From the Desk of Kaleb Jacob, Principal CIO
Last week, another facility fell prey to unauthorized access. This time, it could have created unsafe drinking water for a Florida community with just a few clicks. We all remember about a year ago when there was a rush for everyone to work from home (WFH), leaving empty offices behind. Many of our clients needed to ramp up a secure VPN solution, and some others needed laptops STAT to help get the initiative off the ground. WFH introduces two things into your security recipe that you may not have had to deal with before.
The first one was that you left a secure environment for one that was not designed with cybersecurity in mind. You are most likely sharing the same Wi-Fi connection where your kids are surfing the web or learning from home, and even your thermostat, camera system and maybe even your toaster are surfing too. Maybe you and your spouse, with different employers, both connect to work from it. This is not considered a safe environment because any of those devices can potentially infect your business network. Worse, if you have an easy Wi-Fi password like your name, address, ZIP, or phone number, your neighbor’s kid is probably on your network if their parents restrict their hours.
The second was creating a secure way into your office to reach files, applications or just your desktop. For that, we set up two different sets of credentials:
- VPN account to access the firewall.
- Your network logon to access the server, network or workstation.
These two credentials were either a different username and password for each user, or we synced your network account to the firewall using multi-factor authentication, where you needed to type a 30-second rolling code to access the VPN. The latter is more secure and easier on the user. Both are high-end solutions that the big companies are used to, and they are actually inexpensive. So why not use a free or cheap remote access application? Oftentimes these applications leave a port open so you can reach them from outside the office. Bots continuously scan your firewall or router many times per day or even per hour looking for open ports. When one finds an open port, it can try some basic hacking techniques or alert a human hacker to probe it further. One way it tries to gain access is to use common passwords that it has pre-programmed into it, such as Summer2020, P@ssw0rd, and so on, to the tune of thousands of attempts per hour from a single bot. Another way is called credential stuffing, where the offending program runs through passwords obtained in previous hacks to try to gain unauthorized access. Where are these credentials obtained? The Dark Web – eBay for hackers. On larger breaches, credentials are posted there and hackers buy them and either phish or hack their way into our virtual lives. In the article at the bottom of this page, credential stuffing appears to be how this was done, as it mentions that the credentials were likely stolen in 2017.
For our valued clients who don’t like changing their password very often: if it’s 2021 and you haven’t changed it since 2017, it is time. Doing that alone at the Oldsmar Water Plant would likely have kept this from the headlines today. However, it was worse than that. All of the PCs at the Oldsmar Water Plant had the same password, and some were even running Windows 7, which Microsoft hasn’t supported for over a year now. If you have a Windows 7 (or earlier, like XP) computer on your network, it is a cancer to your entire network, and it is vulnerable to attacks that a fully patched Windows 10 computer is less likely to fall prey to. Another safety net to avoid what happened below is a Dark Web monitoring service, which Eagle Network Solutions offers starting at $99/month. We even offer this to clients that do not use any of our other services. This service could have alerted the users of the stolen credentials that their passwords were on the Dark Web, and would likely have revealed the actual password too.
Having an early warning system and the ability to change your password upon learning of it is the new norm. Had that been followed up with Security Awareness Training for users, they might not have had the same password on all PCs and probably would have changed it more often, avoiding all of this. Our Security Awareness Training is a series of short video classes (less than 5 minutes long), each with a brief quiz at the end. We assign 2 or 3 a month to all of your users, and a console shows who took the training. HR professionals love the Learning Management Dashboard approach. The classes are easy and in layman’s terms, teaching associates what to look for before clicking on an attachment and alerting them to common scam efforts. We also follow up with a real phishing campaign where we send realistic-looking emails to try to entice them and see if they learned the material they trained on. It records whether they opened the email, clicked a link or entered credentials. This starts at $50/month depending on the number of users.
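The credential-stuffing and password-guessing bots described above leave a recognisable footprint in firewall or VPN authentication logs: one source address failing against many different usernames in a short time, or hammering a single account, and then, worst of all, succeeding on one of the accounts it just failed against. The following is an added example (not code from Eagle Network Solutions, any firewall vendor, or the Threatpost article) of a small detector over such logs. The log format and every username, timestamp and address in it are constructed for the example; a real deployment would parse the appliance's own syslog format instead.

```python
"""Flag credential-stuffing, brute-force and success-after-failure patterns
in authentication logs. Added example with a constructed log format."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed line format: "<ISO-8601 UTC> auth <OK|FAIL> user=<name> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one stuffing bot (203.0.113.45) that eventually gets in,
# one legitimate user who mistyped once (198.51.100.7), one brute-forcer (192.0.2.9).
SAMPLE_LOG = """\
2021-02-08T10:10:01Z auth FAIL user=jsmith src=203.0.113.45
2021-02-08T10:10:03Z auth FAIL user=mlee src=203.0.113.45
2021-02-08T10:10:05Z auth FAIL user=rgarcia src=203.0.113.45
2021-02-08T10:10:07Z auth FAIL user=tnguyen src=203.0.113.45
2021-02-08T10:10:09Z auth FAIL user=plant-ops src=203.0.113.45
2021-02-08T10:10:11Z auth FAIL user=kwilson src=203.0.113.45
2021-02-08T10:10:13Z auth OK user=plant-ops src=203.0.113.45
2021-02-08T10:11:20Z auth FAIL user=dbrown src=198.51.100.7
2021-02-08T10:11:31Z auth OK user=dbrown src=198.51.100.7
2021-02-08T10:12:00Z auth FAIL user=admin src=192.0.2.9
2021-02-08T10:12:03Z auth FAIL user=admin src=192.0.2.9
2021-02-08T10:12:06Z auth FAIL user=admin src=192.0.2.9
2021-02-08T10:12:09Z auth FAIL user=admin src=192.0.2.9
2021-02-08T10:12:12Z auth FAIL user=admin src=192.0.2.9
2021-02-08T10:12:15Z auth FAIL user=admin src=192.0.2.9
2021-02-08T10:12:18Z auth FAIL user=admin src=192.0.2.9
2021-02-08T10:12:21Z auth FAIL user=admin src=192.0.2.9
2021-02-08T10:12:24Z auth FAIL user=admin src=192.0.2.9
this line is garbage and is skipped by the parser
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
    return {"ts": int(ts), "ok": m["result"] == "OK", "user": m["user"], "src": m["src"]}


def analyze(lines, window=600, min_users=5, min_failures=8):
    """Group events per (source IP, time bucket of `window` seconds) and flag:
    - credential_stuffing: failures against >= min_users distinct accounts
    - brute_force:         >= min_failures failures concentrated on accounts
    - success_after_failures: a flagged source then logs in as an account it failed on
    Thresholds are illustrative; tune them to the real login volume."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            buckets[(ev["src"], ev["ts"] // window)].append(ev)

    findings = []
    for (src, _), events in buckets.items():
        failures = [e for e in events if not e["ok"]]
        failed_users = {e["user"] for e in failures}
        flagged = False
        if len(failed_users) >= min_users:
            findings.append({"src": src, "kind": "credential_stuffing",
                             "failed_users": len(failed_users), "failures": len(failures)})
            flagged = True
        elif len(failures) >= min_failures:
            top_user, top_count = Counter(e["user"] for e in failures).most_common(1)[0]
            findings.append({"src": src, "kind": "brute_force",
                             "user": top_user, "failures": top_count})
            flagged = True
        if flagged:
            # The high-priority case: the attacking source got in.
            for user in sorted({e["user"] for e in events if e["ok"] and e["user"] in failed_users}):
                findings.append({"src": src, "kind": "success_after_failures", "user": user})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

The `success_after_failures` finding is the one to act on first: it is the log signature of a stuffing bot finding a reused password, and the right response is to disable the account, reset the password and check what the session did, not just to block the address.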
Your employees are your biggest risk when it comes to cybersecurity, and usually because they just made a mistake. When they make such a mistake, they don’t always report it because they fear repercussions. If your organization doesn’t train them, then it’s not all their fault. We can apply security patches to computers, but we can’t patch your people.
Here is the article on the Oldsmar Water Plant. See if you can pick up the mistakes they made along the way, and compare that to how you run your business.
https://threatpost.com/florida-water-plant-hack-credentials-breach/163919/
We are here if you need us.
All my best,
Kaleb