Here’s important cybersecurity news from Bryce Austin of TCE Strategy about a dangerous email-borne virus that can make your IT crumble:
“This month it is time to get a little further in the cybersecurity weeds than usual, because it’s important. The PGA was hit last week. A county in Alaska was hit the week before. Important companies doing good, important work are being hit. The attack is called Bitpaymer, and it comes on the heels of a banking trojan virus such as Emotet or Trickbot. The virus normally starts with a phishing scam, usually in the form of a malicious email. It ends with an infection that can’t be eliminated. The only way to ensure its removal is to start over. Every infected server, desktop, and laptop has to be rebuilt from the ground up. Then the data that you (hopefully) had offline backups of can be sanitized and put back on the fresh computers. Imagine doing that for hundreds or even thousands of computers, while your customers wait for you to get back in business. The recovery time is measured with a calendar, not a clock.
Prevention is the best medicine. Known paths to infection are as follows:
* Leaving port 3389 open to the Internet. If you don’t know what this means, it’s critical that your IT staff knows, and that they aren’t doing it. It’s sheer laziness. A VPN with multi-factor authentication is the only reasonable means to allow remote access into your environment.
* Clicking on a malicious email. This is easy to do. Cybersecurity awareness training, strong anti-spam filters and removing local admin rights from your users are the best means of prevention, but it’s unreasonable to think that you will get to a prevention level of 100%. It can’t be done.
* Not having strong antivirus software that detects both signature-based and behavioral-based viruses. There are many to choose from, and most of them are reasonably effective. They must be deployed on ALL computers. Not some. Not most. All of them.
* Allowing your IT staff to give their own everyday user accounts local admin or domain admin permissions. This is a cardinal sin. If their account gets compromised, the whole domain will be decimated in an attack like this. Admin rights accounts need to be used when required, not when convenient. They need multi-factor authentication. No, Windows does not support this natively for on-premises installations. A third-party solution such as Duo (now owned by Cisco) is required.
* Not limiting file share rights that your users have. These should be limited severely. It’s easy to give all domain users access to all non-confidential file shares. The problem with that approach is that any compromised account can be used to encrypt every file in every file share that an account has access to. Cybercriminals will take advantage of the trust you have in your employees. Limit their access rights to the minimum required to do their job.
* Not having offline backups. It’s hard to hack a backup that isn’t on your network.
If the worst happens, it is important to have system rebuild procedures documented. Have relationships with hardware vendors that can quickly deliver new equipment. Have a hybrid server environment where you already have an established presence in a major cloud provider. You can begin rebuild procedures in a cloud environment within hours, rather than the days or weeks it takes to do so on-premises.
Until next month, stay safe!”
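Three of the infection paths in that checklist (RDP open to the world, everyday accounts with admin rights, and over-broad file share permissions) can be checked on a Windows server in a few minutes. The PowerShell below is an added example, not code from Bryce Austin or TCE Strategy. It is read-only and reports findings without changing anything. Run it in an elevated session on Windows Server 2016 or later; the approved-admin list, the `CORP\Server Admins` group and the catch-all principal names are assumptions to replace with your own.

```powershell
# Added audit script (not from Bryce Austin or TCE Strategy). Read-only: reports the
# exposure paths discussed in the newsletter and changes nothing. Requires an
# elevated PowerShell session; the NetSecurity, LocalAccounts and SmbShare modules
# ship with Windows Server 2016+ / Windows 10+.
$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. RDP (TCP 3389) exposure -------------------------------------------------
# An enabled inbound Allow rule for TCP 3389 whose RemoteAddress is 'Any' means the
# host firewall does nothing to limit where RDP logons may come from. Whether the
# port is actually reachable from the Internet must still be confirmed by a scan
# from outside the perimeter (NAT forwards and edge firewalls are not visible here).
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($remote -contains 'Any') {
            $findings.Add("RDP: rule '$($_.DisplayName)' allows TCP 3389 from any remote address")
        }
    }

# Network Level Authentication makes the client authenticate before a session is
# created; UserAuthentication = 0 lets an unauthenticated client reach the logon screen.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) { $findings.Add('RDP: Network Level Authentication is not enforced') }

# --- 2. Everyday accounts holding admin rights ----------------------------------
# Assumption: only these principals are approved members of local Administrators.
# Everything else (a named user account in particular) is someone's daily login
# carrying admin rights, which is the "cardinal sin" above.
$approvedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Server Admins')
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object {
    if ($approvedAdmins -notcontains $_.Name) {
        $findings.Add("Admin: '$($_.Name)' ($($_.ObjectClass)) is a member of local Administrators")
    }
}

# Domain Admins, when the RSAT ActiveDirectory module is present. Every human
# account listed should be a dedicated, MFA-protected admin account, never a
# day-to-day user account.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $findings.Add("Admin: '$($_.SamAccountName)' is a Domain Admin; confirm it is a dedicated account with MFA")
        }
}

# --- 3. Over-broad file share permissions ---------------------------------------
# Change or Full granted to a catch-all principal means any compromised user
# account can encrypt the whole share. Only share-level ACLs are checked here; the
# NTFS ACLs on the underlying folders also apply and deserve the same review.
# Assumption: $env:USERDOMAIN is the NetBIOS name of the domain the users log in to.
$catchAll = @('Everyone', 'NT AUTHORITY\Authenticated Users', "$env:USERDOMAIN\Domain Users")
Get-SmbShare | Where-Object { -not $_.Special } | Get-SmbShareAccess | ForEach-Object {
    if ($_.AccessControlType -eq 'Allow' -and
        ($_.AccessRight -eq 'Full' -or $_.AccessRight -eq 'Change') -and
        $catchAll -contains $_.AccountName) {
        $findings.Add("Share: '$($_.Name)' grants $($_.AccessRight) to $($_.AccountName)")
    }
}

# --- Report ---------------------------------------------------------------------
if ($findings.Count -eq 0) { 'No findings.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

A clean run proves only that the host-level configuration is sane. The RDP check has to be paired with a port scan of your public address space from outside, and the share check should be repeated against NTFS permissions, since a share that grants Read can still be encrypted if the folder itself grants Modify. Offline backups, the last item on the list, cannot be audited from the server at all; verifying them means physically confirming the copy is disconnected and doing a test restore.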
About Bryce Austin: