
What is the Difference?: MDR vs EDR

The GoDaddy attack last November once again highlighted how vulnerable our digital systems can be, prompting many organizations to re-think their current cybersecurity posture in the wake of this troubling, and escalating, trend. Though every organization brings with it unique security considerations, there are a few strategies and policies that all organizations should consider implementing.

The goal of cybersecurity is to safeguard your organization’s digital assets, including data and systems. Both EDR and MDR work to achieve this goal in different ways, and a good strategy will rely on both approaches to create a robust, more comprehensive cybersecurity strategy.


EDR: A Software-Focused Approach to Cybersecurity

EDR (endpoint detection and response) is a software-based cybersecurity approach designed to detect and respond to endpoint threats. Endpoints refer to any remote computing devices that are able to connect with your network, including computers, smartphones, tablets, servers, and IoT devices. Endpoints act like the doorways to your network, making them key points of entry for cybercriminals. As such, these portions of your network are vulnerable and require special security considerations.

Good EDR is Reactive… 

EDR is designed to safeguard these endpoints by using both tools and solutions to detect and address threats to your endpoints and hosts (such as networks). Should an endpoint or host become infected with malware or otherwise compromised, the software can also quarantine the affected systems or endpoints to help slow or stop the attack. EDR is incredibly valuable because it can detect advanced threats without relying on behavioral patterns or malware signatures like anti-virus software does. EDR can also trigger an adaptive response to a threat (much like your immune system responding to an infection), allowing your system to learn from the situation and adjust its response accordingly. This approach not only helps contain the situation at hand but also helps improve your threat responses moving forward. 

… But Also Proactive

In addition to learning from past incidents, good EDR also takes a proactive approach by seeking out new potential threats before they become actual threats. EDR is also able to gather data about the overall health of your network and record network activity. Should an attacker manage to slip past your defenses, this treasure trove of data gathered before, during, and after the attack will prove invaluable for identifying the root cause of the attack so that steps can be taken to improve your security moving forward. 


MDR: A People-Focused Approach to Cybersecurity

While EDR is a tool-based approach, MDR is a people-using-tools-based approach. MDR (managed detection and response) is a service that monitors your network 24/7/365 in order to detect, triage, and respond to cybersecurity threats.

EDR vs MDR

EDR works like a security system, setting off an alarm if a window is broken or a door is forced open in an attempt to scare off the intruder and alert the business owner that something is amiss. Unfortunately, even if the security system alerts the business owner, the owner may not immediately realize something is wrong. After all, she is a busy woman with a business to run. She is also only one person: if the break-in happens while she is asleep or in a meeting, she may not see the alert on her phone until she wakes up or the meeting has ended.

On the other hand, MDR is more like hiring a security guard: You already have an expert on-site, keeping an eye out for any suspicious activity. Should a break-in occur, the security guard can respond right away. That doesn’t mean that alarm systems aren’t useful, but they are more useful if you have a security guard keeping an eye on things as well.

MDR is one piece of the SOCaaS (security operations center as a service) ecosystem, helping create a holistic, turnkey solution to continuously monitor threats across your network. 

Good MDR Incorporates EDR

MDR solutions are empowered by EDR solutions, much like how a security guard is better able to perform their job because of an alarm system. MDR analysts and other cybersecurity experts are able to use the data gathered by the EDR system, as well as the abilities it provides, to more easily assess the threat and respond swiftly and appropriately. By leveraging EDR systems, your cybersecurity team can use the data the system has collected to better prioritize threats (such as identifying which users are logged in and which systems and files are being targeted) and move quickly to shut down impacted systems or institute quarantines to contain the threat and minimize or even avoid further damage.

MDR is a particularly effective approach for small and medium-sized organizations, which are less likely to have in-house cybersecurity teams to manage and respond to threats identified by their EDR systems. Many managed security services providers offer a variety of services that can be mixed and matched to suit your needs, whether you are looking to fully outsource your cybersecurity needs or simply augment your existing in-house security team.

Looking to Improve Your Security Posture for 2022? VirtualArmour is Here to Help!

Not everyone is a cybersecurity expert, and that’s okay. No matter your cybersecurity needs, VirtualArmour’s team of experts is always here to help. In addition to MDR, we also offer:

VirtualArmour also offers tailored services on an à la carte basis, allowing you to pick and choose the services your organization requires to create your own premium services package, essential services package, or tailored one-time expert consult. With offices in both Denver, Colorado, and Middlesbrough, England, we are able to offer live, 24/7/365 monitoring as well as industry-leading response times. We have extensive experience working with a variety of highly-specialized industries, including energy, finance, healthcare, and retail, and are well-versed in the unique security and IT challenges faced by service providers.

For more information about MDR, or to get started designing your custom MDR solution, please contact our team today.

Suggested Reading 

Cybersecurity is a complex and continually evolving field, and keeping up to date is critical if you want to safeguard your organization and its digital assets effectively. 

To help you stay up to date on the latest in cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles with your team.

Cybersecurity Basics For All Organizations

Cybersecurity Basics By Industry

Minimizing Your Risks

Common Threats (and How to Avoid Them)

Phishing Attacks are Evolving: What You Need to Know to Keep Your Company Safe

Phishing scams tend to peak during and around the winter holiday season, catching individuals and businesses alike unprepared. To help ensure you and your team have the information you need to identify and avoid these scams, we sat down with one of our VirtualArmour cybersecurity engineers to learn more about this common cybersecurity threat.

If you are currently experiencing, or have recently experienced, a cybersecurity incident, please contact our team for immediate assistance and consider reviewing our educational article: Hacked? Here’s What to Know (and What to Do Next). Our team can help you fend off the attack, identify the root cause of the issue, and create an actionable, comprehensive plan to help mitigate or even avoid further damage.


What is Phishing?

Phishing is a type of social engineering typically used to steal user data such as login credentials, personally identifiable information (PII), or payment card information. This type of cyber attack involves a threat actor masquerading as a trusted party (such as your bank) in order to trick you into opening an email, text message, instant message, or other electronic message and inadvertently handing over sensitive information such as personally identifiable information (such as your full name, birth date, or social insurance number) or payment information (such as your credit card number). 

Phishing attacks pose a serious threat at both the personal and corporate levels. Though most email spam filters are able to stop the most egregious attempts at phishing, even the best filters and firewalls aren’t able to catch everything. Phishing scams continue to evolve, and the sheer number of phishing emails alone is staggering. Research into the volume of email, spam, and malicious attachments and URLs directed at companies found that a company with 5000 employees will still have an average of 14,400 phishing emails arrive in employee inboxes each year, and those are just the emails that were savvy enough to get past the spam filter. 

With so many emails alone slipping past our defenses, employee training on how to spot and report potential phishing scams is key. However, many threat actors are changing tactics and moving away from email and towards other forms of electronic communication.

Phishing Tactics Have Evolved

When many of us think of phishing emails, we likely still picture some scammer pretending to be a fabulously wealthy prince from some faraway land promising riches in return for helping them covertly move money out of their home country (a common ruse referred to as an advance-fee scam).

The advance-fee scam is a classic ruse in which the threat actor asks you to help them move money (purportedly for “safekeeping” or to evade authorities) and to pay a fee up front to facilitate the transfer, promising that they will both send you money to cover the advance payment and reward you handsomely for your cooperation.

Though this elaborate ruse has become a cliché even outside of cybersecurity circles, unfortunately, many individuals and companies still fall for this and similar advance-fee scams. A recent CNBC article found that these advance-fee scams still net cybercriminals well over $700,000 USD per year.

Why Do Phishing Scams Peak Around the Holiday Season?

Phishing campaigns typically soar in popularity over the holiday season in an attempt to prey on festive (and often frazzled) shoppers using increasingly sophisticated phishing scams. 

However, it isn’t just holiday shoppers that fall for these campaigns; many businesses and other organizations of all sizes continue to fall victim to these types of attacks.

One common example of a popular business-targeted phishing scam involves sending the target an email from a domain that appears to be the company’s own, containing innocuous information (such as a festive meal menu with a .doc file extension, paired with a request that the employee indicate their meal preference and dietary restrictions for the company party). However, though the email appears legitimate at first glance, a red flag such as a misspelled domain (for example, ‘virtaularmour.com’ rather than ‘virtualarmour.com’; note the transposed ‘u’ and ‘a’) indicates that this email is likely malicious and should be both flagged as spam and reported to your company’s IT or cybersecurity team.
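A mail-filter check for exactly this kind of near-miss domain, as an added example (not VirtualArmour's code): it measures the edit distance, counting adjacent transpositions like the swapped ‘u’ and ‘a’ above, between the sender's domain and a list of domains you trust. The trusted-domain list and the sample addresses are constructed for illustration.

```python
"""Flag sender domains that are near-misses of domains you trust, the way the
transposed letters in 'virtaularmour.com' give the phishing email away.

Added example, not VirtualArmour's code. TRUSTED_DOMAINS and the sample
addresses are constructed for illustration.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"virtualarmour.com", "example-bank.com"}  # constructed list


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1, so 'virtaul' vs 'virtual' is 1."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: header such as 'HR <hr@example.com>'."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS,
                    max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown'.

    max_distance=2 catches transpositions, dropped letters and added hyphens;
    raise it with care, since short trusted names then collide with unrelated
    legitimate domains.
    """
    domain = sender_domain(header_value)
    if not domain:
        return "unknown"
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return "trusted"          # the domain itself or a real subdomain
    for good in trusted:
        # Near-miss spelling, or the trusted name buried inside a foreign
        # domain (e.g. virtualarmour.com.attacker-example.net).
        if osa_distance(domain, good) <= max_distance or good in domain:
            return f"lookalike of {good}"
    return "unknown"
```

A lookalike verdict is a reason to quarantine the message for review, not proof of malice on its own; pair it with SPF/DKIM results in a real filter.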

“Smishing” (SMS Phishing) Scams Are On the Rise

Though these types of scams tend to peak around the holiday season, they are still common year-round. The fake delivery text is a new form of this age-old scam that has been making the rounds and is rapidly becoming one of the most common formats for smishing scams. 

One theory behind the rise in this particular style of phishing scam is the increase in lockdowns worldwide, prompting a rise in online shopping, particularly during the holiday period. Before clicking on any links in a suspicious text message, it is critical to verify whether the text message is legitimate (such as by calling your local post office or delivery depot to verify if there really is a parcel waiting for you).

How to Recognize (& Avoid Falling Prey To) a Smishing Attack

If you receive a suspicious text that may be part of a smishing scam, there are a few steps you can take to help avoid falling prey: 

  1. Never respond to a potentially suspicious text message. If a response appears to be necessary, respond via a verified official channel (such as calling your delivery company or local post office directly).
  2. Never click on any links or phone numbers sent from a user you don’t recognize.
  3. Never share any payment information or personally identifiable information, such as your social security number, birth date, or full name. 
  4. Report any messages that appear suspicious to the relevant authority.
    1. In the United Kingdom, reports can be filed with the National Cyber Security Centre here.
    2. In the United States, reports can be filed with the FCC here and FTC here.

A common example of a scam asking for payment information is a scammer posing as your bank and asking you to update your account information (usually under threat of being locked out of your accounts or some other undesirable outcome). In this case, you should contact your bank immediately via an official channel (most banks print a toll-free number on the back of their credit or debit cards or somewhere on your bank statement) and independently verify that your information requires updating. This not only helps you avoid falling victim to a potential phishing scam but also alerts your bank so they can warn other customers about the scam so they can avoid falling prey as well.


Awareness is Critical

Education and awareness are a cornerstone of any solid cybersecurity strategy. By educating yourself and others about common scams and red flags to look for, you can help reduce the chance someone falls victim. Individual scams are often short-lived, so you need to act quickly; Verizon reports that 50% of scam targets open emails and click on phishing links within an hour of receiving a suspicious email.  

Investing in employee cybersecurity training is vital. When it comes to scams, your employees are one of your first lines of defense, which is why all employees, from the summer intern up to the CEO, should undergo regular cybersecurity training. To help set everyone up for success, you should also include cybersecurity training as part of your company’s onboarding process. 

Vulnerability Scanning Offers Total Visibility Into Your Infrastructure

You can’t defend yourself against cybersecurity threats if you don’t know they exist. Vulnerability scanning helps ensure that no threat makes its way past your defenses by providing detailed information on threat intelligence, device health, threat mapping, and support ticketing. Being able to view all traffic on your network at all times is critical for spotting suspicious activities, so you can respond swiftly and effectively to safeguard both your data and your organization should a threat actor sneak past your defenses. 

Social Engineering Takes Many Forms

Many of these attacks depend on social engineering. Social engineering involves manipulating potential victims into revealing personally identifiable information and can be used to access either personal or organizational accounts. Social engineering attacks typically rely on consistent communication between the attacker and the target and frequently take the form of text messages, instant messages, or emails. 

As COVID-19 continues to force workers to trade their desks at work for their kitchen tables, spare rooms, and home offices, attacks of this nature are becoming more frequent and more effective. This, combined with more mundane but still frustrating events such as a purportedly missed delivery (which you can conveniently reschedule by clicking on this completely legitimate link), has created an ideal environment for threats like phishing scams to flourish. 

Worried About Phishing Scams? VirtualArmour is Here to Help

Not everyone is a cybersecurity expert, and that’s okay. VirtualArmour is full of experts like the cybersecurity engineer who helped us write this educational article. Whether you need help drafting a cybersecurity strategy, are looking for someone to monitor your network 24/7/365 for suspicious activities, or are looking to bolster your internal IT or cybersecurity team, our team is here to help. For more information, or to start improving your organization’s cybersecurity posture, please contact our team today.

Suggested Reading 

Cybersecurity is a complex and continually evolving field, so keeping up to date is critical for safeguarding both your website and your broader organization. 

To help you stay up to date on the latest in cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.

Cybersecurity Basics For All Organizations

Common Threats (and How to Avoid Them)

Cybersecurity Basics By Industry

Minimizing Your Risks

About the Author

Kurt Pritchard is a SOC Engineer at VirtualArmour; you can learn more about him on his LinkedIn.

GoDaddy: Have You Been Impacted and What to Do Next?

On November 22, 2021, the hosting platform GoDaddy revealed that an unauthorized third party had accessed their Managed WordPress hosting environment. Unfortunately, GoDaddy isn’t unique; many hosting providers remain vulnerable to similar attacks. In this article, we will discuss what is known about the incident so far.

What We Know About the Attack So Far

GoDaddy responded swiftly and effectively, working with law enforcement and an IT forensics firm to thoroughly investigate the incident and take appropriate steps to safeguard users. 

What Happened?

On November 17, GoDaddy identified suspicious activity inside their Managed WordPress hosting environment, triggering an internal investigation with the help of an IT forensics firm. It was later determined that an unauthorized third party had used a compromised password to access the provisioning system for their Managed WordPress legacy codebase.

In response to this troubling discovery, GoDaddy immediately blocked the unauthorized third party from their system and began alerting affected users. 

So far, the investigation reveals that the unauthorized third party had been using these compromised credentials to gain access to the system beginning on September 6, with a goal of obtaining private customer information, including:

  • The email addresses and customer numbers of as many as 1.2 million active and inactive Managed WordPress customers, which the company said may increase the chances of phishing attacks.
  • The original WordPress Admin passwords set on these accounts. As a preemptive measure, any account still using its original WordPress Admin password was subject to a password reset.
  • The SFTP and database usernames and passwords of active users. Once this was discovered, GoDaddy immediately reset the passwords on these accounts.
  • The SSL private keys of a subset of active customers. To address this, GoDaddy immediately began issuing and installing new certificates on affected accounts.

Six Additional Web Hosting Providers Impacted

GoDaddy has also revealed that six other web hosts have been impacted by this incident. All six are European resellers of GoDaddy’s Managed WordPress hosting services and include:

What is GoDaddy Doing to Address the Situation?

The investigation is ongoing, and in addition to the actions outlined above, all impacted customers will be contacted directly by the GoDaddy team and provided with specific details. Customers can also contact the GoDaddy team via their online help center, which also includes country-specific phone numbers. 


It Isn’t Just GoDaddy; All Hosting Providers Are Vulnerable

While GoDaddy is currently in the spotlight, incidents like this are hardly unique to one hosting provider. Cybercriminals frequently target websites, and many of those attacks are targeted at web hosting accounts.

Common web host vulnerabilities fall into three main categories: general web hosting vulnerabilities, shared hosting vulnerabilities, and VPS and cloud hosting vulnerabilities.

General Web Hosting Vulnerabilities

Botnet-Building Attempts

This is when attackers attempt to use publicly available exploits to hijack your web servers and use your infrastructure as part of a botnet (connected computers instructed by a third party to perform repetitive tasks) to attack other organizations. 

Less secure web hosting providers are particularly vulnerable. However, once these vulnerabilities are discovered, they are typically patched fairly quickly.

DDoS Attacks

DDoS (distributed denial of service) attacks flood web servers or other online services with traffic in an attempt to crash the system. This can be done either by a large group of cybercriminals or a single criminal commanding a botnet. The goal of DDoS attacks is to overload the server and prevent legitimate users from accessing a company’s services or products.

Web Server Misconfigurations

Many basic website owners, particularly those using low-cost shared hosting, often have no idea whether or not their servers have been correctly configured. This is problematic because misconfigured servers are often left vulnerable and may be running unpatched or outdated applications. 

Incorrectly configured servers may also be unable to accurately verify access rights, and merely hiding restricted functions or links from the user interface is unlikely to deter attackers, who are usually savvy enough to guess the probable parameters and typical locations of this sensitive information and then use brute-force attacks to gain access. 

Shared Hosting Vulnerabilities

If having your own server is like owning a single-family home, shared hosting environments act more like apartment buildings, where each account has its own unit within the larger structure. Unfortunately, that means a single attack can impact all of the accounts on a single server. 

Non-Siloed Environments

Organizations that opt for shared hosting accounts are particularly vulnerable because these types of accounts exist like large pools of data. Though each account is allocated its own select resources, they all exist within a single environment, so all data, content, and other files occupy the same space and are only divided based on the file structure.

Since all of this data is stored in one location, shared hosting sites are intrinsically linked. This means that if an attacker is able to access the main directory, all sites within the pool may be at risk, and a single compromised account could provide the attacker with a way into the supposedly closed system.

Software Vulnerabilities

All types of hosting accounts can contain software vulnerabilities, but shared servers are typically more at risk. This is because the large number of accounts per server means that each server is likely to host a variety of different applications, each of which will need to be updated regularly to take advantage of security patches and other updated security measures. A single unpatched or out-of-date application may leave the entire server vulnerable.

Malware (Including Ransomware)

Malware, and particularly ransomware, is a growing problem. Though a ransomware attack may target any hosting provider, shared hosting servers are particularly ill-adapted to contain such an attack. Because multiple accounts are hosted on a single server, it is easy for a ransomware attack to spread from one company’s account and infect the rest of the accounts on the same server.

Shared IP Addresses

Shared hosting accounts also share IP addresses, with multiple sites typically being identified by a single IP address, much like all units in a single apartment building share one street address. Unfortunately, this means that if one account is compromised and begins sending out spam or otherwise behaving badly and is blacklisted by a company or service, all other sites sharing that IP address will be blacklisted as well. 

This is problematic because getting an IP address removed from a blacklist is typically quite difficult, and organizations are unlikely to cooperate if one of the accounts attached to that IP address continues to behave badly or disregard the organization’s terms of service.


VPS & Cloud Hosting Vulnerabilities

Though virtual private servers (VPS) or cloud hosting options are typically more secure than shared hosting options, they are still vulnerable. Attackers often target these types of hosting accounts because of the advanced interconnected nature of these servers, presenting a lucrative payday for hackers. As such, these types of attacks are also typically carried out by more experienced attackers using advanced methods. 

Cross-Site Security Forgery

Cross-site security forgery, also called cross-site request forgery (CSRF), is a flaw that generally affects websites built using unsecured or poorly secured infrastructure. For convenience, many users save their credentials on select platforms, which can be a risky decision if the corresponding website is not secure. 

During a CSRF attack, the end-user is forced to execute an unwanted action, such as automatically transferring funds, on a web application in which they are currently authenticated. Using social engineering (such as sending a compromised link via chat or email), an attacker may be able to trick users of a specific web application into doing what the attacker wants without the attacker having to bother trying to determine a username or password. 

This works because the attacker has already queued up the action they wish to perform (such as transferring funds). When the unsuspecting user clicks the link, their saved credentials log them in automatically, and the application completes the action before the user is even aware of what happened.

This can be particularly devastating on admin accounts and can compromise the entire web application. 
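The CSRF mechanism described above in code, as an added example that is not VirtualArmour's code: a transfer handler that trusts the session cookie alone, beside a hardened version that also requires a per-session anti-CSRF token and checks the Origin header. `Session`, `Request` and `SITE_ORIGIN` are simplified stand-ins for a web framework's objects and are constructed for the example.

```python
"""CSRF: a funds-transfer handler that trusts the session cookie alone, beside
a hardened version that also demands a per-session anti-CSRF token and checks
the Origin header. Added example, not VirtualArmour's code; Session and Request
are simplified stand-ins for a web framework's objects, and SITE_ORIGIN is
constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SITE_ORIGIN = "https://bank.example"  # constructed


@dataclass
class Session:
    """What the server keeps for a logged-in user (looked up via the cookie)."""
    user: str
    balance: int = 1000
    # Secret token issued once per session and embedded in our own forms;
    # a page on another origin cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    form: Dict[str, str]
    origin: Optional[str] = None  # Origin header; browsers send it on cross-site POSTs


def transfer_vulnerable(session: Session, req: Request) -> str:
    """Acts on any POST that arrives with a valid session cookie, so an
    auto-submitting form on a third-party page can spend the user's money."""
    if req.method != "POST":
        return "405 method not allowed"
    session.balance -= int(req.form["amount"])
    return f"200 transferred {req.form['amount']} to {req.form['to']}"


def transfer_hardened(session: Session, req: Request) -> str:
    if req.method != "POST":
        return "405 method not allowed"
    # Check 1: a foreign Origin is a definite forgery; a missing header is
    # tolerated here only because the token check below still applies.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return "403 cross-site origin rejected"
    # Check 2: the submitted token must equal the session's token. Constant-time
    # comparison avoids leaking the token one byte at a time.
    # (Serving the session cookie with SameSite=Lax or Strict adds a further
    # browser-enforced layer: the cookie is then not sent on cross-site POSTs.)
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session.csrf_token):
        return "403 missing or invalid csrf token"
    session.balance -= int(req.form["amount"])
    return f"200 transferred {req.form['amount']} to {req.form['to']}"


def cross_site_post() -> Request:
    """Constructed: the POST a hidden form on https://attacker-example.net would
    make the victim's browser send. The browser attaches the cookie, but the
    page never saw the session's csrf_token, so the form cannot include it."""
    return Request("POST", {"to": "mule-account", "amount": "500"},
                   origin="https://attacker-example.net")


def same_site_post(session: Session) -> Request:
    """Constructed: a POST from our own transfer form, which embeds the token."""
    return Request("POST", {"to": "landlord", "amount": "500",
                            "csrf_token": session.csrf_token}, origin=SITE_ORIGIN)
```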

SQL Injections

SQL injections work by extracting data, such as customer information or financial data, from a system as the data is sent to and from your database server. If this route is not secure, attackers can insert SQL scripts into the infrastructure and scan all data queries before they even reach the server. 

This attack works like a postal delivery worker opening and reading all of your mail and copying down any private information they discover before delivering your letters and parcels. 
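The classic form of SQL injection, where untrusted input is spliced into the query text, beside the parameterized query that prevents it, as an added example (not VirtualArmour's code). The in-memory SQLite table, its rows and the tampered input are constructed for the example.

```python
"""SQL injection: a customer lookup that splices untrusted input into the query
text, beside the parameterized form that keeps data and SQL apart. Added
example, not VirtualArmour's code; the in-memory SQLite table and its rows are
constructed."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)",
                     [("alice@example.com", "1111"), ("bob@example.com", "2222")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """The caller's string becomes part of the SQL, so quotes in it rewrite the
    WHERE clause and the query returns rows the caller was never meant to see."""
    query = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """The value is bound as a parameter; the driver never interprets it as SQL,
    so the same input simply matches no customer."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Constructed input: the closing quote and OR clause make the vulnerable
# WHERE clause true for every row.
TAMPERED_INPUT = "nobody@example.com' OR '1'='1"


def demo() -> Tuple[int, int]:
    """Return (rows leaked by the vulnerable lookup, rows from the safe one)."""
    conn = make_db()
    return (len(lookup_vulnerable(conn, TAMPERED_INPUT)),
            len(lookup_parameterized(conn, TAMPERED_INPUT)))
```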

Exploiting XSS Flaws

Harmful XSS-based scripts are small programs that can be used to either access confidential information or redirect legitimate users to fraudulent websites. 

Though this attack is most commonly used by attackers looking to capture usernames and passwords or trick users into entering their credit card number or other sensitive information into a fraudulent website (such as one that is designed to look almost exactly like your bank’s website), this technique can also be used by organizations to carry out fraudulent business operations.

Insecure Cryptography

Cryptography algorithms typically rely on random number generators, but not all random number generators are made equal, and some random number generators may produce easily guessable numbers which attackers can use to their advantage.  

Virtual Machine Vulnerabilities

Multiple virtual machines can be run on top of hypervisors in physical servers. However, if there is a vulnerability in the hypervisor, attackers may be able to infiltrate the system remotely and gain access to all virtual machines hosted on a physical server. Though this type of attack is rare, it is still possible, and organizations that use virtual machines should take appropriate steps to safeguard their infrastructure. 

Supply Chain Weaknesses

One of the benefits of cloud hosting is resource distribution, but unfortunately, this can also be a source of vulnerabilities. If not all organizations in the cloud supply chain are as studious as your organization about security, they could leave the entire chain vulnerable.

Insecure APIs

APIs (application programming interfaces) are designed to help streamline cloud computing processes, but they can allow attackers to easily infiltrate your cloud infrastructure if they aren’t secured properly. 

Reusable components are incredibly popular, which can make it difficult to safeguard your organization against this type of attack. In an attempt to gain unauthorized access, an attacker can simply try basic access attempts repeatedly until they find a single vulnerability that allows them into the system.

Steps You Can Take to Protect Your Organization & Your Website

In the modern era, it is an unfortunate truth that it isn’t so much if your organization will experience a cybersecurity incident, but when. Luckily, there are steps you can take to safeguard your website and your organization as a whole. 

Website Best Practices 

One of the best things you can do to safeguard your website is to make sure you are following website security best practices.

For Static Sites

If you have a static site, you should ensure that you have an SSL certificate and keep your software up to date. You should also keep an eye on your website using uptime monitoring programs so that you are alerted any time your site undergoes an unexpected content change. 

By keeping an eye on your website, you can quickly learn if an incident has occurred, allowing you to mitigate or even prevent damage if your website is defaced or otherwise compromised.

For WordPress or Other Database Websites (Like Those Impacted by the GoDaddy Attack)

There are a few things you can do to better safeguard your WordPress website. This includes implementing a robust username and password policy and adding multi-factor authentication. If you need to store passwords on your website for any reason, you should ensure that all passwords are encrypted, and you may want to consider using OAuth or another third-party identity management site.  

You should also consider implementing rate limiting or limiting user logins based on the number of failed login attempts. This can help safeguard your website from brute-force attacks. You should also strongly consider changing your admin username from the default “Admin” to something harder to guess.

Rate limiting can help safeguard your website from botnets involved in brute force attacks. Rate limiting allows users almost unlimited login attempts but artificially installs a delay between each attempt. Even a seemingly insignificant delay of a second or two can slow down a brute force attack, buying your organization more time for someone to notice something is amiss and take appropriate action. 
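The two controls just described, a growing delay between attempts and a lockout after repeated failures, implemented together for a CMS login, as an added example (not WordPress's or VirtualArmour's code). The user store is constructed, and the clock and sleep functions are injectable so the block runs offline.

```python
"""Login throttling for a CMS login: an exponentially growing delay per failed
attempt plus a temporary lockout after repeated failures, keyed on source IP
and account name. Added example, not WordPress's or VirtualArmour's code; the
user store is constructed, and clock/sleep are injectable so it runs offline."""
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

PBKDF2_ROUNDS = 50_000  # kept low for the example; use far more in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Used for unknown usernames so response time does not reveal which accounts exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder", _DUMMY_SALT)


class LoginThrottle:
    def __init__(self, max_failures: int = 5, window: float = 900.0,
                 base_delay: float = 1.0, max_delay: float = 30.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.max_failures = max_failures  # failures within window before lockout
        self.window = window              # seconds a failure stays on record
        self.base_delay = base_delay      # delay after the first failure
        self.max_delay = max_delay        # ceiling for the doubling delay
        self.clock, self.sleep = clock, sleep
        self._failures: Dict[str, List[float]] = defaultdict(list)

    def _recent(self, key: str) -> List[float]:
        now = self.clock()
        self._failures[key] = [t for t in self._failures[key] if now - t < self.window]
        return self._failures[key]

    def locked(self, key: str) -> bool:
        return len(self._recent(key)) >= self.max_failures

    def delay_for(self, key: str) -> float:
        """0s with a clean record, then 1s, 2s, 4s ... up to max_delay."""
        n = len(self._recent(key))
        return 0.0 if n == 0 else min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def record(self, key: str, success: bool) -> None:
        if success:
            self._failures.pop(key, None)
        else:
            self._failures[key].append(self.clock())


def attempt_login(throttle: LoginThrottle, users: Dict[str, Tuple[bytes, bytes]],
                  username: str, password: str, source_ip: str) -> str:
    """Return 'ok', 'denied' or 'locked'. users maps name -> (salt, pbkdf2 hash)."""
    key = f"{source_ip}|{username.lower()}"
    if throttle.locked(key):
        return "locked"
    throttle.sleep(throttle.delay_for(key))  # the artificial delay between attempts
    salt, expected = users.get(username.lower(), (_DUMMY_SALT, _DUMMY_HASH))
    # Hash and compare even for unknown names, then decide, to keep timing uniform.
    match = hmac.compare_digest(hash_password(password, salt), expected)
    ok = match and username.lower() in users
    throttle.record(key, ok)
    return "ok" if ok else "denied"


def make_users() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed user store with one non-default admin account name."""
    salt = os.urandom(16)
    return {"site-owner": (salt, hash_password("correct horse battery", salt))}
```

Keying on IP and account together means a botnet spread over many addresses still faces the per-account lockout, while one mistyping user does not lock out everyone behind a shared office address.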

You should also seriously consider changing your login path from the default URL. WordPress is the most commonly used content management system on Earth, and many WordPress websites continue to use the /wp-admin/ login path. As such, attackers may use this knowledge to quickly locate and access your login page. By making the login page harder to find, you can help dissuade attackers or at least buy your team more time to respond.

Interview Your Hosting Provider & Review Your SLA Carefully

The GoDaddy security incident has demonstrated how much a website’s security depends on the security of its hosting provider. Though nothing in life, and in cybersecurity in particular, comes with guarantees, here are a few questions you should ask your hosting provider in light of this recent attack.

  1. Ask your hosting provider how they monitor their network. Suspicious activities can’t be stopped if they aren’t detected, so you want to make sure your hosting provider is carefully monitoring their internal network by asking them how their network is monitored, who is responsible for monitoring, and what sort of red flags they are actively looking for.
  2. Ask about their antivirus and malware scanning and removal processes. Malware continues to be a threat, so you need to know what sort of malware protection your host offers and what steps they take to secure your website. You should also ask if their support team is scanning your account and request a copy of these internal reports. You also need to be clear on what will happen if your account is infected and what steps your hosting provider will take to help you identify and remove malware on your website.
  3. Don’t forget TLS, firewalls, and DDoS protection. Ask your provider what protections they have in place against attacks like the one GoDaddy experienced, what their firewall and DDoS mitigation cover, and how they handle TLS (SSL) certificates: many hosts now issue and renew certificates automatically (for example through Let’s Encrypt), while others leave obtaining and installing the certificate to your team, so find out which applies to you and who is responsible for renewal.

You should be able to find at least some of this information in your SLA (service level agreement), but if the answers to any of these questions are missing, you should reach out to your contact at your hosting provider for more information.

You should also lock down the folders and subdirectories under your web root: apply least-privilege file permissions, disable directory listing, and make sure upload directories cannot execute scripts, so that an attacker who finds a flaw in your back-end software cannot drop and run a malicious file. You should also consider adding bot filtering and maintaining an actively curated blocklist of abusive addresses to help filter out bots and blunt brute-force attacks.

Create an Incident Response Plan & Invest in Cybersecurity Training for All Employees

When it comes to cybersecurity, it is always best to be proactive instead of reactive. Having a robust incident response plan in place will allow you to respond to attacks quickly and effectively while limiting damage and making your recovery smoother.

For more information, please consider reading our educational guide on creating an effective incident response plan.

Beware of Possible Phishing Scams

In their statement, GoDaddy specified that customers whose email addresses were exposed are now more likely than ever to be targeted by phishing attacks. However, all organizations should ensure their employees know what sort of red flags to look for when it comes to phishing scams. To help improve your employee cybersecurity training and educate your team, please consider reviewing our educational article Don’t Let Phishing Scams Catch You Unaware.

Whether your organization has been directly impacted by the GoDaddy security incident or not, now is an excellent time to review your website’s cybersecurity best practices. For more information, or to start improving your cybersecurity stance, please contact our team today.

Suggested Reading 

Cybersecurity is a complex and continually evolving field, so keeping up to date is critical for safeguarding both your website and your broader organization. 

To help you stay up to date on the latest in cybersecurity news and trends, please consider visiting our Articles and Resources page and reviewing these educational articles.

Cybersecurity Basics For All Organizations

Cybersecurity Basics By Industry

Minimizing Your Risks

Common Threats (and How to Avoid Them)

What Your Vulnerability Scan Report is Telling You (& What It’s Not)

Cyber attacks, and ransomware attacks in particular, are on the rise, and this troubling trend is likely to continue. Having an effective incident response plan in place is vital for protecting your organization and its digital assets, but even the best plan is only as good as the facts that inform it.

To create a solid incident response plan, you need specific, actionable information about your current cybersecurity posture. A vulnerability scan gives your cybersecurity team invaluable insight into your current cybersecurity posture’s weaknesses or deficiencies so those cracks in your armor can be addressed before cybercriminals are able to use them against you. 

What is a Vulnerability Scan?

A vulnerability scan uses automated tooling, run and interpreted by trained cybersecurity staff, to evaluate your IT infrastructure for known software and firmware vulnerabilities and to check every device that connects to your network for configuration issues that create security gaps. Using this information, your cybersecurity team or partner can develop strategies and solutions to address these shortcomings before cybercriminals are able to leverage them and sneak past your defenses.

Whether you opt for a one-time engagement scan or ongoing vulnerability scanning as part of a larger suite of managed services (such as managed SIEM), a vulnerability scan is a critical component of any robust cybersecurity posture. 

What Should All SMBs Look for in their Vulnerability Scans?

What weaknesses your vulnerability scan will look for will vary slightly between organizations, but all comprehensive scans should assess your systems for: 

Vulnerable Software

Vulnerable software is the most common class of finding. This check compares the versions of the third-party software, firmware and hardware your systems rely on against databases of publicly known weaknesses (catalogued as CVEs). These weaknesses are discovered by security researchers and vendors and typically affect only particular versions of a product. Be aware that scanners usually identify a version from a service banner, so a Linux distribution that backports a fix without changing the version number can show up as a false positive; check the package changelog before dismissing or escalating such a finding.

When the engineers who maintain a piece of software discover a vulnerability or other flaw in their code, they release a security patch (a corrective update) to address it. However, a patch only protects you once it is installed, which is one of the many security reasons you should keep your software up to date. Cybercriminals frequently try to exploit known vulnerabilities in recently patched software in the hope that not every organization is as diligent as yours about applying updates, and public exploit code often appears soon after a patch is published.

Web Application Vulnerabilities

Another common type of vulnerability cybercriminals often seek to exploit are security gaps in web applications, which can be used to gain unauthorized access to sensitive data, compromise your web server, or attack web application users. 

Whether you are using third-party applications designed by other companies or proprietary in-house applications, make sure any vulnerability scan you commission includes web application vulnerability scanning. 

Common Misconfigurations & Mistakes

Sometimes the issue isn’t the software or the hardware, but the people using it or configuring it. Incorrectly configured software can inadvertently leave your entire system vulnerable, and you may not even realize it. 

Not following established security best practices can also leave your network vulnerable. After all, investing in a high-quality, unbreakable lock is only useful if you don’t leave the key under the mat (or your password written on a sticky note under your keyboard). 

Make sure you have security best practices in place and that those practices are effectively communicated to all network users. Investing in employee cybersecurity training can not only help curtail network vulnerabilities but can also help secure your network in other ways by making it less likely employees will fall for phishing scams (or other social engineering based attacks). Security-minded employees are also better able to identify potentially suspicious activities (such as strange network traffic), so they can alert your security team. 

Encryption Configuration Weaknesses

A good vulnerability scan will also assess the encryption configurations used to safeguard data in transit between your users and your servers. 

When looking for encryption configuration weaknesses, make sure your scan checks your SSL/TLS (Secure Sockets Layer/Transport Layer Security) implementations for obsolete protocol versions (SSLv3, TLS 1.0 and 1.1), weak cipher suites (such as RC4, 3DES, export-grade and NULL ciphers), certificate problems (expired, self-signed, or not matching the hostname), and the unintentional use of unencrypted services such as FTP (File Transfer Protocol) or Telnet.

Attack Surface Reduction

An effective strategy for improving your cybersecurity posture is to reduce your attack surface. Only expose core services or systems to the internet if you absolutely have to, and continuously monitor whatever is exposed for suspicious activity. When choosing a vulnerability scanner, select one that assesses your attack surface for issues such as unprotected ports and services reachable from the wider internet. Examples include exposed databases, exposed administrative interfaces, and sensitive services such as SMB (Server Message Block, TCP port 445).

Information Leaks

Information leaks involve exposing information to end users (and therefore to attackers) that should remain private, such as server and framework version strings in HTTP headers, stack traces in error pages, directory listings, or backup and configuration files left in the web root.

In addition to assessing your system, the final report of your vulnerability scan should include both the weaknesses discovered (in plain, accessible language so that even non-technical team members are able to understand what was discovered) as well as concrete, actionable recommendations for remedying the situation. When it comes to cybersecurity, information is only useful if it can be easily understood and actioned upon. That’s why it is vital you choose a cybersecurity partner whose goal is to educate and inform your team and help you improve your cybersecurity posture.

Not all vulnerability scans include checks in all of the above categories, and the quality and number of checks a scan includes vary between products and providers. As such, it is critical to do your research before commissioning a scan, particularly if you are opting for a paid option, to ensure the scan will meet your needs.

Free vs Paid Vulnerability Scanning

User Beware: “Free” Doesn’t Always Actually Mean Free

The term “free” also varies from scanner to scanner: some offer a free trial, some a free version for non-commercial use only, and some limited functionality at the free tier. Make sure you are clear about what the free version does and does not include before you sign up, and do your research to ensure the free scan will actually give you the information you need in a format you can use to improve your security posture.

Just Because You Aren’t Paying with Money Doesn’t Mean There Isn’t a Cost

When it comes to many “free” vulnerability scans, you may not be paying with money, but there is still a cost. These tools are often limited in scope, so you likely aren’t getting the whole picture. This can lead to a false sense of security as you metaphorically check that the front door is locked while leaving the back door wide open. 

As you will soon see, these tools are also frequently not very user friendly (at least for individuals who aren’t already technology experts), which can mean either hiring a tech expert just to perform your free scan or setting time and personnel aside to learn how to use this product, pulling them away from critical tasks. Free software is typically developed on an extremely limited budget, and UX design is often an “extra” that is left out, making it difficult for even the most technically inclined to get useful information out of these tools. 

Free vulnerability scans are also not carried out by teams of experts and are frequently just tools you can use to assess select aspects of your infrastructure on your own, so even the most comprehensive versions will still require your team to take the information they have gathered and turn it into actionable suggestions. 

Paid options are almost always more user-friendly and typically come with ongoing support and guidance. They are more likely to offer a polished, easy-to-understand report detailing what vulnerabilities were discovered, as well as actionable advice on how to address these issues and improve your security posture. 

Top 4 Free Vulnerability Scanning Tools (& What They Can Tell You)

While paid vulnerability scan options typically yield more detailed and in-depth information (and cover a wider range of checks), free scanning tools can help small organizations on a tight budget assess specific areas of their networks (such as their web applications or security patches).

However, these scanning tools tend to be limited in scope, so you may need to run several in order to piece together a full list of all vulnerabilities on your network.

Burp Suite (Owned by PortSwigger)

Burp Suite is a popular web vulnerability scanner used by a variety of organizations and offers a free version (referred to as the Community Edition). However, this free version has limited functionality: it does not include the automated vulnerability scanner, contains the essential manual testing tools, and is mostly aimed at researchers and hobbyists.

Burp Suite is Java-based and can be used to test for SQL injection, cross-site scripting (XSS), and other web vulnerabilities, as well as for security auditing and compliance purposes.

Nmap

Nmap bills itself as a network exploration and security auditing tool and is, at heart, a port scanner. It scans your network, reports which ports are open and which services and versions are listening, and can run its scripting engine (NSE) to check hosts for selected known vulnerabilities and misconfigurations, all of which is useful input to a pen-test. It can also be used to check host and service availability. By pointing out potential weaknesses it is a strong auditing tool, but it does not exploit what it finds, so it cannot show you how a discovered vulnerability could actually be leveraged.

Nmap is free and open source and is aimed at administrators and ethical hackers looking for network weaknesses. Like many open-source security tools, it is driven from the command line and isn’t particularly easy to use unless you are already comfortable with such tools and with interpreting their output.

Wireshark

Wireshark is a well-known open-source network protocol analyzer. It is not a vulnerability scanner: it captures packets and lets you inspect your network traffic protocol by protocol, which is useful for network administrators who want to understand traffic patterns and design effective countermeasures, for example by spotting credentials or sensitive data sent in cleartext.

Reviewing captured traffic in Wireshark can help you discover errors, recognise whether an attack is underway, categorize it, and decide which firewall or detection rules to implement. However, Wireshark does not detect anything on its own; an analyst has to know what to look for. Like other open-source options, it isn’t particularly easy for the non-technically inclined to use and must be carefully managed and configured to meet your organization’s needs.

OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is a free, open-source vulnerability scanner maintained by Greenbone Networks. Designed as an all-in-one scanner, it runs a feed of more than 50,000 vulnerability tests that is updated daily.

OpenVAS is designed to run in a Linux-based environment and is aimed at experienced open-source users looking to perform pen-tests or targeted scans. However, like the other open-source tools in this list, it isn’t particularly easy to use for the non-technically savvy, and installing and using this tool poses a significant learning curve. Because it is so difficult to install and learn to use correctly, it can take a lot of time to get up and running smoothly, which can eat up employee time and pull them away from other tasks. 

What Information Does Your VirtualArmour Vulnerability Scan Contain?

VirtualArmour offers both one-time vulnerability scanning engagements (vulnerability assessment) and ongoing managed security scanning (vulnerability scanning premium).

One-Time Scan: Vulnerability Assessment

Our one-time vulnerability assessments include both an external scan and a certificate scan and can be useful for auditing purposes or to prove compliance.

Ongoing Vulnerability Scanning: Vulnerability Scanning Premium

Our ongoing vulnerability scanning solution (Vulnerability Scanning Premium) is designed to expose and notify you of potential security gaps in your environment before they can be exploited by cybercriminals. As part of this process, our team of experts will identify:

  1. Software and firmware vulnerabilities
  2. Weak security policies and configurations
  3. Outdated software and operating systems that could be used to penetrate your endpoints and infrastructure 

Our team will also scan and audit your publicly exposed resources (such as file servers and web applications) with the goal of minimizing your attack surface as much as possible. 

Vulnerability Scanning Premium can also be integrated with our managed SIEM option, offering more comprehensive data and additional context for alerts. 

Vulnerability Scanning Premium also includes: 

  • Custom vulnerability severity levels
  • Defined processes and escalation procedures
  • A record of all vulnerabilities detected across your environment, both on-premises and in the cloud
  • Threat intelligence feeds
  • SIEM platform enrichment using vulnerability analytics

This premium option also offers both periodic and on-demand reports, so you always know exactly what is going on, improving your organizational agility by making it easy to respond to issues as they come to light. All asset vulnerabilities are correlated with network configuration and traffic data, allowing us to identify active attack paths across your network. This vital information is used to simulate threat vectors and predict how a theoretical attack could potentially spread across your network. This can help you adjust your incident response plan as necessary and help you take a proactive rather than reactive approach.

In addition to these security benefits, continuous vulnerability scanning can help ensure your organization is complying with relevant legislation, helping you avoid the costly fines associated with noncompliance. Our team of security engineers will continuously analyze the results of your vulnerability scans and use this information to craft concrete, actionable recommendations designed to improve your overall security posture across your organization’s infrastructure, from core to cloud.

For more information about the importance of vulnerability scanning, or to learn more about our vulnerability scanning options, please contact our team today.

What Your Business Can Learn From Netflix About Credential Sharing

Credential sharing, the practice of using someone else’s digital identity to gain access to a platform or product, has become commonplace, particularly when it comes to video streaming services. While credential sharing brings with it obvious user-end security issues for organizations of all sizes in all verticals, it also poses a serious problem for organizations that depend on the revenue generated from paid user accounts. 

When most of us think of credential sharing, we likely think of people sharing a Netflix account with friends or family members as a favor or in order to split the cost of one account between two or more people. However, credential sharing can also take a more transactional form, such as sharing credentials in exchange for payment or sharing credentials with third-party resellers in exchange for a fee.

At its core, credential sharing is a form of theft. When two or more users share access to a paid account designed for single-user use, businesses lose out on the revenue they would have earned if each actual user paid for their own account.

Security Issues & Threats to Bottom Lines: Credential Sharing is Problematic from Both Perspectives

Credential sharing poses issues both for the companies creating the product that is being illegally shared between users and for organizations whose employees are sharing internal login credentials among themselves. In this article, we will discuss the problems credential sharing poses from both of these perspectives and discuss strategies organizations can use to discourage this problematic issue. 

How Common is Credential Sharing?

Credential sharing is incredibly common, particularly when it comes to video streaming platforms. A survey found that 22% of US residents (46 million people) are using credentials borrowed, purchased, or stolen from someone outside their household to access video content without paying for it.

The Security Implications of Credential Sharing

Obviously, credential sharing is a serious problem for organizations like Netflix and Hulu, which rely on paid user accounts to generate revenue. However, credential sharing also poses a serious security risk for individuals and organizations that engage in this risky behavior. A recent survey of 1507 American adults found that 34% said they shared passwords or accounts with their coworkers, allowing us to extrapolate that as many as 30 million of the 95 million American knowledge workers may be engaged in credential sharing. Considering 81% of cyber incidents used stolen or weak passwords to gain unauthorized access to systems, this high rate of credential sharing is alarming.

This security issue is further compounded by the fact that the same study of 1507 Americans revealed that 22% of surveyed individuals admitted to reusing passwords across multiple accounts, while only 12% used password managers to safely store and manage their passwords. Reusing passwords is a serious security risk, essentially providing cybercriminals with access to multiple accounts on different platforms if they are able to guess or steal a user’s password from a single, less secure platform. 

Credential Sharing Leaves Your Organization Vulnerable to Credential Stuffing Attacks

Reusing passwords also makes users vulnerable to credential stuffing attacks, in which cybercriminals take username and password combinations leaked in a previous breach and try them, automatically and at scale, against other sites. This means that if one of your accounts (say, your email) is compromised, any other account that uses the same username and password combination is now exposed as well.

Steps Organizations Can Take to Prevent Credential Sharing

Fortunately, there are steps organizations can take to prevent credential sharing, whether they are concerned about employees sharing accounts amongst themselves or paying users sharing their credentials with unauthorized, non-paying, third parties.

Preventing Credential Sharing Amongst Employees

Credential sharing among employees poses a serious security risk and should be heavily discouraged. Employee education, consequences for credential sharing, and making credential sharing less enticing are all critical for curtailing this risky behavior. 

Ensure Employees Understand the Risks

The first step to stymying credential sharing between employees is to explain why credential sharing, which many view as “harmless”, is a serious issue. When employees understand the reasoning behind rules, they are much more likely to see why those rules are necessary, improving adherence. It helps to include specific examples where credential sharing caused cybersecurity incidents and discuss the fallout of those incidents. By highlighting the serious consequences of credential sharing, you can help employees better weigh the temporary convenience of credential sharing against the serious potential cost.

The risks of credential sharing should be discussed as part of your employee onboarding process and during regular cybersecurity refresher training. Regular reminders, such as a message that reminds users about the risks of credential sharing whenever they log in, can also help ensure this message sticks.

Implement Consequences for Credential Sharing

Rules are only effective if there are consequences for breaking them. Many businesses continue to foster a culture where password sharing and other “harmless” rule-breaking earns employees a gentle reprimand at best. Credential sharing is not a victimless crime; instead, it is a serious threat to your IT security and your business.

Ensure you have a clear disciplinary procedure for dealing with employees who engage in credential sharing and ensure that this procedure is clearly communicated to all employees. You should also include consequences for employees who witness credential sharing and do not report it, as well as a clear, easy-to-navigate procedure for reporting instances of credential sharing. 

Improve Your Access Processes

Most employees don’t share credentials because they want to harm your organization; they do it because it is convenient. The most effective way you can reduce credential sharing within your organization is by identifying why employees are sharing credentials, adjusting your processes to address those root causes, and making it easier for employees to follow the rules without compromising efficiency.

How you address this issue will depend on the root cause of credential sharing within your organization. This may include:

  1. Reviewing your onboarding process: If new hires are waiting too long to be issued credentials, their managers or co-workers may be sharing credentials so that the new hire can actually perform their tasks.
  2. Improving your approval time rates: If employees are waiting too long to be granted access to files or servers they need to do their jobs, managers may be tempted to share credentials to avoid work delays. 
  3. Checking whether managers share passwords because they need subordinates to take on some of their workload: if so, consider officially re-allocating some of the manager’s tasks to appropriate subordinates (and issuing those subordinates their own login credentials and permissions) or adding members to the team to even out everyone’s workload.

Disable Concurrent Logins

Disabling simultaneous logins is an easy way to discourage credential sharing since it ensures any user who shares their login information cannot log in while another user is using those credentials. While this strategy alone won’t prevent credential sharing, it does make it a less practical and attractive option, potentially negating any temporary productivity benefits. 

Enabling this feature without prior notice is also a reliable way to pinpoint which employees are currently sharing credentials, since users are likely to complain when they find they cannot log in or are repeatedly booted from the system. Expect it to surface legitimately shared accounts too (a departmental mailbox, a vendor portal login, an automation account); migrate those to individual credentials or a proper service account rather than leaving them shared.

Don’t Forget About Third-Party Users

If you use third-party organizations to supplement your team, you should also be taking steps to limit credential sharing on that front. Though you likely have less oversight over these users and how they act, you need to ensure controls are in place to ensure offsite third-party users aren’t engaged in credential sharing behaviors. 

Ideally, this would include time restrictions and tracking on third-party users that alert you to any potential credential sharing behaviors. This is particularly critical from a legal and compliance perspective since you will need to show that any contractors accessing your data are following your internal procedures correctly.

Monitor Your Network for Suspicious Activities

Tracking behavior that may indicate users are engaged in credential sharing can help you determine how widespread this practice is while also hardening your systems against cyberattacks.

Many cybercriminals rely on stolen credentials to gain unauthorized access to sensitive systems. By taking steps to curtail credential sharing, such as disabling concurrent logins or alerting users when someone else logs in with their credentials, you are also improving your cybersecurity posture as a whole. Preventing concurrent logins can help keep cybercriminals out, while alerts tell employees when their credentials have been stolen or compromised so they can notify your IT and security teams, who can then take appropriate action.

Preventing Credential Sharing Between Paying and Non-Paying Users

When it comes to preventing credential sharing among your user base, there are many lessons to learn from streaming services such as Netflix, Hulu, and Spotify.

Make Your Accounts More Personalized & Ownable

While Netflix and Hulu have to deal with rampant credential sharing, Spotify does not. The reason so many people share Netflix accounts is that Netflix allows different users to create different profiles. While this is supposed to ensure your spouse or children aren’t inadvertently messing up your recommendations lists, it also makes it easier for users to engage in credential sharing without consequences.

On the other hand, Spotify does not allow users to create separate profiles within a single account. While different household members can get a discount by purchasing multiple accounts under one payment umbrella, sharing individual accounts messes with users’ personalized recommendations and playlists. 

How you go about tailoring your product to individual users depends on the product, but some strategies you may want to consider include:

  1. Limiting the number of files a user can save (so no one wants to give up precious save slots)
  2. Limiting the number of times a file can be downloaded
  3. Personalizing the user’s experience based on previous behaviors (for example, e-learning software that tailors courses based on a user’s past quiz performance, interests, or previously accessed courses).

Implement Single-Sign-On Technology

Single sign-on, in the form of social login, replaces site-specific usernames and passwords with authentication through an account the user already holds at a major provider such as Google, Microsoft, Facebook, or LinkedIn (typically via OAuth 2.0 or OpenID Connect). This makes the login process more convenient for users (who have one less username and password combination to remember) and discourages credential sharing.

People don’t want their friends and co-workers poking around in their personal accounts, which are chock-full of sensitive personal information and, in the case of Google, payment access in the form of Google Pay.

Insist on Two-Factor Authentication

Two-factor authentication (2FA), the most common form of multi-factor authentication (MFA), requires users to present two different kinds of evidence to verify their identity. Most systems pair a password with a second factor such as a one-time code from an authenticator app, a code sent by text message to a pre-registered phone number, or a hardware security key. For example, an employee logging in to your product would enter both their username and password and a one-time code from their phone.

Mandating two-factor authentication both improves user security and makes credential sharing highly inconvenient, since the unauthorized user would need either the account owner’s phone or the owner to relay each one-time code, and app-generated codes change every thirty seconds (codes sent by text message typically expire within a few minutes). Prefer authenticator apps or hardware keys over SMS where you can: text-message codes can be intercepted through SIM-swap fraud, and a user willing to share a password may be equally willing to forward a text.
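The one-time code in the example above is usually a TOTP. As an added example (standard-library Python, not the code of any authenticator app or of VirtualArmour), here is generation and verification with a one-step drift window and replay protection; the secret is the RFC 6238 test key, not a real credential.

```python
"""Time-based one-time passwords (RFC 6238) as the second factor described
above, with a drift window and replay protection.

Added example for this article using only the standard library; it is not
the code of any authenticator app or of VirtualArmour. The secret below is
the RFC 6238 test key, not a real credential.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30


def totp(secret_b32: str, timestamp: float, digits: int = 6) -> str:
    """HOTP (RFC 4226) over the current 30-second time step."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(timestamp // STEP_SECONDS)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: float,
                window: int = 1, used_steps: set | None = None) -> bool:
    """Accept the code for the current step or `window` steps either side
    (tolerates clock drift between server and phone). Comparison is
    constant-time, and a step recorded in `used_steps` is never accepted
    twice, so a code captured by phishing cannot be replayed within its
    lifetime."""
    if not submitted.isdigit() or len(submitted) not in (6, 8):
        return False
    current = int(timestamp // STEP_SECONDS)
    for step in range(current - window, current + window + 1):
        if used_steps is not None and step in used_steps:
            continue
        expected = totp(secret_b32, step * STEP_SECONDS, len(submitted))
        if hmac.compare_digest(expected, submitted):
            if used_steps is not None:
                used_steps.add(step)
            return True
    return False


# RFC 6238 Appendix B test secret ("12345678901234567890" in base32).
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    import time
    now = time.time()
    code = totp(RFC_SECRET, now)
    print("current code:", code, "valid:", verify_totp(RFC_SECRET, code, now))
```

Two details matter in the verifier: the comparison is constant-time, and a time step that has already been accepted is refused a second time, so a code phished from a user cannot be reused in the remaining seconds of its window. Keep the server clock NTP-synchronised; the drift window is for the phone’s clock, not the server’s.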

Block Simultaneous Logins

Everything we do online is tied to our IP addresses. An IP address is a unique piece of information used to identify a device on the internet or a local network. Since people (and their devices) can’t physically be in two places at once, there is little reason for anyone to log in from two different IP addresses simultaneously.

Using IP addresses, companies can block simultaneous usage on their accounts from two different IP addresses. So if one user logs in on computer A, then computer B (which is using the same credentials) is automatically logged out so that only one device using a single set of credentials can access the product at a time. This approach makes credential sharing inconvenient and frustrating since both users are continually being logged out by one another and can’t be using the same product simultaneously. 
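One way to implement the single-session rule described above, as an added example rather than the post’s or any vendor’s code: an in-memory session store (a production service would use a shared store such as Redis) that revokes an account’s existing session when the same credentials log in from a different IP address. Because many devices behind one NAT gateway or mobile carrier share a single IP, the code treats a repeat login from the same address as the same device; real deployments usually key on a device identifier as well. The credential check itself is assumed to have already passed.

```python
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    token: str
    account: str
    ip: str
    created: float


class SessionManager:
    """Allows at most one live session per account (constructed example)."""

    def __init__(self) -> None:
        self._by_token: dict[str, Session] = {}
        self._active: dict[str, str] = {}  # account -> token of its one live session
        self.audit: list[str] = []         # revocation events a SIEM could ingest

    def login(self, account: str, ip: str) -> str:
        """Issue a session for an already-authenticated account.
        A live session for the same account from another IP is revoked."""
        old_token = self._active.get(account)
        if old_token is not None:
            old = self._by_token[old_token]
            if old.ip == ip:
                return old_token  # same address: treated as the same device (NAT caveat)
            del self._by_token[old_token]
            self.audit.append(
                f"{account}: session from {old.ip} revoked by new login from {ip}")
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Session(token, account, ip, time.time())
        self._active[account] = token
        return token

    def is_valid(self, token: str) -> bool:
        """True only for an account's current session; a revoked token fails."""
        return token in self._by_token

    def logout(self, token: str) -> None:
        sess = self._by_token.pop(token, None)
        if sess is not None:
            self._active.pop(sess.account, None)
```

The audit line is the detection hook: a burst of revocations on one account from alternating addresses is the signature of two people fighting over one set of credentials.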

Pay Users for Referrals

While it won’t single-handedly stop credential sharing, paying users for referrals can help discourage this practice by making referrals a more attractive option. Paying for referrals re-frames credential sharing as a money-losing endeavor. Ordinary credential sharing is a net-neutral financial option for paid users: after all, it isn’t like they are paying extra to let their friend, family member, or co-worker use their credentials. When you add a referral bonus, credential sharing is re-framed as a loss. 

Offering existing users a percentage of each sale, a flat rate fee, or a discount when they refer a friend incentivizes existing users to get their friends, family members, or co-workers to pay for their own accounts rather than engage in credential sharing behaviors.

Credential sharing is harmful and needs to be discouraged, whether you are concerned about paid users sharing their accounts with unauthorized, non-revenue generating users or worried about how co-workers sharing accounts impacts your organization’s security. For more information about the security, financial, and other harms credential sharing can cause, or tips on reducing or eliminating credential sharing, please contact our team today.

Suggested Reading

Cybersecurity is a complex and continually evolving field. To help your team stay up to date on the latest developments and best practices, please visit our articles and resources page and consider reviewing these suggested educational articles and resources.

Cybersecurity Basics For All Organizations

Cybersecurity Basics By Industry

Minimizing Your Risks

Common Threats (and How to Avoid Them)

The Growing Trend of “Hacktivism”, & What it Means for Businesses

When most people think of a hacker, they think of a loner hiding in a dark basement, destroying computer systems and other digital resources for personal financial gain, or a sophisticated computer whiz employed by a foreign government up to no good. 

However, in recent years, a growing number of hackers have been putting their skills to use for a different reason: activism. This trend, dubbed “hacktivism”, is on the rise and can have serious consequences for businesses of all sizes in all verticals and industries. 


What is Hacktivism?

Information security researcher Dorothy Denning defines hacktivism as “the marriage of hacking and activism”, more specifically, using computers to achieve a political agenda through legally ambiguous means. As a general rule, hacktivism aims to obstruct normal computer and business activities in some way but, unlike other forms of hacking, does not necessarily aim to cause permanent injury or significant financial loss and is rarely motivated by financial gain. 

Hacktivism Can Be a Force for Good…

When most readers think of hacktivism, they think of large-scale political movements and revolutions such as the Arab Spring, which depended at least in part on technology and hacktivism. 

In 2011, when young protesters took to the streets in cities across the Middle East to rally against oppressive governments, some who had held power for decades, they were emboldened and assisted by technology. In the eyes of some, WikiLeaks and Anonymous played a key role in creating the social conditions that allowed the Arab Spring to happen by posting damning secret government documents online before the protests began. 

A specific example of this hacktivism was the uprising in Tunisia, which was initially largely ignored by the foreign media. When members of Anonymous realized the significance of the uprising, they partnered with Tunisian dissidents to help them share videos of what was really happening on the ground with the outside world. They also created a “care packet” (available in English, Arabic, and French) that offered dissidents advice on how to conceal their identities on the internet to avoid detection by the former Tunisian regime’s cyberpolice.

Though most believe the Arab Spring to be a positive and necessary step, the hacktivism that accompanied it, particularly the act of disclosing confidential documents and personnel files indiscriminately, could endanger lives. Anonymous and similar hacktivist organizations do not always carefully vet what information they release, which could inadvertently expose innocent individuals to cybersecurity threats.

… But it Frequently Harms Innocent Organizations & Individuals

The goal of most hacktivists is to draw attention to a particular cause using virtual political activism. This can be a noble goal, as demonstrated during the Tunisian uprising, but not all hacktivists are so altruistic. Unfortunately, many hacktivists are also not particularly concerned about avoiding collateral damage while carrying out their activist activities, and innocent parties can be caught in the crossfire. 

For example, while protesting the recent police actions on the Bay Area Rapid Transit (BART) system in San Francisco, a hacktivist posted the full names, addresses, and cell phone numbers of over 2,000 MyBART subscribers (ordinary transit users) online, increasing their chances of being targeted by identity thieves and other criminals.

In a recent article by PC World, a former member of Anonymous called “SparkyBlaze” admitted that he was “fed up with [Anonymous] putting people’s data online and then claiming to be the big heroes.” He also stated that “Getting files and giving them to WikiLeaks, that sort of thing does hurt governments. But putting user names and passwords on a Pastebin doesn’t [affect governments], and posting the info of the people you fight for is just wrong.”

While some hacktivist organizations, like other activist organizations, might be doing real good, too many are using the guise of activism to cause significant harm to innocent organizations and individuals. 

As one article published in the Journal of Human Rights Practice puts it, unlike more familiar forms of activism, hacktivism can often be anonymous, allowing it to operate with a kind of impunity afforded by technology. As such, hacktivists are accountable to no one, not even the organizations, groups, and individuals they aim to help, which is deeply problematic.

Many hacktivist organizations, including Anonymous and WikiLeaks, engage in highly questionable activities, which they are able to do because of the anonymous nature of hacktivism. Since there is no way to hold individuals accountable, they are incredibly dangerous, both for the problematic organizations and governments they target and for the rest of us. 


A Brief History of Hacktivism: Six Infamous Events

While hacking has been around since the 1950s, hacktivism as a concept didn’t really emerge until 1989, when the first “hacktivist” action (referred to as Worms Against Nuclear Killers) took place. 

Worms Against Nuclear Killers (1989)

The 1989 attack, which many believe to be the work of Melbourne-based hackers “Electron” and “Phoenix”, used a worm to infiltrate computers at both NASA and the US Energy Department. The worm altered the login screen of infected computers to display the message “Worms Against Nuclear Killers” and was fueled by rising anti-nuclear sentiment. A second worm, called OILZ, was also deployed and contained bugs designed to prevent access to accounts and files by changing passwords. The goal of this attack was to attempt to shut down the DECnet computer network in the days before a NASA launch, causing disruption and costing roughly half a million dollars in damages and lost time.

Hacktivism has only grown in both scope and influence. Other influential campaigns include:

Hacktivismo Declaration (2001)

Hacktivismo, an offshoot of the hacker group Cult of the Dead Cow (cDc), emerged when they released their declaration that aimed to elevate freedom of speech. During this event, the group explicitly attempted to both engage in civil disobedience and explain the reasoning behind their actions.

The declaration released by Hacktivismo cited two United Nations documents, the International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights, and included an FAQ that stated that the main purpose of their actions was to “cite some internationally recognized documents that equate access of information with human and political rights”.

With their declaration, the group aimed to create both moral and legal grounds for future hacktivists to launch their campaigns. The group went on to release a web browser, called Peekabooty, that prevents censorship by nation-states that deny or restrict internet access.

Project Chanology (2008)

When a video of actor Tom Cruise voicing his affiliation with the Church of Scientology appeared on YouTube, the church forced the video hosting platform to remove it. In response to the censorship, Anonymous launched a DDoS (Distributed Denial of Service) attack against the Church of Scientology website, which was also defaced. A series of prank calls and black faxes followed the DDoS attack, and Anonymous also distributed private church documents stolen from Scientology computers during a doxxing attack.

The hacktivist actions were also paired with in-person protests across the country where protesters donned the now infamous Guy Fawkes masks associated with Anonymous.

US Executive Branch Attack (2013)

Believed to be associated with Syrian President Bashar al-Assad, the Syrian Electronic Army (SEA) has carried out a number of attacks using both spear-phishing and DDoS techniques designed to compromise and deface government, media, and privately-held organizational websites.

The group successfully released a fake tweet claiming that an explosion at the White House had injured the President. After the tweet went live, the Dow briefly plunged 140 points. In 2016, the FBI charged two SEA-affiliated individuals with the attack.

Clinton Emails Leak (2016)

This attack, a joint venture between WikiLeaks and Russia’s foreign military intelligence directorate Glavnoye Razvedyvatel’noye Upravleniye (GRU), focused on emails between then-presidential candidate Hillary Clinton and her campaign manager. The emails were illegally obtained by the GRU and released by WikiLeaks, and the goal was to discredit Ms. Clinton in order to further the campaign of her opponent Donald Trump.

Hackers used spear-phishing emails to steal credentials from DNC members and gain unauthorized access to the emails. The campaign significantly impacted the Clinton campaign and may have contributed to her loss. Following the leak, the US Department of Justice indicted 12 Russian hackers for the incident.

Black Lives Matter Movement (2020)

While the BLM (Black Lives Matter) movement reaches beyond the realm of hacktivism, the group Anonymous did throw their weight behind this movement protesting police corruption following the death of George Floyd. The group had also voiced similar condemnations in the past following the murders of Michael Brown and 12-year-old Tamir Rice.

In support of the social-justice-focused BLM movement, Anonymous released a video on Twitter that specifically criticized the Minneapolis police department in the wake of the shooting. As a result of the video, Anonymous’ Twitter account gained 3.5 million new followers in the following days, and the campaign has been linked to a series of DDoS attacks that briefly shut down the Minneapolis police department website, its parent website, and the Buffalo, New York government website over the course of a single weekend.

How Hacktivism Harms Businesses

While some hacktivist activities, such as creating open-source software that allows people in China to circumvent government censorship, are arguably good, we have seen that hacktivism also has a dark side. 

Hackers of all stripes, including some hacktivists, often use open-source hacking tools to penetrate networks with the goal of paralyzing or destroying legitimate businesses. This can be done for a variety of reasons, including retaliation, as in the case of George Hotz.

Sony vs Hotz

In 2010, then-teenage researcher George Hotz (now President at comma.ai) was able to reverse-engineer the Sony private key and publish it online. This allowed almost anyone with an internet connection to rewrite Sony’s firmware and classify themselves as a developer on the Sony network, gaining free access to all of Sony’s online games. This action adheres to the philosophy that many hacktivists and other hackers share, which deems that all information, even proprietary information, should be free.

In response to his actions, Sony sued Hotz, which attracted the attention of hacktivists. The company was targeted by several DDoS attacks and a data breach, which exposed the credit card numbers of 12 million innocent customers, as well as 75,000 “music codes” and 3.5 million “music coupons”, resulting in massive financial losses for the company. All in all, Sony estimates they lost about $173 million, including the cost of increased customer support, incentives to woo customers back, legal costs, loss of sales, and the costs to improve their cybersecurity systems.

Ultimately, regardless of the goal of the hacktivist organization, gaining unauthorized access to a company’s network or other digital assets is wrong, and companies need to take steps to ensure their cybersecurity posture is robust enough to thwart attacks and avoid or at least minimize damage. 

Is your organization prepared? For more information, or to start crafting your incident response plan, please contact our team today.

Suggested Reading

Cybersecurity is complicated, and the field continues to evolve in response to new threats, so keeping up to date is critical for safeguarding your organization and its digital assets. To help you expand your knowledge and stay up to date, please consider visiting our blog and reviewing these suggested educational articles and resources.

Cybersecurity Basics For All Organizations

Cybersecurity Basics By Industry

Minimizing Your Risks

Common Threats (and How to Avoid Them)