OT Security: Safeguarding Your OT Assets in An Increasingly Connected World


While once rare, cybersecurity incidents targeting Operational Technology (OT) assets have become increasingly common in the past few years. This trend prompted Verizon, in its 2020 Data Breach Investigations Report, to examine for the first time in the report's then 12-year history the involvement of OT assets versus IT assets in security incidents. The report also included a section aimed specifically at organizations in the Mining, Quarrying, and Oil & Gas Extraction business.

Norsk Hydro & Stuxnet: The Canaries in the Coal Mine


Norsk Hydro

Verizon’s 2020 report was released in the wake of the devastating 2019 ransomware attack on Norsk Hydro, which forced the organization to resort to manual operations at 170 sites in 40 different countries and cost the company tens of millions of dollars in damages. While OT networks and assets weren’t the primary target in this attack, the spill-over from the IT-focused attack disrupted OT networks substantially and shone a light on how unprotected many OT systems and assets really are. 

Stuxnet

However, the Norsk Hydro attack was not the first widespread, OT-disrupting attack. In 2010, Stuxnet, a highly sophisticated computer worm that targeted computers involved in uranium enrichment, disrupted OT systems across Iran, India, and Indonesia. The worm began by checking whether an infected computer was connected to specific programmable logic controller (PLC) models manufactured by Siemens (PLCs are devices that computers use to interact with and control complex industrial machines such as uranium centrifuges).

Computers that weren’t connected were ignored (and typically left unharmed). Computers that were connected to the PLCs, however, had the PLCs’ programming altered, causing the centrifuges to spin too quickly and for too long, extensively damaging or even destroying delicate and expensive equipment. While this was happening, Stuxnet directed the PLCs to report that all equipment was working normally, which, in a remotely monitored environment, made it incredibly difficult to detect and diagnose the problem before extensive damage had already been done.

OT assets bring unique security implications, and as an organization’s footprint expands, its security risk scales as well. This reality, together with broader market changes, is significantly reshaping OT security environments. Businesses with significant OT assets need to take steps to secure their OT devices and improve their overall cybersecurity posture.

IT Security vs OT Security: A Brief Overview

While many organizations used to manage their IT and OT networks separately, IT and OT systems have a lot in common and rely on very similar tools. However, these tools are used in different ways: while IT tools are designed to interact with humans so they can complete their work tasks, OT tools are designed to interact with machines and ensure that the industrial control systems within your organization are operating correctly and available for the tasks your organization depends on them for.

One of the reasons OT and IT were kept apart for so long is that traditionally OT environments were “air-gapped”: kept isolated from the broader IT network and run in separate, siloed environments without internet access. However, the rise of IIoT (the industrial internet of things), which allows OT assets to be controlled and monitored remotely, has broken this isolation. While remote capabilities allow organizations to enjoy decreased costs and increased efficiency, the trade-off is that OT systems are no longer automatically protected from internet-based threats, such as cybersecurity attacks. 


The Security Risks Associated with Operational Technology

IT security has been a priority for most organizations for decades, but unfortunately, OT security has not received the same amount of attention. According to the 2020 Global IoT/ICS Risk Report:

  • 71% of IoT and Industrial Control Systems (ICS) networks are running on outdated operating systems that are no longer receiving security updates,
  • 66% have not been updated with the latest antivirus software, and
  • 64% of these networks rely on insecure passwords.

These findings are alarming and highlight several pervasive problems.

Direct Internet Connections

Many OT-reliant organizations depend on direct connections to the public internet. This is a serious problem, as even a single internet-connected device can provide a gateway for attackers to introduce malware onto a network, or to infiltrate the network and gain access to sensitive or proprietary information.

Insecure Passwords

While easy-to-remember passwords provide convenient entry for authorized workers, they also make it easy for attackers to brute-force their way onto your network. To improve password security, consider following the NIST password guidelines (see section 5.1.1.1, Memorized Secret Authenticators) or investing in a secure password manager.

Misconfigured APs Are a Security Risk

A single misconfigured wireless access point (AP) can compromise the security of your entire network. To help prevent unauthorized network access, you should audit all APs regularly and ensure any new APs added to the network are correctly configured.

Outdated Operating Systems

While transitioning to a new operating system may pose a bit of a headache, outdated operating systems that no longer receive security updates are a prime target for security attacks. To help improve your security posture, you should inventory all machines and access points on your network to ensure they are able to take advantage of their manufacturers’ latest security patches and updates. 

Operating systems that are no longer supported should be phased out as quickly as possible and replaced with more secure options. During the transition, your security team should monitor your currently outdated systems more closely than usual since they present a particularly tempting entry point to attackers.

Inadequate OT Employee Training

Without proper employee cybersecurity training, even the best policies, most secure systems, and the latest and greatest security products will fall short. All employees should undergo regular cybersecurity training, and you should include security training during your onboarding process.

Well-trained employees are an incredibly valuable security asset, giving you eyes and ears across your network. You should ensure employees can identify potentially suspicious activities (such as phishing scams) and know who to report potentially suspicious activities to. 

You should also consider running tabletop cybersecurity exercises. Tabletop exercises are similar to fire drills: allowing your employees to put their cybersecurity skills and knowledge to the test in a no-stakes environment. Employees are presented with a hypothetical cybersecurity incident which they have to respond to. This not only allows employees to get comfortable using their cybersecurity knowledge and helps them familiarize themselves with your incident response plan but is also a great way to identify gaps in your security posture and response procedures so that they can be addressed before those deficiencies can be used against you. 


As Your OT Footprint Expands, Industry Operators Need to Consider These Cyber Risks As Well

As your OT footprint expands, so do your cyber risks. However, by adopting a security-focused and proactive mindset, you can help ensure your cybersecurity posture remains robust. 

Keep Third-Party Risk Management Top-of-Mind

Many OT-heavy organizations depend on third parties. Oil and gas businesses looking to transition to renewable energy sources are partnering with third parties to ease that transition, and many mining companies rely on third parties for support services such as equipment assembly and maintenance. However, without proper planning and integration, partnering with a third party can increase risk and create security gaps in both parties’ systems.

To help ensure your OT ecosystem remains secure, you should ensure that your new partners are able to integrate smoothly with your OT and IT networks. Linking two systems introduces risk to both, so it is important to confirm that the partnership won’t inadvertently introduce security gaps that could leave either party, or both, vulnerable. You should also carefully vet all partners to ensure they meet your cybersecurity standards, and limit third-party access to only the systems they require to do their work. Should a third party require access to a critical or sensitive system, that access should be carefully monitored for suspicious activity in case your partner’s network or organization becomes compromised.

Beware of Cyber Espionage

Cyber espionage, particularly in the mining industry, remains a serious threat. Common cyber espionage attackers include competitors looking for an economic advantage and state-sponsored attackers looking to disrupt or cripple a rival country’s economy (such as the suspected attacks by Russian hackers on power companies, government agencies, and banks in Ukraine starting in 2015). 

Mining Companies

Both state-sponsored attackers and corporate interest groups view mining companies as treasure troves of valuable data and may seek to use cyber espionage tactics to gain unauthorized access to geological exploration research (including details on the location and value of natural deposits), corporate strategy documents (containing pricing information), and sensitive information on proprietary extraction and processing technologies. 

At the same time, insights into business strategies and mine values could be leveraged during merger and acquisition negotiations in an effort to outbid a competitor or lower the price of an acquisition target. Stolen trade secrets and IP can also be used to reduce R&D costs for the attacker, providing a long-term competitive advantage. A good example of cyber espionage in action within the mining industry came in 2011 when global mining company BHP Billiton was targeted by both state-sponsored attackers and competitors in an attack that sought to gain access to market pricing information for key commodities. 

Energy Providers, Including Oil & Gas

Oil and gas companies, as well as other energy providers, are also vulnerable to cyber espionage attacks. In 2021, many large international oil and gas companies were targeted in an attack that leveraged malware called Agent Tesla and other RATs (remote access trojans) to steal sensitive data, banking information, and browser information by logging keyboard strokes. While the Agent Tesla cyber espionage campaign mainly targeted energy companies, the attackers also targeted a small number of organizations in the IT, manufacturing, and media industries. 

By fortifying your current cybersecurity posture, keeping security top of mind, and investing in robust and comprehensive employee cybersecurity training, you can help ensure your OT assets and other critical systems are better able to fend off potential cyber attacks. 

Phishing Attacks Target OT Assets As Well

Phishing attacks have begun to target OT assets and networks as well as IT networks. As such, all OT personnel should undergo cybersecurity training that includes how to identify potential phishing scams, what to do if they suspect they have been targeted by a phishing scam, and whom to report the potential scam to for further investigation.

Securing Your OT Devices: Steps for All Organizations

Take a Proactive Approach

As the old saying goes: the best offense is a good defense. A proactive approach to cybersecurity includes: 

Learn What to Look For

When it comes to cybersecurity and suspicious activities, it’s critical that your entire team knows what sort of red flags to look for. While false alarms can temporarily divert personnel from other critical tasks, underreporting can allow threats to slip through, so it is always best to err on the side of caution.

To help identify and investigate suspicious activities, many organizations turn to managed SIEM solutions. SIEM experts have extensive experience with cybersecurity and stay up to date on the continually evolving threat landscape, which allows them to quickly assess potentially suspicious activities and attacks that could impact your OT ecosystem.

You should also seriously consider investing in a managed firewall solution. Unlike passive firewall programs, managed firewall solutions include access to a team of security experts, who will monitor and fine-tune your firewall as well as ensure all necessary security patches are downloaded and implemented as soon as they become available. 

Invest in Network Mapping & Connectivity Analysis

It’s really easy to get lost without a map. Network mapping allows you to understand the physical and digital locations of all devices on your network, pinpoint issues, and isolate potentially compromised equipment quickly and effectively. This way, should an incident such as a malware or ransomware attack occur, your security team can quickly isolate infected machinery from the rest of the network, limiting or even preventing damage and disruption. 

Implement a Zero-Trust Framework

Zero-trust frameworks are built on the security philosophy of “never trust, always verify”. A zero-trust system treats every person, device, application, and network as a potential threat until it has been properly vetted and verified. As such, each entity must prove its legitimacy (essentially show its digital ID badge) before it is allowed to connect to the OT network.

Many zero-trust systems rely on two-factor or multi-factor authentication (MFA) tools, which require users to provide more than one form of identification. Typically, a user must provide a username and password as well as an additional proof of identity, such as a short-lived code sent to their mobile device, a fingerprint scan, or the correct answer to a security question. By adding this extra layer of verification, you make it more difficult for an attacker to gain access to your OT systems.

Control Identity & Access Management

Not every worker needs to be able to access every part of your network, and overly-permissive access can pose a serious security risk. Controlling who is able to access what parts of your system is a critical piece of your overall cybersecurity posture, especially since every set of access credentials issued presents another potential entry vector for attackers. 

If an employee falls for a phishing scam or leaves their credentials unsecured or exposed, it could allow attackers to access critical systems or gain access to sensitive information. As such, all organizations should:

  • Educate employees about the importance of safeguarding their access credentials
  • Teach employees about the dangers of credential sharing
  • Adopt a least-privilege policy, and ensure it is maintained across your organization. This will limit access rights to those users who absolutely need them.
  • Revoke access privileges of former employees as soon as possible. Attackers will often look to leverage dormant accounts, and since the person the account is intended for is no longer using it, the use of these credentials is often not discovered right away.
  • Revoke temporarily-granted access for visitors, guests, and other third parties as soon as it is no longer required.
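The access-review checks in the list above, written out as an added example (not VirtualArmour's code). The grant inventory, the 90-day dormancy window, and the rule that admin rights on "plc-" systems must be re-justified are constructed assumptions for illustration:

```python
"""Periodic access review for an OT environment.

Added example, not VirtualArmour code. The grant inventory, the 90-day
dormancy window and the "plc-" naming convention are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

DORMANT_AFTER = timedelta(days=90)   # assumed: unused this long counts as dormant
TODAY = date(2022, 3, 1)             # fixed "today" so the example is reproducible


@dataclass
class Grant:
    user: str
    system: str
    role: str                  # e.g. "operator", "admin", "vendor", "guest"
    active_employee: bool      # False once HR offboards the holder
    expires: Optional[date]    # set for temporary visitor / third-party access
    last_used: Optional[date]  # None means the credential has never been used


def review_grants(grants: List[Grant], today: date) -> Dict[Tuple[str, str], List[str]]:
    """Map (user, system) -> reasons the grant should be revoked or re-justified.

    Grants with no findings are omitted, so an empty result means the
    inventory is clean under these rules.
    """
    findings: Dict[Tuple[str, str], List[str]] = {}
    for g in grants:
        reasons: List[str] = []
        # Former employees: revoke immediately. These accounts are attractive
        # because nobody legitimate notices them being used.
        if not g.active_employee:
            reasons.append("holder is no longer with the organization; revoke")
        # Temporary third-party / visitor access that outlived its purpose.
        if g.expires is not None and g.expires < today:
            reasons.append(f"temporary access expired {g.expires.isoformat()}; revoke")
        # Dormant credentials: never used, or idle beyond the window.
        if g.last_used is None or today - g.last_used > DORMANT_AFTER:
            reasons.append("no use inside the dormancy window; confirm still needed")
        # Least privilege: admin on a control system must be justified, not default.
        if g.role == "admin" and g.system.startswith("plc-"):
            reasons.append("admin rights on a control system; re-justify under least privilege")
        if reasons:
            findings[(g.user, g.system)] = reasons
    return findings


# Constructed sample inventory (not real accounts).
SAMPLE_GRANTS = [
    Grant("alice", "hmi-01", "operator", True, None, date(2022, 2, 28)),
    Grant("bob", "plc-07", "admin", False, None, date(2021, 11, 3)),
    Grant("vendor-acme", "plc-07", "vendor", True, date(2022, 1, 15), date(2022, 1, 10)),
    Grant("visitor-smith", "guest-wifi", "guest", True, date(2022, 3, 10), None),
]


def review_sample() -> Dict[Tuple[str, str], List[str]]:
    """Run the review over the constructed inventory as of TODAY."""
    return review_grants(SAMPLE_GRANTS, TODAY)


if __name__ == "__main__":
    for (user, system), reasons in sorted(review_sample().items()):
        print(f"{user}@{system}:")
        for r in reasons:
            print(f"  - {r}")
```

Run on a real export of your identity provider or directory, the same rules give the offboarding and third-party checks above a repeatable, auditable form.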

Create an OT Systems Management Program

An OT systems management program is a great way to ensure you are covering all of your security bases. Most programs typically include:

  • Asset inventory management
  • Lifecycle management, including:
    • Defining system requirements to ensure desired physical system outcomes
    • Establishing specifications to ensure security and reliability
    • Control and supply chain management over these systems
    • A schedule for replacing outdated components
  • Configuration management
  • Patch and vulnerability management
  • Network and system design
  • User and account management
  • Log and performance monitoring (critical for both reliability and security)
  • Incident and trouble response
  • Backup and restore functionality

A good OT systems management program offers a wide range of benefits, including:

  • Providing valuable insights into all hardware and software on your OT network, allowing your security team to identify vulnerabilities swiftly
  • Properly updating and configuring systems, which reduces attack surface areas
  • Providing a way for your team to update automation systems for key operational tasks in an operationally efficient manner 
  • Providing a mechanism that handles reporting and monitoring across your OT and IT systems in a consistent manner, thereby simplifying the reporting process.
  • More advanced and effective security controls by offering both proper visibility and access to underlying endpoints and other network infrastructure

Segment Your Network

Network segmentation is a great way to safeguard your most valuable OT assets and systems. Segmenting your network is a physical security measure that sections off vulnerable or sensitive systems and networks from the wider network. In IT, this may take the form of segmenting the accounting department’s network (which contains both private financial information and sensitive employee information) from less-critical or sensitive areas of the network, such as the guest wifi.

Network segmentation is becoming increasingly common in organizations that deal with critical infrastructure, including oil and gas companies, power companies, utility companies, and manufacturing companies, and is a great way to improve your security posture by better isolating and safeguarding critical and sensitive systems and assets. 

Consider Partnering with a Trusted MSSP

Securing your OT assets and networks against cyber attackers can be a daunting prospect, particularly for organizations without their own in-house cybersecurity teams. Fortunately, experts like VirtualArmour are here to help. Our team has extensive experience working with companies in a variety of OT-heavy industries, including the energy sector, mining, and manufacturing.

We offer a variety of security services, including:

We also offer tailored services à la carte, allowing you to select the services your organization requires so you can create a personalized premium or essential services package designed to meet your organization’s unique needs. We are also pleased to offer personalized, one-time expert consults.

With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring and assistance, as well as industry-leading response times. Whether you are looking to assess your current OT cybersecurity posture, update or create your incident response plan, or coordinate employee training via our VirtualArmour Academy, the experts at VirtualArmour are here to help. For more information or to get your free, no-obligation quote or free cyber risk report, please contact our team today.

What the War in Ukraine Means for American Cybersecurity Engineers


The Russian invasion of Ukraine has shocked the world, driving millions from their homes as they seek safety. However, in the internet age, wars aren’t fought in the physical world alone, and cyber warfare has become an increasingly serious threat. 


The Invasion of Ukraine is Already a Cyberwar

Though most news coverage of the situation focuses on developments in the physical world, early cyber skirmishing has already begun. Cyberattacks recently targeted the Ukrainian defense ministry and two banks, in what the country’s deputy prime minister described as the largest attack of this type ever seen in the country.

While the Kremlin has denied they are behind the denial of service attacks, the disruption has brought concerns about the threat of cyberconflict into the spotlight. Ilya Vitayuk, the cybersecurity chief of Ukraine’s SBU intelligence agency, has stated that it is still too early to definitively identify the perpetrators behind the attack. This is because, as with most cyberattacks, the perpetrators worked hard to cover their tracks. However, he also added, “The only country that is interested in such … attacks on our state, especially against the backdrop of massive panic about a possible military invasion, the only country that is interested is the Russian Federation.”

Ukraine has accused Russia of cyberattacks in the past and believes the Kremlin is behind a string of cyberattacks against Ukraine starting in 2014. In an age when war is fought on battlefields, both physical and digital, combat is no longer confined to combatants on the ground. While Ukraine’s SBU has made cybersecurity a major security focus in the current conflict, a cyberattack on Ukraine by Russia or its allies could have wide-reaching consequences for Ukraine’s allies as well. As such, countries and private organizations alike need to remain vigilant.

The American Government Prepares to Respond

Cyberattacks, even those specifically targeting Ukraine, could seriously impact the United States. 

In response to the invasion of Ukraine, CISA (Cybersecurity and Infrastructure Security Agency) has issued a statement. Entitled Shields Up, it states (as of the writing of this article):

“While there are no specific or credible cyber threats to the US homeland at this time, Russia’s unprovoked attack on Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, may impact organizations both within and beyond the region. Every organization—large and small—must be prepared to respond to disruptive cyber activity. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyber-attacks. When cyber incidents are reported quickly, we can use this information to render assistance and as a warning to prevent other organizations and entities from falling victim to a similar attack.”

President Joe Biden has announced the American government is prepared to respond to cyberattacks from Russia if necessary, and “For months, we have been working closely with our private — with the private sector to harden their cyber defenses, sharpen our ability to respond to Russian cyberattacks, as well.” NBC News also reported that President Biden has a “menu of options for the US to carry out massive cyberattacks designed to disrupt Russia’s ability to sustain its military options in Ukraine.”

However, as the Shields Up announcement indicates, cyberwarfare concerns are not contained to the national and international stage. Organizations of all sizes and in all verticals need to be taking appropriate steps to proactively safeguard their digital assets. 


What Sort of Cyberattacks Should We Anticipate?

While we have no way of knowing exactly what sort of attacks the cyber warfare front of the Ukraine-Russia conflict will bring, we can look to a history of previous international attacks for guidance. According to Forbes, organizations should be prepared to handle:

Advanced Persistent Threats (APTs)

APT is a broad term for any attack campaign in which an attacker, or group of attackers, establishes an illicit, long-term presence on a network in order to covertly mine highly sensitive data. Most intrusions of this nature that target private companies focus on the theft of intellectual property, the compromise of sensitive data (such as employee or private user data), the sabotage of critical infrastructure (such as deleting database data), or the takeover of websites for illegal financial enrichment, but the strategies deployed against private companies can be used against nations and companies alike.

With cyber warfare on our doorstep, now is the time to batten down the hatches and strengthen your cybersecurity posture. By improving your overall security posture, you can proactively guard against APTs by making it difficult for intruders to infiltrate your network in the first place, preventing them from establishing a covert, long-term presence.

Malware

Malware refers to any form of malicious software, typically spread by infected email attachments and suspicious website links deployed as part of phishing scams. While most email providers automatically filter out suspicious messages, one of the best steps organizations can take to improve their cybersecurity posture is to invest in employee cybersecurity training. 

Cybersecurity is everyone’s responsibility, from the CEO down to the summer intern. Teaching workers to identify and report suspicious activities can stop an attack before it even begins, so all team members should receive robust cybersecurity training as both part of their onboarding process and on an ongoing basis. 

Ransomware

Ransomware is a subset of malware, which uses malicious code to encrypt files and prevent legitimate users from accessing data or systems on either their individual machine or the organization’s network. 

DDoS

DDoS (Distributed Denial of Service) attacks are attempts to crash a web server or other online service by flooding the supporting infrastructure with more traffic than the network can reasonably handle. 

This type of attack can be instigated by either a large group of attackers working together or a single attacker with a sufficiently large botnet (connected computers performing repetitive tasks as directed by the user in charge). The goal of DDoS attacks is to overload the server, forcing it offline and preventing legitimate users from accessing the organizations’ products or services. 

Network Security Attacks

Network security attack is an umbrella term for attacks aimed at disrupting an organization’s networks and systems for a variety of reasons, including causing service disruptions, stealing data, or corrupting files. While this is often done for financial gain, in the case of the cyberwarfare front of Russia’s attack on Ukraine, it is likely to be for political or military gain.

To help safeguard themselves from these types of attacks, organizations should be taking proactive steps to safeguard their networks from network breaches. 


What Steps Should Your Organization Be Taking to Best Safeguard Your Digital Assets?

Follow All Current Advice From Your National Cybersecurity Authority

The situation, both on the ground in Ukraine and in the digital sphere, is continually evolving, with new threats always on the horizon. To best safeguard your organization, it is vital to stay up to date on the situation and follow the current advice of your national cybersecurity authority. 

Establish A Relationship With Local Governments in Jurisdictions Where Your Company Operates

  • In the United States, InfraGard is responsible for coordinating information sharing between critical infrastructure providers.
  • Organizations operating in the United Kingdom should review information provided by NCSC’s Critical National Infrastructure hub.
  • Organizations in the European Union should speak to their local CSIRT (Computer Security Incident Response Team) and CERT (Computer Emergency Response Teams) contacts. A full list of these can be found here
  • In Germany, the BSI (Federal Office for Information Security) has released several cybersecurity warnings related to the situation. Current security warnings can be found here
  • In Australia, the Australian Cyber Security Centre (ACSC) is providing guidance using ongoing alerts. You can also register to receive alerts from ACSC, and they provide general cybersecurity advice for small and medium businesses and organizations and critical infrastructure

Success Depends on Interorganizational Trust

Even the most comprehensive, best-designed cybersecurity strategy can be easily undermined if your organization lacks interdepartmental trust. A solid relationship between stakeholders and your security team is critical if you want to keep your organization secure. 

Building trust can be hard, but there are concrete steps your security team can take to build stakeholder trust. This includes:

Overcommunication 

Clear, concise, focused, and on-point communication is critical, and there is no such thing as too much information. Too many stakeholder-security team conflicts are rooted in a lack of communication, miscommunications, or misunderstandings. Opening the lines of communication, and keeping them open, is an excellent way to build trust.

Honesty & Transparency

When it comes to cybersecurity, honesty is the best policy. When it comes to admitting fault, acknowledging a mistake, or delivering bad news, stakeholders and security teams alike appreciate honesty. By being honest about your organization’s current security posture (including any deficiencies), security and stakeholders can work together to fortify your organization’s cybersecurity posture. 

On the other hand, lies, omissions, and misrepresentations cause cracks in your cybersecurity posture and foster inter-organizational distrust, with potentially disastrous consequences. All trusting relationships are built on a foundation of honesty.

Diligence

Hard work, dedication, and commitment from both your security team and your stakeholders is critical for building organizational trust. Both sides of the table need to know that the other side is working hard to fulfill their obligations and is willing to own up to any mistakes or shortcomings. It’s a lot easier to build trust when you know the rest of the team has your back.

A Willingness to Listen & Accept Feedback

Communication is a two-way street, and both stakeholders and security teams need to be willing to listen and accept honest feedback and not dismiss the other side’s suggestions and concerns out of hand. When one side feels that the other isn’t taking their concerns, expertise, or advice seriously, it undermines the relationship and damages trust, weakening the organization and compromising its security posture. 

Action

Talk is great, but only when it is followed by concrete action. When either the security team or the stakeholders promise to do something, the other side needs to see that they will follow through. When we can’t trust our teammates to act on their promises, those promises become meaningless. 

That being said, we are only human, and sometimes promises are broken. When this happens, it is critical to acknowledge that the promise was not honored, provide an explanation (budgetary concerns, staffing shortages, etc.), amend the promise so it can be reasonably accomplished, commit to action, and then act to fulfill the promise. A cycle of inaction and broken promises can impact more than your cybersecurity posture; it can poison your organization, driving away good workers and demoralizing those who remain.   


Initiate a “Request for Intelligence” From Your Threat Intelligence Partner

You can’t adequately defend yourself if you don’t know what you are defending against. A request for intelligence is a comprehensive report compiled by your threat intelligence partner. When requesting your report, make sure you specify your intended audience (such as your board of directors or security team) and any specific concerns you may have so that your vendor can tailor the report accordingly and ensure all critical and relevant information is included. 

A good request for an intelligence report should go beyond the normal overviews your partner is providing and should include specific concerns related to your vertical, industry, and operating locations. It should also provide information on threat actors you should be concerned about, as well as the TTPs (tactics, techniques, and procedures) those threat actors typically use. 

Collaborate Closely With Your Security Vendors

Your security vendor needs to take a proactive role when it comes to preparing your organization for cyber conflict and defense. 

  • Vendor account representatives can help ensure your organization receives the correct level of care and attention and help you get the most out of your security products and services.
  • You should also work closely with your product vendors to confirm turnaround times and automation options for ruleset and patch updates (to ensure your software automatically downloads and installs security patches as soon as they are made available).

A good vendor should be already communicating with you about the situation in Ukraine, but if you have not received any communications, you should reach out directly to your vendor, representative, or support team.

Keep an Eye Out for Disinformation & Misinformation

Disinformation and misinformation featured heavily in the lead-up to the conflict in Ukraine. On February 3rd, 2022, the United States even predicted that Russia might use fake graphic videos as a pretext for invasion, a prediction that came true two weeks later. Videos like these and other forms of misinformation and disinformation serve two purposes: to bolster internal sentiment for an invasion (or justify an ongoing invasion) and distort the narrative abroad. 

As such, it is vital to get your news from trustworthy sources and rely on the advice of local and national leaders as well as your security team to ensure you are getting the facts. As the situation continues to evolve, it is also vital that you are keeping your incident response plans up to date and keeping the lines of communication open both across your organization and between your organization and relevant third parties, such as your managed security services provider (MSSP) and relevant government bodies. 

Consider Adopting Secure Communications Tools

Organizations that are concerned about the security and privacy of their business communications (including eavesdropping, data loss, communications metadata exposure, or non-compliance) should consider increasing communications security or switching to more secure communications tools. Organizations with employees in and around Ukraine should also be aware that those individuals may face communications disruptions.

Encrypted messaging and calling solutions like Element and Wickr are ideal for low-bandwidth environments and can be used to enhance the security of your everyday communications as well as work as out-of-band communication channels during incident responses. They can also be used to provide traveling executives with improved communications security. If you are concerned about the security of your current in-house communication tools or are looking to replace them with a more secure option, your managed security services provider can help you make the right choice for your organization. 

Build Out Your Incident Response Ranks

Small and medium-sized organizations often don’t have the resources to support a full, in-house cybersecurity team, which is why many choose to partner with an MSSP. A good MSSP can help you augment your in-house security team, provide employee cybersecurity training, and help you evaluate your current cybersecurity position and incident response plans.

Should an incident occur, your MSSP can help you respond effectively (mitigating, or even eliminating, damage), conduct a thorough investigation into the root cause of the incident, and help you prepare any reports required for relevant legislative bodies (such as GDPR, HIPAA, or CCPA).

Safeguard Your Endpoints & Practice Good Software Hygiene 

Safeguarding your endpoints (smartphones, laptops, and tablets that have access to your network) and hosts (the servers and other systems on your network) is vital. Endpoint detection and response (EDR) involves using tools and solutions to detect, investigate, and mitigate suspicious endpoint and host activities. Unlike traditional anti-virus software, EDR isn’t reliant on known behavioral patterns or malware signatures, allowing it to quickly and easily detect new threats. Depending on the nature of the threat it has detected, EDR is also designed to trigger an adaptive response (much like your immune system springing into action).

One of the easiest yet most critical steps any organization can take to improve their security posture is to keep all their software up to date. When software developers discover vulnerabilities in their products, they release patches to address them. Cybercriminals often target recently patched software in the hopes that not all organizations have been as diligent as yours about installing new security patches. Installing patches takes a few minutes, and the process can often be automated and scheduled so that patches are installed during non-business hours to completely eliminate downtime. 

Take Proactive, Preventative Steps Before an Incident Occurs

As the old saying goes, the best defense is a good offense. By being proactive and shoring up your cybersecurity defenses before an incident occurs, you stand a better chance of mitigating or even eliminating damage. Regular pen (penetration) testing, which involves hiring an ethical hacker to stress-test your defenses and search for vulnerabilities, can help highlight security deficiencies so they can be addressed before a cyber attacker is able to exploit them.

Investing in ongoing cybersecurity training is also critical: Employees who can’t identify potential threats are more likely to fall for things like phishing scams, and employees who don’t know how to respond to an incident won’t be able to respond effectively. As such, it is critical that you review your incident response plans regularly and make sure all relevant stakeholders are kept up to date.

You may also want to consider running tabletop scenarios. Tabletop scenarios work like cyber incident fire drills: Your team is presented with a hypothetical scenario and asked to respond, allowing them to put their cybersecurity training to use in a no-stakes environment. Tabletop scenarios not only familiarize your employees with potential threats and help them hone their response skills, but they are also a great way to identify and address security gaps before they can be exploited. 

Concerned About Your Cybersecurity Stance? VirtualArmour is Here to Help!

The situation in Ukraine has put many organizations on edge, and trying to figure out how to shore up your organization’s cybersecurity defenses against cyber conflict may be overwhelming. Fortunately, the VirtualArmour team is always here to help.

We offer a variety of security solutions, including:

We also offer tailored services à la carte, allowing you to pick and choose the services your organization requires to create your own premium services package or essential services package. We also offer personalized, one-time expert consults.

We have extensive experience working with organizations in a variety of highly-specialized industries, including energy, finance, healthcare, and retail, and are well-versed in the unique security and IT challenges faced by service providers. With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring and industry-leading response times. 

Our team of experts can help you assess your current cybersecurity posture and create or update your incident response plans. We also provide cybersecurity training through our VirtualArmour Academy. For more information or to get your free, no-obligation quote or free cyber risk report, please contact our team today.

Suggested Reading & Useful Links

The Cybersecurity Situation in Ukraine

The situation in Ukraine is constantly shifting, and it can be hard to stay up to date and get the facts your team depends on to best inform your cybersecurity posture. To help you get the information you need, we have compiled a list of links to relevant organizations below. 


Educational Articles from VirtualArmour

Cybersecurity is a complex and continually evolving field. To best safeguard your organization and its digital assets, it’s important to stay up to date. 

To learn about the latest news and developments in the cybersecurity sphere, please consider visiting our Articles and Resources page and reviewing the educational articles listed below.


Ransomware: Don’t Get Locked Out


Over the past few years, ransomware has become increasingly sophisticated and remains distressingly common. As such, all organizations need to be taking steps to shore up their cybersecurity defenses in the wake of this common and devastating threat. To help you get the information you need, we sat down with VirtualArmour SOC engineer Kurt Pritchard to discuss what ransomware is, a brief history of recent notable ransomware attacks, and what steps your organization can take to improve your cybersecurity posture.

If you have recently experienced, or are currently experiencing, a ransomware attack, please contact our team straight away and consider reviewing our educational article: Hacked? Here’s What to Know (and What to Do Next).


What is Ransomware?

The National Cyber Security Centre in the United Kingdom defines ransomware as a type of malware that prevents legitimate end-users (such as you or your employees) from accessing a computer, tablet, or smartphone on your network or the data that is stored on the infected device. 

A ransomware attack can also spread quickly, locking users out of multiple infected machines and cutting you and your employees off from all the data stored on your local network. Once the device has been seized, and the files have been encrypted, the attacker typically demands payment (the ransom), frequently in cryptocurrencies, before promising to unlock the impacted devices and restore usability. 

However, even if the ransom is paid, the attacker may not follow through on their end, leaving many organizations with locked devices and encrypted files even once the ransom has been paid.

Even if You’re Locked Out, The Attacker Isn’t

Users also need to be aware that while the attack prevents them from accessing the impacted device, it remains fully accessible to the attacker. As such, the data stored on it may be stolen, deleted, or encrypted during the attack. Depending on the nature of the data impacted, this can lead to serious legal and regulatory issues, as well as serious reputational damage.  

Ransomware & Phishing Attacks Go Hand-in-Hand

Ransomware typically targets users using social engineering, specifically phishing attacks. During a phishing attack, the cybercriminal poses as someone the user trusts (such as their boss or the company’s bank) and then tricks them into handing over sensitive information such as usernames and passwords or granting the attacker administrative privileges. 

Doxware: A Subset of Ransomware

Doxware (also called extortionware) is a type of ransomware. However, unlike traditional ransomware, doxware typically involves seizing sensitive files and threatening to release confidential information on the open internet. Such information could include private financial records, sensitive proprietary information, or other data that organizations do not want shared freely. Another major difference is that doxware typically targets individual sensitive files (such as financial reports), while ransomware typically targets the device’s entire hard drive.


Ransomware May Have Peaked in 2017, but Remains a Serious Threat

Though information from Google Trends strongly suggests that ransomware peaked in 2017 with the devastating WannaCry attack, more recent attacks such as those conducted by the cybercriminal group REvil and the supply chain attack that targeted Kaseya software users remind us that ransomware remains a serious threat. 

WannaCry: The 2017 Attack That Crippled the NHS

WannaCry targeted a number of organizations, including the National Health Service (NHS) in the United Kingdom, impacting both hospitals and doctors’ surgeries, compromising medical care for patients, and putting lives at risk. 

The WannaCry ransomware attack on the NHS ran from May 12th, 2017, to May 19th the same year and left doctors, nurses, and other healthcare professionals scrambling to care for patients while the IT system remained completely inaccessible. As a result of the attack, healthcare professionals were unable to access vital information, such as patients’ electronic documents, and critical life-saving devices such as MRI and CT scanning facilities were knocked offline. 

In total, around 230,000 computers in approximately 150 countries were impacted.

The attackers demanded $300 in Bitcoin per machine in exchange for decrypting the impacted files. However, the attackers also introduced a time limit: If the payment wasn’t submitted within three days, it would double to $600 in Bitcoin. Unfortunately, some researchers who did pay the ransom were still unable to decrypt their files, and priceless research data was lost forever. 

WannaCry has been hailed as one of the most widespread and damaging cyberattacks to date. 

The Kaseya Attack Highlighted a New Trend in Ransomware: Supply Chain Attacks

Though WannaCry may be behind us, ransomware attacks continue to grow in both number and sophistication, with an increasing number of devices being impacted. 

One way ransomware is evolving is the recent trend of delivering ransomware indirectly, through a trusted third party, as in the case of the Kaseya attack of 2021. The group behind the attack, the Russian cybercrime group REvil, launched a ransomware attack targeting Kaseya (a cybersecurity company well known for their remote monitoring and management software) on July 2nd, 2021. However, unlike most ransomware attacks, the cybercriminals didn’t attack their victims directly but instead used Kaseya as an unknowing intermediary to target organizations that relied on Kaseya’s monitoring software. 

Unfortunately for the 200 businesses affected by the attack, Kaseya was the perfect target. According to John Hammond, a senior security researcher at Huntress, the Kaseya attack was “a colossal and devastating supply chain attack”, noting that because Kaseya is plugged into everything from large enterprises to small companies, “it has the potential to spread to any size or scale businesses.” This is because Kaseya’s VSA (virtual system/server administrator) is integrated into desktops, network devices, printers, and servers – leading to a potentially limitless impact. Ransoms varied from user to user, with demands ranging from a few thousand dollars to $5 million or more per organization.

Fortunately, REvil group members were arrested in Russia last January, with the FSB (Russia’s intelligence bureau) stating that the group now “ceased to exist”.

Beyond Desktops & Laptops: Ransomware Attacks Now Targeting Android Smartphones

With users relying on their phones now more than ever, ransomware attackers are taking notice. Charger, a new ransomware program specifically designed to target Android smartphones, targeted unwitting users who downloaded the EnergyRescue app (purportedly designed to enhance the battery life of phones and tablets). Impacted users were subject to a ransomware attack that began by stealing contact data and text messages from the infected device. 

Next, the ransomware program asked users to grant it administrative permissions. Once the ransomware had admin access, the ransomware would begin to run, locking users out of their devices and demanding payment. The message warned that users who failed to pay up would remain locked out (ransomware) and have portions of the private information they had stored on their phone sold on the internet “black market” every 30 minutes (doxware).

Though it is still unclear who was behind the Charger ransomware, researchers noticed that one of the first things Charger did when installed was check the device’s location settings. If the device was located in Ukraine, Russia, or Belarus, the malicious code remained dormant, suggesting the cybercriminals behind the attack may be based in Eastern Europe. 

Android’s security team has since removed the EnergyRescue app from the Play Store, and though the malware is thought to have infected only a handful of devices, it remains an important example of how ransomware is evolving and may now include both ransomware and doxware strategies in a single attack. This incident also illustrates why it is important to only download applications and other forms of software from companies and developers that you know and trust and that if something appears too good to be true, it likely is.


Safeguarding Your Business and Its Digital Assets

Ransomware remains a serious threat to organizations of all sizes and in all industries and verticals. However, there are steps you can take to improve your cybersecurity posture and better secure your organization’s data and devices. 

Trust is Key: Opt for Reputable (& Verified) App & Software Developers

Make sure you, your employees, and anyone else whose devices have access to your network are only using apps and software from trusted companies such as Microsoft or Adobe rather than unknown, potentially malicious companies. 

It also doesn’t hurt to independently verify that the “new Microsoft app” was actually developed by Microsoft and not by a suspicious actor looking to catch distracted users unaware. 

Everything Has a Price: Don’t Let it Be Your Privacy or Security

Everything has a price, whether the cost is laid out upfront or not. An app that promises to give you access to normally expensive software (such as the Adobe suite or a program that promises the same functionality) for free or at a fraction of the cost should give you pause. If you aren’t paying for it, it usually means you’re the product, not the customer. 

It’s always better to opt for a paid program or app from a reputable source than to download the “free version” from an unknown or suspicious entity in the name of saving a bit of money. If the app or program is full of ransomware or other forms of malware, you could end up paying much more than you bargained for.

Read Your Emails Carefully

Before you open that file or download that form, make sure to do your due diligence and check who it is from. If the sender appears to be your boss, your bank, or another trusted entity but they are asking you to do something irregular (such as purchase a large number of gift cards, hand over your login credentials, or provide your banking details), make sure you reach out independently (such as by phone) to verify the request.

You should also look for things like typos in the domain name (a lookalike domain that differs from the real one by only a character or two) or variations on the sender’s name. For example, if your boss is Jane Smith and her work email is at your company’s .com domain, but this email came from the same name at a .org domain, from a hotmail.com address, or from jansmith instead of janesmith, you should proceed with extreme caution and reach out to the purported sender independently for verification before you click on any links, download any files, or complete any other actions the sender has asked you to. 

If you don’t recognize the sender it’s always safer to leave the attachment unopened or the link unclicked and consider forwarding the email to your security team. Passing the email along will not only help you determine if the request is legitimate, but can help your security team track phishing attacks targeting your organization and its employees and improve security for everyone.  
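The sender checks described above (a known colleague’s name on an unexpected address, a near-miss local part, a lookalike domain) can be automated as a first-pass triage step before an email reaches a human. The following is an added example, not VirtualArmour’s code; the address book, the trusted domain, and every address in it are constructed placeholders.

```python
"""Flag e-mail senders that look like impersonations of known contacts.

Added example, not part of the original article. The contact list and the
domain below are constructed placeholders; a real deployment would load them
from the organization's directory.
"""
from __future__ import annotations

from email.utils import parseaddr

# Constructed address book: lower-cased display name -> canonical address.
TRUSTED_CONTACTS = {
    "jane smith": "janesmith@example-corp.com",
}
# Constructed list of domains the organization actually sends mail from.
TRUSTED_DOMAINS = {"example-corp.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return the reasons a From: header looks suspicious (empty list = no flags)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["unparseable sender address"]
    local, domain = addr.rsplit("@", 1)
    reasons: list[str] = []

    # 1. A known colleague's display name attached to a different address
    #    (personal webmail, a different TLD, or a misspelt local part).
    expected = TRUSTED_CONTACTS.get(name.strip().lower())
    if expected and expected != addr:
        reasons.append(f"display name '{name}' is a known contact but address is "
                       f"{addr}, expected {expected}")
        exp_local, exp_domain = expected.rsplit("@", 1)
        if domain == exp_domain and 0 < edit_distance(local, exp_local) <= 2:
            reasons.append(f"local part '{local}' is a near-miss of '{exp_local}'")

    # 2. A domain that is a typo or TLD swap of a trusted domain.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            same_label = domain.split(".", 1)[0] == trusted.split(".", 1)[0]
            if same_label or edit_distance(domain, trusted) <= 1:
                reasons.append(f"domain '{domain}' resembles trusted domain '{trusted}'")
                break
    return reasons


if __name__ == "__main__":
    for header in ("Jane Smith <janesmith@example-corp.com>",
                   "Jane Smith <jansmith@example-corp.com>",
                   "IT Support <it@examp1e-corp.com>"):
        print(header, "->", check_sender(header) or "no flags")
```

A check like this only narrows the pile; the verification step the text recommends (reaching out to the purported sender through an independent channel) still applies to anything it flags, and it will not catch a legitimate mailbox that has itself been compromised.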

Backup Everything Regularly

Ransomware attacks prey on our fear of losing critical data. By regularly backing up all data stored on your network, you may be able to recover most, if not all, of the data that you can’t currently access without having to pay the ransom. Depending on the nature of your business, and the nature of the data being stored, you may want to consider opting for a cloud system such as iCloud, Google Drive, Microsoft OneDrive, or Dropbox or consider backing up your files locally using an external hard drive. 

However, before you make your final decision, you should ensure your preferred choice complies with all relevant security, privacy, and data protection standards, such as GDPR, HIPAA, or PCI DSS.

An Up to Date Operating System is a More Secure Operating System

One of the simplest things you can do to help keep your security posture strong is to keep your operating system and other software up to date. When developers discover vulnerabilities, bugs, or other security issues with their products, they develop and release patches to fix them. However, you can only take advantage of a new security patch if you actually download it, making out-of-date software a security liability. 

Because security patches are publicly announced, everyone, including cybercriminals, now knows about the vulnerability the patch is designed to fix. As such, attackers frequently target companies running recently patched software in the hopes that not all organizations are as diligent as yours about keeping their software up to date: It’s always better to invest the 20 minutes it takes to update your software than risk compromising your operational security. 

Anti-Virus Software Still Plays a Critical Role

While many people may think antivirus software is outdated, it still plays an important role in your cybersecurity defenses when combined with other security measures. Antivirus software is just one of many tools that, when combined appropriately with other security measures, help keep your organization safe.

It Always Pays to Have a Plan & Invest in Cybersecurity Training

Should your organization fall victim to ransomware or another type of cyberattack, it is critical you have an incident response program in place to help you and your team respond swiftly and effectively. All new employees should undergo cybersecurity training as part of your onboarding process, and all employees, from the CEO downwards, should also undergo regular cybersecurity training to keep their skills and knowledge top of mind and up to date.


Worried About Ransomware? VirtualArmour is Here to Help!

While the internet may feel like it is becoming more like the Wild West every day, there is hope. By partnering with organizations like VirtualArmour, you can take proactive steps to shore up your defenses and keep your data safe and secure. Our team of cybersecurity experts has your back every step of the way: Whether you are looking to develop or update your incident response plan, bolster your internal IT or cybersecurity team, or respond to an ongoing cybersecurity incident, we’re always here for you: 24/7/365. For more information, please contact our team today

Suggested Reading

Cybersecurity is a complex and continually evolving field, so it is vital that you stay up to date and in the loop if you want to safeguard your organization and its data effectively.

To help you stay on top of the latest cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.


About the Author

Kurt Pritchard is a SOC Engineer at VirtualArmour; you can learn more about him on his LinkedIn.

Hack the Chat


Chatbots, those little customer service pop-up menus on websites that ask how they can help you, are becoming ubiquitous, changing how users interact with both websites and the businesses behind them. 

Machine-learning programs such as Siri, Alexa, Google Assistant, and website chatbots have become one of the fastest online sales generating tools businesses have at their disposal. A 2016 study by Oracle found that 80% of businesses planned to onboard customer interaction AIs to their website, and a 2019 article by Gartner predicts that by the end of 2022, a full 70% of white-collar workers will interact with conversational platforms (chatbots) daily. 

However, while website chatbots are incredibly useful, they can also pose a security risk if appropriate cybersecurity measures aren’t taken. In this article, we will discuss how chatbots can leave your organization vulnerable and explore steps your organization should be taking to secure your website chatbot.

If your organization has recently experienced, or is currently experiencing, a cybersecurity incident such as a chatbot hack, please contact our team right away and consider reviewing our educational article: Hacked? Here’s What to Know (and What to Do Next).


How Chatbots Can Improve the Customer Experience

Chatbots offer many advantages to both customers and businesses. Chatbots allow customers to independently move down the sales funnel, offer users more information about your company’s products and services, and provide your company with valuable data on customer interests. 

By taking over these functions from live staff members, businesses can free up valuable team members for other business-building activities or reallocate the funds that would have been spent on sales staff wages for other uses. Chatbots are also not constrained by reasonable shift lengths or labor laws and never need sick days or vacations.  

When implemented correctly, chatbots can:

Identify Leads in Real Time

Chatbots allow you to engage with customers while they are using your app or website, catching them when they are most engaged. They also allow customers to get answers to common questions right away (an IBM study found chatbots can handle 80% of routine tasks and customer questions) and make the entire website experience more engaging. Chatbots can also gently guide customers towards the next sales funnel stage.

Improve User Engagement

Unlike human beings, chatbots can easily engage with multiple customers at once without losing focus. They can also regularly send customers product updates and offers, offer instant responses to customer inquiries, and are available 24/7/365. They can also be programmed using multiple languages to better engage with all of your target demographics.

Collect Valuable User Data & Engage in A/B Testing

Modern marketing runs on user data, and chatbots are well-positioned to collect it. Chatbots can seamlessly gather customer data in real-time (and ask follow-up questions to gain more information), analyze the data, and provide you with the information you need to continue to improve your products or services and reach new consumers.

Chatbots also allow you to conduct multiple A/B tests simultaneously (and much faster than manual A/B testing) and swiftly provide your team with test results and the chatbot’s analysis.


Chatbot Risks

Chatbots are a valuable tool, but like any digital tool, they are also vulnerable to cybercriminals. Without proper security precautions in place, chatbots can be used to:

  • Impersonate individuals 
  • Deliver ransomware and other forms of malware
  • Engage in data-theft
  • Alter data
  • Engage in phishing or whaling attacks

Many companies offer chatbot programs, but not every chatbot is as secure as it could be. Common chatbot vulnerabilities include:

Hack the Chat: How Bad Actors Are Taking Advantage of Chatbots

Before you implement a chatbot, you should ensure it meets your company’s existing security standards and make sure your team is aware of the types of attacks cybercriminals commonly use against chatbots.

Types of Chatbot Attacks

Network Hacks

Much like a burglar can creep through an unlocked window, cybercriminals can use unsecured or insufficiently secured chatbots to gain access to your network. As such, cybercriminals will frequently evaluate chatbots for potential vulnerabilities that can be exploited to gain wider network access.

Social Engineering Attacks Using Chatbots

Cybercriminals can also turn chatbots into tools of their own. If a cybercriminal already has an existing customer’s username, they may be able to leverage the chatbot in a social engineering scheme to reset the account password (granting the cybercriminal access), make unauthorized purchases, or change the payment information on the user’s account.

Real-time Chatbot Takeovers

In this scenario, a cybercriminal would have to have already infiltrated your website and be in a position to intercept customer communication via the chatbot. Because chatbots are an extension of your company, customers may let their guard down as they would around one of your human employees. 

Cybercriminals can take advantage of that presumed trust to ask users for sensitive personal information, such as social insurance numbers or credit card numbers, or direct users to send funds outside of usual payment avenues. 

Safeguard Your Website With These Chatbot Best Practices

Keep Your Software Up to Date

One of the easiest things any company can do to quickly improve their security is keep their software up to date. When software developers discover vulnerabilities, bugs, or other issues with their programs, they release patches to fix them. By downloading all security patches as soon as they become available, you can proactively safeguard your network and the digital assets stored on it. 

Unpatched software is also particularly vulnerable. Companies typically announce when a patch is released, alerting both legitimate users and cybercriminals. This can inadvertently increase a company’s chances of being targeted by cybercriminals as these criminals redirect their attention to companies that they know are using the recently patched software in the hopes of exploiting the vulnerability before all network users have downloaded the patch.

Hire an Experienced Chatbot Developer

While you may be excited to get your chatbot up and running, it pays to shop around and find a developer with chatbot security and design experience. Before you begin production, make sure to ask your developer how they plan to secure your chatbot and make sure their plan meets your high security standards.

Restrict Chatbot Use to Registered Users Only

While restricting chatbot use privileges to registered users may hinder your efforts somewhat from a sales perspective, it can pay attractive security dividends. Cybercriminals are always on the lookout for easy targets, and adding this extra layer of security both eliminates (or at least reduces) anonymity and makes your website chatbot a less appealing target. Requiring users to register with your website before using the chatbot is an easy to implement and cost-effective security measure.

Implement Two-Factor Authentication

In addition to requiring usernames and passwords, you may want to consider implementing two-factor authentication. This adds an extra layer of security during the login process, requiring users to enter two different pieces of information to verify their identity. 

This often takes the form of a strong password paired with a text message prompt or a hardware element. As such, for a cybercriminal to successfully log in to a legitimate user’s account, they would need the user’s username and password as well as access to the one-time code sent to the user’s phone or the physical hardware element attached to that user’s account.
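The one-time-code flow the paragraph describes has a few server-side details that decide whether it actually adds security: the code must come from a cryptographic random source, expire quickly, be usable only once, and lock after a handful of wrong guesses (a six-digit code has only a million possibilities). The following is an added example, not VirtualArmour’s or any product’s code; the SMS gateway is replaced by an in-memory stand-in, and the five-minute lifetime and five-attempt limit are assumed policy values.

```python
"""Second-factor one-time code: issue, deliver out of band, verify once.

Added example, not part of the original article. `send_sms` is an assumed
hook for an SMS gateway; MemoryOutbox stands in for it so the code runs offline.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

CODE_TTL = 5 * 60   # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5    # wrong guesses allowed before the challenge is locked (assumed)


class OneTimeCodeVerifier:
    def __init__(self, send_sms, clock=time.time):
        self._send = send_sms
        self._clock = clock
        # user -> [sha256 hex of code, expiry timestamp, attempts left]
        self._pending: dict[str, list] = {}

    def issue(self, user: str, phone: str) -> None:
        """Generate a fresh code from the CSPRNG, store only its hash, and send it."""
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[user] = [digest, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        self._send(phone, f"{code} is your login code; it expires in {CODE_TTL // 60} minutes.")

    def verify(self, user: str, submitted: str) -> str:
        """Return 'ok', 'wrong', 'expired', 'locked' or 'no_challenge'."""
        entry = self._pending.get(user)
        if entry is None:
            return "no_challenge"
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user]
            return "expired"
        candidate = hashlib.sha256(submitted.strip().encode()).hexdigest()
        if hmac.compare_digest(digest, candidate):   # constant-time comparison
            del self._pending[user]                  # single use: a replayed code fails
            return "ok"
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[user]                  # lock: user must request a new code
            return "locked"
        return "wrong"


class MemoryOutbox:
    """Stand-in for an SMS gateway; keeps sent messages so a demo can read the code back."""
    def __init__(self):
        self.sent: list[tuple[str, str]] = []

    def __call__(self, phone: str, message: str) -> None:
        self.sent.append((phone, message))

    def last_code(self) -> str:
        return self.sent[-1][1].split()[0]


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    outbox = MemoryOutbox()
    verifier = OneTimeCodeVerifier(outbox, FakeClock())
    verifier.issue("jane", "+1-555-0100")            # constructed phone number
    print(verifier.verify("jane", outbox.last_code()))  # ok
```

The attempt limit, not the hash, is what protects a six-digit code: a stored SHA-256 of a million-possibility secret is trivially reversible, so the hash only keeps the plaintext out of memory dumps and logs. The lifetime and attempt counter also belong in whatever store survives a restart, otherwise an attacker can reset the counter by forcing one.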

Install a Web Application Firewall (WAF)

Web application firewalls are designed to safeguard your website from malicious traffic and harmful requests. This is critical since it can help prevent cybercriminals or their botnets from using your chatbot to inject malicious code into your network (such as during a ransomware or other malware attack). 

Implement End-to-End Encryption on Chatbot Messages

End-to-end encryption is a critical security measure and should be used both for chatbot conversations and in any context where a message is sent from one person or entity to another (including chatbot sessions, email, and internal employee chat programs). 

Implement Authentication Timeouts

This simple step limits how long a user remains logged in before they are automatically logged out. If a user remains logged in but inactive for too long, a prompt window appears asking them to re-enter their login credentials or confirm that they are still active; the prompt may also inform the user that they have been logged out. This small design change can prevent crimes of opportunity, where a cybercriminal takes advantage of a still-logged-in user to wreak havoc. 

Self-Destructing Messages

While this may sound like something out of a spy movie, self-destructing messages are a great way to make your chatbot more secure. This security measure is just what it sounds like: either after a chat session has concluded or after a set amount of time has elapsed, all messages sent to the chatbot, and any sensitive information shared with it, are automatically erased. While some users may find this inconvenient, the inconvenience is outweighed by this approach's security benefits.  
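The authentication timeout and the self-destructing messages above are easiest to reason about together, because both come down to a clock and a periodic sweep. The following added example (not code from the original article or from VirtualArmour) is a constructed in-memory chatbot session store with an idle timeout, an absolute session lifetime, and a message time-to-live; the class name `ChatSessionStore` and the policy values are this example's own assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Policy values are constructed for the example; tune them to your own risk appetite.
IDLE_TIMEOUT = 15 * 60       # log out after 15 minutes without activity
MAX_LIFETIME = 8 * 60 * 60   # re-authenticate at least every 8 hours regardless of activity
MESSAGE_TTL = 10 * 60        # chat messages are erased 10 minutes after being sent


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    messages: list = field(default_factory=list)   # (sent_at, text) pairs


class ChatSessionStore:
    """In-memory session store with idle/absolute timeouts and message expiry."""

    def __init__(self):
        self._sessions: dict[str, Session] = {}

    def create(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[token] = Session(user=user, created=now, last_seen=now)
        return token

    def _expired(self, s: Session, now: float) -> bool:
        return now - s.last_seen > IDLE_TIMEOUT or now - s.created > MAX_LIFETIME

    def touch(self, token: str, now: float):
        """Validate a request: return the live Session, or None (ending it) if timed out."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if self._expired(s, now):
            self.end(token)
            return None
        s.last_seen = now   # activity resets only the idle clock, never the absolute one
        return s

    def post(self, token: str, text: str, now: float) -> bool:
        """Record a chat message; refused once the session has timed out."""
        s = self.touch(token, now)
        if s is None:
            return False
        s.messages.append((now, text))
        return True

    def history(self, token: str, now: float):
        """Transcript still held for a live session, or None if it is gone."""
        s = self.touch(token, now)
        return None if s is None else [text for _, text in s.messages]

    def end(self, token: str) -> None:
        """Logout or expiry: drop the session and wipe its transcript."""
        s = self._sessions.pop(token, None)
        if s is not None:
            s.messages.clear()

    def purge(self, now: float) -> int:
        """Background sweep: end timed-out sessions and erase messages older than
        MESSAGE_TTL in the live ones. Returns the number of messages erased."""
        erased = 0
        for token in list(self._sessions):
            s = self._sessions[token]
            if self._expired(s, now):
                erased += len(s.messages)
                self.end(token)
                continue
            kept = [(t, m) for t, m in s.messages if now - t <= MESSAGE_TTL]
            erased += len(s.messages) - len(kept)
            s.messages = kept
        return erased

    def active_count(self) -> int:
        return len(self._sessions)
```

The clock is passed in rather than read from the system so the policy can be tested deterministically. Note that the idle and absolute limits are checked on every request, not just by the sweep: an unattended session is refused the moment it is next used, and the sweep only ensures that data does not linger in memory for sessions nobody touches again.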

Put Your Chatbot to the Test With Pen Testing

As the old saying goes, the best defense is a good offense. Pen (penetration) testing involves hiring an ethical hacker (sometimes called a “white hat”) to stress test your defenses and try to break into your network. The pen tester documents any security gaps or deficiencies they find and then shares their findings and their recommendations with you and your security team once the test is complete. 

By proactively seeking out vulnerabilities, you can ensure these shortcomings are addressed before any actual cybercriminals can exploit them. 

Consider Offering a Bug Bounty

While this option can be risky because it involves actively inviting technically savvy users to look for security issues, offering a bug bounty can also pay off. Bug bounties are just what they sound like: if a user finds a security bug and tells your team about it, you offer them a reward as a thank you. 

Chatbots can be a great way to reach customers, improve the customer experience, and help move potential customers down the sales funnel. However, like all digital tools, chatbots can pose a risk to your company’s overall security if appropriate measures aren’t taken. 

Worried Your Chatbot is A Security Liability? VirtualArmour is Here to Help

Not everyone is a cybersecurity expert, and that’s okay. The VirtualArmour team is staffed by security experts from a wide selection of cybersecurity and IT disciplines. Whether you’re starting from scratch or improving an existing website or chatbot, our team is here to help. We offer a variety of services, including vulnerability scanning and managed firewall services.

For more information, or to start improving your company's security posture, please contact our team.

Suggested Reading List 

Cybersecurity is a complex and continually evolving field, and keeping up to date is critical if you want to safeguard your organization and its digital assets effectively. 

To help you stay up to date on the latest in cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.

Cybersecurity Basics For All Organizations

Cybersecurity Basics By Industry

Minimizing Your Risks

Common Threats (and How to Avoid Them)

What is the Difference?: MDR vs EDR

The GoDaddy attack last November once again highlighted how vulnerable our digital systems can be, prompting many organizations to re-think their current cybersecurity posture in the wake of this troubling, and escalating, trend. Though every organization brings with it unique security considerations, there are a few strategies and policies that all organizations should consider implementing.

The goal of cybersecurity is to safeguard your organization’s digital assets, including data and systems. Both EDR and MDR work to achieve this goal in different ways, and a good strategy will rely on both approaches to create a robust, more comprehensive cybersecurity strategy.

EDR: A Software-Focused Approach to Cybersecurity

EDR (endpoint detection and response) is a software-based cybersecurity approach designed to detect and respond to endpoint threats. Endpoints refer to any remote computing devices that are able to connect with your network, including computers, smartphones, tablets, servers, and IoT devices. Endpoints act like the doorways to your network, making them key points of entry for cybercriminals. As such, these portions of your network are vulnerable and require special security considerations.

Good EDR is Reactive… 

EDR is designed to safeguard these endpoints by using both tools and solutions to detect and address threats to your endpoints and hosts (such as networks). Should an endpoint or host become infected with malware or otherwise compromised, the software can also quarantine the affected systems or endpoints to help slow or stop the attack. EDR is incredibly valuable because it can detect advanced threats without relying on behavioral patterns or malware signatures like anti-virus software does. EDR can also trigger an adaptive response to a threat (much like your immune system responding to an infection), allowing your system to learn from the situation and adjust its response accordingly. This approach not only helps contain the situation at hand but also helps improve your threat responses moving forward. 

… But Also Proactive

In addition to learning from past incidents, good EDR also takes a proactive approach by seeking out new potential threats before they become actual threats. EDR is also able to gather data about the overall health of your network and record network activity. Should an attacker manage to slip past your defenses, this treasure trove of data gathered before, during, and after the attack will prove invaluable for identifying the root cause of the attack so that steps can be taken to improve your security moving forward. 

MDR: A People-Focused Approach to Cybersecurity

While EDR is a tool-based approach, MDR is a people-using-tools-based approach. MDR (managed detection and response) is a service that monitors your network 24/7/365 in order to detect, triage, and respond to cybersecurity threats.

EDR vs MDR

EDR works like a security system, setting off an alarm if a window is broken or a door is forced open in an attempt to scare off the intruder and alert the business owner that something is amiss. Unfortunately, even if the security system alerts the business owner, the owner may not immediately realize something is wrong. After all, she is a busy woman with a business to run. She is also only one person: if the break-in happens while she is asleep or in a meeting, she may not see the alert on her phone until she wakes up or the meeting has ended.

On the other hand, MDR is more like hiring a security guard: You already have an expert on-site, keeping an eye out for any suspicious activity. Should a break-in occur, the security guard can respond right away. That doesn’t mean that alarm systems aren’t useful, but they are more useful if you have a security guard keeping an eye on things as well.

MDR is one piece of the SOCaaS (security operations center as a service) ecosystem, helping create a holistic, turnkey solution to continuously monitor threats across your network. 

Good MDR Incorporates EDR

MDR solutions are empowered by EDR solutions, much like how a security guard is better able to perform their job because of an alarm system. MDR analysts and other cybersecurity experts are able to use the data gathered by the EDR system, as well as the abilities it provides, to more easily assess the threat and respond swiftly and appropriately. By leveraging EDR systems, your cybersecurity team can use the data the system has collected to better prioritize threats (such as identifying which users are logged in and which systems and files are being targeted) and move quickly to shut down impacted systems or institute quarantines to contain the threat and minimize or even avoid further damage.

MDR is a particularly effective approach for small and medium-sized organizations, which are less likely to have in-house cybersecurity teams to manage and respond to threats identified by their EDR systems. Many managed security services providers offer a variety of services that can be mixed and matched to suit your needs, whether you are looking to fully outsource your cybersecurity needs or simply augment your existing in-house security team.

Looking to Improve Your Security Posture for 2022? VirtualArmour is Here to Help!

Not everyone is a cybersecurity expert, and that’s okay. No matter your cybersecurity needs, VirtualArmour’s team of experts is always here to help. In addition to MDR, we also offer:

VirtualArmour also offers tailored services on an à la carte basis, allowing you to pick and choose the services your organization requires to create your own premium services package, essential services package, or tailored one-time expert consult. With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring as well as industry-leading response times. We have extensive experience working with a variety of highly specialized industries, including energy, finance, healthcare, and retail, and are well-versed in the unique security and IT challenges faced by service providers.

For more information about MDR, or to get started designing your custom MDR solution, please contact our team today.

Phishing Attacks are Evolving: What You Need to Know to Keep Your Company Safe

Phishing scams tend to peak during and around the winter holiday season, catching individuals and businesses alike unprepared. To help ensure you and your team have the information you need to identify and avoid these scams, we sat down with one of our VirtualArmour cybersecurity engineers to learn more about this common cybersecurity threat.

If you are currently experiencing, or have recently experienced, a cybersecurity incident, please contact our team for immediate assistance and consider reviewing our educational article: Hacked? Here’s What to Know (and What to Do Next). Our team can help you fend off the attack, identify the root cause of the issue, and create an actionable, comprehensive plan to help mitigate or even avoid further damage.

What is Phishing?

Phishing is a type of social engineering typically used to steal user data such as login credentials, personally identifiable information (PII), or payment card information. This type of cyber attack involves a threat actor masquerading as a trusted party (such as your bank) in order to trick you into opening an email, text message, instant message, or other electronic message and inadvertently handing over sensitive information such as personally identifiable information (such as your full name, birth date, or social insurance number) or payment information (such as your credit card number). 

Phishing attacks pose a serious threat at both the personal and corporate levels. Though most email spam filters are able to stop the most egregious attempts at phishing, even the best filters and firewalls aren’t able to catch everything. Phishing scams continue to evolve, and the sheer number of phishing emails alone is staggering. Research into the volume of email, spam, and malicious attachments and URLs directed at companies found that a company with 5000 employees will still have an average of 14,400 phishing emails arrive in employee inboxes each year, and those are just the emails that were savvy enough to get past the spam filter. 

With so many emails alone slipping past our defenses, employee training on how to spot and report potential phishing scams is key. However, many threat actors are changing tactics and moving away from email and towards other forms of electronic communication.

Phishing Tactics Have Evolved

When many of us think of phishing emails, we likely still picture a scammer pretending to be a fabulously wealthy prince from some faraway land promising riches in return for helping them covertly move money out of their home country (a common ruse referred to as an advance-fee scam).

The advance-fee scam is a classic ruse: the threat actor asks for your help moving money (purportedly transferring it to you for "safekeeping" or to evade the authorities) while also asking you to pay a fee to facilitate the transfer, promising both to reimburse the advance payment and to reward you handsomely for your cooperation.

Though this elaborate ruse has become a cliché even outside cybersecurity circles, many individuals and companies unfortunately still fall for this and similar advance-fee scams. A recent CNBC article found that these advance-fee scams still net cybercriminals well over $700,000 USD per year.

Why Do Phishing Scams Peak Around the Holiday Season?

Phishing campaigns typically soar in popularity over the holiday season in an attempt to prey on festive (and often frazzled) shoppers using increasingly sophisticated phishing scams. 

However, it isn’t just holiday shoppers that fall for these campaigns; many businesses and other organizations of all sizes continue to fall victim to these types of attacks.

One common example of a popular business-targeted phishing scam is an email sent from a domain that appears to be the company's own and that contains innocuous-looking content (such as a festive meal menu attached as a .doc file, paired with a request that the employee indicate their meal preference and dietary restrictions for the company party). Though the email appears legitimate at first glance, a red flag such as a misspelled domain (for example, 'virtaularmour.com' rather than 'virtualarmour.com'; note the transposed 'u' and 'a') indicates that the email is likely malicious and should be both flagged as spam and reported to your company's IT or cybersecurity team.
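The transposed-letter domain above is something a mail filter can catch mechanically rather than leaving it to a tired employee's eye. The following added example (not code from the original article or from VirtualArmour) classifies the domain in a From: header against a constructed allowlist of your own sending domains. It flags domains within a couple of edits of a trusted one, counting an adjacent-character swap such as 'virtaul' as a single edit, and also domains that embed the brand name under some other registered domain. The allowlist, the sample headers and the `classify_sender` function are this example's own assumptions.

```python
import re

# Constructed allowlist of the organisation's own sending domains.
TRUSTED_DOMAINS = {"virtualarmour.com"}

# Constructed From: headers standing in for a day's worth of inbound mail.
SAMPLE_FROM_HEADERS = [
    "People Team <hr@virtualarmour.com>",
    "People Team <hr@virtaularmour.com>",
    "Service Desk <help@VirtualArmour.com.example.net>",
    "Vendor News <news@example.org>",
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: the number of insertions, deletions,
    substitutions and adjacent-character swaps needed to turn `a` into `b`."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution or match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[rows - 1][cols - 1]


def sender_domain(from_header: str):
    """Pull the domain out of a From: header such as 'HR <hr@example.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().strip(".") if m else None


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Label a sender 'trusted', 'lookalike:<domain>', 'external' or 'unparseable'.

    A lookalike is either within `max_distance` edits of a trusted domain or
    contains the trusted brand name inside some other domain."""
    domain = sender_domain(from_header)
    if domain is None:
        return "unparseable"
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if osa_distance(domain, good) <= max_distance:
            return f"lookalike:{good}"
        brand = good.split(".")[0]
        if brand in domain:   # e.g. brand.com.example.net or brand-support.com
            return f"lookalike:{good}"
    return "external"


def triage(headers=SAMPLE_FROM_HEADERS):
    """Run the classifier over a batch of headers; returns (header, label) pairs."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, label in triage():
        print(f"{label:32} {header}")
```

Two caveats when deploying something like this: an edit distance of 2 is reasonable for a domain as long as virtualarmour.com but will produce false positives for very short brand names, so scale the threshold with length; and this check judges only how a domain looks, so it complements rather than replaces sender authentication (SPF, DKIM and DMARC), which verifies whether mail was actually authorised to come from the domain it claims.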

“Smishing” (SMS Phishing) Scams Are On the Rise

Though these types of scams tend to peak around the holiday season, they are still common year-round. The fake delivery text is a new form of this age-old scam that has been making the rounds and is rapidly becoming one of the most common formats for smishing scams. 

One theory behind the rise in this particular style of phishing scam is the increase in lockdowns worldwide, prompting a rise in online shopping, particularly during the holiday period. Before clicking on any links in a suspicious text message, it is critical to verify whether the text message is legitimate (such as by calling your local post office or delivery depot to verify if there really is a parcel waiting for you).

How to Recognize (& Avoid Falling Prey To) a Smishing Attack

If you receive a suspicious text that may be part of a smishing scam, there are a few steps you can take to help avoid falling prey: 

  1. Never respond to a potentially suspicious text message. If a response appears to be necessary, respond via a verified official channel (such as calling your delivery company or local post office directly).
  2. Never click on any links or phone numbers sent from a user you don’t recognize.
  3. Never share any payment information or personally identifiable information, such as your social security number, birth date, or full name. 
  4. Report any messages that appear suspicious to the relevant authority.
    1. In the United Kingdom, reports can be filed with the National Cyber Security Centre here.
    2. In the United States, reports can be filed with the FCC here and FTC here.

A common example of a scam asking for payment information is a scammer posing as your bank and asking you to update your account information (usually under threat of being locked out of your accounts or some other undesirable outcome). In this case, you should contact your bank immediately via an official channel (most banks print a toll-free number on the back of their credit or debit cards or somewhere on your bank statement) and independently verify that your information requires updating. This not only helps you avoid falling victim to a potential phishing scam but also alerts your bank so they can warn other customers about the scam so they can avoid falling prey as well.

Awareness is Critical

Education and awareness are a cornerstone of any solid cybersecurity strategy. By educating yourself and others about common scams and red flags to look for, you can help reduce the chance someone falls victim. Individual scams are often short-lived, so you need to act quickly; Verizon reports that 50% of scam targets open emails and click on phishing links within an hour of receiving a suspicious email.  

Investing in employee cybersecurity training is vital. When it comes to scams, your employees are one of your first lines of defense, which is why all employees, from the summer intern up to the CEO, should undergo regular cybersecurity training. To help set everyone up for success, you should also include cybersecurity training as part of your company’s onboarding process. 

Vulnerability Scanning Offers Total Visibility Into Your Infrastructure

You can’t defend yourself against cybersecurity threats if you don’t know they exist. Vulnerability scanning helps ensure that no threat makes its way past your defenses by providing detailed information on threat intelligence, device health, threat mapping, and support ticketing. Being able to view all traffic on your network at all times is critical for spotting suspicious activities, so you can respond swiftly and effectively to safeguard both your data and your organization should a threat actor sneak past your defenses. 

Social Engineering Takes Many Forms

Many of these attacks depend on social engineering. Social engineering involves manipulating potential victims into revealing personally identifiable information and can be used to access either personal or organizational accounts. Social engineering attacks typically rely on consistent communication between the attacker and the target and frequently take the form of text messages, instant messages, or emails. 

As COVID-19 continues to force workers to trade their desks at work for their kitchen tables, spare rooms, and home offices, attacks of this nature are becoming more frequent and more effective. This, combined with more mundane but still frustrating events such as a purportedly missed delivery (which you can conveniently reschedule by clicking on this completely legitimate link), has created an ideal environment for threats like phishing scams to flourish. 

Worried About Phishing Scams? VirtualArmour is Here to Help

Not everyone is a cybersecurity expert, and that’s okay. VirtualArmour is full of experts like the cybersecurity engineer who helped us write this educational article. Whether you need help drafting a cybersecurity strategy, are looking for someone to monitor your network 24/7/365 for suspicious activities, or are looking to bolster your internal IT or cybersecurity team, our team is here to help. For more information, or to start improving your organization’s cybersecurity posture, please contact our team today.

About the Author

Kurt Pritchard is a SOC Engineer at VirtualArmour; you can learn more about him on his LinkedIn.