I.T., Blog Deidre Frith

4 Lessons From The Most Devastating Cyber Attack In History


Today’s history lesson comes from Wired, which ran a really interesting piece last year on the NotPetya cyber attack that targeted Ukraine but led to billions of dollars in collateral damage. And really, the story isn't even about Ukraine or the other companies. The story is truly about a nation-state’s weapon of war that was released in such a medium that it knew no borders. The collateral damage didn’t just affect its intended victim, but crossed over everywhere at once. It’s a warning to businesses like yours and mine to be prepared for the worst. You may not be the original intended target, but if you don’t take active precautions, you could easily be taken down like so many of the companies and countries mentioned in the following story.

SUMMARY OF NOTPETYA CYBER ATTACK

For four or five years, Ukraine and Russia have been in an undeclared war that has killed more than 10,000 Ukrainians. The conflict is so bad that Ukraine has become a testing ground for Russian cyberwar tactics. Attackers have penetrated networks and hacked governmental organizations and companies ranging from media outlets to railway firms. They’ve even gone as far as causing widespread power outages.


During this time, unbeknownst to anyone, Russian military hackers hijacked the update servers of a company called Linkos Group to give themselves a hidden back door into thousands of PCs around the country and the world. Then they waited… and in June 2017, the Russian saboteurs used the back door they had set up to release a piece of malware called NotPetya, their most vicious cyberweapon yet.

The code that the hackers pushed out was honed to spread automatically, rapidly, and indiscriminately.

“To date, it was simply the fastest-propagating piece of malware we’ve ever seen,” says Craig Williams, director of outreach at Cisco’s Talos division, one of the first security companies to reverse engineer and analyze NotPetya. “By the second you saw it, your data center was already gone.”

Within hours of its first appearance, the worm raced beyond Ukraine and out to countless machines around the world, from hospitals in Pennsylvania to a chocolate factory in Tasmania. It crippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelēz, and manufacturer Reckitt Benckiser. In each case, it inflicted nine-figure costs. It even spread back to Russia, striking the state oil company Rosneft.

READ THE FULL STORY: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/ 


FOUR LESSONS FOR EVERY BUSINESS FROM NOTPETYA


A number of mistakes, oversights, and criminal acts went into making this attack successful. You’ll also no doubt want to take a look at how something similar might impact you and what steps you can take to protect yourself. There are a lot of takeaways in this story, but here are four very important ones that apply to every business that utilizes computers in running their business: 

  1. Enforce utilizing only approved software - Maersk would not have been impacted had ONE finance executive not installed an accounting application on his computer. This stresses the importance of creating and sticking to approved software lists within your organization. Now, this one may have been approved – the story doesn’t say, but in this interconnected world, one mistake can cost a lot.

  2. Patch management of the operating systems and applications - Cyber criminals can infect computers that aren’t patched, and then grab the password from those computers to infect other computers that are patched. Patching was lackluster at best; the vulnerability was known and could have been corrected, but wasn’t.

  3. Backups, backups, backups - Maersk got lucky by finding one domain controller that wasn’t infected, as they had no backups. They depended on replicas saving their day, and in this case, I suppose they did, but only because of a power outage isolating one network out of hundreds.

  4. Know your risks and have mitigation plans - Understand that you can do almost everything right and still be impacted – so understand your risks and have mitigation plans for your most critical processes. 

Bonus – Vendor risk management. You can do everything right, but if the firms who provide your cloud applications, websites, even IT services are vulnerable, then you must understand that their risks are your risks. Be sure to include these vendors in your overall risk management program and see how they address their risks so you can make informed decisions.

CLOSING

RealTime specializes in helping businesses with complete technology solutions, backups, cyber protections and mitigation plans, vulnerability assessments and more. If you don’t have a plan in place, contact RealTime to begin the process of protecting your business. Feel free to contact us here or call us at (334) 678-1417.

I.T., Blog Deidre Frith

SMB Cybersecurity Checklist (Part 1 of 3)

Given all the news regarding cyberattacks, it’s not hard to get businesses thinking about improving their cybersecurity. But, when those same businesses want to move beyond just thinking about improvement and act to really mature their security, they may feel like they are on their own. After all, the typical small business doesn’t usually have an IT staff, and probably doesn’t know where to begin this journey. Not to worry, we’re here to help. 

These are the first 5 things we recommend a small business (really any business) do as they work to improve their cybersecurity posture.

ONE

The very first thing we recommend is to have a plan.  If you are not sure how to develop a plan, here is an overview of the different areas you’ll want to review as you begin the process of improving your cybersecurity: https://www.realtime-it.com/blog/solid-cybersecurity-plan.

 

TWO

You must perform risk and vulnerability assessments for your business. You want to understand (and document) how you use technology in your business and the technical risks you face so you can prioritize your cybersecurity improvement efforts.  It is not possible to fix everything at once, and your risk assessment will help you identify what might be addressed easily and what is critical to address immediately.


For the rest of Part 1, we’ll skip ahead a bit in the process to shore up areas every business needs to address if they haven’t already.

THREE

Backups – air-gapped, tested, secured. Simply put, you want to regularly back up all your important data, and keep a copy of that backup outside of the building and inaccessible from your local computers. This way, if something bad happens, the backup isn’t affected along with everything else. Don’t forget, you also want to periodically test your backups to make sure the process is working and the data is up to date and usable.

 

FOUR

Firewall – managed, NextGen security. Your firewall, with the proper security services in force, is one of your primary means of cyber defense. Firewalls have been considered a security necessity for about twenty years now, and no, you can’t get a proper business-grade firewall off the shelf at your local big-box electronics store.

 

FIVE

Security Awareness Training – ongoing and often. If your staff is using computers and the internet, they need to be aware of the threats, to know what to watch for, and to understand how to report anything out of the ordinary. We have a great blog on Security Awareness Training here with a lot of great links.

 

Finally, even though we said we’d only discuss the first five steps to consider in addressing stronger cybersecurity, we really want to make sure you understand how important it is for you to obtain adequate cyber insurance appropriate to your business type and cyber risks. Talk to your insurance agent and ask for qualified resources and options to help you find the best policy to meet your needs.

Deidre Frith

Update Your Chrome Browser


If you have Google’s Chrome browser installed on your computers, please make sure to update it ASAP to version 78.0.3904.87 or later (latest as of today is 78.0.3904.97), as there are two security vulnerabilities in older versions that have active exploits in the wild. Google doesn’t talk in much detail about exploits, but Kaspersky has a decent write-up if you’d like more details: https://www.kaspersky.com/blog/google-chrome-zeroday-wizardopium/29126/

How can you tell if you need to update?

To check, open up Chrome, click on the three vertical dots in the upper right corner of the browser (“Customize and control Google Chrome”), and select Help → About Google Chrome. If the number you see is 78.0.3904.87 or higher, everything is in order. You may see a red up arrow in that right corner, indicating an update is ready to be installed. You will have to close Chrome for the updates to take effect.
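A fleet-wide version of the manual check above, as an added example that is not from the original post: it compares reported Chrome versions against 78.0.3904.87 component by component, because a plain text comparison would wrongly rank 78.0.3904.108 below 78.0.3904.87. The hostnames and the `hostname,version` inventory format are constructed for illustration.

```python
# Minimum fixed version named in the post.
MIN_FIXED = "78.0.3904.87"

# Constructed sample inventory (hostname,reported Chrome version); not real data.
SAMPLE_INVENTORY = """\
frontdesk-01,78.0.3904.97
acct-02,78.0.3904.70
sales-03,77.0.3865.120
lab-04,78.0.3904.108
kiosk-05,unknown
"""


def parse_version(text):
    """Turn '78.0.3904.87' into (78, 0, 3904, 87); return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def needs_update(version, minimum=MIN_FIXED):
    """True if version is older than minimum or cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return True  # unknown version: flag it so someone checks by hand
    return parsed < parse_version(minimum)


def triage(inventory_text, minimum=MIN_FIXED):
    """Return the sorted hostnames whose Chrome must be updated or checked."""
    flagged = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        if needs_update(version, minimum):
            flagged.append(host.strip())
    return sorted(flagged)


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome to {MIN_FIXED} or later")
```
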

RealTime clients don’t have to worry about this as we update Chrome and most other third party applications automatically as part of your managed technology services.

Deidre Frith

Roll Your Own Security Awareness Training

As you might imagine, RealTime fields a fair number of questions regarding cybersecurity that range from “How can we be better protected?” to “I’m scared that we might be hit like that local place just was.” As part of answering this real need for our clients, RealTime is now offering an end-user training program as part of our Identity Shield Services.

However, if you are not a client (yet) or you would like to try this on your own, then you can train on some of the basics of cybersecurity awareness just by spending a little bit of time on YouTube. This is not intended to replace formalized training, but these videos can help you address the most likely threats that the average person encounters just because they use the internet and email in the course of doing their job. These tips are excellent for anyone who just wants to reduce their risks online.

[I’ve watched all of these videos and the links are current as of November 2019. They are each under four minutes and are well worth your time.]


Best single tip that I can provide to help you avoid being hooked by phishing: Microsoft, Google, Apple, Verizon, Bank of America, SSA, IRS, and thousands of legitimate businesses just like them will NEVER, ever, send an email to you asking you to confirm your password.



SUGGESTED LINKS TO YOUTUBE LEARNING

Phishing explained with some education, by SANS

 https://www.youtube.com/watch?v=5RHeJAEdiEc

 

How to spot a phishing email, report by Fortune Magazine

 https://www.youtube.com/watch?v=jfnA7UmlZkE 
The best tip in this video: If the email looks suspicious, it probably is…

 

If you only watch one video, make it this one!

An excellent video on spotting phishing scams that is well worth the almost 4 minutes of your time. Loaded with realistic examples and tips.
 https://www.youtube.com/watch?v=0GwWTjz6txU 
BEST TIP: Think before you click.

 

Office 365 phishing attack types with some examples (this is not a video)

 https://betanews.com/2019/04/03/office-365-phishing-attacks/ 
Note that these threats are not unique to Office 365 email – we’ve seen attempts against all web-based email systems. Just more confirmation that if something asks you to confirm credentials, or to enter your logon info to access an attachment, be wary!

  

Tech support scam, by USAGov

https://www.youtube.com/watch?v=UGBLjPKSUeU 

If you have older parents who use email and the internet, please ask them to watch this video! I have helped too many older, and not so older people, who have been scammed in this way, including my own parents more than once.  

 

Spot a bad URL or Link, by Symantec

https://www.youtube.com/watch?v=YIeS7sJ_Llw

 

Better passwords, Local CBS news report

 https://www.youtube.com/watch?v=oakITDBYElw

 

Better password management using a password manager.

This post explains LastPass, but all the password manager applications work pretty much the same
https://lifehacker.com/the-beginners-guide-to-setting-up-lastpass-1785424440 

One important detail – you want to be sure that whatever application you use has their security act together and stores the passwords properly.

 

Mobile device security from SANS Security Awareness

 https://youtu.be/WEfWFA4xdd4

 

 

 


I.T. Deidre Frith

A How-To Guide for Multi-Factor Authentication

Multifactor authentication (MFA) is defined as a security process that requires more than one method of authentication from independent sources to verify the user’s identity. In other words, a person wishing to use the system is given access only after providing two or more pieces of information that uniquely identify that person.
