
Do Cyber Risks Exist in the Cannabis Industry? Part II

Moore Stephens North America is comprised of 42 member firms that provide key services across a wide variety of industries and niches. This month’s “Moore Together” is a collaboration between Karl Kispert with Grassi & Co. and Arnold Klein with Topel Forman.
 
As a new, or even a current business owner, your focus is probably on the day-to-day operational aspects.  Of course, today, the underpinnings of those operations are almost all internet/computer based and those underlying connections, while typically hidden, are critical for success.  But how do you manage and add value to your company while staying secure in today’s world?
 
Below are several recent real-world personal experiences that demonstrate today’s very real business risks and what should be considered to reduce risk:

1. We were engaged to set up networking and workstations for a newly formed billion-dollar hedge fund.  About two months into their new operations, the CFO received an email from the CEO to transfer money to a bank account—which they did.  Although the money was recovered, this demonstrates the speed with which bad actors are scanning the internet (in this case LinkedIn profiles), and then crafting emails based on the people and their roles that are publicly available in social media.

Actions to consider:
  • Staff security awareness training
  • Educate employees on the impact of social media usage and how “bad actors” use public information to target companies and craft emails
  • Set internal controls to guard against single point-of-authority for wire transfers and anything that has to do with money

2. A law firm had 20 years of case files encrypted by ransomware. Their IT team stated that the data was not recoverable.  Our IT team did recover all the data and made several strong recommendations.  There are a few lessons here including proper planning of your IT infrastructure to assess critical operational risk: vetting your IT vendor and making sure you have “versioned” daily/hourly and possibly real-time backups of all data.

Actions to consider:
  • Vet your IT vendor
  • Executable backups
  • Lock down your desktops
  • Provide multiple layers of defense

3. This third example demonstrates the fact that your business will be under attack as soon as you have internet connectivity. These are two lines from a firewall log showing packets from foreign countries scanning client networks to see if there are any points of entry. The x.x.x.x simply hides the real endpoint, as these cannot be shown for security reasons:

Alert - 103.251.109.141, 443, X1 – x.x.x.x, 25295, X1 tcp
TCP scanned port list, 53789, 14393, 2295, 48798, 57424 - Possible port scan detected
Source IP Country: Singapore

Alert - 202.43.154.162, 16286, X1 – x.x.x.x, 7070, X1 – tcp
TCP scanned port list, 8888, 8000, 9090, 8081, 8088 - Possible port scan detected
Source IP Country: China
 
These are but two lines from a single home-based firewall.  These “port scans” occur 24 hours a day, 7 days a week, looking for entry points.  The world can access you, and malicious agents will try, incessantly.  If your operations were compromised, what impact would that have on your business?  Would you be able to survive a security breach if all your systems were compromised? If some of your systems were compromised?  What would be the cost to restore services, rebuild client trust, and rebuild brand loyalty?
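
The alert entries above can be parsed and grouped per source, which turns a steady stream of scan alerts into a short list to review. The following Python is an added example, not part of the original article or of any firewall vendor's tooling; the three-line entry layout is inferred from the two entries shown, and the set of forwarded ports (443 and 8088) is an assumption for illustration.

```python
import re
from collections import defaultdict
# The two alert entries quoted above, verbatim (destination already redacted as x.x.x.x).
SAMPLE_LOG = """\
Alert - 103.251.109.141, 443, X1 – x.x.x.x, 25295, X1 tcp
TCP scanned port list, 53789, 14393, 2295, 48798, 57424 - Possible port scan detected
Source IP Country: Singapore

Alert - 202.43.154.162, 16286, X1 – x.x.x.x, 7070, X1 – tcp
TCP scanned port list, 8888, 8000, 9090, 8081, 8088 - Possible port scan detected
Source IP Country: China
"""

DASH = r"\s*[-\u2013]\s*"  # the entries mix hyphens and en dashes as separators
ALERT_RE = re.compile(
    r"^Alert" + DASH + r"(?P<src>[\d.]+),\s*(?P<sport>\d+),\s*\w+" + DASH
    + r"(?P<dst>[\w.]+),\s*(?P<dport>\d+),\s*\w+(?:" + DASH + r"|\s+)(?P<proto>\w+)$")
PORTS_RE = re.compile(r"^TCP scanned port list,(?P<ports>[\d,\s]+?)" + DASH + r".+$")
COUNTRY_RE = re.compile(r"^Source IP Country:\s*(?P<country>.+)$")

def parse_alerts(text):
    """One dict per alert; port-list and country lines attach to the alert above them."""
    alerts, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := ALERT_RE.match(line):
            cur = {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                   "proto": m["proto"], "scanned": [], "country": None}
            alerts.append(cur)
        elif cur and (m := PORTS_RE.match(line)):
            cur["scanned"] = [int(p) for p in m["ports"].split(",") if p.strip()]
        elif cur and (m := COUNTRY_RE.match(line)):
            cur["country"] = m["country"]
    return alerts

def summarize(alerts, exposed_ports=()):
    """Group by source; 'hits' are probed ports that the firewall really forwards inward."""
    by_src = defaultdict(lambda: {"country": None, "alerts": 0, "ports": set()})
    for a in alerts:
        s = by_src[a["src"]]
        s["country"] = a["country"] or s["country"]
        s["alerts"] += 1
        s["ports"].update(a["scanned"], [a["dport"]])
    return {src: {**s, "ports": sorted(s["ports"]),
                  "hits": sorted(s["ports"] & set(exposed_ports))}
            for src, s in by_src.items()}

if __name__ == "__main__":
    # Assumption for illustration: this site forwards 443 and 8088 to internal hosts.
    print(summarize(parse_alerts(SAMPLE_LOG), {443, 8088}))
```

A non-empty "hits" list means a scanner probed a port the site actually exposes, which makes that entry the one to review first.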
 
To deepen your understanding of the actions that are used and methods for defending, consider these six techniques commonly used to disrupt business operations and some possible ways to mitigate these attacks.  This is but a small subset of techniques that are used but it does provide some insight into understanding dynamics of attack and defense.
 
Bad Actors, as mentioned in last month’s article, are a worldwide diverse group of nations, organizations and individuals with many different motivations and immediate access to anything connected on the internet.  They do tend to use published sets of attacks and toolsets.
 
The vulnerabilities below are very common and relatively basic.  The goal is to give thought to these types of attacks and consider how someone could compromise your business, and then determine which actions or investments can provide an effective countermeasure.
 
MITM – Man in the Middle – Can be a physical attack: someone has placed a device in your environment and monitors your every keystroke, or is intercepting your Wi-Fi at your place of business or while you’re travelling with your laptop.
 
DOS – Denial of Service – Your company website is bombarded with so many requests that it is no longer able to respond and therefore shuts down.
 
Phishing & Spear Phishing – Phishing is the sending of indiscriminate emails to a broad group of people hoping that someone will click on a link.  Spear Phishing is targeted.  The hacker is using something personally identifiable about you or your company to elicit information or an action.

Bad guys are clever and getting more and more attuned to our language and customs.  The days of receiving a poorly written email from Nigeria asking for money, while still present, are going away.  Crafted emails and voice calls by people trained in this area are on the rise.
 
Data Exfiltration – A hacker has managed to insert malicious software into your environment via a phishing attack. They may very well start probing your network and copy data off your computers and onto their computers.
 
Ransomware – As mentioned earlier, this is malicious software—typically via email—that encrypts all the files on the current user’s computer and will more than likely start scanning your network for other target computers/servers in order to encrypt their files as well.  The attack typically leaves a file informing you of what happened, how much they are asking for to decrypt the files and a link with instructions on how to pay via Bitcoin or another crypto-currency.
 
Cryptomining – Crypto-mining is relatively new.  It is the use of your desktop/laptop’s internet browser (Chrome/Firefox/Microsoft Edge) to steal a small portion of your computer’s CPU cycles to acquire a Bitcoin or Monero coin.  Your computer alone is minuscule, but hundreds or thousands of compromised systems can be financially rewarding to bad actors.  You will see a decrease in your computer’s performance.  There are also reports of IT and non-IT people setting up computers on company premises to make use of the “free” electricity to perform their own crypto-mining on the company dime.
 
So what are the defenses to these attacks?  Many of these attacks can be mitigated by simple good IT practices and the suggestions here are by no means conclusive. However, they do provide an understanding of the thinking associated with defending against each of these attacks.
 
MITM attacks can be challenging, but designing your network with an alerting system that warns when devices are connected to it is one way to defend against MITM.  Also, when at a public Wi-Fi location, using VPN (virtual private network) software to obfuscate your local connection to the Wi-Fi access point greatly increases your security.
 
DOS – Denial of Service – If you are going to have a public-facing internet presence, it is important that you host the website with a reputable company that understands DOS (Denial of Service) attacks or uses a service like Cloudflare.com that can deter them.
 
Phishing and Spear Phishing—it is critical that your company culture become aware of these attacks and receive awareness training so they understand the consequence of their social posts and how they can be used against them and the company.
 
Data Exfiltration – This area is challenging, but it can be countered by observing data trends, e.g. seeing more data moving out of an HTTP/HTTPS session than in, or by software designed to encrypt all files tied to an access control list.  This is a critical design element in segmenting data and setting user rights and permissions.
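
The "more data moving out of an HTTP/HTTPS session than in" check can be run over flow records exported by a firewall or proxy. The following Python is an added example, not code from the original article; the record layout, the sample flows (constructed, using documentation address ranges) and both thresholds are assumptions to be tuned per network.

```python
from collections import defaultdict

WEB_PORTS = {80, 443}
# Constructed flow records: (internal host, remote address, remote port, bytes_out, bytes_in).
# Remote addresses come from documentation ranges (RFC 5737) and are not real endpoints.
SAMPLE_FLOWS = [
    ("10.0.0.21", "198.51.100.7", 443, 48_000, 2_300_000),     # browsing: mostly download
    ("10.0.0.21", "198.51.100.7", 443, 61_000, 3_900_000),
    ("10.0.0.34", "203.0.113.50", 443, 412_000_000, 950_000),  # large upload to one remote
    ("10.0.0.34", "203.0.113.50", 443, 388_000_000, 870_000),
    ("10.0.0.40", "192.0.2.15", 80, 9_000, 4_000),             # small form post: under the floor
    ("10.0.0.40", "192.0.2.99", 22, 700_000_000, 1_000_000),   # not web traffic: out of scope here
]

def outbound_heavy(flows, min_out_bytes=50_000_000, min_ratio=1.0):
    """Return (host, remote, bytes_out, bytes_in, ratio) where more web data left than arrived.

    Flows are summed per (host, remote) so an upload split across many sessions still adds up.
    min_out_bytes and min_ratio are illustrative thresholds (assumptions), not recommendations.
    """
    totals = defaultdict(lambda: [0, 0])
    for host, remote, port, out_b, in_b in flows:
        if port in WEB_PORTS:
            totals[(host, remote)][0] += out_b
            totals[(host, remote)][1] += in_b
    findings = []
    for (host, remote), (out_b, in_b) in totals.items():
        ratio = out_b / max(in_b, 1)  # avoid division by zero on one-way flows
        if out_b >= min_out_bytes and ratio > min_ratio:
            findings.append((host, remote, out_b, in_b, round(ratio, 1)))
    return sorted(findings, key=lambda f: f[2], reverse=True)

if __name__ == "__main__":
    for finding in outbound_heavy(SAMPLE_FLOWS):
        print(finding)
```

Expected bulk uploads, such as offsite versioned backups, will also show up here and should be allow-listed by destination.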
 
Ransomware – Defending against Ransomware is a multi-pronged defense.  Good multi-level antivirus, limiting users’ local admin rights and offsite versioned backups are viable solutions.
 
Cryptomining – Most web browsers are starting to identify and incorporate anti-crypto-mining elements into their software.  If you have a firewall capable of blocking the data mining websites, that is another good defense.  In addition, reporting desktop CPU cycles to a central management server would provide an alert.
 
These are a limited set of attacks and countermeasures.  There is quite a lot more, which raises the questions: where do you start?  How do you scale?  How do you manage the IT Security process?  How does this fit into my overall business strategy?
 
That’s where Security Frameworks come into play.  They provide a foundation for thinking, strategizing and implementing a long-term security defense.  If you become more aware after reading these two articles, then our goal has been met.  Today an entire organization must take responsibility for secure and safe cyber practices—not just IT anymore. 
 
To learn more about the cyber risks associated with the cannabis industry, please contact Karl Kispert with Grassi & Co. or Arnold Klein with Topel Forman.
 
We’re great alone, but we’re “Moore Together!” If you would like to collaborate with other members, or if you have a topic you would like to address, please contact Laura Ponath.
 
About the authors:
Karl Kispert is the Cyber and Information Security Principal at Grassi & Co., the 70th largest accounting firm in the US specializing in auditing, tax, technology, and business consulting services. Grassi & Co. has offices in New York City, Long Island, White Plains, NY, and Park Ridge, NJ as well as internationally through its association with Moore Stephens International. He can be reached directly at kkispert@grassicpas.com. www.grassicpas.com.
 
Arnold Klein is the Founding Partner/Member of Topel Forman Information Services, LLC, a Chicago-based information technology firm providing IT guidance, design, implementation and support for small and mid-sized businesses. He can be reached at arnold@tfisllc.com, www.tfisllc.com.