The Realities of Cyber Security Threats

Ransomware and other cyber threats have evolved in recent years, and with that so has cybersecurity. In this episode we’ll share stories of modern day cyber attacks that keep IT professionals up at night. We'll hear about a cyber attack that impacted a country's health service, an attack on a legal firm's web server that exposed sensitive client data, and we’ll hear how attackers found vulnerable systems in a small company's network and got in. Experts share advice about best security practices for organizations and individuals alike. It's #CyberSecurityMonth, and this is an episode you won't want to miss.

PODCAST | 22m
October 20, 2021
S4:Ep3

Executive summary

  • Security should be baked into everything we do, whether we’re IT professionals or hybrid workers.
  • Discover what security vulnerabilities to look for and hear advice on the steps to take to make sure your system and data are secure.

Featured voices

Kurt Roemer
Chief Security Strategist
Citrix

Fahmida Rashid
Cybersecurity Journalist

Melanie Green (host):

Hi, I’m Melanie Green. This is Remote Works - Hybrid Survival Guide, an original podcast by Citrix.   It all started with a floppy disk. Remember those? The year was 1989. Shoulder pads were still a thing. Madonna was at the top of the charts. The Giants had won their third super bowl. And thousands of computer users received an envelope in the mail. Inside was a floppy disk. Most of them popped the floppy disk into their desktop computers. Then, a few days later, the users' files disappeared and a message popped up demanding that they send $189 by mail to a PO Box in Panama. That was history’s first widespread computer ransomware attack. Authorities quickly found the source of the floppy disks and they arrested the hacker and he went to prison. That failed floppy disk scheme was the birth of a whole new destructive business. Today, hacking and ransomware is costing us billions of dollars. That’s why, on this installment of our Remote Works: Hybrid Survival Guide -  we’re featuring cybersecurity and IT’s biggest fears -- and how to keep you and your data safe -- no matter how or where your work is getting done.

 

We’ll meet Kurt Roemer, Chief Security Strategist at Citrix. He’ll share what he knows about preventing attacks on IT departments and individuals. Here’s a hint. Avoid CVE’s.

 

Kurt Roemer:

CVEs - Common Vulnerabilities and Exposures - And if there's a critical CVE that is affecting one of their systems, take action immediately.

Melanie Green (host):

And embrace SASE.

Kurt Roemer:

So the secure access service edge or SASE is really bringing security to the edge of the network.

 

Melanie Green (host):

We’ll explain everything in a few minutes. But first, let me introduce you to someone who has done a lot of research into just how bad cyber attacks can be.  Fahmida Rashid is a software developer turned cybersecurity journalist. She has spent years writing about security technology for IT professionals, business managers, and consumers. She was also the Senior Managing Editor of Decipher, an online information security and privacy news site. Fahmida shared three hacking stories with me, each touching on a different industry. Each has an important lesson on how to keep hackers out of your system. The first story dives right into one of the biggest and most expensive hacks: ransomware.

IT and the threat of ransomware

Fahmida Rashid:

Ransomware is really obvious. I mean, as a IT admin, as a IT staff, or even as a regular user in your company, you're going to know you've been hit because your computer is suddenly going to display a screen, saying all your files have been encrypted and you now have to pay this much amount in Bitcoin to get your stuff back.

Cyber attack stories

Melanie Green (host):

And in her research Fahmida has come across plenty of stories of ransomware attacks in places where they can have serious consequences. A recent cyber attack on a major health system, for example.

Fahmida Rashid:

Staff noticed  - they came into work one morning - and they noticed that I think two or three of their computers had this message saying, all your files have been encrypted, you now have to pay. And here's the information. And sometimes they give you a technical support number. Like call this number or email us, and we'll help you get the cryptocurrency to pay us, and you get your files back.

Melanie Green (host):

The system’s computers were hacked. There were the computers that doctors and nurses would use to see patient diagnoses and what drug they should be taking and the computers where information like names, addresses and insurance companies were stored.

Fahmida Rashid:

From the hospital standpoint, the impact is if they can't get up and running, then they are essentially closed. There have been cases where they had to say, Hey, sorry, we're not doing any surgery today.  Go to the next hospital. And hopefully they'll be able to take in new patients today. So data, even though it's essentially just things on the screen or just nebulous items, they translate to people not actually getting the care they need, not seeing their doctors, not receiving their medicines. So the impact becomes very, very immediate in the physical space.

Repercussions of cyber attacks

Melanie Green (host):

And the repercussions of such an attack go far beyond data security. When a hospital has to close its doors, people suffer. Those are the types of situations that have Kurt Roemer, Chief Security Strategist at Citrix, on high alert.

 

Kurt Roemer:

A ransomware attack is very pervasive and it's an attack that hits both the technology, as well as the business. It's really concerning when it hits physical security as well and starts impacting lives as it does with hospitals.

 

Melanie Green (host):

Kurt says that his first line of defence is always to prepare in advance for the day that you get locked out of your system.

 

Importance of backup procedures

 

Kurt Roemer:

It is absolutely essential for hospitals to have backup procedures and have resiliency built in so that if there is an attack and they need to move away from IT supplied systems, they can do that and still supply the required patient care. I think what stands out the most is how common all of these issues are and how preventable these issues are. When you run through scenarios as a healthcare provider, you have to think if this technology is unavailable to me, what would I do next? What's my plan of action, and constantly have that in mind. And so you might not be running in an optimal situation, but you're at least able to have continuity of patient care.

 

Melanie Green (host):

So the lesson here is to back up your data. And then back it up again. IT departments should be front and center here. They need to develop a strong game plan for backing up data and develop a strategy for the worst possible scenario: the shutdown of the entire system. Fahmida Rashid’s second story gets at the complexities of securing your website. It’s all about CMS: content management systems. When you use a template and add plugins, there’s more risk of a hack. You’ve suddenly become vulnerable to other people’s weaknesses in their software.

Fahmida Rashid:

There was a law firm that used a major content management system, a CMS, to run their website. And that’s actually a pretty common scenario. Very few companies, very few organizations currently hand code their websites. And they were using this CMS software and they had a plugin that really made it dynamic and ways to include images, but they hadn't updated that specific plugin. And because the plugin wasn't updated, the attackers were able to upload malware and then get access to the web server and then get access to everything else on that machine, because they were already on that machine. And once they were on that machine, they just basically looked around what directories were there and they found clients, client data. So a law firm is dealing with mergers, acquisitions, personal information — a lot of these are really sensitive in terms of, if you release the information too early, you can be manipulating the stock market. They're just a whole load of sensitive information that a law firm is sitting on. And if somebody steals it, the law firm is basically right now having to do a lot of damage control. They have to find out what was stolen, who had it, what the impact on their customers and their clients are going to be. And in some cases it could be again, not just a regulatory thing, but it could be a business disruption. They're not going to be able to do anything until they get their client data back.

 

Melanie Green (host):

That is truly layers and layers of trouble.  Kurt Roemer says that understanding the ripple effects of a hack can show you how important it is to devote resources to preparation and prevention. Once again, IT needs to be at the center of it all.

Common Vulnerabilities and Exposures (CVEs)

 

Kurt Roemer:

Be very careful about what extensions you use and use only approved extensions from your IT department if you're doing any browser extensions. It's best to avoid them in the first place though.

 

Kurt Roemer:

Companies should be watching out for any of the alerts that come in in terms of CVEs - Common Vulnerabilities and Exposures - and be able to assess those. And if there's a critical CVE that is affecting one of their systems, take action immediately. That's something where you could have an attack against your organization that's highly targeted, maybe even something like ransomware.  And it's very likely it's going to be weaponized and used against you. And so much like knowing that a wildfire is approaching your town or that there's civil unrest right next door, you're going to act differently. It's the same thing when you've got very, very substantial CVEs. Now from an individual perspective, many people don't have that information right in front of them. But when your computer says, Hey, you need to patch this, there's a patch available, do it as soon as possible. Do it immediately if you possibly can and go through and proactively look for applications that need to be patched and updated as well as getting rid of applications that you're not using anymore so that they're not leaving you exposed.

 

Melanie Green (host):

It sounds so simple. And that’s what strikes me about these two stories. There’s no complex spy movie plot.  Hackers just rely on us to be the unknowing accomplice. Or it could be a supplier, a contractor or a vendor. That’s the route the hackers took in Fahmida’s third story. This time the victim was an HVAC company.

Fahmida Rashid:

So there was a major retailer. They did a great job. They had a very comprehensive security program. They had a large security team and they were on top of things and they were compromised. Not because the team forgot something, but what had turned out was they were working with a small HVAC company, which was handling their air conditioning and refrigeration and a lot of other, I think, temperature control for their stores. So that company was doing their due diligence. But they had a vulnerable system that was exposed to the internet. So somebody was able to basically poke around, they found this computer, they got in, they looked around and they said, ‘Huh, okay. This is a small company but, hey, there is a login and a password combination here. What does this do?’ So they started testing out credentials and then they found like, ‘Hey, I am connected to this other computer that’s not in this network, but a different one. Let me see if these credentials work for that connection’. And it turned out it did. And that network connection was that larger retailer.

Melanie Green (host):

So. The attackers started with a small HVAC company. They came in with just one computer that was accessible from the internet. Then they found the password, and they connected to the retailer. Once they got to the retailer, they were able to just poke around looking at other computers on a network until they found the network that contains all the credit card information. That would be a retailer's nightmare - having your database breached -- and having your customers’ credit card numbers stolen. It’s a breach of the trust you’ve worked so hard to build. It can have devastating consequences for a business.

 

Fahmida Rashid:

And that is what the attacker found. They were able to basically make copies of all of that and they basically sent those copies out. So as far as the retailer was concerned, they didn't even know that the credit card data, the payment data had even been stolen. They didn't even know that the attackers had been wandering around the network. They didn't even know that the HVAC company had been compromised. The only reason that the retailer was even able to discover that this had happened was the criminals had been bragging on criminal marketplaces about how much of the great credit card data they had, that they were offering for sale.

Melanie Green (host):

Listening to that story, Kurt Roemer, security strategy expert, just nods knowingly. It’s a familiar story. Passwords have always been a big problem. Did you know the most common password is still 123456? Yikes. Kurt says the best way to solve the perennial password problem is to avoid passwords all together.

The problem with passwords

Kurt Roemer:

Passwords definitely are one of the biggest concerns today in terms of cyber security, because they're very easily discoverable, guessable, crackable, and something that leaves us all exposed. The best thing to do is to look for systems and applications that don't rely on passwords and migrate over to those as soon as humanly possible. And by doing so, you're utilizing multi factor authentication where you might have a token or token code that you're utilizing, you might have biometrics, you know, facial scanning or retina scanning, or thumbprint scanning. And you can utilize multiple factors to be able to authenticate to these systems.

Melanie Green (host):

Fahmida’s three hacker stories highlight three vulnerabilities hackers use to access our systems: not having your data backed up, using vulnerable third-party software and the ever-present problematic passwords. But there’s one more vulnerability to assess: what about the security risks of hybrid work? Kurt has given a lot of thought to how security plays out as many of us head back to the office for part or all of the week.

Kurt Roemer:

I think, as there's a return to the office, there's going to be a lot more focus on how do we take information and how do we take systems that were being utilized in people's homes, have them integrate with the corporate network again and not have them impact the corporate network? We've seen examples of where companies are having people return to the office. They're going through and scrubbing their machines and resetting them completely in many ways to make sure that there's nothing brought into the corporate network that could impact it. And I look at that and say, that's wrong on so many levels because if that machine's been running great in somebody's home and not exposing everything, you're fine. But if there was concern, why would you have let somebody use it at home for all of these months? And secondly, if you're concerned about an outside system affecting the corporate network, you definitely have an issue with that corporate network and you need to have it updated.

Melanie Green (host):

I’m with Kurt. Too much scrubbing is a bad thing. You should see my kitchen sink. But seriously, when Kurt dives deeper into keeping ourselves secure in hybrid work, he goes back to something we’ve talked about on this podcast before: Zero Trust.

Adjust security measures so the risk is appropriate

Kurt Roemer:

It's about making sure that everything that you do is continuously situationally aware and contextually risk appropriate. So that regardless of what situation somebody is working in, whether it's from home, whether it's from in the office, whether it's on a personal device or a corporate device, whether they're an employee or non-employee, those situations are constantly being evaluated as they change. And your security measures are being adjusted so that risk is always appropriate.

Melanie Green (host):

And the technology that enables security anywhere on many devices has to keep evolving. Kurt explained a security system especially targeted at remote and hybrid work.  It’s called secure access service edge or SASE for short. The idea is to bring security to us - wherever we're working, whatever devices we’re on.

Secure Access Service Edge

 

Kurt Roemer:

So the secure access service edge or SASE is really bringing security to the edge of the network. The edge of the network is really where personal responsibility starts in a lot of cases. And so when you're working at home, you've got your home router, which you've provided some levels of protection for. And if your company doesn't provide a VPN or doesn't provide a secured way to go to the cloud your home router is the edge of the network in many cases. And oftentimes a home router is also used for general internet access for gaming and may or may not be secured. So by providing security at the edge and providing additional measures you're either bringing them directly into the end point and extending the edge of the network further to the end point, so that it's better protected, or putting it into that network appliance so that all of the devices are protected on the network no matter what's happening on all the networks around you that you're connected to. And so that could be into someone's home, that could be into a branch, that could even be into a branch of one in many cases as people are travelling.

 

Melanie Green (host):

Thinking about the edge of the network, it seems like it could be a really vulnerable place. And a crack IT department will secure that place with a strong secure access service edge.

 

Kurt Roemer:

SASE is typically implemented in a couple of different ways. It can either be an agent that goes on a device, whether it's a Chromebook or Windows or Mac or Android or iOS, and basically provides all of the security protections that you otherwise would have maybe had to install 10 or 12 separate agents for. That same model can also take all of those protections and combine with a network appliance, typically also involving SD-WAN or Software Defined Wide Area Network. And so it provides for both security and availability and protects not just the single device, but protects anything on the network, which can be traditional laptops and tablets and smartphones, but also IOT devices and medical equipment and things on a manufacturing floor.

 

Melanie Green (host):

So it's taking all of the protections that used to be built into the corporate network.  Like antivirus protection. Intrusion detection.  And it includes Data Leakage prevention, threat intelligence from the cloud. That all becomes available no matter where we are.

 

Kurt Roemer:

So that you've got the best of both worlds. You have all of the information that typically would have been installed on the end point but it's constantly making sure that the threat environment is being kept up to date and relevant so that you're protected.

Melanie Green (host):

If I were the head of IT security, SASE would help me breathe a little easier. Depending on your business, you might be listening to some of these stories and think, ’that’s not me’. I don’t work in a high tech job. I don’t need to worry about security.  Think again, says Fahmida Rashid.

 

Fahmida Rashid:

We don't realize sometimes just how much we rely on technology. And then until it’s actually something you start counting, you know, we think of say a bookstore. Well, it’s a business about books, right? No actually it's a technology company because they probably have some kind of a customized software that tracks their inventory. So suddenly they are a tech company as well as a bookstore. And they probably are taking credit card data because not everybody's going to pay in cash. Okay, now they have to be thinking about how they're handling credit card information — that is a technology question. Credit card information, payment card information, that's money. People want to steal money. So now it becomes a security conversation. You can't just start up a business anymore that takes any kind of currency and say, ‘I don't have to think about security’.

 

Melanie Green (host):

In other words Fahmida Rashid wants all of us to think about security. Kurt agrees.

Security is everyone’s responsibility

Kurt Roemer:

Security responsibility is a shared responsibility and it's really all of our responsibility to help to protect the organization and all of its interests.

 

Melanie Green (host):

So security should be baked into everything we do: whether we’re IT professionals or hybrid workers. That’s great advice. Here’s what I’ve learned from our hacker stories: Number one: backup your data. Number two: be careful with third-party software. Number three: don’t rely solely on passwords. And pay attention to SASE: The secure access service edge. What’s happening on the outer edge of your network. When you’re working in more than one location on multiple devices ensure you have the highest level of protection possible on your network. Something that will protect all of your devices no matter where you are working. It really is all about taking control. That means identifying vulnerabilities and then taking the steps to make sure your system and data are secure. And really, couldn’t we all use a little more security in our lives? You’ve been listening to Remote Works, Hybrid Survival Guide, an original podcast on Fieldwork by Citrix.   Subscribe and come back in two weeks.  That’s at Citrix dot com slash remote works.