Advance warning should have stopped this ransomware attack, and more on two-factor authentication
Welcome to Cyber Security Today. It’s Monday June 15th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Last Friday I talked about ways in which cyberattacks, including ransomware, can be stopped. Today I want to talk about a ransomware attack that wasn’t stopped even though the victim organization was warned. The story of the incident comes from security reporter Brian Krebs, who was tipped off by a cybersecurity firm late last month that hackers had gotten into the IT system of the city of Florence, Alabama. In fact, the researcher had figured out that the computer the hacker used to get into the system belonged to the IT manager. Krebs called the city and left a warning message that got to the right person, a system administrator, who called him back. The infected computer was taken offline and the owner’s account was changed. “We got everything taken care of now,” the reporter was told. Well, it wasn’t, because on June 5th the hidden ransomware was triggered and shut down the city’s email system. The city says it will pay just under $300,000 in ransom to get its system back to normal. What went wrong? The city had lots of warning.
It appears that the city didn’t go far enough to protect its systems. The IT manager said after being warned he was trying to get city council approval to hire a cybersecurity firm to help rebuild the computer network, but decisions weren’t made fast enough.
There’s a big lesson here to all organizations: The purpose of most ransomware attacks is to infect as many computers and servers as possible before scrambling data. So if ransomware is confirmed on one computer then all the software on every system has to be deleted and re-installed — what professionals call rebuilding the network. Is your organization ready to do that quickly?
That Friday podcast also talked about the importance of two-factor or multi-factor authentication as an extra step to make it harder for an attacker to break into an organization with a stolen or guessed username and password. A column from IBM’s Security Intelligence blog published after I recorded my podcast makes the same point. It also argues that multi-factor authentication has to be added to all applications that need logins, not just email or the corporate virtual private network.
Finally, here’s another example of how multi-factor authentication can be invaluable in protecting an organization. To see how hackers work, a security company called Cybereason set up an internet-connected computer infrastructure that pretended to be an electricity generator’s network. This kind of test is called a honeypot, and it’s designed to attract attackers so that lessons can be learned. Like many organizations, this fake company had a way for staff to remotely log into the network with a password. Within three days of connecting to the internet, hackers had discovered the fake electricity company and, using an automated tool, guessed the administrator’s access password and logged in. Cybereason told me the password was of medium complexity. Two-factor authentication would have made it much harder for the attacker, the company acknowledged. Of course, the idea of this particular honeypot was not to make it too hard for a hacker, so researchers could see what they would do. After breaking in, the hacker tried to access the domain controllers. This is crucial. In a Windows environment a domain controller is a server that approves users’ authentication to computer resources. If a hacker can take over the domain controller, they can access anything. Finally, in this test the hacker deployed ransomware on any computer they could. Among the lessons is that IT security teams have to be more vigilant in watching for cyber attacks.
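Watching for the kind of automated password guessing that hit the honeypot can start with the login log. This is an added example, not code from the podcast or from Cybereason; it assumes a constructed, hypothetical log format of "timestamp user result source" and flags a source that fails repeatedly against one account inside a short window, then flags a later success from that same source.

```python
"""Flag password-guessing against a remote-login service from auth logs.

Added illustration, not code from the podcast or from Cybereason. The input
is a constructed sample in a hypothetical "timestamp user result source"
format, not any real product's log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammers the admin account, then gets in.
SAMPLE_LOG = """\
2020-06-08T02:10:01 admin FAIL 203.0.113.7
2020-06-08T02:10:03 admin FAIL 203.0.113.7
2020-06-08T02:10:04 admin FAIL 203.0.113.7
2020-06-08T02:10:06 admin FAIL 203.0.113.7
2020-06-08T02:10:07 admin FAIL 203.0.113.7
2020-06-08T02:10:09 admin SUCCESS 203.0.113.7
2020-06-08T08:15:00 alice FAIL 198.51.100.4
2020-06-08T08:15:20 alice SUCCESS 198.51.100.4
"""

def parse(line):
    """Split one hypothetical log line into (datetime, user, result, source)."""
    ts, user, result, src = line.split()
    return datetime.fromisoformat(ts), user, result, src

def detect_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, source, user, time).

    'guessing' fires once when a source produces >= threshold failures for a
    user within the window; 'success-after-guessing' fires when that same
    source later logs in, which is the moment a defender most needs to act."""
    failures = defaultdict(deque)   # (src, user) -> recent failure timestamps
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ts, user, result, src = parse(line)
        key = (src, user)
        recent = failures[key]
        if result == "FAIL":
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop old failures
                recent.popleft()
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("guessing", src, user, ts.isoformat()))
        elif result == "SUCCESS" and key in flagged:
            alerts.append(("success-after-guessing", src, user, ts.isoformat()))
    return alerts

if __name__ == "__main__":
    for alert in detect_guessing(SAMPLE_LOG):
        print(*alert)
```

The threshold and window are deliberately small so the sample trips them; in production they would be tuned against the normal failure rate of the service being watched.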
That’s it for Cyber Security Today. Links to details about these stories can be found in the text version of each podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.