How Long Have You Lived Here?
Riverbank Ruminations; Observations from The Banks of The Technology River
Tom Evans ~ Ashton Engineer Emeritus
When we have a conversation with someone who we are getting to know, one of the questions we might ask is “How long have you lived here?”. Their answer cues us in to how familiar they may be with the area, and whether we ask them for advice on where to eat or the best route to the east side of town.
With ransomware and data exfiltration becoming ever more prominent in the news, there has been more discussion about how these attacks occurred. With the SolarWinds compromise, one important question is starting to get asked: “How long was the attacker on the network?” Analysis indicates that the attackers were on the network for several months. This is known as “persistence”.
At first, the hackers were just observing and mapping out the network and procedures. They knew where software source code existed, how it was compiled, and where they needed to insert themselves to launch their attack. The hackers knew to replace good source code with infected code and when to delete the infected code and put the good code back. This resulted in SolarWinds unknowingly sending infected software to their clients.
The result was that some very high-profile customers were put at risk, and some were attacked. It remains to be seen what the final fallout from all of this will be. So far, it has been a huge problem for SolarWinds.
This brings me to something I read the other day. “There are two kinds of companies: those that have been hacked and those that don’t know they have been hacked”. I don’t think I agree with that, but if SolarWinds is an example of undetected, dormant intrusions, then they might be right. I prefer to divide companies into those that have been hacked and those that think they won’t be hacked.
Trust Me. You Are a Target
Everyone is a target; it just might take some time for your turn to come around. Take for example a vendor for the city of Griffin, Georgia. The city got an email claiming to be from a vendor requesting a change in their account information for payment purposes. Around $800,000 was sent to the fraudulent account. What allowed the scammer to send an email that was convincing enough to accomplish the fraud?
According to the city, the scammer knew:
- The City did business with that company
- Details of the project being done by this company
- The cost of that project
- The invoice amounts related to the project
This information would not be hard to get if you were on the vendor’s network. The scammer created a bogus domain with a name that was close enough to that of the vendor that the email was initially accepted as legitimate (imagine vendor.com and vend0r.com, where an ‘o’ has been replaced by a zero). After the fraud was discovered, the City went back to the emails and found that the sender addresses were not the vendor’s real domain. How long was the scammer on the vendor’s network?
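One defensive check that would have caught the vend0r.com trick above is to compare the sender’s domain against the list of vendors you actually pay, after undoing common look-alike substitutions. The script below is an added example, not something from the original post or from the City of Griffin; the vendor names, the confusable-character table and the sample messages are all constructed for illustration.

```python
# Flag payment-change emails whose sender domain merely looks like a trusted vendor.

# Constructed table of substitutions attackers use to imitate a real domain.
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain):
    """Map a domain to its 'what a human reads' form, e.g. vend0r.com -> vendor.com."""
    d = domain.lower().strip().rstrip(".")
    for bad, good in MULTI_CHAR:
        d = d.replace(bad, good)
    return d.translate(SINGLE_CHAR)


def edit_distance(a, b):
    """Levenshtein distance; catches vendor.co, vendors.com and similar one-off typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender, trusted_domains):
    """Return 'trusted', 'lookalike' or 'unknown' for the address that sent the mail."""
    domain = sender.rsplit("@", 1)[-1].lower().strip()
    trusted = [t.lower() for t in trusted_domains]
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        if norm == normalize(t) or edit_distance(norm, normalize(t)) <= 1:
            return "lookalike"      # close enough to a vendor to be deliberate imitation
    return "unknown"


def triage(messages, trusted_domains):
    """Verdict per message; anything not 'trusted' must be verified out of band before paying."""
    return [(m["from"], classify_sender(m["from"], trusted_domains)) for m in messages]


if __name__ == "__main__":
    # Constructed sample inbox for an accounts-payable mailbox.
    inbox = [{"from": "billing@vendor.com"}, {"from": "billing@vend0r.com"},
             {"from": "billing@vendor.co"}, {"from": "newsletter@example.org"}]
    for sender, verdict in triage(inbox, ["vendor.com"]):
        print(f"{verdict:9s} {sender}")
```

A `lookalike` verdict is a reason to phone the vendor at a number you already have on file, never one taken from the email itself.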
Is Your Network Monitored?
Would you know if someone was on your network? Do you have anything in place to detect a compromise? You would think that SolarWinds, a company involved in security management software, would have things well in hand in that department. Unfortunately, one of the things cited in the analysis is the fact that one of their servers had the password ‘soloarwinds123’!
If there is one thing that even small businesses can learn from this, it is that little things are important. Password policy is important. NIST (The National Institute of Standards and Technology) has recently come out with the recommendation against regular password changes. Instead, they suggest only changing passwords when a compromise is suspected. So the traditional, routine 90-day lifetime of passwords is no longer considered good practice. Making sure long/complex passwords are used is even more important today. Privileged accounts and high-value servers must be secured with a good password that is not generally shared or reused from somewhere else.
Least Privilege
If you are running a small business, how many people know the administrator password for the network? How many need to know it? While a small business might not see the value (or have the budget) to properly monitor their network, good password hygiene is a strong starting point. It is also possible to make sure people do not have more access than they need to do their job. Just because the boss feels like he should have the admin password is not a sufficient reason for him to have it. Executives are high-value targets that hackers love, which is all the more reason to keep admin passwords away from the boss! Even in small networks, you can minimize damage by keeping everyone at ‘least privilege’ (only enough access to properly do their jobs).
In the early days, the internet was open and everyone was trusted. Those days are gone. You can’t trust the internet – there are too many bad guys out there. You need to minimize the damage that can be done if your network is compromised. Proper network configuration can help, and proper security training for employees is a huge step forward.
Bad guys can be like mice. They get in and live on your premises for a while before you know they are there. Make sure you keep everything locked down as well as is possible, without impeding your business. And it wouldn’t hurt to have a pest inspection once in a while!
Need help with your network security? Call Ashton Technology Solutions at 216-397-4080.