Earlier this month, an investigation by the FBI’s Cyber Task Force, in partnership with the Washtenaw County Sheriff’s Office and the Michigan State Police, led to Konrad Voits’ (27) guilty plea to damaging a protected computer within the Washtenaw County government computer system. Voits’ motive focused on altering the computer records of an inmate in an effort to get that inmate released early. The fact that Voits succeeded in altering a government computer system is astonishing. The thought that it can happen to your organization is terrifying! How does this happen and, more importantly, what can you do to ensure your organization and IT architecture are better prepared to handle these types of threats?
How does a security threat like this succeed?
Voits’ intrusion campaign utilized multiple techniques, from social engineering using burner phones to phishing attempts through emails and typosquatting (using a domain name very similar to the target domain). For instance, Voits registered the domain name “ewashtenavv.org”, which is extremely close to the County’s actual domain name, “ewashtenaw.org”. He did this to trick County employees into clicking on links in phishing emails that took the unsuspecting employee to a malicious website which hosted malware.
Voits also called County employees and impersonated County Information Technology employees in a social engineering campaign where he attempted, in some cases successfully, to get employees to navigate to his typosquatting malicious domain name which contained the malware. Voits also managed to obtain remote login credentials for a County employee using social engineering, and these were used to install further malware onto County systems. Ultimately, Voits gained full control over the Washtenaw County government network and computer systems. At that point, Voits proceeded to target the Xjail system, where he accessed multiple inmate records and altered at least one in an effort to get that inmate released early from jail.
How was the threat identified?
In the end, it was Washtenaw County’s careful inmate release review process which discovered the record discrepancies and alerted employees that something was wrong and that further investigation was needed to determine what happened. A third-party Incident Response company was brought in to help with the investigation, which contributed to the total reported County losses/damages of $235,488. For damaging a protected computer, Voits is now facing a maximum penalty under federal law of 10 years’ imprisonment and a $250,000 fine; sentencing is scheduled for April 5, 2018. If this can happen to a government agency, it can happen to any organization. What can you do to help your data remain secure?
Where do you even start?
There are many security controls that can be implemented to help defend against social engineering, phishing, and typosquatting threats. Below is a short list of potential counter-measure controls which may help prevent and/or detect these types of attack methods.
POTENTIAL COUNTER-MEASURE AND CONTROLS
Security Awareness Training (with particular attention to Social Engineering)
An engaging and effective Security Awareness Training program can be the difference between another day in the books or a day in the news, and not in the good way. People interacting with computer systems and applications must be able to identify when something looks fishy (phishy) and be able to look at things critically based on some valuable lessons that Security Awareness Training should cover. For example, here are some basics that should be covered in a Social Engineering Security Awareness Training program:
- How to identify the different types of Social Engineering – Phishing, Spear Phishing, Whaling, Spoofing, Phone Calls, On-site Impersonations, Tailgating, Shoulder Surfing, etc…
- What to do if some type of Social Engineering is encountered
- What not to do: no *clicky clicky*, no providing usernames or passwords, no sharing of sensitive information (personal or business), no following directions from strangers, etc.
Web Security Gateway (capable of critically inspecting suspicious or newly created websites)
A Web Security Gateway or proxy is in many cases a last line of defense against social engineering attacks such as Phishing. Many Phishing attacks will utilize domains which are very similar to their target's trusted domain; this is called typosquatting. In many cases these domains are referenced in an email through a URL which directs the user to some type of payload with malicious intent. Without a Web Security Gateway, the user's browser will utilize the default path to the Internet, which could be a direct connection to the “Internet” at large: everything, good and bad. When a Web Security Gateway or proxy is utilized, it provides a layer of separation between the end user and the Internet at large. This gives an entity the ability to inspect an Internet request before it makes it to the Internet, help determine whether a URL appears safe to browse, and allow, warn on, or even block the request.
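As an added illustration (not part of the original article or any vendor's product), the sketch below shows one way a gateway or mail filter could flag lookalike domains such as “ewashtenavv.org”. The confusable-character table, the two-edit threshold and the function names are assumptions, and the input is assumed to be the registrable domain already extracted from the URL.

```python
"""Flag lookalike (typosquatted) domains against a list of trusted domains."""

# Assumed, non-exhaustive map of character sequences that visually imitate
# another character. "vv" -> "w" is the substitution seen in this case.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]

TRUSTED = ["ewashtenaw.org"]  # the County's real domain, as named in the article


def skeleton(domain: str) -> str:
    """Lower-case the domain and collapse confusable sequences."""
    s = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, trusted=TRUSTED, max_edits: int = 2):
    """Return (verdict, matched_trusted_domain) for a registrable domain."""
    d = domain.lower().rstrip(".")
    if d in trusted:
        return ("trusted", d)
    for t in trusted:
        # Both sides are skeletonized so the comparison stays consistent.
        if skeleton(d) == skeleton(t):
            return ("lookalike-homoglyph", t)
        if edit_distance(d, t) <= max_edits:  # assumed threshold
            return ("lookalike-typo", t)
    return ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample inputs; only the first two appear in the article.
    for host in ["ewashtenaw.org", "ewashtenavv.org", "ewashtenwa.org", "example.org"]:
        print(host, classify(host))
```

A lookalike verdict is a reason to warn or block and to check the domain's registration age, not proof of malice on its own; short trusted names need a tighter threshold to avoid false positives.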
Security Information and Event Management (with Machine Learning / Artificial Intelligence)
Security Information and Event Management (SIEM) has been debated as a dead technology in the past because it is a detective tool and by the time you find out something happened, it’s too late. However, a renewed breath of life has been blown into SIEM in the form of Machine Learning and Artificial Intelligence. Keep in mind that audit logging is important on its own and is different from SIEM: audit logging is a process, while a SIEM is a technology/product/tool. SIEMs which leverage Machine Learning and/or Artificial Intelligence have the capability of ingesting and parsing audit logs from multiple sources in order to correlate relevant information based on the who, what, where, when, and sometimes how (why is harder to correlate) data from the audit logs. Using Machine Learning and/or Artificial Intelligence, SIEMs are now capable of identifying threats based on abnormal events identified within logs, can provide real-time notifications, and in some cases can block or prevent bad things from happening.
Two-factor / Multi-factor Authentication (eliminate single-factor passwords where possible)
Two-factor / Multi-factor Authentication means that an identity is required to use a combination of authentication measures to validate that they are who they say they are based on:
- Something they know, such as a username and password
- Something they have, such as a number generating token
- Something they are, which may use some type of biometrics such as a fingerprint or facial recognition
When Two-factor or Multi-factor is in use, an identity (such as a person) that tries to access a system with a username and password/PIN is then asked to input a code that was sent to their phone (for example). Multi-factor may add yet another authentication measure to this process, such as an authentication certificate on the trusted device. If any of the measures fail, access is denied. This helps to reduce the risk of password disclosure, as the password is no longer the only thing stopping an attacker from easily accessing an entity's resources.
As you can see, there are a lot of processes that can help ensure your organization is more secure. IT security will be a constant conversation and Solutions II is here to provide you with guidance. Our expertise in the area of security is constantly evolving, so don't be shy about leveraging us to bolster your security posture! If you're still looking for information, feel free to check out a data sheet on "Evolving Challenges in IT Security". Informing yourself is a great first step!
Article Referenced: https://www.justice.gov/usao-edmi/pr/ann-arbor-man-pleads-guilty-computer-intrusion-case