Unexpected Side Effects: How COVID-19 Affected our Click Habits

Phishing has been around for ages and continues to be one of the most common threats that businesses and home users face today. But it’s not like we haven’t all been hearing about the dangers of phishing for years. So why do people still click? That’s what we wanted...

Key Considerations When Selecting a Web Classification Vendor

Since launching our web classification service in 2006, we’ve seen tremendous interest in our threat and web classification services, along with an evolution of the types and sizes of cybersecurity vendors and service providers looking to integrate this type of...

4 Ways MSPs Can Fine-Tune Their Cybersecurity Go-To-Market Strategy

Today’s work-from-home environment has created an abundance of opportunities for offering new cybersecurity services in addition to your existing business. With cyberattacks increasing in frequency and sophistication, business owners and managers need protection now more than ever.

MSPs are ideally positioned to deliver the solutions businesses need in order to adapt to the current environment. In this post, we’ll briefly summarize four ways to fine-tune your cybersecurity GTM strategy for capitalizing on the shifting demands of today’s market.

1. Build an Offering That Aligns with Your Customer’s Level of Cyber Resilience

A cybersecurity GTM strategy is not a one-size-fits-all proposition. Each customer has unique needs. Some operate with higher levels of remote workers than others. Some may have more sensitive data than others. And some will have lower tolerances to the financial impact of a data breach than others. So, understand the current state of your customer’s ability to adequately protect against, prevent, detect and respond to modern cyberthreats, and then focus on what aspects of cybersecurity are important to them.

2. Leverage Multi-Layered Security

Today’s businesses need a cybersecurity strategy that defends against the methods and vectors of attack employed by today’s cybercriminals, including highly deceptive and effective tactics like ransomware, phishing and business email compromise (BEC). Countering these methods requires a layered approach, where each layer addresses a different class of weakness within the larger network topology:

  • Perimeter – The logical edge of your customer’s network, where potentially malicious data enters or leaves. Endpoints (wherever they reside), network connectivity points, and email and web traffic are all areas that may need to be secured here.
  • User – Employees interact with potentially malicious content and can be either unwitting victims or an active line of defense. That makes addressing the user (training and an easy way to report suspicious messages) part of your GTM strategy.
  • Endpoint – Consider the entire range of networked devices, corporate and personal: laptops, tablets and mobile phones. Every endpoint needs to be protected.
  • Identity – Ensuring that the person presenting a credential is its legitimate owner (for example through multi-factor authentication) is another way to keep customers secure.
  • Privilege – Limiting elevated access to corporate resources reduces what an intruder can reach with a single compromised account.
  • Applications – Applications are the path to information and valuable data, so monitoring their use, particularly by accounts with sensitive access, is critical.
  • Data – Inevitably, the data is the target. Monitoring who accesses what gives additional visibility into whether an environment is secure.

For each layer, there’s a specific tactic or vector that can form the basis of an attack, as well as specific solutions that address vulnerabilities at that layer.

3. Determine the Right Pricing Model

Pricing can make or break a managed service. Too high and the customer is turned off. Too low and there’s not enough perceived value. Pricing is the Goldilocks of the MSP world. It needs to be just right.

Unlike most of your other services, cybersecurity is a constantly moving target, which can make pricing a challenge. After all, a predictable service offering equates to a profitable one. The unpredictability of trying to keep your customers secure can therefore impact profitability. So, it’s imperative that you get pricing correct. Your pricing model needs to address a few things:

  • It needs to be easy to understand – Like your other services, pricing should be straightforward.
  • It should demonstrate value – The customer needs to see how the service justifies the expense.
  • It needs to focus on protection – Because you have no ability to guess the scope and frequency of attacks, it’s important to keep the services centered around preventive measures.
  • Consider all your costs – Cost is always a factor for profitability. As you determine pricing, keep every cost factor in mind.

4. Rethink How You Engage Prospects

Assuming you’re going to be looking for new customers with this service offering (in addition to selling it to existing customers), it’s important to think about how to engage prospects. The days of cold outreach are long gone, as 90% of buyers don’t respond to cold calls. Instead, today’s buyer is looking to establish connections with those they believe can assist their business. Social media sites have become the primary vehicle for a number of aspects of the buyer’s journey:

Build a Cybersecurity GTM Strategy that Works

The biggest challenge with bringing a cybersecurity service to market is meeting the expectations of the prospective customer. Demonstrate value from the very first touch through social media engagement and content. Meet their unique needs with comprehensive solutions that address all their security vulnerabilities. And finally, make sure your pricing is simple, straightforward and easy to understand.

Ransomware: The Bread and Butter of Cybercriminals

Imagine a thief walks into your home and rummages through your personal belongings. But instead of stealing them, he locks all your valuables into a safe and forces you to pay a ransom for the key to unlock the safe. What choice do you have?

Substitute your digital space for your home and encryption for the safe and you have what’s known as ransomware. Ransomware is a type of malware. After the initial infection, your files are encrypted and a note appears demanding payment, usually in a cryptocurrency such as bitcoin because those transactions can’t be stopped or reversed. Once your files are encrypted, you can’t access them without the decryption key, which the attacker withholds until the ransom is paid.

The roots of ransomware can be traced back to 1989. The trojan, known as PC Cyborg (or the AIDS Trojan), was spread on diskettes given to attendees of a World Health Organization International AIDS conference. Victims were told to mail $189 to a P.O. box in Panama to restore access to their data.

Historically, ransomware was mass-distributed indiscriminately, and the machines that ended up infected were mostly personal ones. Today, the big money is in attacking businesses. Most of these infections go unreported because companies don’t want to expose themselves to further attacks or reputational damage.

Criminals know the value of business data and the cost of downtime. Because they service multiple SMB customers simultaneously, managed service providers (MSPs) are now an especially attractive target. A successful attack on an MSP magnifies the impact of attacks and the value of the ransom.

Primary ransomware attack vectors – with more detailed descriptions below – include:

  • Phishing
  • Cryptoworms
  • Polymorphic malware
  • Ransomware as a Service (RaaS)
  • Targeted attacks

Phishing: Still the No. 1 Ransomware threat

Ninety percent of all ransomware infections are delivered through email. The most common phishing delivery is a Microsoft Office attachment: once opened, the document asks the victim to enable macros (“Enable Content”). That is the trick. If the user enables the macro, it drops or downloads the ransomware onto the machine. Phishing remains a significant and persistent threat to businesses and individuals; the Webroot 2020 Threat Report showed a 640% increase in the number of active phishing sites since 2019.

Cryptoworms

Cryptoworms are ransomware that, once it has a foothold in an environment, spreads laterally across the network on its own, with no user interaction, to infect every reachable computer for maximum reach and impact. The most spectacular incarnation was WannaCry in 2017, which spread by exploiting an SMBv1 flaw (EternalBlue, fixed two months earlier in MS17-010) on unpatched Windows hosts; more than 200,000 computers were affected in 150 countries, causing hundreds of millions in damages.

Polymorphic malware

Much of the ransomware circulating today is polymorphic: the malware makes small changes to itself for each payload dropped on a machine, so every copy is effectively a brand new, never-before-seen file with its own hash. That ability to change its signature lets it evade many virus detection methodologies. Studies show that 95% of malware is now unique to a single PC, largely because of this shape-shifting code. Today nearly all ransomware is polymorphic, which makes it difficult to detect with signature-based antivirus alone.
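Because a polymorphic payload defeats hash-based signatures, defenders also watch for what ransomware does rather than what it is. The Python below is an added illustration, not code from the original post or from Webroot: it plants low-entropy decoy files and raises an alert when one is deleted or overwritten with high-entropy (ciphertext-like) data. The decoy names, the entropy threshold and the random-overwrite stand-in for an encryptor are assumptions made for the example.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Decoy content is deliberately repetitive (low entropy). Ordinary documents sit
# around 4-5 bits/byte; ciphertext produced by an encryptor sits close to 8.0.
CANARY_TEXT = b"CANARY FILE - DO NOT EDIT\n" * 200
# Hypothetical names chosen to sort first and last in a directory listing, so an
# encryptor walking the tree alphabetically touches one early and one late.
CANARY_NAMES = ("aaa_do_not_open.txt", "zzz_payroll_backup.txt")


def plant_canaries(directory: str) -> dict:
    """Write the decoys and return {name: sha256} as the baseline to check against."""
    baseline = {}
    for name in CANARY_NAMES:
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(CANARY_TEXT)
        baseline[name] = hashlib.sha256(CANARY_TEXT).hexdigest()
    return baseline


def check_canaries(directory: str, baseline: dict, threshold: float = 7.0) -> list:
    """Return (name, reason) alerts for decoys that vanished or changed.

    A change to high-entropy content is the strongest signal: nothing legitimate
    rewrites these files, and an encryptor's output is statistically near-random.
    """
    alerts = []
    for name in sorted(baseline):
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            alerts.append((name, "missing"))
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if hashlib.sha256(data).hexdigest() != baseline[name]:
            entropy = shannon_entropy(data)
            kind = "modified, high entropy" if entropy >= threshold else "modified"
            alerts.append((name, f"{kind} ({entropy:.2f} bits/byte)"))
    return alerts


def demo() -> list:
    """Plant decoys, then mimic an encryptor's effect on them and re-check."""
    with tempfile.TemporaryDirectory() as directory:
        baseline = plant_canaries(directory)
        assert check_canaries(directory, baseline) == []        # untouched: quiet
        first, second = sorted(baseline)
        # Stand-in for encryption: overwrite one decoy with random bytes (what
        # ciphertext looks like statistically) and delete the other.
        with open(os.path.join(directory, first), "wb") as fh:
            fh.write(os.urandom(len(CANARY_TEXT)))
        os.remove(os.path.join(directory, second))
        return check_canaries(directory, baseline)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"ALERT {name}: {reason}")
```

Entropy on its own is a weak signal, since compressed archives and media files are also near 8 bits/byte; the decoys make it usable because no legitimate process should ever rewrite them, so any change to a canary is worth an alert regardless of the entropy figure.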

Ransomware as a Service (RaaS)

Ransomware has become so lucrative and popular that it is now sold as a “starter kit” on the dark web, which lets novice cybercriminals run automated campaigns. Many of these kits charge nothing for the payload itself; instead the affiliate owes the author a cut of each ransom paid (around 30%, though this varies with how many victims the affiliate infects). GandCrab, and its successor Sodinokibi (also known as REvil), were perhaps the most famous operations to use this model.

Targeted attacks

Cybercriminals are moving away from mass distribution in favor of focused, hands-on attacks. The targeting is usually opportunistic rather than personal: tools automatically scan the internet for weak IT systems, and the attackers follow up wherever the scanner finds a way in, most often a computer with an exposed Remote Desktop (RDP) port and a weak or reused password. Common targets are organizations with many computers but little IT staff or budget, which is why education, municipal government and healthcare are the most vulnerable sectors.

Stay cyber resilient with multi-layered defense

As you can see, ransomware authors have a full quiver of options when it comes to launching attacks. The good news is, there are as many solutions for defending systems against them. The best way to secure your data and your business is to use a multi-layered cyber resilience strategy, also known as defense in depth. This approach uses multiple layers of security to protect the system. We encourage businesses of all sizes to deploy a defense-in-depth strategy to secure business data from ransomware and other common causes of data loss and downtime. Here’s what that looks like.

Backup

Backup with point-in-time restore gives you multiple recovery points to choose from, letting you roll back to a state before the ransomware began corrupting the system. Keep at least one copy offline or otherwise unreachable from the production network, since attackers who gain a foothold look for backups and encrypt or delete them before detonating.

Advanced threat intelligence

Antivirus protection is still the first line of defense. Threat intelligence, identification and mitigation in the form of antivirus is still essential for preventing known threats from penetrating your system.

Security awareness training

Your biggest vulnerability is your people. Employees need to be trained to spot suspicious emails and to know what to do when they suspect an email is malicious. According to our research, regular user training can reduce malware click-through rates by 220%.

Patch and update applications

Cybercriminals are experts at identifying and exploiting security vulnerabilities. Failing to install necessary security patches and update to the latest version of applications and operating systems can leave your system exposed to an attack.

Disable what you’re not using

Disable macros for most of the organization; only a small percentage of users need them. This can be set per user or through Group Policy, which writes the Office trust-center settings into the registry (for example the VBAWarnings value under HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security, where 4 disables all macros without notification, and blockcontentexecutionfrominternet set to 1 to block macros in files downloaded from the internet). Similarly, restricting script engines such as HTA, VBA, Java and PowerShell for users who do not need them removes the tools criminals rely on to sneak infections into an environment.
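The macro-laden attachment described under Phishing above, and the macro policy here, can also be enforced at the mail gateway before a user ever sees the “Enable Content” prompt. This Python example is added for illustration (it is not Webroot’s code); it treats any Office Open XML package containing a vbaProject.bin part as macro-enabled regardless of its file extension, because Office identifies a renamed .docm by its content, not its name. The sample documents are constructed in memory, and the quarantine policy is an assumption.

```python
import io
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"      # legacy binary .doc/.xls/.ppt container
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}


def classify_by_content(data: bytes) -> str:
    """Look at the bytes, never the extension.

    Returns 'ooxml-macro', 'ooxml-clean', 'legacy-ole' or 'not-office'.
    """
    if data.startswith(OLE_MAGIC):
        # Binary formats hide VBA inside OLE streams; that needs a dedicated
        # parser (e.g. oletools) or a policy decision, so surface it separately.
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            parts = set(package.namelist())
    except zipfile.BadZipFile:
        return "not-office"
    if "[Content_Types].xml" not in parts:
        return "not-office"                     # a zip, but not an Office package
    # Word, Excel and PowerPoint all store VBA in <app>/vbaProject.bin.
    if any(part.endswith("vbaProject.bin") for part in parts):
        return "ooxml-macro"
    return "ooxml-clean"


def inspect_attachment(filename: str, data: bytes) -> dict:
    """Gateway policy (assumed): quarantine macro-bearing Office files, whatever they are called."""
    verdict = classify_by_content(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    reasons = []
    if verdict == "ooxml-macro":
        reasons.append("VBA project present")
        if ext not in MACRO_EXTENSIONS:
            # Office opens a renamed .docm by sniffing its content, so a .docx/.doc
            # name exists only to get past people and extension-based filters.
            reasons.append(f"macro package disguised as .{ext or '(none)'}")
    elif verdict == "legacy-ole":
        reasons.append("binary Office format; VBA cannot be ruled out without deeper parsing")
    return {"verdict": verdict, "quarantine": bool(reasons), "reasons": reasons}


def make_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal Word package for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            package.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_attachment("invoice.docx", make_sample_docx(True)))
    print(inspect_attachment("report.docx", make_sample_docx(False)))
```

The extension mismatch branch is the one worth keeping an eye on: a “.docx” that carries a VBA project has no legitimate reason to exist and is almost always an attempt to slip past an extension-based block list.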

Ransomware mitigation

Make sure your IT staff and employees know what to do when ransomware gets onto a system. The affected device should immediately be disconnected from the network (pull the cable or disable Wi-Fi rather than powering it off, so volatile evidence in memory is preserved for investigation). If it sits on a shared network segment, isolate that segment, or take the network down if you cannot, to stop the infection spreading to other machines and file shares.

Want to learn more about how to protect your business or clients from ransomware? Here are five actionable tips for better defending against these attacks.

Cyber News Rundown: Android Giveaway Fraud

Thousands of Android Users Fall Victim to Giveaway Fraud

Upwards of 65,000 Android users were potentially compromised after installing a malicious app promising free giveaways. Over the year the scam was in effect, roughly 5,000 apps were spoofed to lure victims into downloading in exchange for a phony giveaway. In reality, the infection pushes silent background ads which generate ad revenue for the scammers and decrease device performance.

North American Real Estate Firm Hit by Ransomware

A new ransomware variant known as DarkSide claimed its first victim, Brookfield Residential,  after operating for nearly two weeks. The North American real estate developer recently noticed unauthorized access to several systems and was left a ransom note stating that over 200GB of data had been stolen. The data has since been published to DarkSide’s leak site, which has prompted many to speculate the ransom was not paid by Brookfield Residential.

Cryptominers Caught Using AI

Researchers have been at work creating an AI algorithm to detect malicious cryptocurrency miners while avoiding legitimate ones. The detection method compares currently running miners to graphs of both legitimate and illegitimate miners and monitors changes between the processes being used and the scheduling of mining activity. This type of detection may be put to use to decrease the overall use of malicious code that can often tax the system’s CPU usage to max capacity.

Los Angeles School District Suffers Cyber Attack

Just weeks after the FBI issued a warning about the threat of cyberattacks against school districts, the Rialto School District in California has fallen victim to just such an attack. These setbacks have made the return to online schooling particularly difficult. The extent of the attack remains unclear and officials are still working to determine the effects on the 25,000 enrolled students.

Maze Ransomware Cartel Adds New Variant Team

The authors of the lesser-known ransomware variant SunCrypt have recently joined forces with the Maze ransomware cartel. It’s believed the new cartel members were brought in to assist with the high volume of attacks that the Maze Group is handling and are being paid with a portion of its profits. In addition to new revenue streams from its partnership with the organization, cartel members also benefit from access to the Maze Group’s resources including obfuscation techniques and posting cartel member’s stolen data to their dedicated leak site.

10 Ways a Commercial DNS Filtering Service Improves Your Cyber Resilience

If you’ve landed on this blog, there’s a good chance you’re already aware that DNS is undergoing a major overhaul. DNS 2.0, better known as encrypted DNS or DNS over HTTPS (DoH), carries DNS requests inside the same HTTPS encryption that websites such as online banking use to protect sensitive information in transit.

While DoH offers real privacy benefits, it can also be a major security risk for businesses. DoH wraps DNS requests in TLS and sends them to whichever resolver the application is configured to use, so a traditional DNS or web filter sitting on the network path can no longer see, let alone filter, requests for malicious, risky, or otherwise unacceptable or inappropriate websites; a browser or piece of malware pointed at a public DoH resolver simply bypasses the local resolver.

Although some DNS filtering solutions are now starting to modernize, many simply offer the option to allow or block all DoH requests (in practice, by blocking connections to the known public DoH resolvers), rather than any more nuanced control.
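To make the bypass concrete, here is an added Python example (not Webroot’s code and not part of the original post) that builds an RFC 8484 DoH GET request for a DNS query, decodes one back out of a logged URL, and flags TLS sessions whose server name is a public DoH resolver the organization has not sanctioned. The resolver URL https://dns.example/dns-query, the sanctioned host doh.corp.example and the TLS session log are constructed for the example; the detection assumes you can see the TLS SNI, which is plaintext in TLS 1.2 and 1.3 unless Encrypted Client Hello is in use.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit

# Well-known public DoH endpoints; a client pointed at any of these bypasses the
# LAN resolver and whatever filtering it enforces. Starter list for the example;
# extend it from vendor documentation and your own inventory.
PUBLIC_DOH_HOSTS = {
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net",
}


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal DNS wire-format query (RFC 1035): header with RD set plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(wire: bytes):
    """Return (name, qtype, qclass) from the first question of a DNS message."""
    pos, labels = 12, []
    while True:
        length = wire[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")   # not produced by build_dns_query
        labels.append(wire[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", wire[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def doh_get_url(resolver: str, wire: bytes) -> str:
    """RFC 8484 GET form: the DNS message, base64url-encoded without padding, in the 'dns' parameter."""
    return resolver + "?dns=" + base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")


def wire_from_doh_url(url: str) -> bytes:
    """Inverse of doh_get_url, e.g. for a URL recovered from a decrypting proxy or debug log."""
    token = parse_qs(urlsplit(url).query)["dns"][0]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def unsanctioned_doh(tls_log, sanctioned) -> list:
    """Flag (client, sni) pairs where the SNI is a public DoH host you have not sanctioned."""
    return [(client, sni) for client, sni in tls_log
            if sni in PUBLIC_DOH_HOSTS and sni not in sanctioned]


# Constructed TLS session log (RFC 5737 documentation addresses).
SAMPLE_TLS_LOG = [
    ("192.0.2.10", "www.example.com"),
    ("192.0.2.10", "dns.google"),
    ("192.0.2.11", "mozilla.cloudflare-dns.com"),
    ("192.0.2.12", "doh.corp.example"),     # the company's own filtering DoH resolver (assumed)
]


if __name__ == "__main__":
    url = doh_get_url("https://dns.example/dns-query", build_dns_query("www.example.com"))
    print(url)
    print(parse_question(wire_from_doh_url(url)))
    print(unsanctioned_doh(SAMPLE_TLS_LOG, {"doh.corp.example"}))
```

The encoded query for www.example.com matches the worked example in RFC 8484 itself, which is a handy check that a DoH request you capture is what you think it is. Note that the SNI check is a coarse allow/block control: it cannot see which names a client is resolving through the foreign resolver, which is exactly why the page argues for routing DoH through a resolver you control.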

“That’s really where Webroot® DNS Protection differs from the competition,” says George Anderson, product marketing director at Webroot, an OpenText company. “Ours is currently the only DNS security product that lets businesses fully leverage DoH and its privacy benefits. Our solution encrypts data using HTTPS to route DNS requests through secure Webroot resolvers to prevent eavesdropping, manipulation, or exploitation of data.”

How a Commercial DNS Filtering Service is a Game Changer

According to George, the cyber resilience benefits of using a private, commercial DNS security service that fully supports DoH are numerous. When we asked him to narrow down to his top 10, here’s what he had to say.

  1. First, it provides a very secure, reliable, multi-point of presence connection to the internet with high availability.
  2. Second, trusted DNS resolvers process ALL of your internet requests—we are talking any user, server, or application using the internet with a single, tamperproof choke point for admin and policy request controls.
  3. Third is confidentiality. It keeps your organization’s internet requests private and invisible to malicious actors, your ISP, and so-called “free” DNS resolvers—all of whom can abuse this data.
  4. It then gives your organization full visibility and log access to all of your internet traffic requests, allowing for security analysis and management through reports or ingestion via a SIM/SIEM.
  5. With Webroot, you also get transparent security policy filtering of both encrypted (DoH) and clear text (DNS) requests.
  6. Webroot BrightCloud® threat intelligence data automatically applies the latest and most accurate internet domain security in real time to every outbound request, regardless of source, meaning we stop the majority of malicious and suspicious request responses that could have led to a breach.
  7. A commercial service also provides the flexibility to manage internet access for guest/public WiFi networks, IP address ranges, user groups down to individual user, and lets you filter using a wide range of domain categories.
  8. In the context of WFH, if the user is connected to the internet via VPN or a local DNS agent on their device, then a DNS filtering solution protects them no matter where they connect.
  9. Also, from a WFH perspective, you need your DNS security service to integrate with the majority of VPNs and work easily with your other security and network technologies.
  10. Lastly, and definitely key for your organization, a commercial DNS security service can offer great visibility into internet usage with scheduled executive reporting that lets you oversee internet use, assist with HR initiatives, and help ensure compliance.

As DoH continues to grow in adoption, George advises all businesses to be proactive about their cyber resilience strategies. Particularly as more work is conducted outside of more traditional office settings, it’s critical to understand and embrace the value that a flexible cloud gateway—whose protection is not confined to a physical network—can offer.

“Ultimately, in a world where many companies continue to support remote workers, businesses really can’t afford not to use a filtering solution that provides both privacy and security control.”

– George Anderson, product marketing director at Webroot, an OpenText company

Learn more about Webroot’s answer to DNS filtering or take a free trial of Webroot DNS Protection here.

Cyber News Rundown: Ransomware Targets Major Cruise Line

Ransomware Attack Targets Major Cruise Line

Officials for Carnival Cruises have confirmed that a portion of their IT systems were encrypted following a cyberattack identified over the weekend. The company also revealed that sensitive information for both employees and customers was illicitly accessed, though it did not say to what extent.

Millions of Social Media Profiles Exposed

More than 235 million social media profiles belonging to several major platforms, which contained personally identifiable information including names, locations and contact data, were publicly exposed due to a misconfigured database. Social Data, an online data marketing broker, seems to be the owner of the data, though it is unclear how they obtained it since data scraping for profit is generally not tolerated by Facebook or other platforms. According to Social Data, the database was exposed for up to three hours after initially spotted. It remains unknown how long the data was accessible without authentication.

Wine and Spirits Conglomerate Suffers Ransomware Attack

Brown-Forman, the parent company of many major liquor brands, recently fell victim to a ransomware attack that appears to be the work of the REvil ransomware authors. While the company was able to detect and thwart the attack before encryption, upwards of 1TB of highly sensitive internal information on employees, clients, and financial statements was stolen. Though no formal ransom was delivered, the attackers are likely to auction the data imminently.

File-less Worm Creates Linux Crypto-mining Botnet

Linux administrators should be on the lookout for a new infection that has been silently building a botnet to use target machines as crypto miners. Since the start of the year, over 500 SSH servers around the world have been infected by a worm that also plants additional backdoors so the attackers can return later. Because the infection is file-less, a simple reboot temporarily removes the malicious processes, but since the login credentials have already been exfiltrated the system can be quickly re-infected.

Canadian COVID-19 Relief Sites Breached

Several Canadian government websites connected to healthcare relief funds were breached with the intent of stealing COVID-19 relief fund payments. Roughly 9,000 GCKey accounts, a small portion of the 12 million total, were directly affected after being breached via credential stuffing: an automated attack that replays previously leaked username and password pairs in the hope that victims reuse the same login across multiple sites. Because the affected websites did not use multi-factor authentication, a leaked password alone was enough to get in.
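The credential stuffing described here and the RDP password guessing behind the targeted attacks in the ransomware post above leave different fingerprints in authentication logs, and telling them apart decides the response (block a source and reset one hammered account, versus reset every account that saw a success from the stuffing source). The Python below is an added example, not code from Webroot or from the original posts; the log line format and the sample events are constructed, and the thresholds are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict

# Assumed line layout for the example; map your own source (Windows event 4625/4624
# with logon type 10 for RDP, sshd, a web login audit trail) into the same fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) service=(?P<service>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (RFC 5737 documentation addresses, invented users).
SAMPLE_LOG = "\n".join(
    # one source hammering one account: brute force against an exposed RDP service
    [f"2020-08-20T10:00:{i:02d}Z src=203.0.113.5 user=administrator service=rdp result=FAIL"
     for i in range(8)]
    # one source trying many accounts once each: replay of a leaked credential dump
    + [f"2020-08-20T10:01:{i:02d}Z src=198.51.100.7 user={user} service=webmail result={result}"
       for i, (user, result) in enumerate([("alice", "FAIL"), ("bob", "FAIL"), ("carol", "FAIL"),
                                           ("dave", "FAIL"), ("erin", "FAIL"), ("frank", "OK"),
                                           ("grace", "FAIL")])]
    # an ordinary typo followed by a successful login
    + ["2020-08-20T10:02:00Z src=192.0.2.10 user=alice service=webmail result=FAIL",
       "2020-08-20T10:02:20Z src=192.0.2.10 user=alice service=webmail result=OK"]
)


def parse(log_text: str):
    """Yield one dict per well-formed line; lines in another format are skipped."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def analyze(log_text: str, brute_failures: int = 5, stuffing_users: int = 5,
            stuffing_fail_ratio: float = 0.5) -> dict:
    """Classify each source address as brute-force, credential-stuffing or normal.

    brute force         = many failures concentrated on one or two accounts
    credential stuffing = many distinct accounts, mostly failing, each tried once or twice
    A success from a flagged source is the account to reset first.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(),
                                   "successes": set(), "services": set()})
    for event in parse(log_text):
        stats = per_src[event["src"]]
        stats["attempts"] += 1
        stats["users"].add(event["user"])
        stats["services"].add(event["service"])
        if event["result"] == "FAIL":
            stats["failures"] += 1
        else:
            stats["successes"].add(event["user"])

    report = {}
    for src, stats in per_src.items():
        fail_ratio = stats["failures"] / stats["attempts"]
        if stats["failures"] >= brute_failures and len(stats["users"]) <= 2:
            verdict = "brute-force"
        elif len(stats["users"]) >= stuffing_users and fail_ratio >= stuffing_fail_ratio:
            verdict = "credential-stuffing"
        else:
            verdict = "normal"
        report[src] = {
            "verdict": verdict,
            "attempts": stats["attempts"],
            "failures": stats["failures"],
            "distinct_users": len(stats["users"]),
            "services": sorted(stats["services"]),
            "compromised": sorted(stats["successes"]) if verdict != "normal" else [],
        }
    return report


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(src, info["verdict"], info["compromised"])
```

Real stuffing campaigns rotate through proxy pools, so one source address rarely shows the whole pattern; the same aggregation keyed on a subnet, a user-agent string or a short time window catches the distributed version, and MFA (the control the page notes was missing) turns a successful password replay into a failed login rather than an account takeover.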

WFH for the Long Haul? These Tips Will Help You Create a Cyber Resilient Home Network

Cyber resilience is being put to the test during the coronavirus pandemic. As more and more users work from home, it’s becoming increasingly difficult for IT teams to ensure uniform cyber security on home devices and networks that they don’t own or control. At the same time, cybercriminals are using the pandemic to launch more deceptive attacks. In this post, we’ll break down a few steps you can take to add resilience to your home network, so you don’t have to sacrifice security for convenience during the global pandemic. We cover all of these tips and more in our Work From Home Playbook.

The secure tunnel

We lose a measure of security the minute we step outside the protective shell of our corporate network. The average home network is significantly less secure than corporate networks. This leaves remote workers more vulnerable to attacks anytime they’re not connected to the corporate network.

Luckily, you can improve your at-home security by using a virtual private network (VPN). A VPN establishes an encrypted tunnel across the public internet between your device (on your home network, or at the local coffee shop) and your corporate environment, so you interact with corporate systems as if you were connected to them directly, and anything sent or received through the tunnel stays private from whoever else shares your local network or the path to your ISP.

Handshake hygiene

A clean handshake is healthier in the physical world. And it’s the same with the digital handshake between your home devices and your corporate network. Anytime someone from outside the network attempts to log on, there’s a risk the person isn’t who they say they are. Login credentials are stolen all the time. In many scenarios, all it takes is a username and password to gain access to the company network. Once inside, cyberthieves can unload malicious payloads or find additional user credentials to launch even more pernicious attacks. But by adding just one extra layer of security in the form of an additional checkpoint, it’s possible to thwart most attacks that rely on only a username and password.

That’s why multi-factor authentication (MFA) has become the go-to method for adding verification steps to confirm that the person logging on is who they claim to be. With MFA, the user proves their identity with something they know, such as a password or answers to challenge questions; something they have, such as a YubiKey or a one-time password generated by or sent to a mobile device; and, as a third factor, something they are, an inherent characteristic such as a fingerprint, retina scan or voice. In today’s highly regulated business environment, most businesses make MFA mandatory for employees logging in from outside the network.

First, second and third lines of defense

Cybercriminals have a full quiver of options when it comes to launching attacks. But the good news is that there are also multiple solutions for defending home systems against them. The best way to secure the home network is to use a multi-layered cyber resilience strategy, also known as defense in depth.

This approach uses multiple layers of security to protect home devices and the networks they’re connected to. Here’s what that looks like:

  • Backup – Backup with point-in-time restore gives you multiple recovery points to choose from. It ensures you can roll back to a prior state before the ransomware began corrupting the system.
  • Advanced threat intelligence – Premium antivirus protection is still the first line of defense. And antivirus that is backed by advanced threat intelligence, identification and mitigation is essential for preventing known threats from penetrating your system.
  • Patch and update applications – Cybercriminals are experts at identifying and exploiting security vulnerabilities. Failing to install necessary security patches and update to the latest version of applications and operating systems can leave your devices exposed to an attack.

Learn more

Cyber resilience while working from home is every bit as critical as working on-site. For more tips on how to add resilience to your home environment, and how to prepare your space for working from home long-term, download the Work from Home Playbook.

Cyber News Rundown: Ransomware Strikes Colorado Town

Colorado Town Suffers Ransomware Attack

The town of Lafayette, Colorado, fell victim to a ransomware attack last week and found it could not recover without paying a ransom of $45,000 in cryptocurrency. The attack disabled many city services for several days before officials concluded that paying for decryption was the only way to restore their systems. The incident is another example of how maintaining backups, even somewhat dated ones, is cheaper and safer in the long run than paying.

Illinois Healthcare Data Breach

The Illinois healthcare system suffered a multi-month data breach stemming from several compromised email accounts earlier this year. The breach does not affect all IHS clients, but those who were affected had much of their sensitive information, including social security numbers and personal health documents, leaked. The breach began in early February, but victims were not informed until the end of July, when they were offered credit and identity monitoring services to protect against illicit use of their data.

Cyberattack Strikes InfoSec Training Organization

One of the largest cybersecurity training organizations was recently targeted by a phishing attack against an internal email account. The compromised account was then used to install an illicit Office365 add-on to maintain control of the account and to forward over 500 emails to a third-party account, many of which contained sensitive information on customers. Affected customers have been contacted and warned to be vigilant against future phishing attacks.

Pace Center Data Compromised Following Blackbaud Breach

Some donor data for the Florida-based non-profit Pace Center for Girls was leaked after a data breach targeted its software provider, Blackbaud, in May. The breach affected over 200 organizations relying on Blackbaud for cloud-computing services and contained personally identifiable information on thousands of donors. Fortunately, no payment card data was included in the breach, and the Pace organization has begun improving its security protocols to avoid further attacks.

Payment Card Data Stolen from MSU Website

At least 2,600 individuals were possibly affected by a payment card leak after the Michigan State University online shop was infiltrated through a known website vulnerability. The attack used a card-skimming technique and remained active on the site for nearly a year, leaving many customers’ data vulnerable to other possible attacks. This would be the second cybersecurity-related incident to target MSU in the last year. In May, the university was hit with a ransomware attack that resulted in the publishing of stolen data.

Cybersecurity and Back to (Virtual) School 2020: What You Need to Know

Even though the 2020 Back to School season may look very different from those in years past, there are a few things that will remain the same. First, since Back to School is often when parents and caregivers stock up on new clothes, tech, and school supplies for students, it’s also when lots of stores (especially online retailers) run huge sales.

Second, there will be the customary spike in cyberattacks. In fact, the attacks on the Education sector are already up. The latest data from Microsoft shows that the Education sector has recently suffered more encounters with malware (over 5,000,000 in the last 30 days) than any other industry!

Since a lot of children and teens will be attending school virtually, either part-time or full-time, they’ll be spending even more time on the internet than they currently do. The more time they spend online, the higher the risk they face.

Here are the top threats to watch out for, as well as tips for how to help keep young learners safe during Back to (Virtual) School.

Phishing

According to Tyler Moffitt, security analyst at Webroot, “phishing isn’t going to go away any time soon. As tactics go, it’s an oldie, but goodie. Times of year when people do more shopping, like Back to School or Christmas, are a big draw for cybercriminals. We always see a spike in phishing during those times. And with more people shopping and streaming online during COVID-19, I’m betting we’ll see even more activity this year than we would normally expect.”

To underscore Tyler’s point, the latest intelligence from the Webroot BrightCloud® Real-Time Anti-Phishing service shows that phishing URLs targeting global streaming services have increased significantly. In March 2020 alone, we saw the following increases in phishing URLs, broken out by service:

  • Netflix – 525% increase
  • YouTube – 3,064% increase
  • Twitch – 337% increase
  • HBO – 525% increase

Not only should you and your young learner keep an eye out for email scams, but also bear in mind that phishing can happen through a variety of channels. Because many students will end up communicating mostly via online chat, text message (SMS), or social media, it’s important for us all to be extra vigilant about what we click, what we download, and what information we transmit.

Zoom-bombing

The rise in the use of Zoom and other videoconferencing platforms has also paved the way for malicious actors to cause trouble. While it’s named after Zoom, zoom-bombing as a term refers to the act of intruding on a video conference on any platform and creating a disruption, such as spreading hate speech, displaying pornography, and more.

Additionally, Webroot threat researchers have seen videoconference executable files (i.e. the file you run to launch the program) either faked or manipulated so that unwitting victims end up downloading malware.

Fake Websites and Spoofing

Webroot researchers have seen huge jumps in the number of fake websites out there, particularly those with “COVID” and related terms in their domain names. Tyler also warns us to be on our guard for website spoofing, which is when malicious actors create a fake version of a website that looks like the real thing.

“A lot of people will have to access specific websites and online systems for school and related activities,” he says. “Criminals will effectively set traps, so that a mistyped URL or a fake search result could land you on a fake page that looks completely real, only to steal your info or install malware on your system.”

How to Keep Yourself and Your Family Safe

Here are Tyler’s top tips for staying safe online through Back to School and beyond.

  1. Use internet security software.
    If you haven’t already, install internet security with antivirus on all your devices, especially those that will be used for schoolwork. Don’t forget about using a VPN to protect kids’ internet activity from prying eyes.
  2. Update videoconferencing software.
    Make sure children and teens are always using the most up-to-date versions of Zoom (or any other videoconferencing software) to ensure they have the latest patches to prevent malware distribution and disruptions.
  3. Watch out for phishing in all its forms.
    Talk to kids about phishing. Make sure you all know to look before you click. And remember, phishing scams can look just like a text message from a best friend, classmate, or teacher, so always be wary of messages that ask you to click a link or download a file. Use a secondary means of communication, like a phone call, to verify that these are legitimate.
  4. Use your bookmarks.
    Bookmark all required distance learning pages. Criminals may try to spoof these for phishing, especially if there is a popular portal that many schools use. Using a bookmark, instead of Googling and clicking a search result, will help ensure that your kids are on the right page.
  5. Just say ‘no’ to macros.
    If you or your kids download a document and it asks you to enable macros or enable content, DO NOT DO IT. This is very likely to be a malicious file that will infect your computer.
  6. Use a secure backup.
    When we’re all so reliant on our computers and other internet-connected devices to work and study, it’s extra important to make sure they’re backed up. Nobody wants to lose a term paper or other important documents to a malware infection, hardware failure, damage, loss, or theft. Save yourself the hassle and heartache by investing in backup software.
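Tip 5 relies on the user declining the “Enable Content” prompt. On a managed Windows PC the same outcome can be enforced centrally; the PowerShell below is an added example, not Webroot’s code, and writes the documented Office Group Policy registry values `blockcontentexecutionfrominternet` and `VBAWarnings` for Word, Excel and PowerPoint (assuming Office 2016/2019/Microsoft 365, which use the `16.0` hive path), then reports the resulting state.

```powershell
# Added example (not from the original post): enforce "Block macros from running in
# Office files from the Internet" and "Disable all macros except digitally signed"
# for the current user, then verify. Assumes Office 2016/2019/M365 (version 16.0).
# Policy-hive values override whatever the user selects in the Trust Center.

$OfficeVersion = '16.0'
$Apps = @('Word', 'Excel', 'PowerPoint')

function Set-MacroPolicy {
    param([string]$App)
    $Path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # 1 = macros in files carrying the Mark-of-the-Web (downloaded/emailed) are blocked outright
    Set-ItemProperty -Path $Path -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    # VBAWarnings: 2 = disable with notification (the "Enable Content" bar the tip warns about),
    # 3 = disable all except digitally signed, 4 = disable all without notification
    Set-ItemProperty -Path $Path -Name 'VBAWarnings' -Value 3 -Type DWord
}

function Get-MacroPolicy {
    param([string]$App)
    $Path  = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $Props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App                 = $App
        BlockInternetMacros = ($Props.blockcontentexecutionfrominternet -eq 1)
        VBAWarnings         = $Props.VBAWarnings
        # Hardened only when both controls are in place
        Hardened            = ($Props.blockcontentexecutionfrominternet -eq 1) -and ($Props.VBAWarnings -ge 3)
    }
}

foreach ($App in $Apps) { Set-MacroPolicy -App $App }
$Apps | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize
```

With `VBAWarnings` at 3 the “Enable Content” button is never offered for unsigned macros, so a child cannot be talked into clicking it; the `Get-MacroPolicy` output is what to check after a new Office install or a profile reset.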

This Back to School season, it’s especially vital that we all do what we can to ensure children and teens have the skills, awareness, and security protocols to stay safe. By following these tips, you can help make sure they stay safe today, tomorrow, and beyond.

Company Culture and Cyber Resilience by the Numbers

There’s no doubt we’ve all had to change our work habits as a result of the global coronavirus pandemic. Companies have had to adapt rapidly to smooth the transition to work from home. But companies will have to do more than adapt if they’re going to make cyber resilience a long-term priority going forward. As the edge of the network expands to include thousands of home networks and devices, it’s going to fall on leadership to establish a culture of cyber resilience, so employees internalize cyber security best practices instinctively.

What is a cyber resilient culture?

We asked Principal Product Manager Philipp Karcher what a cyber resilient culture is and what it takes to establish one at an organization. He said a culture of cyber resilience recognizes that everyone – not just IT – has a role in cyber security. Karcher defines cyber resilience as the application of the same principles of IT resiliency so that employees:

Business benefits of security training

When businesses internalize this culture, they’re better prepared, better able to respond and better positioned to experience growth, Karcher says. Asking employees to devote time and effort toward security awareness is an investment in the future of the business.

On the other hand, businesses that don’t actively work toward a culture of cyber resilience are more vulnerable to cyberattack. Their employees are more likely to practice poor password hygiene, click on something they shouldn’t and make other mistakes, like misconfiguring access rights or accidentally sending someone the wrong file.

Cyber Resilience training delivers results

While IT resilience focuses on hardening data and applications, your overall cyber resilience as an organization depends equally on making users resilient. This should include a program of training and communication on security issues employees need to be aware of and education on how to properly respond to incidents.

We believe that when you look at the results of Webroot’s training program, it’s no wonder why it was recognized as a Strong Performer in The Forrester Wave™: Security Awareness and Training Solutions, Q1 2020. According to data from the Webroot Threat Research team:

Webroot also partnered with leading cybersecurity education content provider, NINJIO, to deliver engaging three-to-four-minute Hollywood-style micro-learning videos that feature updated COVID-19 content and encourage cyber resilient behavior, like identifying phishing emails and malicious URLs. 

In addition to regular employee training, Karcher says businesses should publish regular communications on security topics in the form of emails, internal social media, posters and videos. Examples include coverage of real-world threats they need to defend against in their work and personal lives, and industry news about other businesses that were adversely affected by attacks.

Cyber resilience can only become a part of culture through sustained, long-term engagement – not just annual check-box training.


Cyber News Rundown: Twitter Hack Arrests

Multiple Individuals Charged for Twitter Hack

Three people were charged in connection with last month’s Twitter hack, which generated over $100,000 in bitcoin by hijacking high-profile accounts. Of the 130 accounts used to spread the bitcoin scam, major names included Elon Musk and Bill Gates, who have been impersonated in similar past scams. The FBI was apparently able to identify the perpetrators through a known hacking forum offering Twitter account hacking services for a fee.

Kentucky Unemployment Faces Second Breach in 2020

Kentucky’s unemployment system suffered its second data breach of the year last week. The breach came to light after a user reported being able to view another’s sensitive information while attempting to review their own. Officials are still uncertain how the breach occurred or the exact contents of the information available to the person who reported the incident.

Canon Suffers Ransomware Attack

Several services related to Canon, including its cloud storage systems, fell victim to a ransomware attack that knocked them offline for nearly a week. In addition to the offline systems, more than 10TB of customer data were allegedly stolen and a ransom note pertaining to the Maze Ransomware variant was identified. A large number of Canon’s website domains were also taken offline, with an internal server error being displayed to site visitors.

Havenly Interior Design Breach

A data trove containing roughly 1.4 million Havenly user accounts was posted for sale on a Dark Web marketplace last week. It included personally identifiable information of customers, including names, physical addresses and emails. The company’s official statement said no financial information was lost in the breach. While Havenly has recommended all customers update their login credentials, the breach occurred well over a month ago, enough time for affected customers to be subjected to identity theft or attacks aimed at compromising further accounts.

Massive VPN Server Password Leak

The credentials for over 900 enterprise-level VPN servers from Pulse Secure recently appeared on a hacker forum known to be frequented by ransomware groups. The plain-text dump contains enough information to take full control of the servers, which are currently running firmware with known critical vulnerabilities identified within the past two months. The vulnerability that allowed this breach, CVE-2019-11510, was identified and a patch was released late last year. Many of the attack’s victims had neglected to implement the patch.

Hack, Crash, Storm, Spill: Pick Your Poison

Don’t expect cybercriminals to go easy during a hurricane. Quite the opposite, in fact. Just like they’ve used the coronavirus pandemic to launch COVID-related malware scams, hackers will capitalize on the names and news coverage of hurricanes to disguise attacks. That’s why now is a good time to review your cyber security posture and your overall cyber resilience strategy. We talked with Carbonite VP of Product Management Jamie Zajac about how to anticipate the types of adverse events that catch a lot of people and businesses off guard. With the right protection in place, you can maintain access to data during a hurricane – and all year round. You can start by knowing what to expect.

Get woke to data loss

When most people think of data loss, they think major disasters, like headline-generating storms and floods. Of course, it’s important to anticipate highly impactful outages. But these are far more rare than other causes of data loss. “It’s everyday scenarios that are really common. Like leaving a laptop on an airplane, dropping a phone in the river, or accidentally deleting a folder and having the recycle bin policies expire,” Zajac says.

Another cause of data loss is hardware failure. “Hardware has become more reliable,” Zajac says, “but you never know when a hard drive will fail, a computer will be dropped or a motherboard will crash.”

Since hardware has a finite lifespan, failure is inevitable. When you’re considering how to protect devices that store important data, Zajac recommends looking for a few key features:

  • Continuous backup (so you’re capturing changes as you make them)
  • Online file recovery (so you don’t have to wait to buy a new computer)
  • Cloud failover for critical servers or disaster recovery as a service (DRaaS)

An ounce of prevention

Whether it’s a lack of awareness, the complexity of systems or the perceived difficulty of deploying protection, too many people and businesses fail to protect themselves ahead of time. “We often don’t think to make cyber security and data protection a priority until it’s too late,” Zajac says. “For consumers and business alike, we see a ton of inquiries about how to get data off a hard drive that wasn’t backed up. That is way more time-consuming, expensive, error-prone and ineffective than having a full cyber resilience and protection plan in place.”

“It’s never worth the risk of being hacked,” Zajac says. “I’ve seen businesses struggle and even close when they lose data, or their brands suffer because hackers have stolen their data. As compliance requirements and privacy requirements evolve, more and more small businesses face these risks.”

Hurricane checklist

Hurricane season is prime time for system outages. But it’s also a useful reminder to prepare for the unexpected. Here are three key steps you can take to form a strategy for dealing with annually occurring threats, according to Zajac.

  1. Anticipate your office being unavailable – Like the physical disruptions we’ve experienced with the COVID-19 pandemic, anticipate IT infrastructure becoming unavailable. Can you run systems in the cloud? Can you access a cloud backup quickly? DRaaS is a great solution for businesses susceptible to hurricanes.
  2. Back up everything, not just some things – Many people realize too late that they only chose to back up critical systems, and that one of those “second-tier” systems is also necessary to run the business. It’s better to have everything backed up than to be missing something. You can often save costs by tiering your backups or having different recovery objectives for different systems. But don’t skip backing up some systems.
  3. Test your backups – Know whether you can recover systems within the time required.

When it comes to hurricanes and weather-related risks, specific security-related concerns should also be considered. “It’s important to train people on the protocols for when they need to work remotely,” Zajac says. “Generally speaking, you should be training users on security best practices, whether they are remote or in the office. But people are more distracted and thus susceptible to phishing and social engineering when they are remote.”

If people need to work from cloud workstations, personal devices or laptops, make sure they have a security suite, such as cloud-based anti-virus and anti-phishing protection. Make sure you have security software that doesn’t require people to be in the office. For example, if you are relying on your firewall to block malicious websites, it won’t help employees who are off the network. Use DNS protection with roaming device security for these scenarios.

An all-of-the-above approach

Murphy’s Law dictates that you’ll probably experience the data breach you’re not prepared for. Any form of data loss can have bad effects. So, if you’re too narrowly focused on just one threat, consider all the potential adverse events you could experience.

“Hackers are a constant threat and can have really big impacts in terms of data loss, productivity loss, compliance requirements, regulatory fines, brand damage and more,” Zajac says. “A coffee spill is a constant threat,” she warns, “but the damage is typically isolated. You still don’t want to rely on someone re-creating all of your work if a coffee spill or other localized damage even occurs, especially if it is the CEO’s laptop.” Zajac continues, “A hurricane is a rare and often well-predicted event, but the impact can be catastrophic. You can’t wait for a hurricane to build a plan.”

The good news is that a competent IT consultant can help you build a strategy, and a good vendor can protect you against many of these adverse events in one fell swoop.

Setting expectations

There’s no backup without recovery. But how do you know if your recovery process is sufficient? It should align with the objectives you establish before disaster strikes.

“On an endpoint, you can typically get very fast file backup and recovery so that you only lose minutes of data and all files are available online in a web interface for fast access,” Zajac says. “For servers, you need to tier systems into mission-critical applications and use a very low RPO solution, such as DRaaS. Non-mission critical infrastructure can withstand a few hours or days to get running again.” Zajac suggests doing an impact analysis. If a given system is offline, how much will it cost your business?

Cloud considerations

It’s not just devices that are worth protecting. Today, both personal and business users leverage the public cloud, like Microsoft 365 and Azure, for much of their storage and computing needs. A lot of people make the mistake of thinking cloud data is protected by the vendor. But this is not the case.

“Microsoft cannot tell the difference between accidental data loss and legitimate file deletions because the content is no longer relevant. It’s up to users and company admins to make this determination,” Zajac says. “Microsoft 365 credential attacks are on the rise. It’s only a matter of time before someone creates or spreads ransomware to Microsoft 365 native data. That won’t be a good day for anyone who doesn’t have a backup in place.”

Next steps

Never let a good catastrophe, or the threat of one, go to waste. Use this hurricane season to make sure you have a robust cyber security and resilience plan. And not just for hurricanes, but for all the ways you can lose access to data.

Cyber News Rundown: WastedLocker Ransomware

Garmin Hit with WastedLocker Ransomware

Nearly a week after the company announced they had suffered a system outage, Garmin has finally admitted to falling victim to a ransomware attack, likely from the increasingly popular WastedLocker variant. As is the norm for WastedLocker, the attack was very specific in its targeting of the company (even mentioning Garmin by name in the ransom note) and took many of their services offline. Though Garmin has confirmed that no customer data was affected, they are still unsure when their services will return to full functionality.

Israeli Marketing Firm Suffers Data Breach

More than 14 million user accounts held by the Israeli marketing firm Promo were compromised in a recent breach. Subsequently, at least 1.4 million decrypted user passwords were found for sale on a Dark Web forum, along with 22 million records containing highly sensitive information. The company has since contacted affected customers and is pushing a forced password reset.

Netwalker Ransomware Targets U.S. Government Organizations

The FBI has released a security statement concerning Netwalker ransomware attacks, which have targeted both U.S. and foreign government agencies in recent months. Netwalker is known for exploiting remote desktop utilities to compromise major enterprise networks. It also offers ransomware-as-a-service to other cybercriminals. The best methods for blocking these types of attacks are setting up two-factor authentication (2FA) and creating offline data backups to protect in case of a successful breach.

Lazarus Hacking Group Branches Out to Ransomware

The North Korean state-sponsored hacking group Lazarus has added ransomware to their latest attacks. Unfortunately for the group, the ransomware variant they’ve chosen is inefficient at encrypting data, sometimes taking up to 10 hours to fully encrypt a single system. These attacks are similar to those targeting Sony Pictures in 2014 and those that affected the 2018 Winter Olympic games, both of which are suspected to have been conducted by state-backed actors.

Nefilim Ransomware Begins Publishing Dussmann Group’s Data

At least 14GB of data belonging to a subsidiary of Dussmann Group, a major German MSP, is being leaked by the operators of the Nefilim ransomware variant. The operators have confirmed they were able to obtain roughly 200GB of data from the subsidiary after discovering a still-unknown method for compromising the network. Customers affected by the leak have already been notified.