actor targeted their organization in the previous 18 months.
Terry and I will delve into this report.<\/p>\n<p>We\u2019ll also look at reports that internet providers and companies, including Apple, are <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2022-03-30\/apple-meta-gave-user-data-to-hackers-who-forged-legal-requests\" rel=\"noopener\">sometimes fooled<\/a> into giving away information about subscribers by crooks pretending to be police dealing with an emergency.<\/p>\n<p><a href=\"https:\/\/www.itworldcanada.com\/article\/newfoundland-and-labrador-health-system-attackers-copied-200000-patient-and-employee-files\/478645\" rel=\"noopener\">The province of Newfoundland and Labrador admitted<\/a> that more than 200,000 patient and employee files were accessed in a cyberattack that temporarily crippled the healthcare system last November. The actual number of people affected might be smaller because of repetitions in the files. One healthcare region that was hacked said it is paying closer attention to user passwords and multifactor authentication as it rebuilds its network.<\/p>\n<p>Meanwhile <a href=\"https:\/\/therecord.media\/hive-ransomware-shuts-down-california-health-care-organization\/\" rel=\"noopener\">the Hive ransomware gang claims<\/a> it hit a California non-profit agency that helps people access healthcare in the state. The agency\u2019s website says it\u2019s investigating certain activity with a forensics specialist.<\/p>\n<p>Last week police in England detained and then released a bunch of people between the ages of 16 and 21 whom reporters suspected of being part of the Lapsus$ extortion gang. Perhaps they weren\u2019t as deeply involved as was thought, because this week the Brazil-based IT company Globant admitted it was hit by Lapsus$.
<a href=\"https:\/\/www.globant.com\/news\/globant-official-update\" rel=\"noopener\">The company said<\/a> a \u201climited selection\u201d of its source code as well as project-related documents of a very limited number of clients were accessed.<\/p>\n<p>More malware-infected software packages were found in the NPM open-source library, another warning to developers that code taken from these libraries needs to be closely scanned before being put into their projects.<\/p>\n<p><a href=\"https:\/\/www.fbi.gov\/news\/stories\/coordinated-operation-disrupts-global-bec-schemes-033022\" rel=\"noopener\">Police in a number of countries arrested<\/a> 65 people, including nine U.S. residents, two Canadian residents and 12 in Nigeria, as part of a global crackdown on business email compromise scams. Often these are scams that convince employees to transfer money to what they think are legitimate bank accounts. They do it by cracking emails and pretending a customer is changing banks.<\/p>\n<p>Finally, in case you thought ransomware attacks aren\u2019t too costly, a customer relationship management software company called Atento <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/lockbit-victim-estimates-cost-of-ransomware-attack-to-be-42-million\/\" rel=\"noopener\">said an attack last year cost it $42 million<\/a>. Of that, $34 million was lost revenue and $7.3 million was spent on repairing and improving IT systems.<\/p>\n<p><em>(The following transcript has been edited for clarity)<\/em><\/p>\n<p><strong>Howard:<\/strong> Let\u2019s start with the importance of a solid IT backup strategy. I think it would be obvious because data theft has been with us almost since the beginning of the public internet. However, big causes of data losses are also hardware failure and human error. Yet some companies, big and small, still don\u2019t get backup right. The only way they find out is when there\u2019s a crisis.
Why is that?<\/p>\n<p><strong>Terry Cutler:<\/strong> Making a backup and not testing it. It\u2019s like not having a backup at all. And not just that: we also have to worry about whether hackers can get into the system and actually wipe out that data. We\u2019re seeing what\u2019s happening in Ukraine with the wiper malware. So it\u2019s very important that you know who has access to the data. If the internal backups are being wiped, can we get access to the backup?<\/p>\n<p><strong>Howard:<\/strong> So it\u2019s important to have a rigorous backup strategy because it\u2019s part of your disaster recovery strategy. What are some of the worst backup incidents that you\u2019ve come across in your career?<\/p>\n<p><strong>Terry:<\/strong> One happened a couple of years ago when a customer got hit with ransomware. All of their current backups were encrypted. And the attackers were asking for over a million dollars to recover the data. They tried their tape backup but found out that their offsite tapes weren\u2019t being regularly changed, so that data was over seven months old \u2014 and when you\u2019re dealing with health information you need to have more regular and more up-to-date copies of your data. They tried to restore the data from the tapes. But then we found out that the server that\u2019s being ransomed is the only server that can run that old version of software for the tape to be able to re-index. Then we found out that the database [on the tape] was corrupt; it would have taken weeks to re-index it. We sent it out to a data recovery firm and were able to recover most of the data, but it\u2019s still seven months old. So test your strategy.<\/p>\n<p><strong>Howard:<\/strong> Experts say you need a 3-2-1 backup strategy. Explain that.<\/p>\n<p><strong>Terry:<\/strong> The 3 represents having three copies of your data at all times. Two of those should be on different media.
And one of them will be held offsite.<\/p>\n<p><strong>Howard:<\/strong> A lot of IT people get confused between an incremental backup and a differential backup.<\/p>\n<p><strong>Terry:<\/strong> The biggest difference is that the incremental backups will only include data that\u2019s been changed since the previous backup. Let\u2019s say you\u2019ve backed up a terabyte of data but only 200 megs of it changed. It\u2019s only going to back up 200 megs. A differential backup will back up all of the files that have changed since the last full backup. Differential copies will help you recover faster because you just have to restore the full copy, then just restore the latest differential copy. The danger you\u2019ll have with incremental copies is that you may have 17 copies to fully restore data. If one of those copies is damaged it\u2019ll break the whole chain of recovery. So there\u2019s a lot of risk.<\/p>\n<p><strong>Howard:<\/strong> Another thing to keep in mind is you\u2019ve got to make sure that your backup isn\u2019t always linked to your live network. That can be difficult if you\u2019re in a business where you\u2019ve got to make backups every 30 seconds.<\/p>\n<p><strong>Terry:<\/strong> That\u2019s the example I just gave. You had two side-by-side storage units with a fiber-optic connection between the two making backups of each other in case one failed. But because they were on the same network they both got encrypted.<\/p>\n<p><strong>Howard:<\/strong> So when you\u2019re planning you\u2019ve got to make sure that doesn\u2019t happen. I came across a list of common mistakes that small IT departments make, and they include things like inconsistent backups, forgetting that there are other offices in the company that may be outside the main branch, ignoring mobile devices, relying only on physical storage, not using your backup software\u2019s automation features, forgetting your archive needs and not storing a copy of your backup offsite.
Are these the kinds of things you\u2019re seeing?<\/p>\n<p><strong>Terry:<\/strong> Yes, and I think that the moral of the story comes down to test, test, test. And I think it\u2019s also really important that you have a proper software and hardware inventory, because, going back to that [ransomed] customer, they weren\u2019t prepared for this. So they had no idea where their software installation keys were, they didn\u2019t know where to download the software for their accounting solution, and they didn\u2019t have the proper license keys to activate the products. In another case they didn\u2019t know what third parties have access to their network. So they might be fully secured from external threats, but they don\u2019t realize that a third party has access to the internal network and to sensitive information. We saw a previous case where an MSP [managed service provider] got attacked and the attackers got into 40 of their customers via TeamViewer and ransomed them all. So it\u2019s very important to know who has access to your data. The other thing is how fast can you recover from any type of disaster?<\/p>\n<p><strong>Howard:<\/strong> One thing that\u2019s vital to remember is that cloud providers probably don\u2019t back up the data that you have with them. Email providers like Gmail or your web hosting provider may not be backing up your backup.<\/p>\n<p><strong>Terry:<\/strong> There was a high-profile case that just happened recently with [cloud storage provider] StorageCraft. <a href=\"https:\/\/www.citizensjournal.us\/cloud-backup-provider-storagecraft-permanently-loses-customer-data\/\" rel=\"noopener\">By human error they accidentally destroyed<\/a> all customer backups. And that is pretty much every CEO\u2019s nightmare. They get hit by ransomware and there\u2019s no data backup. What\u2019s worse is that some customers of StorageCraft could also be managed service providers, who have their own customers. So if their customers ever got hit.
They\u2019re trying to rely on StorageCraft to recover their data. That\u2019s why offline backups are key.<\/p>\n<p><strong>Howard:<\/strong> There was a problem with a Canadian company called Web Hosting Canada. <a href=\"https:\/\/www.itworldcanada.com\/article\/web-hosting-canada-reveals-cause-of-outage\/457684\" rel=\"noopener\">They lost some data<\/a> and some customers might have had trouble because the provider didn\u2019t have immediate access to their data. [Most but not all website data was recovered]<\/p>\n<p><strong>Terry:<\/strong> It\u2019s like the whole zero trust model \u2014 have your proper offsite backups. Trust no one.<\/p>\n<p><strong>Howard:<\/strong> And you need to do two vital things: Once you have a backup strategy, you\u2019ve got to regularly verify the integrity of your backup data and you\u2019ve got to have IT staff practice restoring your data.<\/p>\n<p><strong>Terry:<\/strong> Exactly.<\/p>\n<p><strong>Howard:<\/strong> You can get lots of good advice on backup strategies from your existing vendors. You don\u2019t necessarily have to hire a consultant. The big IT suppliers that you already deal with, including Microsoft, will have free advice. And so do your trusty taxpayer-supported sources, which are governments. In Canada that\u2019s the Canadian Centre for Cyber Security, in the United States it\u2019s the Cybersecurity and Infrastructure Security Agency, and for those of you in the U.K. who are listening, it\u2019s the National Cyber Security Centre. They\u2019ll have free advice that will get your IT department thinking about how you can develop a mature backup strategy.<\/p>\n<p><strong>Howard:<\/strong> Let\u2019s turn to the Trellix report. For those of you who don\u2019t know, Trellix is the name of the merged FireEye and McAfee Enterprise companies.
This is one of the first reports from the new firm and they talk about the importance of being aware of nation-state or nation-state-supported threat groups that may attack your company for a variety of motives. What I got from this is that organizations underestimate the number of attacks from nation-states that they may face. What did you learn?<\/p>\n<p><strong>Terry:<\/strong> From this report, but also from the years that I\u2019ve been going back and forth with my friends in Ottawa who helped investigate this exact matter [foreign interference]. Years ago they [the RCMP] didn\u2019t have the expertise or the jurisdictional capabilities to stop this. The other thing is when someone [a nation state] has embedded themselves into things like firmware it\u2019s very, very difficult to know there is beaconing [back to the group] going on.<\/p>\n<p>There\u2019s no silver bullet to stop the hackers from getting in, but there are technologies and experts that exist that you can have in the background that will give you holistic situational awareness of your entire network. So while these components are being attacked the company would be able to get notification that these weird things are happening. It really comes down to visibility: Do you have detection technology in place to notice something\u2019s going on? And do you have a response plan to get the hacker out once he\u2019s been detected?<\/p>\n<p><strong>Howard:<\/strong> One of the dangers of a nation-state attack is data theft of intellectual property that could lead to the collapse of your company, because the state passes on the data to one of its prized companies and puts you out of business. The report doesn\u2019t mention it, but one example is the collapse of Canada\u2019s Nortel Networks.
<a href=\"https:\/\/www.bnnbloomberg.ca\/did-a-chinese-hack-kill-canada-s-greatest-tech-company-1.1459269\" rel=\"noopener\">There was one Nortel official who investigated suspicious activity on the network and is certain that the theft of intellectual property by hackers from China led to Nortel\u2019s downfall.<\/a><\/p>\n<p><strong>Terry:<\/strong> They were warned multiple times by intelligence agencies.<\/p>\n<p><strong>Howard:<\/strong> Is attribution of an attacker important? Isn\u2019t it my job as a CIO or CISO or IT leader to protect important data no matter who attacks me?<\/p>\n<p><strong>Terry:<\/strong> The problem is that sometimes you\u2019re too close to the data and you lose sight of what\u2019s possible. That\u2019s why it\u2019s important to go to a third party that can look into these matters for you and get fresh eyes on your situation. We\u2019re going to find things that you typically wouldn\u2019t think of. A lot of times customers don\u2019t have the in-house expertise. The CIO or CISO\u2019s job is to bring as much risk visibility into the organization as possible. But sometimes they just don\u2019t have the staff to do it.<\/p>\n<p><strong>Howard:<\/strong> So what should companies do to blunt the threat of a nation-state attack, given that countries have the luxury of time and money behind these attacks?<\/p>\n<p><strong>Terry:<\/strong> It really comes down to whether you can monitor your network in a holistic way and look at all the traffic that\u2019s leaving your company. Look for things like beaconing to unapproved servers in China or Russia when your organization\u2019s in Canada. That might not be normal. Make sure you have endpoint detection and response technology.<\/p>\n<p><strong>Howard:<\/strong> Finally, you spotted an interesting post by American cyber reporter Brian Krebs.
Tell us about that.<\/p>\n<p><strong>Terry:<\/strong> <a href=\"https:\/\/krebsonsecurity.com\/2022\/03\/fake-emergency-search-warrants-draw-scrutiny-from-capitol-hill\/\" rel=\"noopener\">Hackers were able to break into law enforcement agencies and used legitimate email accounts to make urgent requests for information from providers<\/a>. Usually if law enforcement wants information about a specific individual they need a subpoena [or court order] to get it, but there is a process called an urgent request that law enforcement can make. Companies like Facebook or Apple will provide that information because it\u2019s coming from a legitimate source. But in some cases cybercriminals got into a legitimate law enforcement email address and asked for people\u2019s information like the address of a subscriber, their IP address and some other personal details.<\/p>\n<p><strong>Howard:<\/strong> Just to be clear, there usually has to be a matter of life and death, so police can quickly track down who is behind a cyber attack or an imminent criminal offence. There was a mention of Apple and Meta from Bloomberg News. Meta, of course, is the parent company of Facebook. Sources told Bloomberg that these two companies provided customer data to hackers who were masquerading as police. Meta issued a statement saying, \u2018We review every data request for legal sufficiency and use advanced systems and processes to verify law enforcement requests and so we can also detect abuse. We block known compromised accounts from making requests and work with law enforcement to respond to incidents involving suspected fraudulent requests.\u2019 And in this particular reported case they\u2019ve also investigated it. It seems to me that this is perhaps a matter of police forces trusting email, like a lot of other companies do.
And in some cases they may not have the processes that they need to make sure of the authenticity of a request for personal information.<\/p>\n<p><strong>Terry:<\/strong> It sounds to me like law enforcement needs to beef up its cyber security. There is technology out there that monitors email accounts and looks for what\u2019s called impossible travel. For example, one day you\u2019re logging in from Montreal as a police officer, and the next hour you\u2019re logging in from Lagos, Nigeria. An alert would be triggered and it can block the account.<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-april-1-2022\/478799\">Cyber Security Today, Week in Review for April 1, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features discussion on World Backup Day, the threat of cyber attacks by nation-state threat groups and how crooks fool internet providers to get personal information of users.<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-april-1-2022\/478799\">Cyber Security Today, Week in Review for April 1, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World 
Canada<\/a>.<\/p>\n","protected":false},"author":17,"featured_media":20700,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389,388],"class_list":["post-21139","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-podcasts","category-security","tag-cyber-security-today","tag-privacy-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/21139","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=21139"}],"version-history":[{"count":5,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/21139\/revisions"}],"predecessor-version":[{"id":21195,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/21139\/revisions\/21195"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media\/20700"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=21139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=21139"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=21139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}