Are your Third-Party Vendors dangerous?
FROM THE DESK OF TODD SWARTZMAN, RealTime CISO
I had an informative call recently with a cyber insurance risk manager, and he mentioned that one of the primary drivers of the growing number of cyber insurance claims is what is known as contingent exposure. Contingent exposure refers to third-party risk: the potential risks that your own vendors (along with their processes, staff, and even their own vendors) may inadvertently introduce to your business simply because you are their customer or partner.
Many of us felt the repercussions of this on the personal side because of the significant CDK and Change Healthcare incidents that occurred this year, and let's not forget the disruption caused by the CrowdStrike outage, which delayed flights for several days. While those companies faced the issues directly, many of us suffered the fallout in lost time, frustration and, in some cases, delayed payments on insurance claims. All of this reinforces the importance of carefully considering how your business can better manage its third-party risks.
HOW TO MANAGE THIRD-PARTY RISKS
Managing third-party risk can often be as straightforward as asking your vendors whether they have a robust cybersecurity plan in place, including comprehensive cyber insurance coverage, and asking for evidence rather than settling for a yes/no answer. This helps you assess each vendor's security posture and confirms they are prepared for an incident. Cyber insurance rates can be expected to rise this year because of the substantial claims arising from the Change Healthcare and CDK incidents, which highlights the financial pressure recent breaches are putting on the insurance industry.
FINAL THOUGHT.
Make sure your business has cyber insurance and make sure all of your third-party vendors have a cybersecurity plan/cyber insurance. It’s really that simple.
TELL TALE SIGNS OF A BEC ATTACK
The #1 way to avoid a business email compromise (BEC) is to stop and think every time you’re interacting with an email (or attachment).
It's fairly easy to spot a BEC attempt if you pay attention to the emails you open.
Your first RED FLAG is an email that prompts you to sign in, via a link inside the email, to an account you probably use frequently, such as:
Microsoft 365
Google Workspace
Dropbox
Salesforce (etc.)
THE 2ND RED FLAG…
The second red flag within the email is if it prompts you to take action such as one of the following:
Click the link;
Download “something”;
Listen to a voicemail;
Look at an Invoice, Refund, etc…
If you click the link, the BEC email will take you to a “login page” that looks almost identical to a ‘real’ login page.
STOP!
Think about what just happened and why you would need to enter your email & password.
DID YOU CLICK THE LINK? OH NO. NOW WHAT SHOULD YOU DO?
Check the URL in the address bar of the logon page the email led you to. Is it the correct one for whatever you're logging into? The part that matters is the hostname (everything between https:// and the next /); note that some browsers hide the https:// until you click into the address bar.
Check with your security officer, IT department or IT provider if you have the slightest unease that this could be a scam. They should be able to assist.
Is this the type of thing you normally receive from this person? Maybe it’s ok, maybe not – if something doesn’t smell right, give them a call and verify if it’s legit.
These days, the bad guys' number one strategy is to capture your username, password and MFA approval through these fake logon pages, most commonly a fake Microsoft 365 login page. The fake page passes what you type to the real service as you type it, so the MFA prompt you approve is actually the attacker's sign-in.
REAL VS FAKE
Here is a real one; the address will start with: https://login.microsoftonline.com/
A fake one will start with something else, for example a different domain that merely contains the word "microsoft", or the real name followed by more text (login.microsoftonline.com.something-else). Tens of thousands of fake login pages are created on any given day.
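The "does it start with https://login.microsoftonline.com/" test above is a hostname check, and the lookalikes attackers use (the real name as a subdomain of their own domain, the real name before an @ sign, or the real name in the path) all fail it once you parse the URL instead of eyeballing it. The following is an added example, not code from the original post or from RealTime: a small Python checker that classifies a pasted address as genuine, lookalike or unknown. The only genuine host it knows is the one named in the post; the brand-token list and the sample URLs are assumptions made up for this example, and the "unknown" result still means "not a page you should type a password into".

```python
from urllib.parse import urlsplit

# The genuine Microsoft 365 sign-in host named in the post. Extend this set with
# any other legitimate sign-in hosts your tenant uses (an assumption for this example).
GENUINE_HOSTS = frozenset({"login.microsoftonline.com"})

# Brand words attackers like to embed in a fake hostname (assumed list).
BRAND_TOKENS = ("microsoftonline", "microsoft", "office365", "o365", "outlook")


def classify_login_url(url: str, genuine_hosts=GENUINE_HOSTS) -> str:
    """Classify a sign-in page URL as 'genuine', 'lookalike' or 'unknown'.

    The decision is made on the parsed hostname, not on a string prefix, so a
    genuine name hidden in a subdomain, in the userinfo before '@', or in the
    path does not count.
    """
    url = url.strip()
    if "://" not in url:
        # Address bars often copy without the scheme; assume https for parsing.
        url = "https://" + url
    parts = urlsplit(url)
    # .hostname drops any userinfo and port and lower-cases the result.
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme == "https" and host in genuine_hosts:
        return "genuine"
    lowered = url.lower()
    # The real name appears somewhere other than as the hostname, or the host
    # borrows a brand word: a deliberate imitation.
    if any(g in lowered for g in genuine_hosts) or any(t in host for t in BRAND_TOKENS):
        return "lookalike"
    return "unknown"


def check_urls(urls):
    """Classify several URLs at once; returns {url: verdict}."""
    return {u: classify_login_url(u) for u in urls}


# Constructed sample addresses (not real phishing infrastructure).
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc",
    "https://login.microsoftonline.com.secure-auth.example/common/",
    "https://login.microsoftonline.com@evil.example/",
    "https://evil.example/login.microsoftonline.com/",
    "http://login.microsoftonline.com/",
    "https://office365-secure-login.example/",
    "https://docs-share.example/view",
]

if __name__ == "__main__":
    for url, verdict in check_urls(SAMPLE_URLS).items():
        print(f"{verdict:9} {url}")
```

Only the first address is genuine: the second and third keep the real name in the hostname string but are served by other domains, the fourth buries it in the path, the fifth downgrades to plain http, and the sixth merely borrows the brand. A verdict of "unknown" is not a pass; it just means the page imitates nothing in the allow list.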
I hope this helps reduce your risk of an email compromise. Stay alert and think before you click on a link in any email!
Hurricane Technology Checklist
As Hurricane Helene travels toward the Florida Coast, and into Alabama and Georgia, now is the time to take action and be prepared to protect your computers, printers, files and data.
1. ENSURE YOU HAVE A BACKUP
Back up your files! It's good practice to back up your data files frequently. We recommend a hybrid-cloud, image-based backup that can restore data and applications even if your server is destroyed, and that can restore from different points in time.
Print a copy of your important/emergency contacts and take them with you; if you lose access to your phone or computer, you'll still have them available for use from a landline.
RealTime Clients: Everyone who is on our Business Continuity Service – Your servers are backed up and replicated offsite daily. If there is a problem, we correct that as part of the service. As the Hurricane approaches, RealTime will confirm your local servers are backed up and replicated to offsite data centers.
2. SECURE YOUR EQUIPMENT
COMPUTERS
Shut down the operating system.
If connected to a surge protector or UPS - unplug from the wall outlet (or unplug power cables from the surge protector or UPS if wall outlet isn't accessible).
Unplug the Ethernet cable from the back of the computer or docking station.
PRINTERS
Power off the printer.
If connected to a surge protector - unplug as described above.
Unplug the Ethernet cable from the back of the printer.
Unplug the phone cable from the back of the printer (if a fax line is connected).
SERVERS AND NETWORK EQUIPMENT
Perform a normal shutdown of the servers. RealTime clients: Please coordinate with RealTime service desk.
Unplug all connections - Take photos to document how things were prior to the event.
Firewalls, Switches, Access Points - unplug them from power. Unplug the firewall from the internet connection as well. Ideally, unplug all the network connections (surges can travel through the network cabling).
Battery backups - power these off and then unplug them.
Phone systems - Check with your vendor to see what steps you can take to protect it.
3. COVER POWERED OFF EQUIPMENT WITH PLASTIC
When a major storm is predicted, elevate your computers, printers, servers and other network devices, as well as other electrical appliances such as space heaters, off the floor. For high winds, move computers away from windows. If there is any possibility of water leakage, cover computer equipment with plastic.
4. CONTINUING OPERATIONS AFTER THE STORM
If you are in the path, power and internet connectivity may be hard to come by for a few days. A generator can provide enough power to run your critical computer equipment, but be sure you connect through something that can handle the voltage fluctuations many generators produce. Please ask RealTime before connecting equipment to a generator, as generators can damage sensitive electronics. Some modern battery backups (UPS units) can condition generator power; check with the manufacturer to confirm before trying this.
4G/5G USB modems or a MiFi hotspot can get you connected in an emergency. Not everything will work over that link, but basic web browsing should.
Forward your phones – If the office is expected to be out a few days, most phone service providers have a way for you to forward calls to your business to a cell phone or alternate number. Get the steps now, before you need them.
5. BE PREPARED
Knowing what steps to take ahead of time will help you be prepared in the worst-case scenario. RealTime is committed to ensuring our clients are prepared with the proper technology to meet their current/future needs as well as advising them about safeguarding their business from weather-related, cyber and other disasters.
If you would like further information about RealTime managing Information Technology for your business, contact us at info@realtime-it.com.
FOUR MINUTES OR LESS…
Four minutes is all the time it took for a bad actor to infiltrate an email account through a phishing attempt. Read how we were able to catch the bad actor and steps you can take to protect yourself.
WHAT HAPPENED?
We just had a case where our monitoring system alerted us to suspicious activity in someone’s Microsoft 365 mailbox. We disabled access and reset sessions and credentials, but a quick look through the audit trail shows that the bad actor used stolen credentials that they had obtained through a malicious shortcut in a phishing email. Within 4 minutes of obtaining the credentials, the bad guy was able to quickly create an inbox rule to redirect specific messages to an alternate inbox folder in hopes of hiding future activities from the mailbox owner.
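The inbox rule described above is the thing a monitoring system can actually catch: in Microsoft 365 every New-InboxRule (and Set-InboxRule) call is written to the unified audit log with the cmdlet's parameters, and a rule that files or deletes mail, marks it read, has a throwaway name, or filters on words like "invoice" or "password" is a classic post-compromise signature. The following is an added example, not code from the original post or from RealTime: a Python detector run over constructed sample audit records (not real log data) shaped like the AuditData JSON the unified audit log returns, which also computes the sign-in-to-rule dwell time that the post measured at four minutes. The hiding-folder list, the keyword list and the two-reason threshold are assumptions chosen for this example and should be tuned to your tenant.

```python
from datetime import datetime

# Folders attackers favour for diverted mail because owners rarely open them (assumed list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
# Keywords that a rule written to hide fraud or incident-response mail tends to filter on (assumed list).
ALERT_WORDS = ("password", "hacked", "phish", "suspicious", "invoice", "payment", "wire")

# Constructed sample AuditData records (not real log data). Field names follow the
# unified audit log schema: Operation, UserId, ClientIP, CreationTime and, for
# Exchange cmdlets, Parameters as a list of Name/Value pairs.
SAMPLE_AUDIT = [
    {"CreationTime": "2024-06-03T14:02:11", "Operation": "UserLoggedIn",
     "UserId": "jdoe@example.com", "ClientIP": "203.0.113.45"},
    {"CreationTime": "2024-06-03T14:06:05", "Operation": "New-InboxRule",
     "UserId": "jdoe@example.com", "ClientIP": "203.0.113.45",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;password;hacked"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"},
         {"Name": "MarkAsRead", "Value": "True"},
     ]},
    {"CreationTime": "2024-06-03T09:15:40", "Operation": "New-InboxRule",
     "UserId": "asmith@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "From", "Value": "news@vendor.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"},
     ]},
]


def _params(record):
    """Flatten the Name/Value parameter list of an Exchange cmdlet record into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def rule_reasons(record):
    """Return the reasons a New-/Set-InboxRule record looks like attacker persistence."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = _params(record)
    reasons = []
    # Rules that send mail elsewhere or destroy it outright.
    for action in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        if p.get(action):
            reasons.append(f"{action}={p[action]}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage")
    # Rules that bury mail where the owner will not look, or hide unread counts.
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder={p['MoveToFolder']}")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("MarkAsRead")
    # Throwaway names such as "." or "," are common in phishing kits.
    name = p.get("Name", "")
    if len(name.strip()) <= 2 or not any(ch.isalnum() for ch in name):
        reasons.append(f"rule name {name!r}")
    words = (p.get("SubjectOrBodyContainsWords", "") + ";" + p.get("SubjectContainsWords", "")).lower()
    if any(w in words for w in ALERT_WORDS):
        reasons.append("filters on security/payment keywords")
    return reasons


def find_suspicious_rules(records, min_reasons=2):
    """Return one finding per rule record that accumulates at least min_reasons reasons."""
    findings = []
    for r in records:
        reasons = rule_reasons(r)
        if len(reasons) >= min_reasons:
            findings.append({"user": r.get("UserId"), "ip": r.get("ClientIP"),
                             "time": r.get("CreationTime"), "reasons": reasons})
    return findings


def minutes_from_login(records, finding):
    """Minutes between the user's most recent sign-in and the flagged rule (None if no sign-in)."""
    rule_t = datetime.fromisoformat(finding["time"])
    logins = [datetime.fromisoformat(r["CreationTime"]) for r in records
              if r.get("Operation") == "UserLoggedIn" and r.get("UserId") == finding["user"]
              and datetime.fromisoformat(r["CreationTime"]) <= rule_t]
    if not logins:
        return None
    return round((rule_t - max(logins)).total_seconds() / 60, 1)


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_AUDIT):
        print(f"{f['time']} {f['user']} from {f['ip']}: {', '.join(f['reasons'])}; "
              f"{minutes_from_login(SAMPLE_AUDIT, f)} min after sign-in")
```

Only the jdoe rule is flagged: it hides matching mail in RSS Feeds, marks it read, is named "." and filters on fraud-related words, 3.9 minutes after the sign-in from the same address. The asmith rule moves newsletters into a normal folder and collects no reasons at all, which is the point of scoring several weak signals rather than alerting on every MoveToFolder. In practice the records come from the Search-UnifiedAuditLog cmdlet or the Office 365 Management Activity API, whose AuditData column is the JSON these dictionaries mirror.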
DID THIS EMAIL ACCOUNT USE MULTI-FACTOR AUTHENTICATION?
Yes! The attack was what is known as an AiTM (adversary-in-the-middle, also called MITM or man-in-the-middle) attack: a threat actor puts themselves between two parties, typically a user and an application, to intercept their communications and data exchanges. In the diagram below, the phishing attempt led the user to a realistic-looking website that was fake. The attackers make the page look identical to a legitimate one, such as your bank's, get you to enter your credentials, and harvest them that way; because the fake page relays what you enter to the real service as you enter it, the MFA approval you grant completes the attacker's sign-in rather than yours.
Below is a simplified diagram of what happened:
FINAL THOUGHT
Thankfully we were able to shut this attack down within minutes of it starting, well before anything bad could happen. However, the reality is that most small businesses using Microsoft 365 do not have the capability to detect and respond to this sort of suspicious activity. To protect yourself and your business, be proactive in verifying that the emails in your inbox are not phishing attempts, and make sure all available protections, such as MFA, are enabled (the MFA in this case was bypassed by the AiTM page, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys where your tenant supports them). When in doubt, don't click the links in the email; type the known URL into a separate window and check it out for yourself. It may take a few extra steps, but in the long run it can save you from a financial disaster.
HEALTHCARE PROVIDER hacked after employee downloaded a malicious file
If you needed a good object lesson to continue promoting regular security awareness training within your organization, here it is:
Ascension hacked after employee downloaded a malicious file.
The employee thought it was legitimate, downloaded it, and opened it. This gave the attackers access to a portion of Ascension's network and subsequently to a few of their servers, prompting Ascension to activate its incident response plan and take some systems offline on May 8th, 2024 to contain the "cybersecurity event" (their words).
QUICK DETECTION IS KEY
To their credit, Ascension appears to have identified the issue quickly, which suggests effective security monitoring capable of detecting unusual behavior. That capability is a crucial part of a comprehensive approach to mitigating cybersecurity threats. Initial findings suggest that the intruders accessed files from a limited set of file servers. An Ascension representative's statement said the ongoing investigation indicates that some of the compromised files likely include Protected Health Information (PHI) and Personally Identifiable Information (PII) belonging to specific individuals, with the types of data exposed varying from person to person.
This is a good illustration of how different security layers work together to limit the impact of an attack. Ascension evidently invests in security awareness training for its employees, a fundamental practice for minimizing cyber threats. Despite such efforts, human error remains possible, so additional proactive measures are needed to strengthen defenses.
Other notable points:
They had systems in place to detect and investigate anomalous activity. Attackers now routinely use built-in system tools ("living off the land") to stay unnoticed for a while; many current EDR and MDR platforms can spot anomalous user behavior to some extent.
Logging lets you determine whether information was viewed and taken from your systems. It helps you understand the scope of an incident, a capability many small businesses lack.
They had an incident response plan telling them what to do. A simple plan is better than improvising under pressure: it tells you what to do, who to call and what to avoid.
They did a fairly good job with the message they conveyed to customers. Internally, though, there appears to have been some confusion and disarray.
Their systems were mostly down for about two weeks, perhaps because of the investigation and making sure the attackers were gone. A good Business Continuity Plan includes instructions for manual or alternative procedures when computer systems are down, so you can keep running the business with some limitations, depending on what you need.
Ascension statement: https://about.ascension.org/en/cybersecurity-event