February 2024 News & Tips | Microsoft, HP Breaches & More

Welcome back to the monthly TCE Strategy newsletter! From Microsoft and HP breaches to a murder suspect being released from custody, we have a lot to talk about in the world of cybersecurity. Let’s see how they can help us make better decisions about what is Secure Enough for us, the companies we work for, and our families.

Month's Cyber News in Review

When Nation-State attacks target private companies.

A very high-profile hack took place last month where Microsoft executives had their email hacked by a group called Midnight Blizzard , which is widely reported to be a part of (or at least sponsored by) the Russian government. The wild thing here is how it happened. Apparently a “legacy non-production test account” was hacked because it used the same password that was exposed as part of an earlier breach (this is a common tactic called a “password spraying ” attack, and it is why changing default passwords and using a password keeper to ensure that you have different passwords for different things are so important). This account did not have multi-factor authentication enabled, and through other technical issues, that account led to access to production systems, including the emails of company executives. Wow… The breach demonstrated many breakdowns in cybersecurity best practices, and Microsoft’s list of things that other companies can do to protect themselves included?buying more Microsoft products . That feels almost as brazen as when Equifax offered its own identity-protection service as a means for people to protect themselves from Equifax’s own breach.

Ransomware hits keep on coming.

There have been a few stories about the frequency of ransomware attacks slowing down, but even more seem to state that they are on the rise. Researching data about these attacks is interesting, but the basics on these attacks have not changed:

• Cybercriminal gets a hook into a network via a malicious email, a malicious website, an external vulnerability that allows them in, social-engineering (where the cybercriminal convinces someone at the company to give them access under false pretenses) or an accomplice that already has access to the network (a malicious insider).
• Cybercriminal finds exploitable vulnerabilities inside the network to gain “domain administrator” privileges.
• Cybercriminal finds data backups and destroys them.
• Cybercriminal encrypts production data, and normally steals data so that they have a copy to use as another means of extorting money from the victim company.
• Cybercriminal demands money to unencrypt the data so that the company can resume business.

MGM and Caesars were famously hit last year, and Clorox likely was as well (whatever they were hit with caused a $356 million loss in sales). More recently, Schneider Electric was hit by the “Cactus ” ransomware gang. These breaches are not going to stop until it becomes economically unproductive for cybercriminal gangs to do so. The cost of getting into a network has to be higher than the ransom payoff, and that will not occur until companies have a much higher baseline for their overall cybersecurity posture.

Backup procedures are really, really important.

Many engineers work hard on various projects making things work. Unless the engineer is working on something like a bridge or an airplane, far fewer work hard to understand how things may fail. I used to have a 1995 BMW convertible, and while it was a fantastic car, the computer that ran the convertible top had only one failure state: just stop working. If one of the 6 sensors that fed it data about the position of the top gave it a result it didn’t understand, it just stopped working. If the calibration of the motor drifted over time, it just stopped working. There were no error lights or codes or anything else. I asked a friend of mine who is a professional mechanic about his thoughts on 1990’s BMW convertibles, and he instantly said “I love them.” I asked why. He said “because we make so much money off of diagnosing them when they break.”

For a car’s convertible top, this story is annoying but not overly surprising. It’s, well, a convertible top. The car isn’t likely to have an accident if it doesn’t work. The person that buys the car new isn’t likely to experience issues with it for several years so it won’t hurt new car sales. If/When the top does stop working, there is a procedure in the car’s manual (albeit a complicated and annoying procedure that involves taking the back seat out of the car) where the owner can disengage the convertible top’s motors and manually close it so that the car is drivable. Imagine if that same scenario played out with the car’s brakes, though. Brakes can’t just stop working. That’s an obvious life safety issue, and car manufacturers build far more redundancy and warnings into a car’s brake system than into a convertible top.

The same should be said for any process that releases people from prison. That’s a potential life safety issue as well. There need to be redundancies and warnings that come up before someone is let out of prison. Those redundancies were not in place in Fulton County, Georgia when a murder suspect named Zion River Shaka was mistakenly released from custody after the county experienced a “widespread system outage” from a “cybersecurity incident.” Shaka was transferred from the Fulton County Jail and sent to the Clayton County Sheriff's Office for a scheduled hearing, after which Shaka was to be returned to the Fulton County Jail. Instead, he was mistakenly released after the hearing. Obviously the computer systems used to keep track of which inmate was supposed to go where were not working as they should because of the “cybersecurity incident”, and manual procedures either did not exist or were not properly followed. As a result, Shaka was released from custody. The computer systems were down so phone calls were used to communicate instead, and when an officer from Clayton County called Fulton County to ask about returning Shaka, he was told “Shaka was not theirs.”

When a computer system is used to perform critical tasks, there needs to be a backup system to ensure that those tasks can either continue without the computers, or that the tasks can come to a graceful (read: safe) stop. This is true for more than just computer systems: locomotive train brakes were invented in 1869 that fail in the “on” position instead of off . Brakes on large trucks work the same way . We need processes and procedures on how important tasks can be performed without complex computer systems, even if the way they are performed is slower or less efficient. Somehow Fulton County lost track of their inmate because their computers were down. That counts as a critical process breakdown in my book.

Until next month, stay safe!

Upcoming & Recent Events

Here is a list of the cities that I will be in over the next few months. Please reach out if you have an event in mind!

February 28, Clearwater, FL

March 7-10, Albuquerque, NM

March 13, Gleneden Beach, OR

March 27-29, Springfield, IL

April 3, Reno, NV

April 9, Des Moines, IA

April 18, Wichita, KS

May 8, Des Moines, IA

May 27-31, Las Vegas, NV

July 3, Brainerd, MN

August 3-6, Denver, CO

September 11, Tallahassee, FL

Cybersecurity Tip of the Month

Phishing Attack Awareness ?

Phishing attacks use social engineering to persuade people to hand over personal information such as passwords or financial information, or to click links or attachments that download malicious files. They remain a huge threat to individuals and businesses. To avoid falling victim to these attacks, it is important?to be aware of the tactics used by cybercriminals in phishing attempts and to verify the sender's identity and the legitimacy of the content before clicking on any links or downloading attachments in emails, messages, or even social media posts. Here's how:

1) Inspect the Sender's Email Address: Scammers often use deceptive email addresses that mimic legitimate ones. Check the sender's email address carefully for any irregularities or misspellings. Legitimate organizations typically use official domain names.

2) Hover Over Links: Hover your mouse cursor over links in emails to preview the URL before clicking. If the link address seems suspicious or doesn't match the purported destination, don't click on it.

3) Look for Red Flags: Be wary of emails or messages that create a sense of urgency, demand immediate action, or offer unexpected rewards. These are common tactics used by scammers to manipulate victims into responding without thinking.

4) Avoid Sharing Personal Information: Legitimate organizations will never ask you to provide sensitive information like passwords, Social Security numbers, or financial details via email. Refrain from sharing such information unless you're certain of the recipient's authenticity.

5) Double-Check with Official Sources: If you receive an email claiming to be from a reputable company or organization but you're unsure of its authenticity, contact the company directly through their official website or customer service channels to verify the communication.

6) Update Your Security Software: Keep your antivirus software up to date to help detect and prevent phishing attempts before they can cause harm.

7) Practice Phishing Awareness: Lastly, these quizzes test your phishing awareness with examples of both legitimate and malicious emails and websites, as well as explanations that can help you recognize these attacks in the future. Practice makes perfect!?

https://phishingquiz.withgoogle.com/

https://www.opendns.com/phishing-quiz/ ?

https://www.sonicwall.com/phishing-iq-test/