I’ve been in this business a long time, and I can honestly say that many MSPs lack a concrete sales process structure. That’s pretty worrisome because, let’s face it, you have to have a plan in order to succeed at just about anything. Imagine you’re an engineer working on server maintenance or a network infrastructure build—you wouldn’t do that without a plan, would you? Your sales strategy should be handled no differently.
Dos and Don’ts for your Sales Process
First, let’s talk about some don’ts. Avoid taking a call and immediately giving a quote over the phone, as well as going straight to the customer site to conduct ad hoc assessments and sales presentations in the same breath. To build value, you need to stretch this into multiple touches, by which I mean multiple meetings. Sure, that’s more work for you up front, but it’s crucial for establishing trust with the client. You need to open and sustain a dialog about their needs so you can tailor a unique solution for them, without diving right into a pitch. By leading with careful consideration and attention to their needs, you can begin building a lasting relationship and, eventually, bring them a better offering.
Here’s how I recommend you structure your process.
Schedule an on-site strategy session with your client.
Meeting with a prospect face-to-face will demonstrate your investment in a trust relationship. Now, you have to listen to them. Don’t lead with a pitch. Let them tell you what their problems are, pay close attention to them as they express their needs, and take note of all their pain points.
This is also the ideal opportunity to truly grasp of whether the demands are excessive or unreasonable for your capabilities. Each relationship you enter into with clients is a partnership that comes with shared responsibilities. Be more than a fulfull/deliver shop.
Perform an in-depth assessment and discovery.
You need to discover everything that’s on the client’s network and assess exactly where they stand. Don’t do this on the same day as that initial meet; schedule a second one. Take the extra time between the meetings to prepare more specific questions that will delve more deeply into the needs your prospect expressed. This will help show the client that you’re invested in their unique challenges.
When you come back, bring an engineer or assistant with you. You need someone with you who can interview different staff members and find out about the specific issues they face. Ask basic questions to understand how the employees feel about where the company’s IT stands, like: What kind of issues are you having?; What do you see wrong with your computer network?; How could your network be improved?; and What things would you like to see change?
As you’re doing your assessment and discovery, make sure to bring cybersecurity into the discussion. Managed cybersecurity is often a poor experience, so this is your chance to feel out how else you can alleviate their pains (and set yourself apart from their current provider.)
And, finally, book the third meeting.
Make the pitch.
Ideally, your third meeting would be at your location. If there’s some reason you can’t do it in your own shop, take the prospect off-site for lunch at a restaurant that has private meeting rooms. Essentially, you want to avoid doing the presentation in their office, where they can easily get interrupted.
In this case, it will pay to be overly prepared. Again, if you listened closely, the prospect would’ve already told you what to focus on to help them succeed. Use that knowledge to craft the right message to deliver during this meeting.
Start by walking through the pain points they and their employees revealed. Talk over anything else you found in your discovery/assessment that could be improved. Have an itemized list, and then ask them if they agree with all the issues you’ve found.
Once you get agreement, then you can go into your sales pitch and present them with a well-tailored offering that can actually solve their challenges and help them grow.
Ultimately, by listening to your prospect, exhibiting an understanding of their needs, and demonstrating your level of commitment to providing value and nurturing the relationship itself, you’ll be well on your way to building a meaningful, successful business partnership.
Download my Multi-Million Dollar MSP Sales Process that will guide you through the above steps like a pro. The last few pages of the document include links to helpful templates as well as worksheets for you to hit the ground running on this process.
Flipboard, a news aggregation site, recently revealed that it’s
been the victim of a data
breach that could affect many of their more than 100 million active users. Digital
tokens were among the compromised data, which could give the attackers further
access to other sites, though Flipboard promptly removed or replaced them. At
least two separate breaches have been reported by Flipboard, with one occurring
in the middle of 2018 and the other in April of this year. Both allowed the
attackers nearly unlimited access to databases containing a wealth of user
data.
Keylogger Targets Multiple Industries
At least two separate campaigns have been found to be sending malicious emails to industry-leading companies in several different areas of business. Hidden within these emails are two variants of the HawkEye keylogger that perform various malicious activities beyond simply stealing keystrokes from the infected device. By acting as a loader, HawkEye can install additional malware and even contains a script to relaunch itself in case of a system reboot.
Australian Teen Hacks Apple
A teen from Australia was recently in court to plead guilty
to two separate hacks
on Apple, which he conducted in hopes of gaining a job with the company.
While Apple has since confirmed that no internal or customer data was breached,
they have chosen leniency after his lawyer made a case for the perpetrator being
remorseful and not understanding the full impact of his crimes.
Fake Crypto-wallets Appear on App Store
Several fake
cryptocurrency wallets have made their way into the Google Play store
following the latest rise in the value of Bitcoin. Both wallets use some form
of address scam, by which the user transfers currency into a seemingly new
wallet address that was actually designed to siphon off any transferred
currency. The second of the two wallets operated under the guise of being the
“mobile” version of a well-known crypto-wallet. It was quickly identified as fake
due to an inconsistent icon image. Both fake wallets were tied to the same
domain and have since been removed from the store.
Ransomware Focuses on MySQL Servers
While the threat of GandCrab
is not new, organizations discovered its persistent risk after researchers found
it has been refocused on attacking MySQL servers. By specifically targeting the
port used to connect to MySQL servers, port 3306, the attackers have had some success,
since many admins allow port 3306 to bypass their internal firewalls to ensure
connectivity. As GandCrab continues to narrow it’s attack scope, its remaining viable
vectors are likely to be even more lucrative given that most organizations are not
able to secure everything.
As technology continues to evolve,
several trends are staying consistent. First, the volume of data is growing
exponentially. Second, human analysts can’t hope to keep up—there just aren’t
enough of them and they can’t work fast enough. Third, adversarial attacks that
target data are also on the rise.
Given these trends, it’s not
surprising that an increasing number of tech companies are building or implementing tools that promise automation and tout machine
learning and/or artificial intelligence, particularly in the realm of
cybersecurity. In this day and age, stopping threats effectively is nearly
impossible without some next-generation method of harnessing processing power
to bear the burden of analysis. That’s where the concept of a cybersecurity
platform built on threat intelligence comes in.
What is a platform?
When you bring together a
number of elements in a way that makes the whole greater or more powerful than
the sum of its parts, you have the beginnings of a platform. Think of it as an
architectural basis for building something greater on top. If built properly, a
good platform can support new elements that were never part of the original
plan.
With so many layers continually building on top of and alongside one another, you can imagine that a platform needs to be incredibly solid and strong. It has to be able to sustain and reinforce itself so it can support each new piece that is built onto or out of it. Let’s go over some of the traits that a well-architected threat intelligence platform needs.
Scale and scalability
A strong platform needs to
be able to scale to meet demand for future growth of users, products,
functionality. Its size and processing power need to be proportional to the
usage needs. If a platform starts out too big too soon, then it’s too expensive
to maintain. But if it’s not big enough, then it won’t be able to handle the
burden its users impose. That, in turn, will affect the speed, performance,
service availability, and overall user experience relating to the platform.
You also need to consider
that usage fluctuates, not just over the years, but over different times of
day. The platform needs to be robust enough to load balance accordingly, as
users come online, go offline, increase and decrease demand, etc.
Modularity can’t be
forgotten, either. When you encounter a new type of threat, or just want to add
new functionality, you need to be able to plug that new capability into the
platform without disrupting existing services. You don’t want to have to worry
about rebuilding the whole thing each time you want to add or change a feature.
The platform has to be structured in such a way that it will be able to support
functionality you haven’t even thought of yet.
Sensing and connection
A threat intelligence platform
is really only as good as its data sources. To accurately detect and even predict
new security threats, a platform should be able to take data from a variety of sensors
and products, then process it through machine learning analysis and threat
intelligence engines.
Some of the more
traditional sensors are passive, or “honeypots” (i.e. devices that appear to
look open to attack, which collect and return threat telemetry when
compromised.) Unfortunately, attack methods are now so sophisticated that some
can detect the difference between a honeypot and a real-world endpoint, and can
adjust their behavior accordingly so as not to expose their methods to threat
researchers. For accurate, actionable threat intelligence, the platform needs
to gather real-world data from real-world endpoints in the wild.
One of the ways we, in
particular, ensure the quality of the data in the Webroot® Platform, is by
using each deployment of a Webroot product or service—across our home user,
business, and security and network vendor bases—to feed threat telemetry back
into the platform for analysis. That means each time a Webroot application is
installed on some type of endpoint, or a threat intelligence partner integrates
one of our services into a network or security solution, our platform gets
stronger and smarter.
Context and analysis
One of the most important
features a threat intelligence platform needs is largely invisible to end
users: contextual analysis. A strong platform should have the capacity to
analyze the relationships between numerous types of internet objects, such as
files, apps, URLs, IPs, etc., and determine the level of risk they pose.
It’s no longer enough to
determine if a given file is malicious or not. A sort of binary good/bad
determination really only gives us a linear view. For example, if a bad file
came from an otherwise benign domain that was hijacked temporarily, should we
now consider that domain bad? What about all the URLs associated with it, and
all the files they host?
For a more accurate picture, we need nuance. We must consider where the bad
file came from, which websites or domains it’s associated with and for how long,
which other files or applications it might be connected to, etc. It’s these
connections that give us a three-dimensional picture of the threat landscape,
and that’s what begins to enable predictive protection.
The Bottom Line
When faced with today’s cyberattacks,
consumers and organizations alike need cybersecurity solutions that leverage
accurate threat telemetry and real-time data from real endpoints and sensors.
They need threat intelligence that is continually re-analyzed for the greatest
accuracy, by machine learning models that are trained and retrained, which can
process data millions of times faster than human analysts, and with the
scalability to handle new threats as they emerge. The only way to achieve that
is with a comprehensive, integrated machine-learning based platform.
Cities are expanding their technological reach. Many of their efforts work to increase public protections, such as using GPS tracking to help first responders quickly locate the site of a car accident. But, in the rush for a more secure and technologically advanced city, privacy can fall by the wayside. We’ve reviewed the top cities around the world that are using technologies that may invade citizens’ privacy, so you know what to expect and what you can do.
Big brother in Beijing, China
China is infamous for its mass surveillance, with Beijing often serving as a testing ground for new surveillance software. The Chinese government uses internet monitoring, GPS tracking, and the “world’s biggest camera surveillance system”, with more than 170 million CCTV cameras to monitor the country’s populace. These CCTV cameras are backed by powerful facial recognition algorithms, which can track an individual down in just seven minutes. It is safe to say that you are probably being monitored anywhere you travel while in China, but a general rule is that, the higher the population, the more surveillance there is.
The town of Yizhuang has more than 2,243 high definition security cameras, 277 vehicle recognition cameras, and 267 facial recognition cameras. It also features six patrol vehicles with mobile cameras, and enforcement officers equipped with video capture equipment. Each of these cameras is sending live video streams to a main control center 24/7—all to monitor a single 11-square-mile suburb of Beijing.
Beijing is also preparing to roll out a social credit system in 2020. This system will award personal trustworthiness points to citizens and businesses based on their financial credit scores, as well as their personal and professional behavior. In the meantime, how the Chinese government plans to use this system to reward or punish its citizens remains a mystery.
Always watching in Moscow, Russia
Not one to be outdone, Russia has also embraced mass CCTV surveillance. Moscow alone has more than 170,000 cameras, making it the most surveilled city in Russia. Facial recognition software is paired with this massive network of cameras to track down persons of interest, though exactly what defines a “person of interest” is somewhat nebulous. In fact, Moscow officials recently admitted that they “can now trace the debtors’ movements,” thanks to this massive network of CCTV cameras. He declined to comment on the number of debtors who have been traced using this technology, nor the severity of their debts.
Mass monitoring in Darwin, Australia
Darwin, Australia is piloting a surveillance system similar to the technologies used in China, with some warning that it could evolve into a social credit system. Darwin has installed poles throughout the city outfitted with speakers, cameras, and WiFi. These monitoring stations track people and their movements all around the city, and are aided by facial recognition software. They can even respond to triggers, such as when a specific individual breaches a “virtual fence.”
“We’ll be getting sent an alarm saying, ‘There’s a person in this area that you’ve put a virtual fence around.’ … Boom, an alert goes out to whatever authority, whether it’s us or police to say ‘Look at camera five,’” said Josh Sattler, the Darwin Council’s General Manager for Innovation, Growth, and Development services in an article with NT News.
This system also tracks mobile phone use, web traffic, and mobile app usage—but only to help local businesses, of course.
“[It will tell us] where people are using WiFi, what they’re using WiFi for, are they watching YouTube, etc., all these bits of information we can share with businesses… we can let businesses know ‘Hey, 80 percent of people actually use Instagram within this area of the city, between these hours,’” said Sattler.
‘I spy’ in New York City, USA
In an effort to assist its police force, NYC has turned to the world’s largest surveillance technology company—the Chinese state-owned Hikvision—to install the same surveillance tools being used in China. Thousands of surveillance cameras have been operating in New York City since 2014, using the same facial recognition software that enables law enforcement in Beijing to locate and track individuals within the city. These cameras are equipped with infrared sensors that help capture high resolution images even in very low light. The NYPD has direct access to this surveillance network, and monitors the footage remotely to avoid showing an obvious police presence. The full extent of the surveillance in New York is unknown, but reports indicate the NYPD is using these products on a “large scale.”
Small-town surveillance in Hillsboro, USA
Hillsboro, Oregon is the smallest city on this list, with a population of just over 100,000. So why is such a small town on the same list as places like Beijing, Moscow, and New York? The Washington County Sheriff’s Office, which presides over Hillsboro, recently became the first law enforcement agency in the United States to use Amazon’s AI-powered facial recognition tool, Rekognition. As this is the first real-world test of this technology, its accuracy is hotly debated. Many experts argue that this technology will likely lead to the wrongful arrest of innocent people whose only crime is bearing a resemblance to the accused.
More than 300,000 mug shots taken at the Washington County jail have been uploaded into the Rekognition system. These pictures can be cross-referenced with images from a security camera, social media accounts, or even a deputy’s mobile device—without requiring a warrant. More than 1,000 facial recognition searches were logged into the Rekognition system by the Washington County Sheriff’s Office, but public records requests show that only nine official case reports mention the use of the tool. Washington County deputies are under no imperative to note when facial recognition software assisted with an arrest, so we have no way to judge how accurate the system is.
Your Privacy is Your Concern
While the only way to avoid detection through the facial recognition algorithms is to hide or alter your face, there are some precautions you can take to protect your privacy when visiting these cities. As an example, you can easily obscure your digital traffic, which can help prevent the kind of tracking reported in Darwin. Strong encryption is your best protection against privacy invasive cities. Research a reliable VOIP and text messaging encryption service, and invest in a trusted VPN to shield your web and mobile traffic. Encryption may not stop state actors from intercepting your data, but it will make it nearly impossible for them to interpret it.
Have other tips for protecting your privacy while traveling? Let us know in the comments.
In a constantly evolving cyber landscape, it’s no simple task to keep up with every new threat that could potentially harm customers. Webroot Senior Threat Research Analyst Kelvin Murray highlighted the volume of threats he and his peers are faced with in our latest conversation. From finding new threats to answering questions from the press, Kelvin has become a trusted voice in the cybersecurity industry.
What is your favorite part of working as a Senior Threat Research Analyst?
My favorite part about being a threat researcher is both the thrill of learning about new threats and the satisfaction of knowing that our work directly protects our customers.
What does a week as a Senior Threat Research Analyst look like?
My week is all about looking at threat information. Combing through this information helps us find meaningful patterns to make informed analysis and predictions, and to initiate customer protections. It roughly breaks down into three categories. The first would be “top down” customer data like metadata. The data we glean from our customers is very important and a big part of what we do. The interlinking of all our data and the assistance of powerful machine learning is a great benefit to us.
Next would be “whole file” information, or static file analysis and file testing. This is a slow process but there are times when the absolute certainty and granular detail that this kind of file analysis provides is essential. This isn’t usually part of my week, but I work with some great specialists in this regard.
Last would be news and reports on the threat landscape in general. Risks anywhere are risks everywhere. Keeping up to date with the latest threats is a big part of what I do. I work with a variety of internal teams and try to advise stakeholders, and sometimes media, on current threats and how Webroot fits in. Twitter is a great tool for staying in the know, but without making a list to filter out the useful bits from the other stuff I follow, I wouldn’t get any work done!
What skills have you built in this role?
Customer support taught me a lot in terms of the client, company culture, and dealing with customer requests. By the time I was in business support I was learning the newer console system and more corporate terms. Training on the job was very useful for my move to threat, where I also picked up advanced malware removal (AMR), which is the most hands on you can get with malware and the pain it causes customers. All of that knowledge is now useful to me in my public facing role where I prepare webinars, presentations, interviews, blogs, and press answers about threats in general.
What is your greatest accomplishment in your career at Webroot so far?
Learning the no-hands trick on the scooter we have in the office. And of course my promotion to Senior Threat Research Analyst. I have had a lot of different roles in my time here, but I’m glad I went down the path I did in terms of employment. There’s never a dull moment when you are researching criminal news and trends, and surprises are always guaranteed.
What brought you to Webroot?
I like to say divine providence. But really I had been travelling around Asia for a few months prior to this job. When I got back home I was totally broke and needed a job. A headhunter called me up out of the blue, and the rest is history.
Are you involved in anything at Webroot outside of your day to day work?
Listening, singing and (badly) dancing to music. Dublin is a fantastic place for bands and artists to visit given its proximity to the UK and Europe and the general enthusiasm of concert goers. I do worry that a lot of venues, especially nightclubs, are getting shut down and turned into hotels though. I sing in a choir based out of Trinity College.
Favorite memory on the job?
Heading to (the now closed) Mabos social events with my team. The Mabos collective ran workshops and social and cultural events in a run-down warehouse that they lovingly (and voluntarily) converted down in Dublin’s docklands. Funnily enough, that building is now Airbnb’s European headquarters.
What is your favorite thing about working at Webroot?
The people that I get to work with. I have made many great friendships in the office and still see previous colleagues socially, even those from five or six years ago.
What is the hardest thing about being a Senior Threat Research Analyst?
Prioritizing my time. I can try my hand at a few different areas at work, but if I don’t focus enough on any one thing then nothing gets done. I find everything interesting and that curiosity can get in the way sometimes!
What is your favorite thing to do in Dublin?
Trying new restaurants and heading out to gigs. I’d be a millionaire if I didn’t eat out at lunchtime so much. Dublin is full of great places. I like all kinds of gigs from dance to soul to traditional. The Button Factory is one of the coolest venues we have.
How did you get into the technology field?
I first become interested in technology through messing with my aunt’s Mac back in the early 90s. There were a lot of cool games on her black and white laptop she brought home from a compucentre she worked in, but the one that sticks in my memory was Shufflepuck Café. My dad always had some crazy pre-Windows machines lying around. Things with cartridges or orange text screens running Norton commander.
After the discovery of the banking Trojan known as Trickbot,
an Ohio school district was forced to cancel school since they were unable to
fully disinfect the networks before classes resumed the following Monday.
Preliminary reports have concluded that no students were responsible for the
attack, as it appears to have started its data-gathering on a computer
belonging to the district treasurer’s office. In order for classes to resume
normally, the IT staff for the district had to re-format nearly 1,000 affected computers.
GetCrypt Spreading Through RIG Exploit Kits
Another ransomware
variant, GetCrypt, has been spotted in the
wild that spreads itself across systems by redirecting visitors to a
compromised website to a separate page hosting an exploit kit. After checking
for several Eastern European languages, the ransomware begins encrypting all
files on the system and displays a standard ransom note. In addition to
removing all available shadow copies from the computer, GetCrypt also appends
all encrypted files with a randomized, four-character string based on the CPUID
of the device itself.
Google Assistant Logs All Online Purchases
It was recently discovered that Google’s
Assistant, released last year, keeps a log of all online purchases for
which a receipt was sent to the user’s Gmail account. The “Payments” page on a
user’s Google account shows transactions, flight and hotel reservations, and
other purchases made up to several years prior, even showing the cost, date,
and time of the purchase.
Forbes Joins List of Magecart Victims
It was revealed late last week that Forbes
had fallen victim to a Magecart attack possibly affecting anyone who made a
purchase on the site during that time. Fortunately, the researcher who
discovered the attack quickly notified both Forbes and the domain owner,
resulting in a swift removal of the malicious payment card skimmer from the
highly-trafficked site. It’s likely that Forbes became a victim after another vendor
in their supply chain was compromised.
Australian IT Contractor Arrested for Cryptomining
An IT contractor working in Australia was arrested after
being caught running cryptomining
software on government-owned computers, which netted him over $9,000 in
cryptocurrency. The charges encompass misuse of government systems by making modifications
to critical functions and security measures for personal gain while in a
position of trust. By making these changes, this contractor could have exposed
a much larger portion of the network to malicious actors who take advantage of
misconfigured settings to access company data.
Technology has unlocked a new type of worker, unlike any we have seen before—the digital nomad. Digital nomads are people who use technologies like WiFi, smart devices, and cloud-based applications to work from wherever they please. For some digital nomads, this means their favorite coffee shop or co-working space. For others, it means an idyllic beach in Bali or countryside public house. One thing remains true wherever a digital nomad may choose to lay down their temporary roots: They are at a higher cybersecurity risk than a traditional worker. So what risks should they look out for?
Public Wifi
Without a doubt, public WiFi is one of the main cybersecurity hazards many digital nomads face. The massive and unresolved flaw in the WPA2 encryption standard used by modern WiFi networks means that anyone connecting to a public network is putting themselves at risk. All public WiFi options—including WiFi provided by hotels, cafes, and airports—poses the risk of not being secure. How can a digital nomad be digital if their main source of internet connectivity is a cybersecurity minefield?
When connecting to public WiFi as a digital nomad, it is crucial to keep your web traffic hidden behind a virtual private network (VPN). A quality VPN app is simple to set up on your mobile devices—including laptops and smart phones—and uses a strong encryption protocol to prevent hackers and other snoops from stealing important personal information such as account passwords, banking information, and private messages. VPNs will keep your data encrypted and secure from prying eyes, regardless of locale.
Device Theft
Physical device theft is a very real risk for digital nomads, but one that can largely be avoided. The first and most obvious step to doing so is to never leave your devices unattended, even if your seatmate at the coffee shop seems trustworthy. Always be mindful of your device visibility; keeping your unattended devices and laptop bags locked away or out of sight in your hotel room is often all it takes to prevent theft. Purchasing a carrying case with a secure access passcode or keyed entry can also act as an additional deterrent against thieves looking for an easy mark.
If your device is stolen, how can you prevent the damage from spiraling? Taking a few defensive measures can save digital nomads major headaches. Keep a device tracker enabled on all of your devices—smartphones, tablets, and laptops. Both Apple and Android have default services that will help you locate your missing device.
But this will only help you find your property; it won’t prevent anyone from accessing the valuable data within. That’s why all of your devices should have a lock screen enabled, secured with either a pin or a biometric ID, such as your fingerprint. If you believe these efforts have failed and your device is compromised, enabling multi-factor authentication on your most sensitive accounts should help reduce the effect of the breach.
However, if you cannot recover your device, remotely wiping it will prevent any additional data from being accessed. If you have a device tracker enabled, you will be able to remotely wipe your sensitive data with that software. If you’re using a data backup solution, any lost files will be recoverable once the status of your devices is secure
Lower Your Risk
Being a digital nomad means that you’re at a higher risk for a breach, but that doesn’t mean you can’t take steps to lower that risk. These best practices could drastically reduce the risk incurred by leading a digitally nomadic lifestyle.
Toggle off. Remember to always turn off WiFi and Bluetooth connectivity after a session. This will prevent accidental or nefarious connections that could compromise your security.
Mindfulness. Be aware of your surroundings and of your devices. Forgetting a device might be an acceptable slip up for most, but for a digital nomad it can bring your lifestyle to a grinding halt.
Be prepared. Secure your devices behind a trusted VPN before beginning any remote adventures. This will encrypt all of your web traffic, regardless of where you connect.
Stop the spread. In case of a device or account breach, strong passwords and multi-factor authentication will help minimize the damage.
A staggering 4.8 million Americans describe themselves as digital nomads, a number that won’t be going down anytime soon. With remote work becoming the new norm, it’s more important than ever that we take these cybersecurity measures seriously—to protect not just ourselves, but also our businesses and clients. Are you a digital nomad making your way through the remote-work landscape? Let us know your top tips in the comments below!
WhatsApp Exploited to Install Spyware through Calls
A serious flaw has been discovered in the messaging app WhatsApp
that would allow an attacker to install spyware on a victim’s device by
manipulating the packets being sent during the call. Further disguising the
attack, the malicious software could be installed without the victim answering
the call, and with access to the device the attacker could also delete the call
log. Fortunately, the Facebook-owned app was quick to respond and quickly
released an update for affected versions.
SIM Swapping Group Officially Charged
Nine men in their teens and 20s have been arrested and charged
for a SIM-swapping
operation that netted the group over $2 million in stolen cryptocurrency. The
group operated by illicitly gaining access to phone accounts by having the
phone swapped to a SIM card in their control. The group would then fraudulently
access cryptocurrency accounts by bypassing 2-factor authentication, since login
codes were sent to devices under their control. Three of the group were former
telecom employees with access to the systems needed to execute the scam.
Web Trust Seal Injected with Keylogger
A recent announcement revealed that scripts for the “Trust
Seals” provided by Best of the Web to highly-rated websites were
compromised and redesigned to capture keystrokes from site visitors. While Best
of the Web was quick to resolve the issue, at least 100 sites are still linking
customers to the compromised seals. This type of supply chain attack has risen
in popularity recently. Hackers have been seen injecting payment stealing
malware into several large online retailer’s websites since the beginning of
the year.
Fast Retailing Data Breach
The online vendor Fast
Retailing is currently investigating a data breach that gave attackers
full access to nearly half a million customer accounts for two of the brand’s
online stores. The attack took place within the last three weeks and targeted payment
information with names and addresses for customers of UNIQLO Japan and GU
Japan. Fast Retailing has since forced a password reset for all online
customers and delivered emails with further information for those affected by
the attack.
Data Leak in Linksys Routers
Last week researchers discovered a flaw in over 25,000
Linksys routers that could give attackers access to not only the
device’s MAC address, but also device names and other critical settings that
could compromise the security of anyone using the router. Additionally, by
identifying the device’s IP address, attackers could even use geolocation to gauge
the approximate location of the exploited device, all without authentication.
It’s a familiar story in
tech: new technologies and shifting preferences raise new security challenges.
One of the most pressing challenges today involves monitoring and securing all
of the applications and data currently undergoing a mass migration to public
and private cloud platforms.
Malicious actors are
motivated to compromise and control cloud-hosted resources because they can gain
access to significant computing power through this attack vector. These
resources can then be exploited for a number of criminal money-making schemes, including
cryptomining, DDoS extortion, ransomware and phishing campaigns, spam relay,
and for issuing botnet command-and-control instructions. For these reasons—and
because so much critical and sensitive data is migrating to cloud platforms—it’s
essential that talented and well-resourced security teams focus their efforts
on cloud security.
The cybersecurity risks
associated with cloud infrastructure generally mirror the risks that have been
facing businesses online for years: malware, phishing, etc. A common
misconception is that compromised cloud services have a less severe impact than
more traditional, on-premise compromises. That misunderstanding leads some
administrators and operations teams to cut corners when it comes to the
security of their cloud infrastructure. In other cases, there is a naïve belief
that cloud hosting providers will provide the necessary security for their
cloud-hosted services.
Although many of the leading cloud service providers are beginning to build more comprehensive and advanced security offerings into their platforms (often as extra-cost options), cloud-hosted services still require the same level of risk management, ongoing monitoring, upgrades, backups, and maintenance as traditional infrastructure. For example, in a cloud environment, egress filtering is often neglected. But, when egress filtering is invested in, it can foil a number of attacks on its own, particularly when combined with a proven web classification and reputation service. The same is true of management access controls, two-factor authentication, patch management, backups, and SOC monitoring. Web application firewalls, backed by commercial-grade IP reputation services, are another often overlooked layer of protection for cloud services.
Many midsize and large
enterprises are starting to look to the cloud for new wide-area network (WAN)
options. Again, here lies a great opportunity to enhance the security of your
WAN, whilst also achieving the scalability, flexibility, and cost-saving
outcomes that are often the primary goals of such projects. When selecting these types of solutions, it’s
important to look
at the integrated security options offered by vendors.
Haste makes waste
Another danger of the
cloud is the ease and speed of deployment. This can lead to rapidly
prototyped solutions being brought into service without adequate oversight from
security teams. It can also lead to complacency, as the knowledge that a
compromised host can be replaced in seconds may lead some to invest less in upfront
protection. But it’s critical that all infrastructure components are
properly protected and maintained because attacks are now so highly automated
that significant damage can be done in a very short period of time. This
applies both to the target of the attack itself and in the form of collateral
damage, as the compromised servers are used to stage further attacks.
Finally, the utilitarian
value of the cloud is also what leads to its higher risk exposure, since users
are focused on a particular outcome (e.g. storage) and processing of large
volumes of data at high speeds. Their solutions-based focus may not accommodate
a comprehensive end-to-end security strategy well. The dynamic pressures
of business must be supported by newer and more dynamic approaches to security that
ensure the speed of deployment for applications can be matched by automated
SecOps deployments and engagements.
Time for action
If you haven’t recently
had a review of how you are securing your resources in the cloud, perhaps now
is a good time. Consider what’s allowed in and out of all your infrastructure
and how you retake control. Ensure that the solutions you are considering have
integrated, actionable threat intelligence for another layer of defense in this
dynamic threat environment.
Have a question about
the next steps for securing your cloud infrastructure? Drop a comment below or reach
out to me on Twitter at @zerobiscuit.
Researchers recently discovered a new ransomware variant
that displays an ESET
AV removal screen once launched in order to divert the a victim’s attention
from the silent encryption taking place. Initially dropped by an email spam
campaign, the payload comes as a password protected zip archive, with the
password made available in the body of the email to entice curious readers. In
addition to the ESET removal instructions, the archive also contains a
traditional ransom demand with instructions for purchasing and transferring Bitcoin.
Binance Crypto-Exchange Hacked
At least 7,000 Bitcoin were illicitly removed from the hot
wallet of Binance,
an international cryptocurrency exchange, in a single transaction. By
compromising the personal API keys and bypassing two-factor authentication, the
hackers were able to access the wallet and steal roughly $41 million worth of
Bitcoin. The complete details of the breach are still unknown.
Global Malvertiser Sentenced in US
A man operating several fake companies distributing hundreds
of millions of malicious
ads across the globe has been arrested and is facing charges after his extradition
to the U.S. For nearly five years, Mr. Ivanov and his co-conspirators created
dozens of malvertising campaigns, usually starting a new one immediately after
the previous one was flagged by a legitimate ad network. While this is not the
only case of malvertising campaigns causing chaos on the web, it is one of the
first to see actual indictments.
Robbinhood Ransomware Shuts Down Two US Cities
Both Baltimore City Hall and the city of Amarillo, Texas,
were victims of a variant of Robbinhood
ransomware this week. Following the attack,
citizens of both cities will be seeing online bill payment options temporarily
offline as they work to restore networks that were damaged or disconnected to
stop the spread of the infection. This is the second cyber attack to hit both
cities within the past year, with Potter County, Texas recovering from a
similar attack just a couple weeks ago. Neither city has released more
information on the ransom amount or when the attack began.
Freedom Mobile Exposes Payment Credentials
An unencrypted database containing millions of customer
records for Freedom
Mobile, a Canadian telecom provider, was discovered to be left freely
available to the public. While the database was secured in less than a week, the
time it was left accessible to criminals is cause for concern. The data
contained full payment card information, including essentially everything a
criminal would need to commit identity fraud against millions of people. Though
Freedom Mobile claims the 15,000 were affected, it calls into question the
practices used to store their sensitive data.
