Blog | 24By7Security

So Many Freedoms, So Much to Celebrate

Written by Rema Deo | June, 28 2022

Independence Day in America is a huge national event that we celebrate in many ways. Americans prize their freedoms above virtually all other values, and the Fourth of July 2022 will serve as another annual testament to that spirit.

While the freedoms described in the U.S. Constitution’s Bill of Rights are part of the heart and soul of America, there are other freedoms worth noting as Independence Day approaches.

As an award-winning cybersecurity firm, we believe that American organizations, agencies, and businesses can ensure certain freedoms for themselves by operating cybersecurity programs that are solid, comprehensive, and actively maintained all year long. Here we take a look at five of those freedoms.

Freedom from Easy Hacks

Hackers are a lot like everyone else when it comes to preferring work that is easier rather than more difficult. Most look for low-hanging fruit they can easily grasp and exploit, rather than riches to be won by hacking their way up the tall trees.

The result of this very human tendency is that they tend to find and exploit the easiest targets. They may look for masses of poorly protected logon credentials to swipe and sell on the dark web. Or they may troll for other rich troves of data such as personally identifiable information (PII) or protected health information (PHI). Wherever they can find and readily exploit information for profit or politics, hackers will take the path of least resistance.

Organizations can declare freedom from easy hacks by reexamining their password policies, strengthening the weak ones, and adding the missing ones. Strict adherence to the fundamentals of password protection, including the following actions, will keep your passwords from being low-hanging fruit.

  • Implement a secure, encrypted password management tool for your business. Among other conveniences, it keeps track of all passwords to ensure they are not reused. Reuse makes them more vulnerable.
  • Configure the minimum length for passwords to be 10 characters, and 15 characters for passphrases. Password cracking algorithms are proven less effective after 10 characters. (Passphrases can actually be up to 127 characters long in the major operating systems.)
  • Implement rules that require passwords to be changed every 90 days, and passphrases every 180 days. No exceptions, not even for executives.
  • Establish complexity requirements for both passwords and passphrases.
  • Use strong admin passphrases for all domain admin accounts. 
  • Reset admin passwords every 180 days.
  • Implement multifactor authentication for every sign-on.

Freedom from Ransomware Payments

One of the best protections against a ransomware attack is to have access to a very recent backup of your company’s data. This can enable your organization to continue operations despite the hackers’ theft of that data. And when they contact you with their ransom demand, you won’t be nearly as vulnerable to the threat. Ransomware is here to stay because it is so profitable for cybercriminals. Through regular and frequent data backups, you can help reduce the profitability factor.

This said, ransomware criminals will still threaten to publish your stolen data on the dark web, even offering it for sale to other cybercriminals. And just this month, an article at Krebs On Security observed that the ransomware gang ALPHV (aka BlackCat) had begun publishing stolen company data on the open Internet and making it available in an easily searchable form.

According to Krebs, ALPHV announced that it had hacked a luxury spa and resort in the western U.S. and, for an added jolt, had published a website with the resort’s name in the domain and their logo on the homepage. The website claims to list the hijacked personal information of some 1,500 resort employees and 2,500 guests, offering two buttons for employees and guests to view their stolen information on the site.

This new tactic is believed to be a test run to gauge whether the threat of more public exposure can yield greater ransom profits for the gang.

The lesson for organizations is that having a complete and recent data backup is absolutely crucial—but hardening the entire cybersecurity program is equally important. Declare your freedom from ransomware payments by taking both actions, and quickly. As an aid to shoring up your cybersecurity, conduct a security risk assessment soon.

Freedom from Unknown Vulnerabilities

Whether you’re responsible for an entire business, or for managing its cybersecurity program, it’s easy to be distracted by a hundred other priorities.

A tried-and-true security risk assessment is a critical step in (1) identifying risks to your organization from inside and outside, (2) discovering the gaps in cybersecurity and physical security, and (3) providing clear guidance for implementing a sound risk management strategy.

A security risk assessment provides a structured, qualitative evaluation of your organization’s operating environment in terms of threats, vulnerabilities, risks, and security safeguards.

In addition, a security risk assessment is part of the NIST Cybersecurity Framework as well as a requirement of federal regulations such as HIPAA, GLBA, and the PCI Data Security Standard, to name a few. Penalties for failure to comply are applied frequently, and in the healthcare industry they are widely publicized as well.

Declare your freedom from unknown vulnerabilities and security gaps you may not be aware of with a security risk assessment today. And make sure it includes an implementation plan that addresses security weaknesses in priority order in accordance with an established schedule.

Freedom from Known Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Government has added significant known vulnerabilities in Adobe, Cisco, Google, Microsoft, Netgear, and other products to its catalog of known exploited vulnerabilities.

The current catalog includes almost 800 known vulnerabilities and was updated most recently on June 14, 2022. The catalog can be downloaded as a CSV file, enabling users to sort as needed by CVE number, date added, vendor name, and more. Links to the CVE website offer details for each vulnerability.

Following is a list of just a few of the known vulnerabilities added recently. Updates or patches are available for virtually all known flaws.

  • CVE-2009-4324: Flaw in both Adobe Acrobat and Adobe Reader that allows remote attackers to execute code via a crafted PDF file.
  • CVE-2010-1297: Memory corruption vulnerability in Adobe Flash Player that enables remote attackers to execute code and conduct denial of service attacks. 
  • CVE-2016-1646 and 5198: Vulnerabilities in Google's Chromium V8 JavaScript engine that allow remote DOS attacks.
  • CVE-2018-17463 and CVE-2017-5070: Flaws in Chrome V8 that enable cybercriminals to execute code they can then exploit to access networks. 
  • CVE-2012-4969: Vulnerability in Microsoft Internet Explorer that allows remote execution of code. IE is a sunset system and any organization still using this browser should have replaced it long ago.
  • CVE-2013-1331: Buffer overflow vulnerability in MS Office that enables remote attacks to be launched by bad actors.
  • CVE-2012-0151: Flaw in MS Windows’ Authenticode Signature Verification function that allows attackers to execute remote code assisted by unsuspecting users.

In concert with the National Security Agency (NSA) and Federal Bureau of Investigation (FBI), the CISA emphatically recommends not only (1) patching affected software and devices, but also (2) removing or isolating compromised devices from the network, (3) replacing end-of-life hardware, (4) disabling unused or unnecessary services, ports, protocols and devices, and (5) enforcing multifactor authentication for all users, without exception.

There’s no excuse for falling victim to a cybercriminal’s exploitation of any known software vulnerability, thanks to the CVE catalog and availability of vendor software updates. Declare your freedom from known vulnerabilities by installing all updates pronto. If you are seriously backlogged, don’t try to tackle them all at once. Instead, create an update schedule and stick to it relentlessly. Your company’s cybersecurity depends on it.

Freedom from Social Engineering

Social engineering is a set of tactics that take advantage of human vulnerabilities for the benefit of the exploiters. Unsuspecting employees, who may also include part-timers or contractors, are duped into revealing information they shouldn’t share. And the results can be serious for their employers, whose data becomes accessible and exploitable virtually overnight.

Employers can declare freedom from social engineering ploys by ensuring their employees are trained to spot these tactics and report them to designated company personnel. It’s better for an employee to report an unfounded suspicion than to wait for the suspicious activity to actually take place. Declare your freedom from social engineering with regular, robust cybersecurity awareness training. Regular training is effective in preventing social engineering by helping employees remember what to watch for and what to do when they see it.

Summary

As Independence Day approaches, we were inspired to call attention to some of the special freedoms that American organizations can provide for themselves—by ensuring that their cybersecurity programs are solid, comprehensive, and actively maintained.

Among the cyber freedoms we’ve described here, in no particular order, are the freedom from social engineering, freedom from easy hacks, freedom from ransomware payments, and the freedom from both unknown and known vulnerabilities. We’ve provided security guidance that has proven to be effective in repelling these and other types of cybercrimes across most industries. And we’ve provided links to resources that can assist you further.

Now it’s up to you to take the next steps and declare your freedom from cybercrime!