Virtual Armour
What is Cybersecurity Insurance (& Does Your Business Need It?)

An unfortunate reality of the modern, connected business world is that it is no longer a question of if your organization will experience a cybersecurity incident, but when. In 2020, there was one new ransomware victim every ten seconds, while the average cost of a data breach the same year was $3.86 million.

Those eye-watering numbers have organizations of all sizes and in all verticals justifiably concerned. Improving your cybersecurity posture and having an effective incident response plan in place can significantly reduce the downtime your organization experiences when an incident occurs, and can minimize or even eliminate damages. However, to help offset the costs of recovering from a cybersecurity incident, more organizations than ever before are turning to cybersecurity insurance.

What is Cybersecurity Insurance?

Cybersecurity insurance (also called cyber liability insurance) is designed to cover the costs associated with cybercrime should your technological systems or customer data be targeted as part of a cybersecurity incident. While your exact coverage will vary depending on your insurance provider and other factors, cyber liability insurance typically covers legal costs and damages such as:

Cyber Liability Insurance vs Cybercrime Insurance: What is the Difference?

Some insurance providers also offer cybercrime insurance in addition to cyber liability insurance. This additional coverage is designed to compensate your organization for funds lost directly during a cybersecurity incident such as a hack or a social engineering attack (for example, money wired to a fraudster), and may also extend to notification costs, data restoration costs, and associated legal expenses.

What Typically Isn’t Covered

Like all forms of insurance, there are a few things cyber liability insurance typically doesn’t cover. While what is and is not covered will vary depending on your insurance provider and policy, typical exclusions include:

  • Potential future lost profits
  • Loss of value due to intellectual property theft
  • Betterment, which is the cost to improve your internal technology systems, including software or security upgrades, after an attack has occurred

Common Types of Cyber Liability Claims

When it comes to insurance claims, most cyberattacks fall into one of three categories: hacking, social engineering, and malware (including ransomware).

Hacking

Hacking (gaining unauthorized access to a computer system, usually by exploiting existing security vulnerabilities) is the most common type of attack that leads to an insurance claim. This is because if an attacker compromises your system or network, your company could be liable for a wide variety of costs related to the attack, including:

  • Third-party lawsuits
  • The costs associated with notifying affected parties and other stakeholders
  • Public relations and reputation management costs
  • Regulatory fines

Social Engineering

Social engineering attacks (including phishing scams) depend on an attacker tricking someone inside your company into helping them. Attackers trick unwitting individuals with access to your systems into essentially opening the door for them, usually by impersonating a trusted party (such as their boss or another superior, someone from accounting, or the bank) and asking them to click a link, hand over their login credentials, or grant access to restricted areas of the network. The employee then unknowingly either lets the attacker into the network or downloads malware, which grants access or otherwise allows the attacker to wreak havoc.

Malware

Malware, short for malicious software, comes in a variety of forms and is an incredibly common type of cyberattack. Malware can be difficult to defend against because each family behaves differently and uses different strategies to infiltrate your network. Ransomware is a very common form of malware that encrypts your data or locks you and your employees out of your systems. The attacker then demands a ransom in exchange for releasing or unlocking the system. However, not all attackers follow through on their end; some simply take the ransom money and leave the systems locked.

First-Party vs Third-Party Insurance

What type of cyber liability insurance your organization decides to purchase should be based on a variety of factors, including your needs as an organization and what entities you need to protect. Unfortunately, when it comes to cyberattacks, the business originally targeted is not the only party that may be impacted. As such, there are two different types of cyber liability insurance: first-party and third-party.

First-party insurance protects your company or organization and will cover the costs outlined in your policy associated with an attack. Any organization that handles electronic data should purchase a first-party policy to cover the various expenses that organizations face in the wake of a cybersecurity incident.

Third-party insurance is designed to protect organizations that offer professional services to other businesses that could be impacted in the event of an attack. This type of coverage is often compared to professional liability insurance in the sense that the third-party insurance can help safeguard your business in the event you are sued by another organization for errors you may have made that resulted in damages or losses to the company suing you.

For example, let’s say your organization is a law firm. Your law firm’s data security is compromised, and as a result, several of your clients have accused you of failing to prevent the data breach. In this instance, the third-party cyber-liability insurance would cover your legal fees, government penalties and fines, and any settlements or judgments related to these claims.

What is the Average Cost of Cybersecurity Insurance?

How much your cyber liability insurance plan costs will depend on a variety of factors, including the type of business you run and the level of cyber risk you are exposed to. However, a recent study by AdvisorSmith Solution Inc found that the average cost of a cyber liability policy in 2019 was $1,500 per year for $1 million in coverage with a $10,000 deductible.

How much your policy costs will also depend on:

  1. Your size and industry: The more employees you have, the greater the chance that one of them falls for a phishing or other social engineering attack, which drives up your premiums. However, a larger factor is your industry. Industries are classified as low, medium, or high risk depending on the type and amount of data organizations in that industry typically store.
  2. How much data you store, and how sensitive it is: Low-risk organizations, such as small local businesses with limited customer bases, will pay less for their coverage than higher-risk organizations such as retail stores that collect and store customer credit card numbers both in-store and online through their website or eCommerce store. Organizations that store large amounts of highly sensitive personal data (such as social security numbers or dates of birth), such as hospitals or other healthcare facilities, will pay higher premiums.
  3. Your annual revenue: In the eyes of most insurance companies, the more money your business makes, the more likely a cybercriminal is to target your organization. As such, organizations with higher revenue are more likely to pay higher premiums for cyber liability insurance.
  4. How robust your cybersecurity posture is: Most insurance companies reward organizations that take cybersecurity seriously and dedicate significant resources and people hours to safeguarding their digital assets. To help keep insurance costs low, all organizations (particularly high-risk ones) should invest in robust security controls and ensure their employees receive appropriate cybersecurity training.
  5. The terms of your policy: Your coverage limits and deductible also play a significant role in determining your premiums. The more coverage you want, the higher your premiums will be. Your deductible is the amount of loss your business is responsible for in the event of an incident covered by your policy. Organizations that opt for a higher deductible (absorbing more of the initial costs themselves) typically pay lower premiums but are on the hook for more of the damages in the event of an incident. Organizations that opt for a lower deductible pay higher premiums but have more of their losses covered. Organizations with robust security measures in place may opt for lower premiums and a higher deductible, while high-risk organizations that store lots of sensitive data may opt for higher premiums in exchange for a lower deductible.

Does My Business Need Cybersecurity Insurance?

If your organization handles electronic data, you should have at least a basic cyber liability insurance plan in place. Like all forms of insurance, cyber liability insurance is there to cover worst-case, what-if scenarios.

Handing over funds for cyber liability insurance every month may seem like an unnecessary expense, but a large-scale cybersecurity incident can be enough to bankrupt a small or even medium-sized organization and destroy your reputation. Having access to emergency funds to defray costs such as hiring an expert team to help you fend off an attack in progress and limit damages, replacing damaged equipment, paying fines, covering your legal costs, and managing your reputation after an incident could be the difference between your organization weathering the storm relatively unscathed or folding under the pressure.

Take a Proactive Approach

Investing in a robust yet flexible cybersecurity posture will do more than just help keep your premiums low; it can also help your organization fend off attacks in real-time and limit or even eliminate permanent damage to your infrastructure.

Investments such as employee cybersecurity training (both as ongoing training and part of your employee onboarding process) can also help safeguard your organization by giving your team the tools they need to spot suspicious activities (such as phishing scams) and sound the alarm before any damage can be done.

Selecting the Best Insurance Provider for Your Organization

With cybercrime on the rise, more insurance companies than ever are offering cyber liability insurance. As with any insurance policy, it often pays to shop around. Start by finding out if your existing insurance provider offers cyber liability insurance. If they do, you might be able to negotiate a break on your premiums or a better deductible in light of your existing relationship.

However, it also helps to shop around and see what other providers and policies are available. Since the cost of your insurance plan is typically determined in part by your industry or vertical, it can help to reach out to other organizations like yours for recommendations and advice. You may also want to consider consulting with your MSSP (Managed Security Services Provider) to see if they have any recommendations. MSSPs have extensive cybersecurity experience and work with a variety of organizations, so they may be able to help you determine what sort of policy is best for your organization’s unique needs.

For more information about the importance of cyber liability insurance, and cybersecurity in general, please contact our team today.

Guide to Creating an Effective Incident Response Plan

It’s always best to take a proactive, rather than a reactive, approach to almost any problem or potential problem. In a world where breaches and other cybersecurity threats and incidents have become commonplace, it is no longer a question of if your organization will be targeted, but when.

To best safeguard your organization’s digital assets and reputation, you need to develop a robust yet flexible incident response plan tailored to your company’s unique needs. A comprehensive plan allows you to respond to incidents quickly and effectively and is crucial for minimizing damage and recovering from an incident.

If you have experienced or are currently experiencing a security incident, please contact our team right away by calling (855) 422-8283 anytime 24/7/365. You should also consider reviewing our guide: Hacked? Here’s What to Know (and What to Do Next).

What is an Incident Response Plan?

At its core, an incident response plan is a set of instructions developed by your team (and likely with assistance from your managed security services provider) that tells your team how to detect, respond to, and recover from a security incident. Though most incident response plans tend to be technologically centered and focus on detecting and addressing problems such as malware, data theft, and service outages, a security incident can have a widespread impact on all of your organization’s usual activities. As such, a good incident response plan will not only provide instructions for your IT department but will also provide guidance and critical information to other departments and stakeholders, such as:

  • Human resources
  • Finance
  • Customer service
  • Employees
  • Your legal team
  • Your insurance provider
  • Regulators
  • Suppliers
  • Partners
  • Local Authorities

If not handled correctly, a security incident can also tarnish your reputation and damage your relationship with your clients, sometimes irreparably.

The 5 Phases of an Incident Response Plan

While NIST publishes a Computer Security Incident Handling Guide (SP 800-61), these general guidelines only offer a starting point. For maximum efficacy, your organization's incident response plan needs to be both specific and actionable, clearly specifying who needs to do what and when. All key stakeholders need to be involved in developing the plan and kept up to date on any changes made to it.

Though your plan will need to be tailored to meet your organization’s unique cybersecurity needs, all VirtualArmour Cybersecurity Incident Response Plans follow the same basic phase format: Hunt, Alert, Investigate, Remediate, Review, and Repeat.

Phase 1: Hunt & Alert

The only way you can respond to a threat is if you know it is there. All organizations should take a proactive, rather than a reactive, approach to their cybersecurity. This includes actively hunting for potential security threats and reviewing your security protocols frequently to ensure they are continuing to meet your organization’s needs. 

To hunt for security threats, you should be monitoring inbound email for signs of trouble such as phishing (spoofed or look-alike sender domains, failed SPF/DMARC checks, urgent requests for credentials or payments) and investing in security tools that alert you to potentially suspicious activity.
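The social engineering pattern described earlier (an attacker impersonating a boss or the bank and asking for credentials or a payment) and the email monitoring described here come down to the same triage question: which inbound messages carry phishing indicators? The script below is an added example, not VirtualArmour's tooling or anything from the article. It scores raw email headers and body text for the indicators named above. The three messages, the organisation's domain (example.com), the executive name list and the scoring threshold are all constructed assumptions; a real deployment would feed parsed messages from the mail gateway and tune the rules.

```python
"""Phishing-indicator triage over raw e-mail messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

LEGIT_DOMAINS = {"example.com"}   # assumed: the organisation's own mail domain
EXEC_NAMES = {"jane doe"}         # assumed: people attackers like to impersonate
# Urgency / credential language typical of BEC and credential phishing.
URGENT = re.compile(
    r"\b(urgent|immediately|verify your (account|password)|wire transfer)\b", re.I)


def _is_internal(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in LEGIT_DOMAINS)


def _looks_alike(domain: str) -> bool:
    """True for look-alike domains such as exarnple.com or example-payroll.net."""
    if _is_internal(domain):
        return False
    # Undo the most common visual substitutions before comparing.
    normalised = domain.replace("rn", "m").replace("1", "l").replace("0", "o")
    for legit in LEGIT_DOMAINS:
        base = legit.split(".")[0]
        if base in domain or base in normalised:
            return True
    return False


def score_message(raw: str) -> dict:
    """Return the sender, the list of indicators found and a verdict.
    Two or more indicators marks the message as suspicious (assumed threshold)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []

    # Display name of an executive arriving from an external domain.
    if name.lower() in EXEC_NAMES and not _is_internal(domain):
        findings.append("executive display name from external domain")
    if _looks_alike(domain):
        findings.append(f"look-alike sender domain {domain}")
    # Claims to be internal but the gateway's authentication checks failed.
    auth = msg.get("Authentication-Results", "")
    if _is_internal(domain) and ("spf=fail" in auth or "dmarc=fail" in auth):
        findings.append("claims internal domain but fails SPF/DMARC")
    # Replies silently redirected to a different domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        findings.append("Reply-To domain differs from From domain")
    text = msg.get("Subject", "") + "\n" + (msg.get_payload() or "")
    if URGENT.search(text):
        findings.append("urgency / credential language in body")

    return {"from": addr, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages (not real mail).
MSG_LOOKALIKE = """From: Jane Doe <jane.doe@exarnple.com>
To: bob@example.com
Reply-To: payments@mail-accounts.net
Subject: wire transfer

Bob, I need you to process this wire transfer immediately, I'm in a meeting.
"""

MSG_SPOOFED = """From: IT Helpdesk <helpdesk@example.com>
To: bob@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail
Subject: Password expiry

Please verify your password at the link below within 24 hours.
"""

MSG_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dmarc=pass
Subject: lunch

Want to grab lunch Thursday?
"""

if __name__ == "__main__":
    for sample in (MSG_LOOKALIKE, MSG_SPOOFED, MSG_LEGIT):
        print(score_message(sample))
```

The look-alike check is deliberately crude; in practice you would compare against a maintained list of your domains and brands and add homoglyph handling, but even this form catches the "exarnple.com" trick and the Reply-To redirection that BEC attempts rely on.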

Should any suspicious activities be detected, you need to have a process in place to ensure your internal security team or MSSP is made aware of the issue so they can help you determine if the threat is credible. Should you discover a threat during this preliminary phase, you also need protocols in place to: 

  • Assess how serious the threat is
  • Determine whether a breach is imminent
  • Activate your security incident response plan (including alerting all internal and external stakeholders)
  • Allocate resources (including pulling employees away from regular tasks to deal with the threat)
  • Address the threat (ideally before any significant damage has been done)

Why You Should Consider Pen Testing

An excellent way to identify gaps in your security before they can be used against you is pen (penetration) testing. Pen testing involves hiring an ethical hacker to attack your network and other IT infrastructure and look for gaps in your defenses that could be exploited. 

As the hacker stress tests your cybersecurity, the hacker notes any flaws they managed to exploit to gain entry to your system so that you can address these shortcomings and shore up your defenses. Once the test is complete, the ethical hacker reviews their findings with you and offers recommendations to improve your security. Essentially, by hiring a good guy to look for deficiencies in your current security posture, you can address those issues before the bad guys discover and exploit them.

Phase 2: Investigate

Once an alert has been confirmed as a genuine incident, investigate its scope: which systems and accounts are affected, how the attacker got in, and what they have accessed. Your top priority during this phase is containing the threat and minimizing damage. Once the threat has been dealt with, you should review both the threat and your response to help ensure the same technique cannot be used against you again.

Phase 3: Remediate

Once you have contained and eliminated the threat, it is time to begin cleaning up the mess. Your recovery and remediation process should include notifying all appropriate external entities (including your customers, relevant regulators, and potentially impacted third parties such as suppliers). Impacted external entities should be told the nature of the incident (ransomware attack, DDoS attack, etc.) and the extent of the damage.

The remediation process also needs to involve gathering and preserving evidence so that it can be reviewed by your security team, your MSSP, and regulators, as well as law enforcement (if appropriate). Once you have the evidence, you will need to perform a root cause analysis to determine the underlying problem, what steps need to be taken to address it, and how to ensure a similar incident cannot happen again.

The remediation process may also involve:

  • Replacing damaged or compromised equipment
  • Restoring systems from backups
  • Addressing any vulnerabilities the attacker was able to exploit
  • Updating your security controls (changing passwords, installing security patches, etc.)

Phase 4: Review

If you are targeted, one of the best things you can do to best safeguard your organization going forward is to learn from what transpired. As part of your review process, make sure you gather all internal and external team members involved and discuss your response to the incident and identify any shortcomings or oversights that need to be addressed.

As part of this phase of the incident response plan, the VirtualArmour team will help you assess your current incident response plan and offer suggestions for improvements. 

Practice Makes Perfect: The Benefits of Tabletop Exercises

As part of your ongoing security training, you should consider running tabletop exercises with your security team as well as all internal and external team members that are involved in responding to security incidents. 

Tabletop exercises work like fire drills, presenting your team with a hypothetical security incident and allowing them to practice responding in a no-stakes environment. Not only do tabletop exercises give your team valuable practice before an incident occurs, but they also allow your organization to assess the efficacy of your current incident response plan so that any shortcomings or other problems can be addressed before an incident occurs.

Phase 5: Repeat

Just because your team managed to identify and effectively respond to a security incident doesn’t mean your organization is safe forever. Constant vigilance is required to ensure your team is always ready to respond to threats, regardless of what attackers throw at you.

Does My Organization Need an Incident Response Plan?

All organizations, regardless of size or vertical, need to have an incident response plan in place. 

When Should My Organization Begin Developing Our Incident Response Plan?

Because you will never know when disaster will strike, you should begin developing your incident response plan as soon as possible. If you aren’t sure where to begin, we suggest you get started by:

  1. Review the NIST guidelines (SP 800-61).
  2. Create the living document your plan will reside in and meet with stakeholders to begin fleshing it out. This document should include:
    1. Your incident response mission statement: The job of this section is to outline why you need an incident response plan and what it is meant to achieve.
    2. Roles and responsibilities: Explicitly name who is involved in the incident response plan, why they are involved, and their role should an incident occur, including a backup for each role.
    3. Incidents you are likely to encounter: This section will outline what types of incidents your organization is likely to encounter (ransomware attacks, DDoS attacks, etc.) and how you will respond to each.
    4. Emergency contact details for all relevant parties: This includes both members of the incident response team and regulators. You may also want to include contact information for local law enforcement and your cyber insurance provider here as well.
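Because the plan is a living document, the practical failure mode is not that a section is absent but that it silently goes stale: a role with no backup, an incident type with no playbook, a contact entry left blank, a review date a year old. The script below is an added example, not VirtualArmour's tooling, that checks a plan for exactly those gaps. The plan structure mirrors the four sections listed above; the sample plan, its field names, the list of required roles and contacts, and the one-year review window are constructed assumptions.

```python
"""Completeness check for an incident response plan document (added example)."""
from datetime import date, timedelta

# Constructed sample plan. In practice this would be loaded from the living
# document (YAML, a wiki export, etc.); deliberate gaps are left in to show
# what the validator reports.
SAMPLE_PLAN = {
    "mission": "Limit damage and downtime from security incidents and meet "
               "our notification obligations.",
    "roles": {
        "incident_commander": {"owner": "Jane Doe (CTO)", "backup": "Sam Lee",
                               "contact": "+1-555-0100"},
        "legal": {"owner": "General Counsel", "backup": "", "contact": "+1-555-0101"},
        "pr": {"owner": "Comms lead", "backup": "Comms deputy", "contact": ""},
        "mssp": {"owner": "MSSP on-call", "backup": "MSSP duty manager",
                 "contact": "+1-555-0102"},
    },
    "incident_types": {
        "ransomware": {"playbook": "isolate hosts, engage MSSP, restore from offline backups",
                       "lead": "incident_commander"},
        "ddos": {"playbook": "", "lead": "incident_commander"},
        "phishing": {"playbook": "reset credentials, search mailboxes, notify HR",
                     "lead": "helpdesk"},
    },
    "external_contacts": {
        "regulator": "privacy@regulator.example",
        "law_enforcement": "",
        "cyber_insurer": "claims@insurer.example",
    },
    "last_reviewed": date(2020, 1, 15),
}

REQUIRED_ROLES = {"incident_commander", "legal", "pr", "mssp"}          # assumed
REQUIRED_CONTACTS = {"regulator", "law_enforcement", "cyber_insurer"}  # assumed
MAX_REVIEW_AGE = timedelta(days=365)                                   # assumed


def validate_plan(plan: dict, today: date) -> list:
    """Return a list of human-readable findings; an empty list means the plan
    passes every check."""
    findings = []
    if not plan.get("mission"):
        findings.append("mission statement missing")

    roles = plan.get("roles", {})
    for role in sorted(REQUIRED_ROLES - roles.keys()):
        findings.append(f"required role not defined: {role}")
    for role, spec in roles.items():
        if not spec.get("owner"):
            findings.append(f"role {role} has no named owner")
        if not spec.get("backup"):
            findings.append(f"role {role} has no backup (single point of failure)")
        if not spec.get("contact"):
            findings.append(f"role {role} has no out-of-hours contact")

    # Every incident type needs a playbook and a lead that actually exists.
    for kind, spec in plan.get("incident_types", {}).items():
        if not spec.get("playbook"):
            findings.append(f"incident type {kind} has no playbook")
        if spec.get("lead") not in roles:
            findings.append(f"incident type {kind} names unknown lead role {spec.get('lead')}")

    contacts = plan.get("external_contacts", {})
    for name in sorted(REQUIRED_CONTACTS):
        if not contacts.get(name):
            findings.append(f"external contact missing: {name}")

    reviewed = plan.get("last_reviewed")
    if reviewed is None or today - reviewed > MAX_REVIEW_AGE:
        findings.append("plan not reviewed within the last year")
    return findings


if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_PLAN, date.today()):
        print("-", finding)
```

Run it from a scheduled job or a CI check on the plan repository so that a blank contact field or an expired review date is caught before an incident, not during one.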

Assembling Your Team: Who Needs to Be Involved While Developing & Actioning Your Incident Response Plan

Who is involved in developing and actioning your incident response plan will vary depending on your organization’s specific needs. However, all organizations should include at least one person from each of the following stakeholder groups.

Your Executive Team

At least one C-suite executive (ideally your CTO) or a similarly ranked decision-maker should be included. This is not only vital to ensure your executive team is kept in the loop but can make it easier to secure resources quickly should an incident occur. 

Your IT Department

Your internal IT department will be integrally involved in any response, so it is vital that they are given a seat at the table. You need to make sure you have a good relationship with your networking team, database team, and developers, though whether you wish to include representatives from these sub-groups will depend on the size and structure of your organization. You should also strongly consider working with your MSSP during the development phase since they will be able to offer valuable insights and approaches you may not have considered.

You should also consider engaging with your hosting providers and service providers, though this may simply involve sharing your finalized plan with them and informing them of any changes, so they are up to date if an incident occurs.

Your Legal Team

Security incidents can become a legal nightmare, so your legal team or company lawyer must be included. During the incident response plan development process, you will need to make decisions regarding what is reported and to whom. Your incident responders should be chosen for their technical skills, not their legal skills, so your legal team must be intimately involved in the development process.

Human Resources

Many security incidents occur because of users (such as an employee falling for a phishing scam), so having a member of your human resources team at the table is critical. Your incident response team needs to be able to handle user-caused incidents delicately and respectfully and ensure your response plan complies with all relevant laws from a human resource perspective. HR can help ensure compliance and should be involved in the incident response plan development process. If an incident occurs, they should also be pulled in on an as-needed basis. 

Your Public Relations Team

Security incidents can quickly become public knowledge, whether you are ready to share the details or not. Like your HR team, your PR team should be kept in the loop during an incident, but their expertise is particularly invaluable during the remediation phase.

Looking for Guidance or Advice? VirtualArmour is Here to Help

Creating an incident response plan from scratch may seem like a daunting task. So much rides on having a robust plan in place that is flexible enough to be updated quickly as your organization's needs evolve. Many small and medium-sized organizations do not have the bandwidth or expertise to develop a good incident response plan on their own. That is where MSSPs like VirtualArmour come in.

Our team of security experts has extensive experience working with organizations of all sizes in a variety of verticals, including healthcare, financial services, retail, energy, and service providers. For more information about the importance of having a security incident response plan, or to begin work on your own plan, please contact our team today.

Suggested Reading

Cybersecurity is a complex and continually evolving field. To help keep your knowledge up to date, please visit our blog and consider reviewing these suggested educational articles and resources.

Knowledge is Power: Our Cybersecurity Predictions for 2021

5 Major Companies Were Recently Breached: Where Are They Now?

5 Major Companies Were Recently Breached: Where Are They Now?

2020 was a record-breaking year in the cybersecurity world, both when it comes to the amount of data lost in breaches as well as the eye-watering number of cyber attacks on companies, governments, and individuals. Ransomware attacks alone have risen 62% since 2019, and this trend doesn’t appear to be waning.

In this article, we will discuss five major companies that were attacked between 2019 and 2021, including the impact of those breaches and how these organizations responded.

If you have experienced, or are currently experiencing, a cybersecurity attack please contact our team immediately for assistance by calling (855) 422-8283 anytime 24/7/365 and consider reading our educational article Hacked? Here’s What to Know (and What to Do Next).

Capital One (2019) 

The Attack

The Capital One hack was first discovered on July 19th, 2019, but likely occurred at the end of March that same year and impacted credit card applications as far back as 2005. The attacker, Paige Thompson, was able to break into the Capital One server and access:

  • 140,000 social security numbers
  • 1 million Canadian social insurance numbers
  • 80,000 bank accounts
  • An undisclosed number of names, addresses, credit limits, credit scores, balances, and other personal information

This devastating attack impacted nearly 100 million Americans and an additional 6 million Canadians. In June of this year, the US Department of Justice announced that they were adding to the charges. Originally charged with one count each of wire fraud and computer crime and abuse, Ms. Thompson now faces six additional counts of computer fraud and abuse and one count of access device fraud.

Capital One’s Response

In an official statement to impacted customers on their website (last updated April 16, 2021, as of the writing of this article), Capital One lays out the damage done and the number of individuals impacted. They go on to stress that no login credentials were compromised.

The statement goes on to provide answers to some pressing questions in the Q&A section and offers practical advice about what Capital One cardholders can do to protect their accounts, including additional steps that individuals can take to protect themselves against fraud and identity theft. American cardholders can find additional information on this FAQ page.

The official FAQ page linked above goes on to mention that all affected Capital One customers will be provided with two years of free credit monitoring and credit protection. The FAQ states that impacted individuals should have received either an email or a letter outlining the enrollment process for this service, including an activation code.

The FAQ goes on to discuss what individuals should do if they received a possible scam email, call, or text related to the incident, which indicates scammers are piggybacking on this breach in an attempt to further victimize impacted individuals.

Capital One also agreed to pay an $80 million fine to US regulators over the incident.

Capital One did have a plan in place to recognize and respond to the breach (highlighting the importance of having an incident response plan). The incident was discovered via an external vulnerability report, and once it was discovered, Capital One responded swiftly and worked hard to keep impacted individuals in the loop. Ms. Thompson was arrested a mere 12 days after the initial vulnerability report was received.

Facebook (2019) 

The Attack

The data at issue was scraped from Facebook in 2019, the same year in which it also came to light (in April 2019) that two third-party Facebook app datasets had been exposed to the wider internet. The scraped dataset, containing private information on 533 million accounts, was then posted online for free in April 2021, greatly increasing the rate at which it could be abused by criminals.

The data exposed included phone numbers, dates of birth, current and past locations, full names, and some email addresses tied to the affected accounts. In an official blog post, the company stated that "malicious actors" had scraped the data by exploiting a vulnerability in a now-retired feature that allowed users to find each other via phone number.

Facebook’s Response

Facebook chose not to notify impacted individuals in 2019, and according to this NPR article published in April 2021, they still have no plans to do so. According to a company spokesperson, the company isn’t entirely sure which users would need to be notified and that the decision not to contact users stemmed at least in part from the fact that “the information that was leaked was publicly available and that it was not an issue that users could fix themselves.”

Though Facebook claims to have addressed the vulnerability that allowed attackers to access this data, that is cold comfort for Facebook users. “Scammers can do an enormous amount with a little information from us,” said CyberScout founder Adam Levin when interviewed by NPR. “It’s serious when phone numbers are out there. The danger when you have phone numbers, in particular, is a universal identifier.” Phone numbers are frequently used to connect users to their digital presence, including using them as additional identifiers via two-factor authentication text messages and phone calls. 

Separately, in July 2019 the US Federal Trade Commission fined Facebook $5 billion for violating an earlier agreement the company had with the agency to protect user privacy. That settlement also requires Facebook CEO Mark Zuckerberg to personally certify the company's privacy compliance, exposing him to personal liability for future violations.

If you are concerned that your personal information may have been leaked during the breach, you can use the data tracking tool HaveIBeenPwned to learn whether your Facebook account or other digital accounts, including email, have been compromised.

SolarWinds (2020)

The Attack

Cybersecurity company FireEye first discovered the backdoor in December 2020. The attackers, who are believed to be affiliated with the Russian government, used a supply chain attack to push trojanized updates of SolarWinds' popular Orion network monitoring product to SolarWinds customers.

SolarWinds customers at the time included the following (not all of them were confirmed to have been compromised, since only a subset of those who installed the malicious update were selected for follow-on activity):

  • Multiple US government departments
  • 425 of the US Fortune 500 companies
  • The top ten US telecommunications companies
  • The top five US accounting firms
  • All branches of the US military
  • The Pentagon
  • The State Department
  • Hundreds of universities and colleges worldwide 

The total extent of the damage may never be known, and the attack continues to affect impacted organizations. For example, in July 2021 the US Department of Justice disclosed that the attackers had gained access to Microsoft Office 365 email accounts at 27 US Attorneys' offices as part of the same campaign.

FireEye’s Response

The larger campaign was discovered when FireEye's internal investigators were looking into the original, smaller intrusion into FireEye itself. During that investigation, the backdoor in the SolarWinds Orion code was discovered, prompting the FireEye team to contact law enforcement. Though the SolarWinds attack was devastating, the fact that the attackers chose to target FireEye may actually have lessened the damage, because it was FireEye's investigation that exposed the campaign. According to Charles Carmakal, senior vice president and CTO of Mandiant, FireEye's incident response arm, "one silver lining is that we learned so much about how this threat actor works and shared it with our law enforcement, intelligence community, and security partners."

FireEye took the crucial step of publicly reporting the attack (instead of waiting for impacted customers to discover the issue), conducted a thorough review of the incident, and made sure to share all their information with law enforcement and the US government. As such, the extent of the attack was learned quickly, so impacted companies and government bodies could take appropriate steps. If FireEye had tried to hide the attack from their customers, the damage could have been even worse.

Keepnet Labs (2020)

The Attack

Keepnet Labs is a threat intelligence company that collects and organizes login credentials exposed during other data breaches. If a customer’s details are discovered, Keepnet Labs notifies impacted individuals and offers advice on steps they should take to best safeguard their data and minimize damage.

The Keepnet Labs incident is a little unusual in that it wasn’t actually Keepnet Labs user data that was exposed. Instead, Keepnet Labs had compiled a database of usernames and passwords that had been leaked during a variety of cybersecurity incidents between 2012 and 2019. Attackers were able to exploit a vulnerability in this Elasticsearch database, which was (according to Keepnet) actually maintained by a contractor, not Keepnet Labs themselves.

While performing scheduled maintenance, an employee of the contracted company briefly turned off a firewall to speed up the process, inadvertently exposing the sensitive data for about ten minutes. However, in that short window of time, the database had already been indexed by BinaryEdge, a security-focused company that acquires, analyzes, and classifies internet-wide data. The vulnerability itself was discovered by Bob Diachenko, who accessed the data via BinaryEdge.

As such, the leak wasn’t technically as bad as others mentioned on this list since all the data exposed had already been exposed in previous incidents. However, Keepnet Labs’ handling of the incident was far from ideal.

Keepnet Labs’ Response

After discovering the vulnerability, Diachenko published a security report, which was picked up by a variety of cybersecurity news outlets and blogs covering the leak. However, Keepnet Labs felt that a number of these publications had made misleading statements and contacted several reporters to ask them to edit their articles.

Graham Cluley, a popular security blogger, received one such email from Keepnet. Though he felt his representation of the facts was fair, he was willing to give Keepnet the chance to tell their side of the story. However, instead of an official statement or a chance to speak to a company spokesperson, he instead was contacted by Keepnet’s lawyers, who threatened him with legal action if he didn’t edit his article and remove the company’s name. 

This heavy-handed reaction was only one of several failings on the part of Keepnet to manage the fallout of the attack. It took almost three months for the company to release an official statement to set the record straight, and they refused to work with reporters and bloggers like Cluley to provide accurate facts. Though the security incident itself may tarnish Keepnet’s reputation, their poor handling of the aftermath is likely to cause far more damage.


Microsoft Exchange (2021)

The Attack

The attack was first discovered on March 2, 2021, when Microsoft detected multiple zero-day vulnerabilities in the on-premises versions of Microsoft Exchange Server that were being actively exploited by attackers. Over the following days, nearly 30,000 American organizations were attacked using these vulnerabilities, which allowed attackers to gain access to email accounts and install web shell malware to provide attackers with ongoing administrative access to the victim’s servers.

On the day the attack was first discovered, Microsoft announced that they suspected the culprit was a previously unidentified Chinese hacking group dubbed Hafnium. According to the Microsoft Threat Intelligence Center (MSTIC), this group is suspected to be based in China, state-sponsored, and focused on primarily targeting organizations based in the United States that depend on leased virtual private servers (VPSs).

The actual purpose of the attack is more nuanced. According to Gartner analyst Peter Firstbrook, the attackers are really looking to test the defences of organizations and discover which organizations are lagging behind security-wise. Most organizations that use Microsoft Exchange Servers have moved away from on-premises models to the online Exchange, which means organizations still using on-premises solutions are likely to be late adopters or less security conscious, making them excellent targets.

It has also been speculated that the attacker’s real endgame is not the on-premises servers they are currently targeting but more of a fact-finding mission to help them set up future attacks on high-value targets with connections to those servers. This may include using these email servers to impersonate trusted individuals and use those email accounts to send phishing emails to sensitive targets such as the Defense Department. Much like the SolarWinds attack, the companies currently being attacked may not be the actual target.


Microsoft’s Response

Microsoft has released security updates addressing Exchange Server versions 2010, 2013, 2016, and 2019 to address the software vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). 

Microsoft has also gone out of their way to try and get everyone to pay attention to this attack, particularly since impacted individuals and organizations may be relying on IT generalists (instead of specialized admins) and may not understand what this attack could really mean. If impacted organizations don’t take action, it could have widespread and devastating consequences for the sensitive companies and organizations (such as the Defense Department) that they do business with. Should someone at the Defense Department or another government body fall for a phishing scam perpetrated using these compromised servers, it could compromise US national security. 

An unfortunate truth about the modern security landscape is that it is no longer a question of if your organization will be targeted but when. Security incidents such as the ones listed above can have widespread consequences for the organizations that have been targeted, as well as the organizations and individuals that do business with them. 

The best thing you can do to safeguard your organization and its digital assets is cultivate a robust yet flexible cybersecurity posture, which starts with an incident response plan.

For more information about cybersecurity, or to get started shoring up your defences, please contact our team today.


The Risks of Public WiFi (& How to Protect Yourself)

In a constantly connected world, free WiFi can seem like an oasis in the desert, allowing you to ration your data and safeguarding you from eye-watering overage fees.

Unfortunately, public WiFi is inherently less safe than personal, private networks such as your home internet or the office network. 

Public WiFi Leaves You Vulnerable 

Public WiFi is inherently risky: after all, you have no idea who else is on this network and what they are up to. While businesses such as stores and organizations like your municipality or public library may think they are offering a helpful public service or a valued customer perk, you can’t be sure that they take security as seriously as you do. 


Common Public WiFi Cyberattacks

If you are the victim of a cyberattack, please contact our team immediately and consider reading our educational article Hacked? Here’s What to Know (& What to Do Next).

Man-in-the-Middle Attacks

Man-in-the-Middle (MitM) attacks are one of the most common public WiFi cyberattacks and are, at their core, a form of digital eavesdropping. Essentially, when a device such as your phone, tablet, or laptop connects to the internet via a public WiFi network, data is sent between point A (your device) and point B (the website you are visiting or the server that hosts the app you are using). Man-in-the-Middle attacks allow cybercriminals to camp out between these two points and intercept your traffic, which they can then either read or manipulate. 

Man-in-the-Middle attacks take a number of forms, including interfering with legitimate networks, creating fake networks that the attacker controls, or rerouting internet traffic to phishing or other malicious sites. Compromised traffic is stripped of any encryption protections, which allows the attacker to steal information or change the information you are transmitting. 

Attackers don’t want you to realize they are manipulating your traffic, so it can be difficult to realize an attack has occurred until you discover your email address is being used to send spam, your bank account is empty, or you uncover other evidence of nefarious activity. As such, users must take steps to avoid falling victim to these attacks. 

While using multi-factor authentication can make it more difficult for attackers to gain unauthorized access to your accounts, your username and password can still be compromised. As such, if you absolutely cannot wait to log in to your bank account or conduct other sensitive business, opting for a cellular connection or using your phone as a personal hotspot for your laptop is a better option.

Malware & Malicious Hotspots

While most developers do their best to ensure the programs they create are secure, sometimes mistakes happen, and programs, apps, and websites can inadvertently be left with security holes or other weaknesses. Attackers use these vulnerabilities to sneak malware (malicious software) onto your device. 

Another common technique involves setting up fake hotspots full of malware and making them look like legitimate networks; an attack sometimes referred to as a honeypot. These networks usually adopt reputable names in order to trick victims into connecting. 

For example, let’s say you decide to visit a coffee shop called Kim’s Cafe. You open your phone and, without thinking, select the “Kim’s Cafe” WiFi network. How do you know that network is actually owned by Kim’s Cafe? While some businesses that offer complementary public WiFi post the network name prominently (to help ensure visitors aren’t connecting to suspicious networks), not all businesses do. You can ask a staff member for the name and password for the guest network, but that doesn’t guarantee their network is secure. When in doubt, go without or use your cellular data, don’t just select a network that appears legitimate and hope for the best. 
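As an added illustration (not code from the original article), the check below reads a scan listing, constructed here with made-up SSIDs and BSSIDs, and flags open networks whose name matches or closely resembles a password-protected one, the pattern described for the fake “Kim’s Cafe” hotspot. The CSV layout and the OPEN/WPA2 labels are assumptions.

```python
"""Spotting lookalike ("evil twin") hotspots in a WiFi scan (added example)."""
import csv
import io
import re
from collections import defaultdict

# Constructed scan output, not a real capture. BSSIDs use a locally
# administered 02:... prefix; "OPEN" means no password is required.
SCAN_OUTPUT = """\
ssid,bssid,security,signal_dbm
Kim's Cafe,02:aa:bb:cc:dd:01,WPA2,-55
Kim's Cafe,02:11:22:33:44:55,OPEN,-38
Kims Cafe,02:11:22:33:44:56,OPEN,-40
CityLibrary-Guest,02:aa:bb:cc:dd:02,WPA2,-70
xfinitywifi,02:aa:bb:cc:dd:03,OPEN,-80
"""


def normalize_ssid(ssid: str) -> str:
    """Collapse case, punctuation and spacing so near-identical names compare equal."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def parse_scan(text: str) -> list:
    """Parse the assumed CSV scan format into one dict per network."""
    return list(csv.DictReader(io.StringIO(text)))


def find_evil_twin_candidates(records: list) -> list:
    """Flag open networks whose name matches, or nearly matches, a protected one."""
    groups = defaultdict(list)
    for rec in records:
        groups[normalize_ssid(rec["ssid"])].append(rec)

    findings = []
    for group in groups.values():
        protected_names = {r["ssid"] for r in group if r["security"] != "OPEN"}
        if not protected_names:
            continue  # no protected network of that name to impersonate
        for rec in group:
            if rec["security"] != "OPEN":
                continue
            reason = ("open network using the same name as a protected one"
                      if rec["ssid"] in protected_names
                      else "open network with a lookalike name")
            findings.append({"ssid": rec["ssid"], "bssid": rec["bssid"], "reason": reason})
    return sorted(findings, key=lambda f: f["bssid"])


def audit(text: str) -> list:
    """Convenience wrapper: scan text in, findings out."""
    return find_evil_twin_candidates(parse_scan(text))


if __name__ == "__main__":
    for finding in audit(SCAN_OUTPUT):
        print(f"{finding['ssid']!r} ({finding['bssid']}): {finding['reason']}")
```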


Tips for Staying Safe on Public WiFi

When it comes to public WiFi, caution is the name of the game. The best way to stay safe on a public WiFi network is to not use the public WiFi network. However, we also understand that this can be easier said than done. 

If you do have to use public WiFi, you should start by asking yourself a single question: If someone was reading over my shoulder right now, how would I feel about it? If the thought of some stranger reading your screen makes you anxious or angry, you should probably hold off until you can connect to a secure network. 

To help you get started, here are links to guides on how to manage your security settings on these commonly used web browsers:

Leave Your PII At Home

If you need to use public WiFi, limit your activities as much as possible and avoid visiting any sites or using Apps that involve handing over your personally identifying information (PII), such as banking details, usernames, and passwords, or medical information. You wouldn’t carry a sign around with your personal information splashed all over it, so why would you risk revealing this highly sensitive data on a public WiFi network?

If you have to use a public network, stay clear of apps and websites that require you to log in. Some websites and apps require you to enter things like your full name, phone number, and other identifying information when you create an account, so even if you don’t remember providing that information when you registered, you may inadvertently be exposing that information if an attacker intercepts your internet traffic. 

Consider a VPN

If you spend a lot of time away from your desk and absolutely need to stay connected (say you are traveling for work and don’t have unlimited data), you might want to consider a VPN. A VPN allows you to create a secure connection between your device and another network (such as your work network) over the internet, shielding your browsing activity and keeping you off of public WiFi networks. 

To help safeguard sensitive company data and other digital assets, many employers provide their employees with VPNs to ensure they are always using a secure connection while accessing company data. After all, you have no idea if your employee’s home network, local cafe WiFi, or complimentary hotel network meet your security standards. 

No VPN? Look for the Lock

If you don’t have a VPN, there are still steps you can take to help safeguard your data while using public WiFi. SSL connections add a layer of encryption to your network traffic, which can help keep you safe on public WiFi. When using the internet, make sure you enable the “Always Use HTTPS” option on your browser or any websites you frequently visit that require you to enter any credentials and never enter credentials into unsecured websites. 

Disable AirDrop & File Sharing

If you absolutely have to use a public WiFi network, you should turn off any features on your device that enable frictionless file sharing.

Learn how to manage your file-sharing settings on Windows 10 and on a Mac.

Leave WiFi & Bluetooth Turned Off

Leaving your WiFi and Bluetooth settings turned off when not in use can help prevent your device from connecting to unknown networks or other devices without your explicit consent. 

Actually Read the Terms & Conditions

We know that no one actually likes wading through pages of dry technical text, but before you connect to any public WiFi network, make sure you know what you are signing up for. Look for information on what data the network collects, how it is used, and how it is stored, and keep an eye out for any red flags before you click the Accept button. 

Avoid Nosey Networks

Be wary of any public WiFi networks that require you to enter personal information, such as your email address or phone number. If you absolutely have to connect to a network that requires a lot of personal information, make sure you trust the organization that owns the network and consider creating a separate email account specifically for situations like this. 

While asking for some personal information doesn’t automatically mean that the network owner is untrustworthy, stores and restaurants in particular tend to gather this information so they can better track you across multiple WiFi hotspots and tailor their marketing efforts, not to improve security or benefit users. As such, it is up to you to decide if you are willing to give up your private information in exchange for some free WiFi. 

Find Out if Your Cable or Cell Phone Company Offers Complimentary Public WiFi

Some cell phone providers and cable companies manage complimentary WiFi hotspots for their customers, so if you spend a lot of time searching for free WiFi you may want to see if your service provider offers this perk. If you are connecting to free public WiFi through a service you are already signed up for, then you don’t have to hand over any more personal information than you already have. 

Log Out When You Are Finished (Even At Home)

Logging out of all your accounts when you are done may seem like a pain, but it can help safeguard your personal data when your device leaves your home or office. By logging out when you are finished, you can rest assured that you aren’t inadvertently exposing your sensitive data when you grab a coffee or head to the mall.

Look for Password Protected Networks

When it comes to public WiFi networks, passwords are your friend. While adding a password won’t guarantee airtight security, it does help limit who has access to the network and for how long (assuming the organization that owns the network rotates their password frequently). This bare minimum level of security does help, but you should still avoid visiting websites or using apps that contain sensitive information such as PII or private work files. 

Invest in an Unlimited Data Plan

At the end of the day, the best way to stay safe on public WiFi is simply to avoid connecting to public WiFi networks in the first place. If you anticipate having to do a lot of browsing away from your home or work network, you may want to consider investing in an unlimited data plan.

Though the best course of action is to avoid public WiFi networks altogether, there are steps you can take to safeguard your device and personal data if you need to connect. For more information on keeping yourself, your business, or your remote employees safe, please contact our team today.

Everything You Need to Know About WiFi 802.11ax (AKA WiFi 6)


Over the last year, there has been a lot of chatter surrounding WiFi 6 (also referred to by its IEEE standard name 802.11ax). But what exactly is WiFi 6? In this educational article, we will discuss what makes WiFi 6 different from its predecessors, WiFi 4 and WiFi 5, so you can get the information you need to make informed decisions about upgrading your WiFi network.

What is WiFi 6?

In 2020, the FCC announced that it would be expanding access to the broadband spectrum for unlicensed traffic. This means that routers are now able to broadcast their signals in the 6GHz range, as well as the 2.4GHz and 5GHz ranges originally designated for unlicensed traffic. Much like widening a road to accommodate increased traffic, this decision means there is now more WiFi to go around.

This is critical as the number of devices in each home and business continues to rise. The days of a single device per employee and a shared household computer are long gone; according to Statista, the average American household was home to 10.37 connected devices in 2020, and that number is likely only going to continue to increase. Many employees are now equipped with a laptop and a company phone, and with the continued rise of IoT devices in both homes and workplaces, the demand for bandwidth will only increase. 

What are the Benefits of WiFi 6?

WiFi 6 offers a wide range of benefits, including:

Enhanced Security Features

WiFi 6 offers enhanced encryption and other significant security enhancements while simultaneously eliminating some of the weaknesses of older WiFi technologies such as pre-shared keys. This is great news for security-conscious hotspot providers as well as facility managers and visitors. 

All WiFi 6 devices are designed to handle WPA3 encryption, which offers features like robust password protection and 256-bit encryption algorithms, both of which make it harder for cybercriminals to hack into your network.

Faster Speeds

WiFi 6 promises speeds up to 30% faster than WiFi 5, which means your employees can spend more time working and less time waiting for web pages and internet-based programs to load. 

Increased Range

In situations when you are relying on a single router, WiFi 5 and WiFi 6 offer approximately the same range because WiFi range is dictated by the radio frequencies the APs can access (5GHz and 2.4GHz). However, if you switch to a WiFi 6 mesh system, you can increase coverage by placing the APs farther apart and use WiFi 6’s faster speeds to make up for the increased distances. Being able to place APs farther apart can be incredibly beneficial in situations where physical cabling is either inconvenient or impossible to lay. 

Though the increased distance between the APs will cause a small decrease in network speed and performance, this decrease is so minuscule you and your team likely won’t notice a difference.

Reduced Latency

Latency (the amount of time it takes for something to load) remains a large problem for many WiFi users. How fast and reliable your WiFi is depends on a variety of factors, including the signal strength of your connection and how many other devices are on the network. By expanding bandwidth access, your network will now be able to support more devices than before, allowing all WiFi traffic to move faster and increasing network reliability. 

WiFi 6 achieves this using OFDMA (Orthogonal Frequency Division Multiple Access), which is an extension of the OFDM (Orthogonal Frequency Division Multiplexing) architecture used by WiFi 4 and WiFi 5. While OFDM relies on a single-queue style system, which requires each device to patiently wait its turn to receive data, OFDMA allows the router to transmit data to more than one device at a time, dramatically reducing or even eliminating the need to queue.

It does this by splitting traffic into smaller packets, so each device can receive a small amount of the data it is waiting for and pass that information on to the end-user while it is waiting for the rest of its packets. This functionality is great for high-traffic environments such as stadiums, conference centers, and large retail environments where employees, visitors, and customers are going to need WiFi access. 

Increased Power

Connecting to a WiFi network requires a proportionally significant amount of power, particularly if a device is moving in and out of WiFi range. Wider ranges, and the ability to comfortably support more devices, means that devices will need to expend less energy maintaining a reliable WiFi connection, which means your devices will be able to go for longer between charges. 

WiFi 6 accomplishes this using target wake times (TWTs, also called wake time targets), which allow the APs to communicate with devices and let them know how long they will be left waiting between transmissions. By providing devices with this information, the devices can “sleep” between transmissions, only waking up when the device needs to connect again. These short bursts of downtime significantly reduce how much power the battery needs to expend to maintain a WiFi connection, which can extend the battery life of laptops, smartphones, tablets, and other WiFi-connected devices on your network. 

Better Throughput & Reduced Congestion

When there are more devices on your WiFi network than the network can comfortably serve, WiFi performance suffers, and some devices may lose connection entirely. Because WiFi 6 uses OFDMA, it has better MIMO (multiple-input/multiple-output) support.

Using multiple antennas, each AP is able to talk to several devices simultaneously, while WiFi 5 networks can only respond to one device at a time, creating bottlenecks and slowing down the connection of every device on the network. Being able to respond to multiple devices at once reduces the amount of time each device needs to wait for its turn, increasing speeds for everyone.

Another advantage of WiFi 6 over its predecessors is BSS (basic service set) “colors”. These colors, labeled 0 through 7, are incredibly useful when multiple APs near one another are transmitting on the same channel. Older WiFi deployments typically assigned multiple APs to the same transmission channels (a necessary approach given the limited amount of bandwidth available), causing traffic jams and slowing down everyone’s connections. To make matters worse, devices weren’t able to effectively communicate or negotiate with each other to maximize channel resources, increasing congestion further.

Using the color-coded system, APs can assess signals from each color and determine whether they can use the spectrum at the same time as another device without causing interference by selecting a color that isn’t currently in use. 

It’s like if a grocery store had seven checkout lanes open instead of one: The old WiFi standards required all shoppers to cram into a single checkout lane, but the shoppers can’t talk to one another, so sometimes two or more shoppers will try to purchase their items at the same time, causing a traffic jam while the cashier sorts everything out. The color-coded system allows each shopper to assess which of the seven checkout lanes has the shortest line (or ideally no line at all) and line up there, improving efficiency and getting everyone out of the store faster.
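A toy model of the color-selection and spatial-reuse decision described above, added here as an illustration rather than code from any vendor or from the standard itself. It follows the article’s 0-through-7 color labels (the actual 802.11ax color field is wider) and assumes a hypothetical -82 dBm threshold below which a frame of a different color is faint enough to ignore.

```python
"""Simplified BSS-color selection and spatial-reuse decision (added example)."""
from dataclasses import dataclass
from typing import Iterable

# The article labels BSS colors 0 through 7; this model follows that labelling.
BSS_COLORS = tuple(range(8))

# Assumed signal threshold (dBm): a frame of a *different* color heard more
# faintly than this is treated as harmless background rather than a reason to wait.
DEFAULT_OBSS_PD_DBM = -82


@dataclass(frozen=True)
class NeighborBss:
    bssid: str
    color: int
    rssi_dbm: int  # how strongly this neighbour's beacons are heard at our AP


def choose_bss_color(neighbors: Iterable[NeighborBss]) -> int:
    """Pick a color no neighbour is using; if every color is taken, reuse the
    one whose loudest user is the faintest (least likely to collide with us)."""
    neighbors = list(neighbors)
    in_use = {n.color for n in neighbors}
    free = [c for c in BSS_COLORS if c not in in_use]
    if free:
        return free[0]
    loudest = {}
    for n in neighbors:
        loudest[n.color] = max(loudest.get(n.color, -200), n.rssi_dbm)
    return min(loudest, key=loudest.get)


def may_transmit_over(frame_color: int, my_color: int, frame_rssi_dbm: int,
                      obss_pd_dbm: int = DEFAULT_OBSS_PD_DBM) -> bool:
    """Decide whether a frame currently on the air can be ignored (spatial reuse)
    instead of forcing this AP to wait its turn."""
    if frame_color == my_color:
        return False  # same color: it could be our own BSS, so defer as usual
    return frame_rssi_dbm < obss_pd_dbm  # foreign color and faint enough to ignore


if __name__ == "__main__":
    # Constructed neighbour scan: two nearby APs already using colors 0 and 1.
    scan = [NeighborBss("02:00:00:00:00:01", 0, -60),
            NeighborBss("02:00:00:00:00:02", 1, -75)]
    mine = choose_bss_color(scan)
    print("chosen color:", mine)                                          # 2
    print("ignore faint foreign frame:", may_transmit_over(0, mine, -90))  # True
    print("ignore loud foreign frame:", may_transmit_over(0, mine, -60))   # False
```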

WiFi 6 offers a wide range of benefits from both a security and usability perspective. Are you considering upgrading to WiFi 6? Our experts have experience with a wide range of technologies, verticals, and industries and work with organizations of all sizes to support their IT and networking needs.

For more information about WiFi 6, or to get started planning your upgrade, please contact our team

Identifying a Breach: Finding Indicators of Compromise (IOC)


Cybersecurity is more important than ever before: According to Government Technology, though 2020 saw an overall decline in the number of breach events, the number of breached records grew dramatically, and the number of ransomware attacks doubled between 2019 and 2020.

These troubling trends demonstrate why a robust yet adaptable cybersecurity stance is critical for all organizations, regardless of size or vertical. But how do you know if your organization has experienced a breach? In this article, we will discuss common types of cybersecurity breaches, and red flags you should look for that may indicate a breach has occurred.

If you have experienced, or are currently experiencing, a cybersecurity breach, please call our team immediately and consider reviewing our guide: Hacked? Here’s What to Know (& What to Do Next).

What Constitutes a Breach?

A security breach is like a break-in, but instead of breaking into your house or business, attackers break into your digital systems to steal personal information or sensitive documents or damage your network. However, there are steps you can take to best safeguard your digital assets, which include:

  1. Creating a cybersecurity incident response plan, reviewing it regularly, and updating it as necessary. Having a plan in place is critical because it allows you to respond quickly and lays out, in advance, who needs to do what should an incident occur.
  2. Investing in employee cybersecurity training. Even the best cybersecurity incident response plan is effectively useless if your team doesn’t understand why security is important, what role they play in it, and how to respond should an incident occur. All new hires should undergo training, and all employees from the CEO down should receive regular refresher training. 
  3. Regularly monitoring your network for suspicious activities. These suspicious activities, called IOCs or indicators of compromise, will be discussed in depth later in this article. 

Breaches Have Wide Reaching Consequences

Breaches cause more than headaches: to address the situation, you will likely need to pull critical personnel from other projects, hindering productivity and severely impacting your daily business activities. Depending on what data is stolen or what systems are compromised, you may also suffer financial damages in the form of regulatory fines or even lawsuits.

A poorly handled breach can cause permanent damage to your organization’s reputation, damaging consumer trust. 

Recent large-scale breaches include the Yahoo breach of 2014, the Equifax breach of 2017, and the Facebook security breach of 2019. Facebook is currently facing a class-action lawsuit, while the FTC and Equifax reached a global settlement that includes as much as $425 million to help individuals impacted by the breach. Yahoo is paying into a settlement fund of $117,500,000 for affected individuals, provided in the form of two years of credit monitoring or, for individuals who already have credit monitoring in place, a cash payment.

Common Types of Cybersecurity Breaches

Malware (Including Ransomware, Viruses, & Spyware)

Many cybercriminals rely on malware (malicious software) to infiltrate protected networks. The malware is often delivered via email or by tricking unsuspecting employees into downloading corrupted files from compromised or malicious websites. 

For example, an employee receives an email with an attachment that infects your network when the file is opened, or visits a compromised site and downloads the file directly. Once one computer is infected, the malware will likely spread to other areas of your network, sending sensitive data back to the attacker, laying the groundwork for a larger attack, or damaging your digital infrastructure.

Phishing Attacks

Phishing attacks are designed to trick potential victims into believing they are talking with someone they trust (such as a colleague, their bank, or another trusted individual or institution) in order to hand over sensitive information (such as credit card numbers, usernames, passwords, etc.), grant the sender access to restricted areas of the network, or trick the target into downloading malware. 

For example, an employee might receive an email from someone pretending to work in your IT department asking them to reset their username and password, or from “their boss” requesting confidential files, or from “your company’s bank” warning that they have detected suspicious activity on a company credit card or in a company bank account and requesting that the recipient click a link in the email to log in and review the flagged transactions.

In all three scenarios, criminals are acting as trusted individuals or individuals working on behalf of trusted institutions in order to trick unsuspecting email recipients.

We discuss phishing attacks, and what you can do to avoid them, in our in-depth article: Don’t Let Phishing Scams Catch You Unaware

DDoS (Distributed Denial of Service) Attacks

DDoS attacks are designed to crash websites, preventing legitimate users from visiting them. Attackers do this by flooding websites with traffic, either by working with other attackers or by programming bots (software programs programmed to perform repetitive tasks) to hammer the server hosting the website with requests. 

DDoS attacks are considered security breaches because they can overwhelm your organization’s security defenses and severely curtail your ability to conduct business. Common targets include financial institutions or government bodies, and motivations range from activism to revenge to extortion. 

To learn more about hackers, who they are, and why they do what they do, please consider reading our article: The Modern Hacker: Who They Are, Where They Live, & What They’re After.

What are Indicators of Compromise (IOC)?

IOCs are pieces of forensic data, such as system log entries or files, that identify potentially malicious activity on a network or system. Like suspicious ink-stained fingers or an errant muddy footprint in a Sherlock Holmes book, IOCs are clues that help security and IT professionals detect data breaches, malware infections, or other suspicious activities. 

By looking for IOCs regularly, organizations can detect breaches as soon as possible and respond swiftly, limiting or even preventing damages by stopping attacks during their earliest stages. 

However, IOCs are not always easy to detect: they range from something as obvious as an unexpected login to something as subtle as a snippet of malicious code. Cybersecurity and IT analysts therefore look at a range of IOCs when trying to determine whether a breach occurred, examining how the different IOCs fit together to reveal the whole picture.

IOCs vs IOAs

IOAs (indicators of attack) are similar to IOCs, but instead of focusing on the forensic analysis of a compromise that has already occurred, these clues aim to identify attacker activity while the breach is still in progress.

A proactive approach to security relies on both IOCs and IOAs to uncover threats or potential threats in as close to real-time as possible.

Common IOCs and IOAs

There are many IOCs and IOAs that IT and security analysts look for, but some of the most common include:

  1. Unusual outbound network traffic. This could indicate someone is moving sensitive files off the network.
  1. Anomalies in privileged user access accounts. A common tactic used by attackers is to either escalate privileges on accounts they have already compromised or use compromised accounts as gateways to more privileged accounts. By monitoring accounts with access to sensitive areas of your network, analysts can look out for signs of insider attacks or account takeover attacks.
  1. Geographic irregularities. If an employee logs out of their account from an IP address in Chicago, then immediately logs back in from New York, that is a huge red flag. Analysts also look for traffic between countries that your organization doesn’t have business dealings with.
  1. General login irregularities. Multiple failed login attempts or failed login attempts for accounts that don’t exist are both huge red flags. Analysts also look for irregular login patterns, such as employees logging in well after work hours and attempting to access files they don’t have authorization for, which likely indicate the account credentials have been compromised.
  1. Unusually high database read volume. If an employee appears to be downloading and reading your entire personnel or credit card database, that likely means an attacker is attempting to access those sensitive files.
  1. A large number of requests for the same file. Breaches rely on trial and error a lot, so a large number of repeated requests for the same file (such as the credit card database we mentioned earlier) may indicate an attacker is testing out a variety of strategies in an attempt to gain access.
  1. Suspicious configuration changes. Changing configurations on files, servers, and devices may indicate an attacker is attempting to set up a network backdoor or adding vulnerabilities to aid a later malware attack.
  1. Flooding a specific site or location with traffic. Many attackers rely on bots for a variety of tasks and may recruit compromised devices on your network to do their dirty work. A high level of traffic from a number of devices targeting a specific IP address may indicate those devices have been compromised.
  1. Suspiciously timed web traffic. Even the fastest typists can only type so fast, so if logs indicate that someone is trying thousands of username and password combinations a second, chances are an attacker is attempting to break into your network using a brute force attack.

These are just some of the most common IOAs and IOCs that security and IT analysts use to look for signs of suspicious activity.

By monitoring your infrastructure and firewalls 24/7/365 for signs of a potential breach and keeping a watchful eye on your endpoints, you can gather the information you need quickly so you can respond to potential incidents as soon as possible. To help keep your network secure, VirtualArmour offers a variety of managed and consulting services and has extensive experience working with organizations in a variety of industries, including, but not limited to, healthcare, finance, retail, and energy, as well as service providers.

To learn more about how our experienced security analysts use IOCs, or to get started improving your security posture, please contact our team today.

Recommended Reading

Identifying IOCs is just one small aspect of cybersecurity. To learn more about cybersecurity, why it’s important, and what steps your organization should be taking, please consider reviewing the educational articles listed below. 

Managed Services Security Providers (MSSPs)

What is a Managed Services Security Provider (MSSP)?

Leveraging Your MSSP in an “IT Light” Environment

Cybersecurity Basics

Terms & Phrases Used in the Managed IT & Cybersecurity Industries

The SMBs Guide to Getting Started with Cybersecurity

Cybersecurity Spring Cleaning: It’s Time to Review Your Security Practices

Building a Cybersecurity Incident Response Program

Beyond SIEM: Why Your Security Posture Needs to SOAR

Identity Management is Just Cybersecurity Best Practices With a Fancy (& Expensive) Name

Creating an Agile Workplace: How to Prepare for the Unexpected

Cyber Hygiene 101: Basic Steps to Keep Your Company Secure

The Ultimate Guide to Managed Threat Intelligence (2020 Edition)

What is Information Security (& How Does it Impact Your Business?)

5 Old-School Hack Techniques That Still Work (& How to Protect Your Data)

Keeping Your Network Secure in a “Bring Your Own Device” World

Basic Website Precautions: Keep Intruders Out With These Fundamental Security Best Practices

Compliance

Security vs Compliance: What Are Their Differences?

US Companies Could Get Badly Burned by GDPR – Here’s How Not To 

The Challenge to Remain PCI & NIST Compliant During the Shift to Remote Work

Common Types of Cyberattacks

Don’t Let Phishing Scams Catch You Unaware

Cryptojacking: Because Every Currency Needs to Be Protected 

In a Remote World, Social Engineering is Even More Dangerous

How Fear Motivates People to Click on SPAM

Ransomware is Only Getting Worse: Is Your Organization Prepared to Confront it?

Everything You Need to Know About Ransomware (2019 Edition)

DNS Spoofing: What It Is & How to Protect Yourself

About Cybercriminals & Cybercrime

Hacked? Here’s What to Know (& What to Do Next)

The Modern Hacker: Who They Are, Where They Live, & What They’re After

Hackers Are Increasingly Targeting People Through Their Phones 

Airports are a Hacker’s Best Friend (& Other Ways Users Expose Themselves to Risk)

2021 Cybersecurity Trends

Our Predictions for the 2021 Cybersecurity Environment

Cybersecurity by Vertical & Industry

Cybersecurity Basics Every College & University Needs to Have in Place

The Ultimate Guide to Cybersecurity in the Healthcare Industry

How the Financial Industry Can Strengthen Their Cybersecurity

Cybersecurity for the Manufacturing Industry, What You Need to Know Now