The Nightmare [Cyber Attack] before Christmas

We’re now in the period between Halloween and Christmas. The Christmas music is now in the supermarkets (as they’re the only things open at the moment) and people are looking towards cobbling together some semblance of a family get-together subject to the local Coronavirus restrictions. Some people have already put up their decorations whilst others are contemplating whether it is too early to make the trip up into the loft to get the tinsel and baubles down. Will those tree lights still work? But whilst we wonder what kind of Christmas may be possible this year, hackers are now doing reconnaissance ready for the seasonal break. And, like Sally, I sense there’s something in the wind, that feels like tragedy’s at hand.

We, at Fox Red Risk, actually wrote about this last year in the article “Security Incident Avoidance – Hackers Know We’re Away For Christmas…”. Sadly, we wrote about it too late for Travelex (which we are sure read our articles religiously), so we thought we’d write it a little earlier this year. That way people who do read this have more time to put things in place. 2020 has been an interesting year and so it’s even more important that you prevent cyber attacks crippling your organisation during this holiday season.

Remember Travelex

Travelex was infected with ransomware over the 2019/20 Christmas and New Year period. The particular ransomware is believed to be Sodinokibi, which has been known about since at least April 2018. The infection is believed to have exploited unpatched vulnerabilities in the organisation’s VPN software. Patches had been available for this particular type of VPN since at least May 2018.

So what happened to Travelex as a result of this ransomware infection? Well, they went into Administration. The company said:

“The impact of a cyber attack in December 2019 and the ongoing Covid-19 pandemic this year has acutely impacted the business.”

What the incident serves to highlight is how cascading risks can have catastrophic impacts on a business. Sure, you might think Cyber is not a particular worry for your business but what about a cyber attack AND a specific pandemic impact to your business occurring at the same time?

So what should we do?

There are quite a few pre-Christmas checks organisations can do now to reduce the risk of a hacker conducting a successful hack whilst you’re tucking into your turkey, roast potatoes and sprouts! Here are some of the things you should be thinking about now:

Is your Cyber Incident Response Planning up-to-date?

Documenting and exercising a cyber incident response plan is critical if you are to realistically come back from a cyber incident. Not only should you think about your own planning but consider sharing threat and incident information with other organisations.

Airgap [or lose] your backups

“We’re not too concerned about ransomware as we have a real-time backup solution.”

Many organisations have learned the lesson that backups are critical components of a corporate IT environment. That said, many organisations fail to implement controls to protect their backups. Hackers will typically target backup infrastructure first before launching a ransomware attack. If you have an airgap between your backups and the primary infrastructure you stand a much better chance of those backups being available when you need them.

Nice work, Change daddy.

One of the biggest (if not the biggest) sources of technology disruption is change. Most organisations recognise this and implement change freezes during the Christmas period because not only are internal IT departments typically under-staffed during this time but so too are vendor third line support teams. That said, there is no getting around the fact that sometimes change is still required, even during a change freeze. It could also be argued that the period which may be quiet for other parts of the business could be the perfect time to get a lot of the housekeeping tasks done which have been kicked into the long-grass during the course of the year.

Did anyone think to patch the estate?

Expanding on the previous point, InfoSec and IT should work together to identify security changes which could be implemented with minimal impact to the business and customers during the wider change freeze. Run a wide-ranging vulnerability scan across the network and check your servers against the CIS hardening standards (or your own hardening standards if they exist). Identify candidates for quick wins (e.g. removing insecure encryption algorithms, installing LAPS, implementing 2FA for admins).

Does it SIEM too quiet?

Whilst we’re entering into 2021 it is still commonplace for organisations to not have a SIEM. In some cases, the raw logging capability isn’t even turned on, and where it is turned on, it’s not actively monitored. I cannot stress this enough but:

TURN CENTRALISED LOGGING ON!!!

Even if you don’t actively monitor the logs it’s still better to have centralised logging turned on than disabling what is an incredibly rich source of forensic information about your network. These days it’s not even that hard to do.

For those who have moved up the maturity curve, make sure your logs are still being shipped to your central logging server by setting up alerting mechanisms. Don’t just stop there: test that the alerting will work in different circumstances. Will you still get alerts that logging is functioning if your email gateway goes down, for example?
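As an added example (not code from the original post or from Fox Red Risk), here is the “is it too quiet?” check in Python: it flags expected log sources that have gone silent for longer than their allowed gap, including a source that never reported at all, and falls back to a second alert channel when the first one fails. The source names, allowed gaps, check time and sample events are all constructed for the demo.

```python
from datetime import datetime, timedelta
# Constructed sample events (not real logs): "<ISO timestamp> <source> <message>"
SAMPLE_LOG = """\
2020-12-24T09:00:00 fw-edge-01 session opened
2020-12-24T09:05:00 dc-01 logon success
2020-12-24T10:02:00 vpn-gw-01 tunnel established
2020-12-24T13:30:00 dc-01 logon success
"""
# Hypothetical source inventory: how long each may stay quiet before we worry.
# backup-01 is listed but never reports; a check that only looks at what arrived would miss it.
EXPECTED_SOURCES = {
    "fw-edge-01": timedelta(hours=1),
    "dc-01": timedelta(hours=4),
    "vpn-gw-01": timedelta(hours=2),
    "backup-01": timedelta(hours=12),
}
CHECK_TIME = datetime(2020, 12, 24, 14, 0, 0)  # constructed "now" for the demo

def last_seen(log_text):
    """Most recent timestamp per source, parsed from the raw lines."""
    seen = {}
    for line in log_text.splitlines():
        ts_str, source, _ = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_str)
        seen[source] = max(seen.get(source, ts), ts)
    return seen

def silent_sources(log_text, expected, now):
    """Sources past their allowed gap, or absent entirely, mapped to a reason string."""
    seen, silent = last_seen(log_text), {}
    for source, max_gap in expected.items():
        latest = seen.get(source)
        if latest is None:
            silent[source] = "never reported"
        elif now - latest > max_gap:
            silent[source] = f"last event {latest.isoformat()}"
    return silent

def deliver_alert(message, channels):
    """Try each (name, send_fn) in order; return the name of the first channel that accepted it."""
    for name, send in channels:
        try:
            send(message)
            return name
        except OSError:
            continue  # e.g. mail gateway unreachable: fall through to the next channel
    return None

def failing_sender(message):
    """Stand-in for a mail gateway that is down (raises like a failed connection)."""
    raise ConnectionError("mail gateway unreachable")
```

Running `deliver_alert` with an SMS or chat channel listed after email is what answers the “what if the email gateway is down?” question: the alert still gets out, and the return value tells you which path actually worked.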

The straw that breaks the camel’s back

This year has been turbulent to say the least. Your business may have ridden out the pandemic so far. You may be on skeleton staff, whilst many of your workers are furloughed. You may have already made tough decisions about letting people go. A cyber attack, like the one that occurred at Travelex could be the last straw that takes your company into administration. It doesn’t have to be that way. Follow the advice above and you should be in a good place. There are other things that you can do in addition to the above. If you’d like a cyber breach readiness assessment, don’t hesitate to get in touch so you can avoid a nightmare after Christmas!

About Fox Red Risk

Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
