Not a day goes by without another ransomware attack making headlines. President Biden made cybersecurity a number one national security issue. But, just how bad is it? And what can your organization do to prevent ransomware attacks and account takeovers?
Stan Bounev, CEO of VeriClouds, a credential verification startup based in Seattle, has noticed a massive uptick in the number of compromised credentials released on the dark web. “Since May, we have been recovering over 1 billion stolen credentials per month and it’s rising fast,” says Bounev. “We have accumulated over 25 billion credentials helping organizations check if their users’ and employees’ passwords have been compromised. It is amazing how many companies are victims of account takeover and have no idea about it.”
Most account takeover attacks start with using stolen passwords. Hackers do not care if you are a hospital or a public utility company. Their attacks are aimed at inflicting the most damage possible and stopping operations. These kinds of attacks have happened at Colonial Pipeline, JBS, and many others.
Many companies have already taken measures to secure their cloud and on-premises infrastructures. But is this sufficient to prevent a data breach? When cybersecurity firms such as FireEye and technology leaders such as Microsoft get hacked, it is time to consider taking extra measures. We looked at the SolarWinds litigation and different cases of data breaches to recommend seven strategies that will put your organization in a better position in case of a data breach.
7 cybersecurity strategies to prevent ransomware attacks and account takeovers
1. Perform a cybersecurity audit
In order to prevent ransomware attacks, start thinking like a hacker. Understand where your security vulnerabilities lie. Use this information to find the shortest path to protection.
There are two main kinds of vulnerabilities: compromised login credentials and IT infrastructure vulnerabilities. It is sometimes difficult for your internal team to admit having vulnerabilities, so it is always best to have an independent third party do a thorough security audit. Such an organization will use the latest threat intelligence to analyze your security deficiencies and put together an action plan.
If you are a public company, the SEC already has guidance on doing security audits, and it would be good to get prepared in case these security audits become mandatory by SEC rules in the future. If you are a private company, your customer base or insurers will start insisting that you have the full measure of cybersecurity and may ask you to get an audit.
The third-party security auditor will provide threat intelligence you may not have in your organization. Once you go through this exercise with the third-party firm, your team should be better prepared.
2. Ensure you have adequate cybersecurity software, resources, and trained personnel
Do you have sufficient cybersecurity professionals working for you? Just hiring one person as a Chief Information Security Officer (CISO) is typically not enough for large companies. Companies often need a team of trained staff. Who is going to do recovery if your factory in Mississippi gets hit but your CISO is based in New York?
Do you have incident responders handy? When you get attacked, there is no cyber-911. If you do not have trained incident responders engaged, you will not be prepared to respond to a bitcoin ransom demand.
Many smaller companies do not have the bandwidth to properly protect themselves from cybersecurity issues. For those companies, there are a number of managed security service providers (MSSPs) that can handle security for companies through security operations centers that provide round-the-clock service. These MSSPs can help you manage cloud issues, firewalls, intrusion detection, vulnerability scanning, and antivirus and anti-malware services. Be sure to select a provider that has an understanding of your business and the security protections you require to maintain an acceptable security posture.
Cybersecurity resources are very scarce and most MSSPs are just snowed under a massive wave of ransomware attacks. You don’t want a situation where you get attacked and no one is there to help you, so securing your resources on standby is a priority.
It’s also important that your employees are trained and informed on important cybersecurity protective measures, especially against phishing emails.
Companies should install, use, and regularly update antivirus and antispyware software. Firewall security for your internet connection is key. Software updates and patches for your operating systems should be installed as they become available. Ultimately, your cybersecurity systems need to be tested for any potential weakness.
3. Make sure you have a recovery action plan in place
In the event of a company-wide shutdown caused by a cyberattack, you need to have a recovery action plan in place.
Most corporations would not think twice about going through an office fire drill. Employee safety is always the No. 1 priority. So, how about a cybersecurity emergency?
Ask many CFOs and you’ll get an assurance that their accounting system is completely safe and that they have a full backup. So, ask the CFO for a fire drill. Shut down the system and see if the accounting system can recover using backed-up data. Hackers know that the fastest way to get paid is to attack the accounting system, so this is the primary target you need to protect and recover. Also, keep in mind that many experts recommend that you not pay a hacker’s ransom.
Your recovery action plan has to be thorough enough that any interruption to your business lasts hours at most, not days or weeks. Having backups of your important business data and information is key.
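The "fire drill" above is only meaningful if someone actually restores the backup and checks the result. The following script is an added example, not code from the article or from any company mentioned in it: it builds a small constructed "accounting" directory, backs it up with a hash manifest, restores the archive into a fresh directory with path checks, and verifies the restore file by file. It also reports what changed on the live system after the backup was taken, which is the gap a real incident would expose. All paths and file contents are made up for the example.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large ledgers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src and return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest(src)


def safe_restore(archive: Path, dest: Path) -> None:
    """Extract only regular files and directories that land inside dest."""
    dest = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"refusing member outside restore dir: {member.name}")
            if not (member.isfile() or member.isdir()):
                raise ValueError(f"refusing non-regular member: {member.name}")
            tar.extract(member, dest)


def verify_restore(restored: Path, expected: dict) -> dict:
    """Compare the restored tree against the manifest taken at backup time."""
    actual = manifest(restored)
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupt": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
    }


def changed_since_backup(live: Path, expected: dict) -> list:
    """Files that differ between the live system now and the last backup."""
    now = manifest(live)
    return sorted(k for k in set(now) | set(expected) if now.get(k) != expected.get(k))


def run_drill() -> dict:
    """End-to-end drill on constructed data: back up, restore, verify, report drift."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "accounting"
        (live / "ledger").mkdir(parents=True)
        (live / "ledger" / "2021-06.csv").write_text("date,account,amount\n2021-06-30,4000,1250.00\n")
        (live / "config.ini").write_text("[db]\nhost=ledger-db.internal\n")
        expected = make_backup(live, tmp / "accounting.tgz")
        # Business carries on after the backup: a new ledger month is written.
        (live / "ledger" / "2021-07.csv").write_text("date,account,amount\n2021-07-01,4000,980.00\n")
        restore_dir = tmp / "restore"
        restore_dir.mkdir()
        safe_restore(tmp / "accounting.tgz", restore_dir)
        problems = verify_restore(restore_dir, expected)
        return {
            "restore_ok": not problems["missing"] and not problems["corrupt"],
            "problems": problems,
            "changed_since_backup": changed_since_backup(live, expected),
        }


if __name__ == "__main__":
    print(run_drill())
```

The drill passes (the archive restores intact) yet still reports `ledger/2021-07.csv` as written after the last backup. That second number, how much work would be lost, is what the CFO needs to see alongside "the backup works".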
4. Learn about threat intelligence
Do you know what the hackers know about your company and its employees? Does your team access the dark web to find out?
There are three kinds of threat intelligence:
- Ongoing attack detection. If your server is under a denial-of-service attack or its ports are being scanned for vulnerabilities, there are firewalls and security software you can use to detect and block it.
- Data compromise. There are threat intelligence services that will let you know if your internal documents and data have been compromised and found as part of dark web data dumps.
- Compromised credentials. You must constantly monitor for compromised credentials. These are email addresses and passwords found on the web that were hacked, usually from third-party services. If you find your entire organization’s emails compromised, then you need to call incident responders and kick in your cybersecurity emergency plan.
Bounev’s company VeriClouds has collected over 25 billion stolen credentials from the dark web, and you can check if your organization’s emails have been compromised by going here. With 25 billion stolen credentials out there, eventually hackers will find those of your employees or customers and use them against you. Thus, you can often prevent an attack before it happens by taking appropriate measures such as changing passwords, installing multi-factor authentication, and more.
Do not over-rely on multi-factor authentication to prevent ransomware attacks and account takeovers. When a password is compromised, multi-factor authentication becomes single-factor authentication and hackers have methods to circumvent the remaining single authentication factor.
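Checking users' passwords against a breach corpus need not mean sending the password, or even its full hash, to anyone. The example below is added here and is not VeriClouds' code or API: it shows the hash-prefix (k-anonymity) pattern, in which the client hashes the password locally, sends only the first five hex characters of the SHA-1, receives every suffix the service knows under that prefix, and finishes the match locally. The breach corpus and its counts are constructed for the example; `range_lookup` stands in for the service side.

```python
import hashlib

# Constructed stand-in for a breached-password corpus: SHA-1 digest -> number
# of times seen in leaks. Real services hold billions of entries; these
# passwords and counts are made up for the example.
LEAKED = {
    hashlib.sha1(pw.encode()).hexdigest().upper(): n
    for pw, n in {"password123": 1_234_567, "Summer2021!": 4_210, "Solarwind123": 3}.items()
}


def range_lookup(prefix5: str) -> dict:
    """Service side of a k-anonymity range query (assumed interface): the
    caller sends only the first 5 hex characters of a SHA-1 and gets back
    every matching suffix with its count, so the service never sees the
    full hash, let alone the password."""
    if len(prefix5) != 5 or any(c not in "0123456789ABCDEF" for c in prefix5):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return {h[5:]: n for h, n in LEAKED.items() if h.startswith(prefix5)}


def times_leaked(password: str) -> int:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return range_lookup(digest[:5]).get(digest[5:], 0)


def screen_password_change(user: str, new_password: str) -> tuple:
    """Hook for a password-change or enrollment flow: reject known-leaked
    passwords before they become the organization's next weak link."""
    n = times_leaked(new_password)
    if n:
        return False, f"{user}: rejected, password seen {n} times in breach data"
    return True, f"{user}: accepted"


if __name__ == "__main__":
    for pw in ("password123", "Summer2021!", "a long unique passphrase 9182"):
        print(screen_password_change("alice@example.com", pw))
```

Run the same check in bulk against an export of current account hashes, and you have the monitoring the article calls for: a hit means reset the password and, as the next paragraph notes, treat any remaining factor as the only thing standing between the attacker and the account.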
5. Understand account takeovers
Account takeover is a form of identity theft and fraud in which a fraudster gains access to a user’s account by obtaining the user’s password or other credentials.
To understand how to prevent account takeovers, you first need to understand a hacker’s basic strategy.
With a large database of compromised email and password pairs, hackers typically try to log in to unrelated third-party websites such as file storage or CRM services, knowing that these services often do not require multi-factor authentication for their customers. They do this through a botnet of hundreds of hijacked PCs that try credentials until they get a hit, so the attackers can sit back and wait for the automated system to deliver a target. This works because online users frequently reuse passwords across multiple sites. Out of billions of leaked credentials, hackers are likely to find several belonging to your employees that could be used to breach your systems. Account takeover via credential stuffing is therefore the bread and butter of a hacker’s toolkit.
In the business world, you would not hesitate to do a competitive analysis. In the same way, you need to understand what hackers know about you and how they could attack you. You will need software monitoring services to quickly inform you if your organization’s credentials have been compromised.
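The pattern described above leaves a recognizable trace in authentication logs: many different accounts, many source addresses, only a try or two per address, and almost every attempt failing, which looks nothing like a single account being hammered from one machine. The detector below is an added example, not code from the article: it runs over three constructed sets of log lines (a credential-stuffing burst, a classic brute-force run, and ordinary traffic) in an assumed `key=value` format, classifies the window, and lists the accounts a stuffing run actually got into so they can be reset. The thresholds are illustrative starting points, not tuned values.

```python
import re
from collections import Counter

# Assumed log format for the example; adapt the regex to your IdP or web server.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def _line(i: int, ip: str, user: str, result: str) -> str:
    """Build one constructed log line; i is seconds into the window."""
    return f"2021-07-01T10:{i // 60:02d}:{i % 60:02d}Z ip={ip} user={user} result={result}"


# Credential stuffing: 30 different accounts, 15 source addresses, two tries
# per address, one success (the "hit" the attacker was waiting for).
STUFFING_LOG = [
    _line(i, f"203.0.113.{i % 15 + 1}", f"user{i:02d}@example.com",
          "OK" if i == 17 else "FAIL")
    for i in range(30)
]
# Brute force: one account hammered from one address.
BRUTE_LOG = [_line(i, "198.51.100.7", "cfo@example.com", "FAIL") for i in range(50)]
# Ordinary traffic: a handful of staff and the occasional mistyped password.
NORMAL_LOG = [
    _line(i, f"198.51.100.{i % 3 + 1}", f"staff{i % 5}@example.com",
          "FAIL" if i in (2, 7) else "OK")
    for i in range(10)
]


def parse(lines):
    """Yield one dict per well-formed log line; silently skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyze_window(lines, min_users=20, min_ips=10, max_per_ip=5,
                   min_fail_ratio=0.8, brute_threshold=10):
    """Classify one time window of login events. Thresholds are example
    values; tune them against your own baseline traffic."""
    events = list(parse(lines))
    if not events:
        return {"verdict": "no_data"}
    users = {e["user"] for e in events}
    ips = {e["ip"] for e in events}
    fails = sum(e["result"] == "FAIL" for e in events)
    per_ip = Counter(e["ip"] for e in events)
    fails_per_user = Counter(e["user"] for e in events if e["result"] == "FAIL")
    fail_ratio = fails / len(events)
    # Stuffing signature: many accounts, many sources, few tries per source,
    # nearly everything failing (each stolen pair is tried about once).
    if (len(users) >= min_users and len(ips) >= min_ips
            and max(per_ip.values()) <= max_per_ip and fail_ratio >= min_fail_ratio):
        verdict = "credential_stuffing"
    # Brute-force signature: one account absorbing many failures.
    elif max(fails_per_user.values(), default=0) >= brute_threshold:
        verdict = "brute_force"
    else:
        verdict = "normal"
    # Inside a stuffing window a success means a stolen password worked:
    # those accounts need an immediate reset and session revocation.
    hits = (sorted({e["user"] for e in events if e["result"] == "OK"})
            if verdict == "credential_stuffing" else [])
    return {
        "verdict": verdict,
        "events": len(events),
        "distinct_users": len(users),
        "distinct_ips": len(ips),
        "fail_ratio": round(fail_ratio, 3),
        "accounts_to_reset": hits,
    }


if __name__ == "__main__":
    for name, log in (("stuffing", STUFFING_LOG), ("brute", BRUTE_LOG), ("normal", NORMAL_LOG)):
        print(name, analyze_window(log))
```

Per-IP rate limiting alone misses the stuffing case because each hijacked PC stays under the limit; the distinguishing signal is the breadth across accounts and sources, which is why the check is made on the whole window rather than per address.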
6. Know that stolen passwords reveal other potential issues
Just by looking at the number of your organization’s stolen passwords, hackers can deduce if you are an easy target or not. Hackers believe that if there are many leaked credentials out there, your other security measures are probably weak.
So, what kind of compromised passwords are out there?
The first—and the worst—are legacy passwords. These are account passwords of former employees from long ago that are still in use. An example is Solarwind123, originally made available to developers for trying out integration with their software. The company forgot about it and left it available online. For hackers, this was a good way to analyze the company and find a starting point for an attack.
If someone in your organization is appearing in multiple lists or suffering multiple breaches, then it may be that the person’s PC or smartphone is hacked or otherwise compromised.
CEOs are in fact the No. 1 target for hackers. They believe that if they hack the CEO, then they can send themselves money or order the CFO to wire money. So ensure that the CEO’s account credentials are not compromised.
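Points 6 above translate into a triage rule set once a credential-monitoring feed is matched against the company directory: an executive's exposure comes first, then a former employee whose account is still enabled (the legacy-password case), then anyone who keeps turning up in new dumps (possible compromised PC or phone), then everyone else. The script below is an added example, not the article's or VeriClouds' code; the feed, directory and dump names are constructed, and the `exec`/`status`/`enabled` fields are an assumed shape for a directory export.

```python
from collections import defaultdict

ORG_DOMAIN = "example.com"

# Constructed directory export: employment status, whether the account is
# still enabled in the identity provider, and whether it is an executive.
DIRECTORY = {
    "alice@example.com":   {"status": "active", "enabled": True, "exec": False},
    "bob@example.com":     {"status": "active", "enabled": True, "exec": False},
    "dev-old@example.com": {"status": "former", "enabled": True, "exec": False},
    "ceo@example.com":     {"status": "active", "enabled": True, "exec": True},
}

# Constructed credential-monitoring feed: (dump name, leaked email). The same
# address surfacing in several dumps is the signal the article describes.
LEAK_FEED = [
    ("dump-2019-forum", "alice@example.com"),
    ("dump-2020-crm",   "Alice@Example.com"),     # same person, different case
    ("dump-2021-combo", "alice@example.com"),
    ("dump-2020-crm",   "bob@example.com"),
    ("dump-2021-combo", "dev-old@example.com"),
    ("dump-2021-combo", "ceo@example.com"),
    ("dump-2021-combo", "ghost@example.com"),      # our domain, no directory entry
    ("dump-2019-forum", "outsider@other.example"), # not ours, ignored
]


def triage(feed, directory, domain=ORG_DOMAIN, repeat_threshold=2):
    """Return findings for our domain, ordered by the priority set out above."""
    dumps_by_email = defaultdict(set)
    for dump, email in feed:
        email = email.strip().lower()
        if email.endswith("@" + domain):
            dumps_by_email[email].add(dump)

    findings = []
    for email, dumps in dumps_by_email.items():
        acct = directory.get(email)
        if acct is None:
            prio, reason, action = 5, "no directory entry", "confirm no live account or alias exists"
        elif acct["exec"]:
            prio, reason, action = 1, "executive account exposed", "reset now, review mail rules and payment approvals"
        elif acct["status"] == "former" and acct["enabled"]:
            prio, reason, action = 2, "former employee still enabled", "disable account, revoke tokens and keys"
        elif len(dumps) >= repeat_threshold:
            prio, reason, action = 3, f"seen in {len(dumps)} dumps", "reset password and check the user's devices for malware"
        else:
            prio, reason, action = 4, "single exposure", "reset password, confirm MFA enrolled"
        findings.append({"priority": prio, "email": email, "dumps": len(dumps),
                         "reason": reason, "action": action})
    return sorted(findings, key=lambda f: (f["priority"], f["email"]))


if __name__ == "__main__":
    for f in triage(LEAK_FEED, DIRECTORY):
        print(f"P{f['priority']} {f['email']:<24} {f['reason']:<32} -> {f['action']}")
```

The ordering is the point: a feed of thousands of hits is useless unless the one belonging to the CEO, or to a developer who left two years ago, rises to the top of the queue the same day.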
7. Obtain cybersecurity insurance
Cybersecurity insurance can cover your company’s liability and damages for a data breach and cyberattack. It helps a company cover the costs from a data breach, virus, or other form of malicious cyber activity. The key issues to address when obtaining such policies are:
- Scope of coverage
- Financial strength of the insurance carrier
- Exclusions from coverage
- The support, if any, that the insurer will provide after any cybersecurity incident
- Coverage for any ransomware payments that may need to be made
Prior to granting coverage, the insurer will investigate whether the company has reasonable cybersecurity protection measures in place. They may require penetration testing or their own cybersecurity audit.
Insurance policies often require that certain cybersecurity information be kept up to date for a valid claim to be made, and cyber insurance policies also set forth procedures and timing for any tendered claims.
Collaborate to prevent ransomware attacks
Many companies would want to bury their head in the sand rather than face the realities of the uncertain cyber world that we live in.
Don’t be that company. You are not alone, and you cannot fight by yourself. Team up and collaborate with others. Even the government is now taking a proactive role in the cybersecurity of the nation, so now is your chance to fight back and keep your company safe.