I don’t have specific knowledge of what happened at these organisations, but it’s a safe bet they are well run with good teams, education in place, appropriate policies and an audit process. But even so, hackers took them down.
Is there any hope for the rest of us then?
We’ve always said that you can reduce your risk, but you can’t eliminate it. You have a duty to your stakeholders to take all reasonable steps, and to keep reviewing that as the risks and challenges evolve. Our security team had a discussion about what might have happened at these two corporates. These are just speculation but it is useful to work through these items and make sure you have these covered off.
Firstly, we noticed CERT NZ put out an advisory about protecting systems from remote access vulnerabilities. That can’t be a coincidence. Organisations must make sure every connection is encrypted with a current technology – and kept up to date with the latest updates.
Secondly, ensure passwords are complex and secure. Don’t use the same password (or a variation) for everything you use. Instead, use a tool that lets you maintain unique, long and complex passwords on every site.
Then there is MFA – multi-factor authentication. Every account needs MFA. It must be mandatory on everything, If there is one thing that you do, make it MFA.
One of our guesses is that the system administrators at these sites are a point of risk. These are the people that get sent all the questionable emails and webpages to check out, so are more likely to stumble across malware and infections. To do their job, they often have ‘elevated’ rights (i.e. MASTER accounts) which give them more access, and also means that if their accounts are compromised, they can cause more harm over more systems. Finally, because they need to log in and out often, they are the ones for whom MFA is a real nuisance, so they are most likely to disable it. Our advice is to have them work normally with a more restricted user privilege and only log in with ‘admin’ rights when the task they are doing needs it, and they should lead the way with the use of MFA.
At Kinetics, we insist all our tools require MFA for access. We use a secure (SOC2 certified) password vault, and we’ve extended that so our customers can have access with our KARE Password Vault product. Our KARE for Security service is designed to add an extra layer of security to existing KARE agreements.
The law of entropy says that all systems will move towards a state of disorder. This is also true of IT and access rights. To combat that, all systems need a regular review and login accounts are no different. Decisions are made that may well be justified at the time. But weeks, months or even years later, these login accounts become a security risk. So you need to regularly review all local server accounts and passwords, all AD accounts with elevated rights and ensure every account is justified and has appropriate rights levels, and of course regularly change all passwords
What actions should you take?
- Patch your software (or use a service like KARE to ensure it is up to date and require regular reports to prove it)
- Ensure the use of strong passwords by all staff
- Make MFA mandatory for all users
- Have regular threat awareness training for staff
- Make sure users only have sufficient system access rights to be able to do their job
- Regularly review account access, rights and passwords