Let’s Go Phishing

Kian J recounts a recent simulated phishing engagement delivered to a major financial organisation

We recently completed a project for a major financial organisation which saw us deliver a red team engagement covering three scenarios. The first involved a simulated phishing attack and we thought it worth sharing the procedures used by our consultants to gain complete, persistent, unauthorised access to the company’s internal network.

Before we embarked upon the exercise, we needed to assess the requirements of the phishing campaign and pick a campaign profile that was a best fit for the use case. Examples of possible attacks included:

  • Email Phishing
  • URL/HTTPs Phishing
  • Spear Phishing
  • Whale Phishing
  • Vishing
  • Smishing
  • Angler Phishing
  • Pharming
  • Clone Phishing

Note: this is not a complete list of attacks, but only a handful that would be considered in a remote phishing engagement.

Due to the engagement requirements, we had decided that the best approach would be a multi-pronged campaign, consisting of vishing, email phishing and URL phishing.

Initially, we used email, however, it quickly became apparent that users had been trained in this area, resulting in burnt accounts which we were able to diagnose due to a high bounce back rate on our emails. Despite running the assault over a couple of days with various attack vectors, it all led to the same result – with our account or domain being blacklisted.

At this stage the natural conclusion would have been to assume that the staff had received adequate training in phishing engagements. However, we decided to give it one last shot using a vishing campaign conducted using URL phishing.

We continued with our OSINT efforts, specifically scraping phone numbers from various sites such as rocketreach.io and lusha.com to put together a new target list. Ideally, we wanted this new list to consist of higher value targets such as developers or technical leadership roles, so that once we landed in the environment we would hopefully have more privileges with which to escalate access. This resulted in a target list of 31 phone numbers.

The next step was to get the staff to either visit a malicious site or to give us their username, password, and MFA token over the phone. We figured the first option would have a better outcome (this is where the URL phishing comes into play). So, we went through the endpoints we had access to, decided that we would clone a Citrix site, and created the following page:

[Figure: Citrix Gateway Login Screen]

The page, after submitting credentials would then ask for a MFA token:

[Figure: Login Requesting an MFA Token Value]

Great, now we had a target list and a malicious site (hosted in AWS to bypass any proxy filtering) and so were primed and ready to begin the vishing attack. 

On our first call we managed to get hold of someone I will refer to as “Mark”. We then ran through a simple script with him, explaining that we were swapping over Citrix environments and needed to test that the database changeover had worked.

Mark was a great help throughout the assessment, but specifically on this call he gave us a vital piece of information: the Citrix authentication was being handled by Microsoft single sign-on (SSO), and our cloned page wasn’t sending him the SMS. We quickly got another consultant on the case to process the request (by submitting the credentials into the legitimate site), which forced the SMS process to kick off.

We then called Mark back and, as we were already friendly with him, went through the same process. Mark then submitted the newly generated MFA token, an example of the output of which can be seen here:

[Figure: Receiving the Credentials from our Target]

Mark was then forwarded straight to their legitimate landing page, and it appeared as though sign-in was successful; this was caused by their time-out periods being overly long.

Perfect! So now we had Mark’s username, password, and an MFA token, but if we wanted to access the Citrix environment consistently, we would need multiple tokens. As it worked out, we had an easy solution to bypass this: the Microsoft Authenticator application. We proceeded to log in to the app with Mark’s details:

[Figure: Microsoft Authenticator App]

This then reflected on the website, adding two new options to the user:

[Figure: The login then allowed use of the Authenticator]

The two new options, “Approve a request on my Microsoft Authentication app” and “Use a verification code from my mobile app”, were now the only indicators that the user had been compromised; however, this did not lead to the campaign being discovered.

Finally, after a week of attempts, we had established a means of gaining complete, persistent, unauthorised access to the company’s internal network. From this point, we were able to compromise another two accounts, totalling three, before we decided that it was no longer going to provide us with an advantage and disclosed to the client.

In conclusion, we think there are two key recommendations not just for the company concerned but for anyone else who thinks they’ve covered the bases when it comes to phishing attacks. Firstly, we would advise that staff are trained in different forms of phishing attacks, such as email attacks and vocal attacks. Staff can quickly let their guard down when different channels are used. Secondly, we would also advise that any unmanaged devices are blocked, or at least have heavy restrictions placed upon them.

If you’d like to talk to us about how we can help test your resilience to a phishing attack, do contact us at contact@prisminfosec.com or call us on 01242 652 100.

ICO data reveals sharp rise in attacks

Recent data from the Information Commissioner’s Office (ICO) Data Security Trends Analysis Q1 2021-22 (capturing incidents for the period 1 April – 30 June 2021) reveals there’s been a sharp rise in specific cyber attacks as attackers seek to capitalise on the disruption caused by the pandemic and working from home (WFH).

The biggest leap was in misconfigurations of software and hardware, up a staggering 543% from 7 incidents last year to 45. This reflects the rapid expansion within the cloud as businesses sought to roll out remote working to enable WFH. Misconfigurations routinely top the list of cloud security issues because cloud solutions are deployed without being configured beyond their defaults. Left in their default settings, these systems become much easier to compromise when exploits then surface.

There was also a marked increase in attacks against the user. Malware was up a third and phishing attacks were up 54% compared to the same time last year while ransomware more than doubled due to the growth of Ransomware-as-a-Service (RaaS). RaaS enables cyber criminals to use malware for extortion without the need to code it themselves and was responsible for two thirds of all campaigns during 2020. 

This year also saw the ICO include cryptographic flaws and denial of service attacks, which were omitted last year, indicating a growth in highly targeted organised attacks. The only attack type to buck the trend was unauthorised access, which fell 28% from 87 to 63, but this could equally be due to the difficulty of detecting such an attack outside the corporate network.

The results show that many users have fallen victim to attack while WFH, let down by insufficient support and a failure to implement secure remote access. Staff training should have helped prevent phishing attacks, for instance, with virtual training sessions offered to help with reinforcement. The increase in malware also suggests inadequate protection of endpoints, no doubt caused by many relying on connecting from home on personal devices. 

[Figure: Attack Trends 2020 – 2021]

The ICO also helpfully breaks down these figures into specific sectors, and virtually all of them have seen an increase in incidents. The retail and manufacturing industries continue to suffer the highest volume of attacks but saw a relatively modest increase of 48% compared to some of the others. 

Perhaps not surprisingly given the disruption to normal working practices, it was the General Business sector that saw the greatest rise at 282%, closely followed by the Utilities sector at 250% and the Health sector at 238%. The Legal sector and Transport and Leisure both saw a tail-off in demand for their services during the pandemic but an uptick following the easing of lockdown, resulting in attacks increasing by 117% and 106%, respectively.

A sector that was relatively unscathed by the pandemic and able to maintain BAU was Online Technology and Telecoms. It saw an increase of only 14%, revealing that it was better able to defend its operations. Similarly, the Finance sector saw only a 2% increase and Local Government 6% while those operating in Social Care actually saw an 11% decrease in attacks.

[Figure: Attacks by Sector 2020 – 2021]

The results of the Data Security Trends Analysis 2021-22 suggest that many organisations struggled to put in place adequate security measures and adapt quickly enough to meet the demands for WFH. This then made it difficult to enforce security policies, leaving staff exposed. 

The question that now remains is how effectively these sectors can play catch-up. Given that we will have a hybrid workforce for the foreseeable future, it’s vital that organisations now identify where their security gaps lie. Most sectors have some work to do to better protect their infrastructure, data and staff.

Our recommendations are to:

  • Focus on your users by improving identity and access management. Provide remote staff training so that they know how to connect securely. Use refresher training to remind staff of best practice for password management and how to avoid phishing and malware attacks.
  • Examine how you monitor remote devices and BYOD. Many security solutions are not designed to monitor endpoint devices and third-party connections so you may need to re-evaluate how you carry out remote network monitoring.
  • Address cloud security as a priority, particularly the configuration of cloud solutions, and ensure that you lock these down to the minimum requirements.
  • Put in place procedures to thwart brute force attempts such as 2FA, limit log-ins and failed log-in attempts and prevent root user access.
  • Adjust your Incident Response to ensure everyone knows what to do in the event of an attack. Check your Disaster Recovery plans to ensure you have back-ups and can perform effective remediation.

If you’d like some advice on how to make your business more resilient and your staff more secure, or if you’d like to assess how effective your current security measures are, we’re here to help. Email us at contact@prisminfosec.com or call 01242 652 100.

Threats and priorities for 2022

Phil Robinson, December 23rd 2021

Many businesses will still be grappling with the seismic shifts of the pandemic as they eye 2022. The rush to roll-out systems to support home working and to activate virtual versions of real-world business channels saw unprecedented digital transformation equivalent to years achieved in just a few months. But this rapid expansion came at a cost, leaving systems and networks overly exposed. 

We’re already seeing the manifestation of more attacks, with the World Economic Forum reporting a 50.1% increase in cyber attacks due to the pandemic with 30,000 related to COVID-19 as well as huge spikes in phishing and ransomware. This has caused many organisations to task their security teams with retroactively fixing any security gaps.

Our top three issues to address going into 2022 and beyond include:

1. Cloud misconfiguration

Research claims 90% of businesses are now susceptible to attack due to misconfiguration, so businesses need to identify and assess how well configured their cloud systems are: enforce access restrictions, tighten overly permissive storage policies, clamp down on compliance, apply least privilege, practise credential hygiene, and review virtual network functions. At the same time, they can’t afford to stand still and need to continue to expand their cloud presence to remain competitive, so they will need to focus on how they can continue to build out in the cloud but in a more resilient fashion.

2. Ransomware and phishing

Ransomware-as-a-service, or RaaS, is gaining ground, synonymous with groups such as DarkSide, Babuk and Cuba. These attacks typically involve the installation of malware, which comes about by employees installing new software or through the security team failing to lock down admin privileges.

Phishing can vary, from scatter-gun email phishing, to targeted spear phishing, or text-based attacks known as “smishing”. These attacks usually involve the attacker emailing or coercing an employee to execute a malicious file or visit a website to provide their credentials. This then allows the attacker to establish a command-and-control (C&C) server connection within the environment to establish a further foothold and attempt to escalate privileges. A recent example is the texts and emails offering an NHS pass/certificate for travel purposes with a request for payment (even though these are legitimately available for free via the NHS app).

Regularly educating users on how to spot phishing attacks and not to click on suspicious links or execute unknown attachments is imperative and you can make this relevant by running a test to see how many do fall foul of a staged attack. 

When it comes to the user device, businesses need to protect user workstations with anti-virus and EDR (Endpoint Detection and Response) solutions and to prevent the execution of unknown files or scripts as well as ensuring that all Operating Systems and applications are kept up to date. 

You can also stop a lot of this from getting through in the first place by blocking unnecessary file attachments at the email gateway or cloud solution (e.g. macro files, htm/html files, executable files/scripts) and marking inbound email as ‘EXTERNAL’. But you also need a failsafe so that you’re prepared for a worst-case scenario: ensure offline backups/snapshots are being made of critical data and regularly test that these can be restored.

3. Abuse of collaboration tools

We expect to see increased attempts to copy common notifications sent from business services such as Office 365 (e.g. sharing and encryption emails). Attackers could start utilising alternatives to email to attempt to deliver payloads and this could include messaging systems such as Teams. Additionally, there will be more attempts to exploit open file sharing mechanisms such as Onedrive and Sharepoint sites that allow guest access, which is more common than you might think.

If you’d like help with attack mitigation or remediation, cloud configuration or advice on how to make remote working more secure, email us at contact@prisminfosec.com or call 01242 652 100 for a one-to-one consultation.

Alexis V elected to CREST-EU Council

We’re proud to announce that Alexis V, Senior Security Consultant at Prism Infosec, has been elected to the newly formed CREST-EU Council. 

CREST, an international not-for-profit accreditation and certification body that represents and supports the technical information security market, announced its intention to form the Council and an EU Chapter at the end of October. Due to meet in the new year, the council will represent its international members in the European Union and will work to “ensure greater alignment with European initiatives”. 

CREST has been restructuring since 2006 by carrying out democratic elections to form country and regional councils. These councils will feed into a single International Council which will include representation from each region. These representations will enable its members to shape and influence CREST’s strategic initiatives as well as the global cyber security market at large.

Alexis was elected to one of just ten seats on the EU Council. With over ten years’ experience of working in the UK cyber security space, he has played a crucial role at Prism Infosec over the course of the past year by establishing our office in Belgium. He currently delivers a range of penetration testing services to clientele, assists with securing sales through scoping projects, and implements our training programme to help upskill members of the team. 

Commenting on his election, Alexis said: “I’m passionate about security and encouraging and supporting others to start their cyber security journey or develop their career. Growing the Belgian office by attracting new talent, getting involved in local initiatives and developing the team has been hugely rewarding and has allowed me to draw upon my previous experience delivering Advanced Web Application Testing training at Black Hat USA. Going forward, I hope to replicate and improve upon some of the work we’ve done in the UK cyber security sector within the EU.”

Under his remit on the EU Council, Alexis hopes to be able to bridge the gap between the suppliers and consumers of security services and would like to ensure suppliers receive a consistent quality of service from within the industry which he believes can be achieved through reproducible methodologies. 

Responding to the news, Phil Robinson, Founder and Principal Consultant at Prism Infosec, said: “Alexis has such enthusiasm, knowledge and drive that I’m not at all surprised by his election. He continues to be a real asset to the Prism Infosec team and has been instrumental in our expansion and the setting up of our office in Belgium. He’s also represented the company on numerous speaking engagements where he has sought to increase awareness about new techniques and attack vectors and to promote industry best practice so he will be in his element and able to offer a unique perspective when he takes his seat on the EU Council”.

Was the NSA’s Cyber Security director right to say attackers know networks best?

By Phil Robinson

There was an interesting spat on Twitter during September when Rob Joyce, Cyber Security Director of the National Security Agency, disputed the notion put forward by security researcher @RayRedacted that “Defenders think in lists, attackers think in graphs”. (Presumably suggesting that defenders are preoccupied with tick lists and compliance while attackers are looking at the data to see where performance discrepancies and chinks in the armour lie). Joyce’s retort was that…

“Attackers put in the time to know the network and the devices better than the defenders. That’s how they win.”

His statement suggests that far from being just opportunists, attackers study the network and carefully craft their attacks. Time is on their side, which allows them to explore and reverse engineer at their leisure. And the implication is that, if their knowledge of the network outpaces your own, they capture the castle. 

But is this really true? I’d argue that there are plenty of organisations that have a strong understanding of their IT estate and a decent awareness of their environment. They may even have implemented robust defences that have met or exceeded industry best practice across their technology stacks. They know every inch of their network and what’s running over it but this doesn’t guarantee they won’t be compromised. 

What’s really happening

Security breaches occur due to a number of reasons. These can range from a lack of coverage (OS and app patching), competence (configuration weaknesses), staff awareness (password insecurity), budget (holes in defence technology), or just plain bad luck (exploiting windows of opportunity) – so it’s not just a matter of good situational awareness.

The National Cyber Security Centre (NCSC) makes the distinction that the majority of attacks are still not targeted. Some adopt a more scatter-gun approach, such as phishing, water holing, ransomware and scanning, and these by far outnumber the more time-intensive targeted attacks, with 27% of businesses being attacked once a week and 83% of these suffering phishing attacks according to the Cyber Security Breaches Survey 2021 by the DDCMS.

There’s a good reason for this. Targeted attacks can take months of preparation and execution. The attacker will typically profile your business and probe the network for weaknesses to exploit using the oft quoted cyber kill chain approach. “Attacker time” tends to preoccupy the industry, which is why you’ll hear a lot about Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR), which are terms used to hawk security solutions. But the truth is you need people and process – not just technology – to keep one step ahead of the attacker. 

What can you do?

There is no single solution or tool that can be deployed to protect against the possibility of a security breach; however, if the organisation uses a variety of proactive approaches it can reduce the likelihood of being caught unawares. Here is my top 5 list of “common sense” practices that can be used to protect an organisation and reduce the possibility of compromise.

  1. Staff/User Awareness – regular security awareness training which covers the dangers of common attacks (phishing / spear phishing etc.) and educates on what to look for and how to report them quickly. Implement a “no blame” culture and encourage reports. What you don’t want are people covering their tracks for fear of reprisals from management.
  2. Device Security – ensure that devices (such as workstations and servers but also mobile devices and other networking hardware) are configured to be as secure as possible, with users having a low level of privilege and effective Anti-Virus (AV) and/or Endpoint Detection and Response (EDR) software deployed. Remove unnecessary software, follow best practice guides on hardening (e.g. NCSC and CIS) and limit execution of unknown executables and scripts (e.g. Microsoft Defender Application Control).
  3. Centralised Management – wherever possible use centralised security management solutions (such as Mobile Device Management, centralised AV/EDR consoles and centralised patch management tools) to view and manage the estate. Do not leave the security of AV reports, patching, et al. to the individual user/workstation level. This may seem like an expensive route, but solutions exist within cloud subscription fees (e.g. Microsoft 365 and Google Workspace).
  4. Logging and Event Reporting – in the absence of a SOC or SIEM solution, wherever logs and events can be enabled across the technology stack, make sure these are set up and tuned. Ensure coverage at firewall, network device (switch/router), workstations, servers, applications and cloud services. Ensure that logging is not overwhelming, to prevent alert fatigue, and that key events are prioritised (e.g. multiple password failures, AV/EDR alerts, unexpected privilege escalation).
  5. Robust Authentication – many breaches (particularly for Internet-based services) occur due to weak passwords combined with a lack of additional controls such as multi-factor authentication (MFA) or password lockouts. Review all login interfaces (prioritising Internet-facing) and ensure that as many as possible support these security controls.

Taking such actions will bolster defences and take the weight off the IT/security team, allowing them to monitor and respond appropriately. And they’ll be able to mitigate attacks so that as and when they do occur you can limit incursions. This all makes logical sense but security is still being sidelined in many businesses, particularly in the wake of the pandemic.

The DDCMS 2021 survey reveals that a third of businesses took no remedial action following their most disruptive breach and it’s this inertia that then paves the way for repeat or lateral attacks. The report concludes that organisations need to “recognise that good cyber security facilitates better business resilience” and suggests many businesses have focused too much on business continuity at the expense of security due to the pandemic.

Develop your awareness

Ideally, you want to begin to look critically at your network from the perspective of the attacker, and that’s where penetration testing or simulated testing comes in. There are also now frameworks that track the pattern of attacker activity. The MITRE ATT&CK (an acronym that stands for Adversarial Tactics, Techniques and Common Knowledge) framework identifies the tactics, techniques and procedures (TTP) attackers use and contains over 245 techniques. PRE-ATT&CK looks at attacker activity that happens prior to exploitation of a target network or system, providing some idea of how attackers scope attacks. The framework is continually updated so that new approaches spotted in the wild are added.

Such frameworks can be used to help with penetration testing. A test both identifies security vulnerabilities and weaknesses and checks whether your controls are implemented and operating correctly; tests are scoped to meet the needs of the business, so they range in depth.

If you’d like to gain more visibility into your network to counter the ‘knowledge threat’ and to find out more about what’s involved in pen testing your systems, email us at contact@prisminfosec.com or call +44 (0) 1242 652 100 for a quick consultation.

No Shell? No Problem!

Enumerating internal networks via ssh-tunnels, Alexis V, November 2021

On a recent engagement, we were tasked to assess the security of a Secure File Transfer Protocol (SFTP) server. We were provided with a regular account to facilitate the file uploads, and so proceeded to work our way through the common checks. We tried to:

  • Log in directly via SSH with the account – this failed as the user most likely had the shell set to /usr/bin/false or similar.
  • Attempt command execution by appending a command right after SSH login, e.g. ssh user@host /bin/bash. This also failed as the sftp user was set up correctly.
  • Log in via SFTP, which we did, and check to see if we were in a chroot jail – as this turned out to be the case we could not access any other directories, files, etc.
  • Attempt SSH tunnelling with the valid account. This worked, as we were able to bind to an internal service via a command like: ssh -CnfN -L 31337:127.0.0.1:22 user@host

Great, so far so good as we can now access the internal network and start searching for any services that we can exploit to gain a foothold. The problem is that this presents us with 65,535 ports to go through, and that’s just on the SSH host. It doesn’t include all the possible internal hosts. Going through all of these would be an extremely time consuming process if we did so manually.

Despite searching, I was unable to find any tools/scripts that would help me solve this problem, so we decided to write our own.

[Figure: Flow Diagram of the Enumeration Technique]

The concept was fairly simple and could be broken down into the following steps:

  • Create an SSH tunnel to an internal IP and port
  • Use netcat to prod the tunnel on the localhost 
  • Look for a ‘connect failed’ string from SSH, indicating a closed port
  • Or catch a timeout exception, indicating a valid port
  • Kill the tunnel and move on to the next internal IP and port

After a few hours, we had a working proof of concept that (albeit slow, with a small false positive rate) got the job done. Here’s a sample output of the tool running:

[Figure: TunnelSweep Output]

With this information, we can then bind to the known services, access them locally, and start exploiting them to help laterally move through the network.

We’ve uploaded the code to our GitHub. Note that the script was created during an assessment, so it is in no way optimised; it also sometimes reports false positives (although this can be reduced by setting a correct timeout variable in the script). We always appreciate pull requests!
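From the defending side, the sweep described above is only possible because the SFTP-only account was still allowed to open forwarded TCP channels, and every refused forward is logged by sshd. The following added example (written for this post, not Prism Infosec's TunnelSweep code) checks an sshd_config for that gap and flags sessions in sshd logs that rack up many failed forward targets; the log lines are constructed, the sshd_config evaluation is deliberately simplified (first matching "Match User" block, then the global value, OpenSSH's default of yes), and the "connect_to ... failed." message format is assumed from OpenSSH's sshd.

```python
"""
Defensive checks for SSH port sweeps over local forwarding (-L).
Added example; assumptions are marked in comments.
"""
import re
from collections import defaultdict

# Assumed sshd log formats: the session login line and the message sshd
# writes when a forwarded connection to host:port is refused.
ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)
FORWARD_FAIL_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: error: connect_to (?P<host>\S+) port (?P<port>\d+): failed\."
)


def detect_forward_sweeps(lines, threshold=20):
    """Group failed forwards by sshd PID (one PID per session) and return
    {pid: {user, src, targets, hosts}} for sessions with at least
    `threshold` distinct (host, port) targets that refused the connection.
    A single refused forward is normal; dozens from one session is a sweep."""
    sessions = {}               # pid -> (user, source address)
    targets = defaultdict(set)  # pid -> {(host, port), ...}
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            sessions[m["pid"]] = (m["user"], m["src"])
            continue
        m = FORWARD_FAIL_RE.search(line)
        if m:
            targets[m["pid"]].add((m["host"], int(m["port"])))
    findings = {}
    for pid, tgts in targets.items():
        if len(tgts) >= threshold:
            user, src = sessions.get(pid, ("unknown", "unknown"))
            findings[pid] = {"user": user, "src": src, "targets": len(tgts),
                             "hosts": sorted({h for h, _ in tgts})}
    return findings


def tcp_forwarding_allowed(config_text, user):
    """Simplified sshd_config evaluation for AllowTcpForwarding: the first
    'Match User ...' block naming `user` wins, else the first global value,
    else OpenSSH's default of yes. Other Match criteria are treated as
    not matching (simplifying assumption)."""
    global_value = None
    match_value = None
    scope = None  # None = global section; list = users of current Match block
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            parts = value.split()
            scope = parts[1].split(",") if len(parts) >= 2 and parts[0].lower() == "user" else []
            continue
        if key == "allowtcpforwarding":
            if scope is None and global_value is None:
                global_value = value.lower()
            elif scope is not None and user in scope and match_value is None:
                match_value = value.lower()
    return (match_value or global_value or "yes") != "no"


# Constructed sshd_config fragments: the weak one chroots the SFTP user but
# leaves forwarding enabled (the situation in the post); the hardened one
# closes it inside the Match block.
WEAK_CONFIG = """
Subsystem sftp internal-sftp
Match User sftpuser
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
"""
HARDENED_CONFIG = WEAK_CONFIG + "    AllowTcpForwarding no\n    X11Forwarding no\n"

# Constructed log sample: one benign session with a single refused forward,
# one SFTP session sweeping 30 ports across two internal hosts.
SAMPLE_LOG = [
    "Nov 14 09:00:01 sftp01 sshd[4101]: Accepted password for alice from 203.0.113.9 port 51000 ssh2",
    "Nov 14 09:00:05 sftp01 sshd[4101]: error: connect_to 10.0.0.5 port 5432: failed.",
    "Nov 14 09:10:00 sftp01 sshd[4242]: Accepted password for sftpuser from 198.51.100.7 port 40212 ssh2",
] + [
    f"Nov 14 09:10:{i % 60:02d} sftp01 sshd[4242]: error: connect_to 10.0.0.{5 + i % 2} port {i}: failed."
    for i in range(1, 31)
]

if __name__ == "__main__":
    for cfg_name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{cfg_name}: sftpuser may forward = {tcp_forwarding_allowed(cfg, 'sftpuser')}")
    for pid, f in detect_forward_sweeps(SAMPLE_LOG).items():
        print(f"sweep from {f['user']}@{f['src']} (sshd pid {pid}): "
              f"{f['targets']} refused targets on {', '.join(f['hosts'])}")
```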

Blog Post: Top 3 Common Networking Attacks

Prism Infosec’s Senior Security Consultant, Aaron, reviews the “Top 3 Common Networking Attacks”

During this unprecedented period when much of the world’s population is affected by lockdown measures and limited activities, cyber criminals have intensified their attacks. The state of fear and uncertainty has provided them with a new “business opportunity” and whilst most of us are spending more time on the Internet than ever before, several types of cyber-attacks have seen a drastic increase over the last few months.

1. Phishing Attacks

Amid this chaotic situation, many people are seeking out COVID-19 related information online, hoping to find reliable guidelines to stay safe and well. At the same time, hackers are taking advantage of this by ramping up “phishing” attacks that trick internet users into opening malicious files or links that purport to provide COVID-19 information.

Cyber criminals do this by impersonating trusted organisations and sending out convincing emails containing attachments that are laden with malicious payloads. On opening, the attachments execute the code and allow an attacker unauthorised access to system resources and data, along with the capability to execute further attacks on other networked devices or resources.

In other phishing attacks, unsuspecting users are tricked into following links that lead the user to realistic login pages for trusted brands. On logging in, the valid usernames and passwords are captured and later used by criminals to conduct financial fraud and impersonation. 

Phishing attacks can be mitigated in several ways:

  • Implement an anti-spoofing policy with malware and spam filters on mail servers to keep malicious emails from reaching employees.
  • Implement email security protection measures such as SPF, DKIM and DMARC. These increase assurance around the validity of the sender associated with a particular domain, verify whether the domain has been impersonated, and prevent spoofed emails from reaching inboxes.
  • Train employees on how to identify phishing exploits and the actions to take when they suspect phishing or have already opened an attachment or followed a link.

2. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attack

At a time when Internet connections are required more than ever, a successful Denial of Service attack will have a more damaging impact than ever before.

A Distributed Denial-of-Service (DDoS) attack is when a collection of computers are infected with malicious code and controlled as a group (botnet). They are then targeted at another Internet service such as a web site, which is flooded with Internet traffic to deny its service to legitimate users. The outcome of a DDoS attack is operational disruption, which is achieved when systems and services are taken offline. Furthermore, attackers can disrupt organisations by threatening to shut down business services unless large sums of money are paid.

DDoS attacks can be mitigated by:

  • Utilising a Web Application Firewall (WAF)
  • Implementing rate limiting

It is crucial that organisations understand Denial of Service attacks and are always prepared to defend against them.

3. Remote Desktop Server Attack

Recently, many organisations have turned to Microsoft’s Remote Desktop Protocol (RDP) as a method of allowing remote workers access to corporate resources. The number of corporate services that need to be remotely accessible has increased sharply, along with the requirement to support remote working; however, so has the number of reported RDP attacks.

RDP is a simple and cost-efficient method of facilitating remote working and access to corporate resources such as applications or desktops. However, the protocol is not sufficiently secure to be exposed to the internet. Without adequate security configurations in place, it can be easily compromised allowing an external attacker to gain a foothold into internal networks.

RDP attacks typically involve brute-forcing usernames and passwords, attempting all possible combinations until the correct one is found. Upon discovery of a correct combination, an attacker can gain full desktop access to a computer in the target network.

If your organisation must enable RDP, it is crucial that the following protection measures are in place:

  • Unique, long and random passwords are in use to protect the systems
  • Two-factor authentication is enforced
  • Use of RDP is limited to devices connected via a corporate VPN
  • Security options such as Network Level Authentication (NLA) are enabled
  • Connectivity of the RDP service to a corporate domain is avoided

If RDP access is not required, then it should be disabled and access to port 3389 should be blocked at the firewall.
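The brute-force pattern described above leaves a distinctive trace in the Windows Security log: many failed logons (event 4625) of logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a success (event 4624). The following is an added example, not from the original page, that runs that detection logic over constructed sample records; the record shape is simplified and the IPs, usernames and timestamps are made up.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample records shaped like Windows Security log events on an RDP host
# (4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive, i.e. RDP).
# The addresses are documentation ranges and the data is made up for this example.
SAMPLE_EVENTS = [
    {"time": "2020-05-01T09:00:01", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2020-05-01T09:00:05", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2020-05-01T09:00:09", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2020-05-01T09:00:12", "event_id": 4625, "logon_type": 3, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2020-05-01T09:00:15", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"},
    {"time": "2020-05-01T09:00:20", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.5"},
    {"time": "2020-05-01T09:00:22", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2020-05-01T09:00:31", "event_id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.5"},
    {"time": "2020-05-01T09:00:40", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.5"},
    {"time": "2020-05-01T09:01:10", "event_id": 4624, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"},
]


def detect_rdp_bruteforce(events, threshold=5, window_seconds=120):
    """Flag each source IP with >= threshold failed RDP logons inside a sliding window.

    The alert records how many failures were seen and which accounts were tried; a later
    successful RDP logon from the same IP marks the alert for credential-compromise follow-up.
    """
    failures = defaultdict(deque)      # src_ip -> recent (timestamp, user) failures
    alerts = {}                        # src_ip -> alert dict, one alert per IP
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:     # only RemoteInteractive (RDP) logons matter here
            continue
        ts, ip = datetime.fromisoformat(ev["time"]), ev["src_ip"]
        if ev["event_id"] == 4625:
            recent = failures[ip]
            recent.append((ts, ev["user"]))
            while (ts - recent[0][0]).total_seconds() > window_seconds:
                recent.popleft()       # drop failures that fell out of the window
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = {"src_ip": ip, "failures": len(recent),
                              "users": sorted({u for _, u in recent}), "success_after": False}
        elif ev["event_id"] == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The two failures from 198.51.100.5 (a user mistyping a password) stay below the threshold, while the spray across several accounts from 203.0.113.7 is flagged and marked as followed by a successful logon.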

Conclusion

In conclusion, cyber-crime is bound to increase for the rest of 2020 as cyber criminals are constantly engineering new methods to attack business operations. Hence, it is crucial that businesses stay ahead of cyber threats by maintaining good security practices, such as:

  • Regularly review network security – Audit the security controls in place to ensure that network perimeters are well protected and unnecessary access is removed. Continue to monitor all systems and networks for unusual activity.
  • Maintain user education and awareness – Constantly remind employees of the importance of both physical and cyber security awareness. Develop home working policies and train employees to adhere to them.
  • Ensure malware prevention is in place – Ensure that all anti-virus solutions are updated daily and anti-malware policies are in place.
  • Maintain secure configuration on all systems – Make sure that all servers and end user devices are patched up to date. Ensure that all remote working devices are subject to integrity checks before they are allowed access into corporate networks.
  • Secure remote access configurations – All remote solutions should utilise secure authentication and encryption technologies and have multi-factor authentication enforced where possible.
  • Monitor user activities and privileges – Continue to monitor user activities for potentially malicious behaviour and ensure that the principle of least privilege is actively applied.
  • Incident response plan – Always be alert and prepared for potential cyber-attacks, and ensure that an incident response plan is in place to deal with any emergencies.

Blog Post: Home Working Cyber Security Guidance

During these uncertain times, Prism Infosec are doing their utmost to support the community with information security guidance and advice.

To start, Prism Infosec has published a blog post (longer read) and quick guide (key points) as essential updates for ensuring systems and data availability without compromising security.

A PDF of our full blog post can be downloaded from here.

For the quick guide, this can be downloaded here.

Blog Post: eCommerce Websites: Assessing the Risk

The last year has seen a significant rise in the quantity and impact of attacks on eCommerce (eCom) websites, which has cumulatively resulted in the exposure of millions of personal data records and, in some cases, cardholder data records.

In many cases, relatively simple attacks have been used to compromise eCom applications despite the best efforts of Information Security staff and standards bodies such as the PCI Security Standards Council (SSC). The potential impacts of data breaches include class action lawsuits, brand/reputational damage, fines from regulators such as the Information Commissioner’s Office (ICO) and card scheme fines from Mastercard and Visa.

Looking further into the recent breaches, there is no doubt that firms such as British Airways, Ticketmaster and Quora will have invested significantly in security and compliance. So where did it all go wrong? Are the standards not strong enough, or have the threats increased in sophistication? Why are breaches which affect millions of people so common?

What can organisations do to ensure that they minimise the risk of a successful eCom attack?

After investigating security across many eCom sites, it is apparent that gaps really do exist in many cases. One problem is that there are so many different ways to attack an eCom site, for example:

  • The underlying platform or environment hosting the eCom application;
  • Libraries, packages or dependencies used by the application;
  • The core web application functionality itself;
  • Network security;
  • Configuration settings across all systems and applications;
  • Remote access and management of the environment, including third parties; and
  • The Content Management System (CMS).

Many organisations only defend against a subset of these attack points or, in some cases, mistakenly believe that one or more contracted third parties are covering certain areas when this may not actually be the case.

Should an attacker gain unauthorised access to an underlying server involved in the delivery of a web site or the CMS application, then it can be straightforward to modify pages and code associated with critical pages such that information entered by a customer is duplicated to another web site under the control of the attacker. 

The issue associated with this particular attack is that the data (sensitive details such as personal data or credit card data) is not necessarily stored on the compromised server itself, but is nevertheless duplicated to a second malicious web site controlled by the attacker. The eCom site will appear to continue to process transactions ‘normally’ and so the attack can remain undetected for some time, harvesting many thousands of stolen records over a period of weeks or months.

This means that it is vitally important to ensure that access to the eCom servers and associated management systems is strongly protected, from both internal and external attackers. Additionally, detecting unexpected changes to core code and anomalous calls in client transactions are measures that can be used to detect and prevent the success of such an attack.
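One way to detect the unexpected changes to core code mentioned above is to record a hash baseline of the site's code files at deployment and compare the live tree against it. The following is an added example, not Prism Infosec's tooling or the page's own code, that builds such a baseline over a constructed site tree and reports modified, added and missing files after a simulated unauthorised change; the file names, paths and suffix list are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# File types that make up the site's served code (assumption for this example; a real
# deployment would also cover templates and anything the payment form loads).
CODE_SUFFIXES = (".js", ".php", ".html")


def hash_file(path):
    """SHA-256 of a file, read in chunks so large bundles need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 for every code file under root (taken at deployment)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.suffix in CODE_SUFFIXES}


def check_integrity(root, baseline):
    """Compare the live tree against the baseline; any difference is an unexpected change."""
    current = build_baseline(root)
    return {"modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
            "added": sorted(k for k in current if k not in baseline),
            "missing": sorted(k for k in baseline if k not in current)}


def demo():
    """Constructed site tree: baseline at deployment, then an unauthorised edit to the
    checkout script plus a dropped file, which the check must report."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "js").mkdir()
        checkout = root / "js" / "checkout.js"
        checkout.write_text("function pay(form) { return submit(form); }\n")
        (root / "index.html").write_text("<html><body>shop</body></html>\n")
        baseline = build_baseline(root)
        # simulated tampering: a placeholder line appended to the checkout script and a new file
        checkout.write_text(checkout.read_text() + "// placeholder: unauthorised change\n")
        (root / "js" / "helper.js").write_text("// placeholder: dropped file\n")
        return check_integrity(root, baseline)
    finally:
        shutil.rmtree(root)
```

In practice the baseline is stored off the web server and the comparison runs on a schedule or after each deployment, with any non-empty result raising an alert.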

Prevention

An online web application associated with the delivery of sales transactions can minimise the risk of a successful attack using effective eCom security management, such as:

  • Prevention of attacks with defence-in-depth (multi-layer security)
  • Detection and alerting of anomalies in eCom operation
  • Fast response to attacks to minimise the risk to the business

Regular testing and scanning of the eCom site is an essential basic and should be conducted frequently, with anomalies remediated as a priority – after all, attackers are testing and scanning all eCom sites across the Internet continuously.

A challenge mentality should be present in the teams managing the site’s infrastructure, code (whether bespoke, off-the-shelf eCom software or cloud service, or a hybrid of the two) and cyber security. This is preferable to treating penetration testing and vulnerability scanning as “tick box exercises” – even issues rated as low risk should be reviewed and managed as part of an effective risk management regime.

It is also recommended to conduct regular focused eCom risk assessments on new or existing sites, or when changing underlying application frameworks or adding new features such as voucher codes or customer product reviews.

An effective eCom risk assessment should cover:

  • Platform/technologies in use (hosting, network and software)
  • Effective management of any third parties
  • Resilience of eCom platform
  • Sensitive data stored, processed or transmitted, compliance obligations
  • eCom code and content development, testing and deployment
  • Logging/monitoring, testing and assurance

Baseline security practices such as patching and network security are quite clearly not, on their own, sufficient to ensure adequate protection of an eCom website; many different threats and attacks need to be considered.

An eCom risk assessment, combined with regular testing and scanning, will ensure that the many risks of an eCom breach are understood, properly managed and mitigated as far as possible.