What? How? Huh?

You ever wonder how some people manage to stay in business? Like, literally? Do they honestly have their processes written down as their policies and procedures?

Repeat after me:

  1. Security by obscurity is not secure
  2. An open port on a firewall is an open port on a firewall regardless of the service
  3. NAT is not security
  4. Static WiFi passwords are not secure
  5. Local admin privileges for users is not best practice
  6. Password complexity requirements help, but don’t help if you give your password to somebody else
  7. If you don’t know what chmod 777 does, you shouldn’t be using Linux
  8. Cyber security requires layers of protection
  9. Tools that worked in 1998 are disguised as weapons today (looking at you, Sysinternals)
  10. If you don’t segment your network and protect between the edges at a very minimum, you’re going to have a bad time

Over and over again, especially now, we see where some guy on the staff decided they could open up their domain controller through their firewall so everybody could work from home. If this is you, stop.

What most people fail to recognize is the sophistication that is happening on the WWW right now. Every moment, it gets better. Every moment, it gets smarter.

There isn’t some guy sitting behind a keyboard (well, I am) who is actively attacking your network. They have applications that look at Facebook, Twitter, LinkedIn, Monster, Glassdoor, etc. They’re looking for names, titles, companies, domains, emails; anything that they can use to feed their database.

Then, their applications take that information and start figuring out ways, based on keywords (like CEO or Marketing Officer), to hit the weak points of your company. They start campaigns via email and social media against these people. Automated attacks that bombard your users, and millions of others around the world, with spam and phishing attempts.

All it takes is one.

In parallel, they’re digging through their shared resources. Scanning IP subnets. Collectively updating open ports. Collectively updating vulnerabilities in software, hardware, IoT devices, etc.

Then, when there is a correlation between an IP address, a phished credential, an open port and a vulnerability, there are yet other programs that begin actively attacking the weak spots. But just a little.

Let’s take an open RDP server. Let’s say that it lives on a multi-use server that acts as everything for a small company. So DC, File/Print, DHCP, DNS, RDP, etc. You’re sitting behind the most sophisticated firewall in existence. And you decide to do a port redirection from your public IP on port TCP/9666 to an internal port on the server of TCP/3899 via NAT.

During a routine port scan from a bad actor, they see port TCP/9666 is open on your firewall and it returns as MS-RDP. We’ll just hold on to that for a moment.

The bad actor’s software then routinely begins a brute-force attack using dictionaries against your RDP server. Randomly throwing the most well-known account/password combos at your server. This runs off and on for months or longer if you don’t catch it and stop it.

It just so happens that somebody from your company falls for a phishing attempt. They try to log in to their webmail app residing in a popular cloud service, type in their username/password, and it fails. So they try again, and it works. This is probably one of the most common ways for your credentials to be stolen.

I’ll explain. The bad actor’s software sent an email to your user saying their account needed attention. The email looked legit. The link looked legit. So they clicked it. What they didn’t realize is that the first page they hit belongs to the bad actor. It looks just like the real thing. So they put in their credentials, and when they hit submit, the page stores them in the bad actor’s database and redirects the user to the real site, where their credentials, typed in a second time, work.

What happens next is all too common.

The bad actor has an open RDP port. All they need are good credentials to log in. Suddenly, the user has provided them. Even better, the user has unknowingly provided the IP address they submitted their request from.

The bad actor’s software is built to know when this happens. User-A gave us credentials from this IP address. Do we have this IP address in our database of attacks? Why yes we do. Let’s try them. Boom. We’re in.
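The brute-force phase described a few paragraphs up and the credential correlation just described both leave traces in the Windows Security log of that multi-use server: a stream of failed logons (event 4625) from one source IP, and later a successful logon (event 4624) from that same IP. The following Python is an added example, not code from the original post, showing the defender’s side of that correlation. It assumes the log has been exported to a pipe-delimited text format (timestamp, event ID, account, source IP, logon type); that format, the sample lines, the IP addresses and the thresholds are all constructed for the example.

```python
"""Detection logic for the exposed-RDP scenario (added example).

Flags two things in a constructed Windows Security log export:
  * brute force: FAIL_THRESHOLD or more failed logons (4625) from one
    source IP inside a FAIL_WINDOW-sized sliding window
  * credential reuse: a successful logon (4624) from a source IP that had
    already been seen brute forcing, i.e. the attacker now has a working
    credential for a host it already knew was open
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp | event id | account | source IP | logon type.
# Logon type 10 is RemoteInteractive (RDP). The addresses are documentation ranges.
SAMPLE_LOG = """\
2020-04-01T02:00:01|4625|administrator|203.0.113.7|10
2020-04-01T02:00:03|4625|admin|203.0.113.7|10
2020-04-01T02:00:05|4625|backup|203.0.113.7|10
2020-04-01T02:00:07|4625|scanner|203.0.113.7|10
2020-04-01T02:00:09|4625|test|203.0.113.7|10
2020-04-01T02:00:11|4625|guest|203.0.113.7|10
2020-04-01T08:15:00|4625|jsmith|198.51.100.20|10
2020-04-01T08:15:40|4624|jsmith|198.51.100.20|10
2020-04-01T09:00:00|4624|jsmith|192.0.2.44|10
2020-04-03T02:10:00|4624|jsmith|203.0.113.7|10
"""

FAIL_THRESHOLD = 5                    # failures from one IP ...
FAIL_WINDOW = timedelta(minutes=10)   # ... inside this window count as brute force
FAILED, SUCCESS = "4625", "4624"


def parse_events(text):
    """Turn the pipe-delimited export into a list of dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src_ip, logon_type = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "account": account,
            "src_ip": src_ip,
            "logon_type": logon_type,
        })
    return events


def brute_force_sources(events):
    """Source IPs with >= FAIL_THRESHOLD failed logons in any FAIL_WINDOW window.

    A single mistyped password (one 4625 then a 4624) never reaches the
    threshold, so ordinary users are not flagged.
    """
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED:
            failures[e["src_ip"]].append(e["time"])
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits FAIL_WINDOW.
            while times[end] - times[start] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                flagged.add(ip)
                break
    return sorted(flagged)


def suspicious_successes(events):
    """Successful logons from an IP that was already brute forcing before the logon.

    Returns (iso timestamp, account, source IP) tuples in log order.
    """
    first_failure = {}
    for e in events:
        if e["event_id"] == FAILED:
            first_failure.setdefault(e["src_ip"], e["time"])
    attackers = set(brute_force_sources(events))
    hits = []
    for e in events:
        if (e["event_id"] == SUCCESS and e["src_ip"] in attackers
                and e["time"] > first_failure[e["src_ip"]]):
            hits.append((e["time"].isoformat(), e["account"], e["src_ip"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(evs))
    print("successful logons from known attackers:", suspicious_successes(evs))
```

In the sample data, 203.0.113.7 hammers six accounts in ten seconds and is flagged; jsmith’s single typo from 198.51.100.20 is not. The success from 203.0.113.7 two days later is the "we’re in" moment from the attacker’s point of view, and the alert a defender who is actually reviewing logs would see.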

Not only are they in, but they don’t need admin-level credentials to perform their attack. They can use old tools from the past to execute and deliver their payload. As is often the case, they deploy ransomware and have their Bitcoin wallet address tied to the ransom screen.

The important thing to remember here is that this all happens with ZERO intervention from the bad actor. Their software handles all of this and runs against your company and many, MANY others. It is a near-zero investment on their part, yielding a possible big payoff should somebody pay to get the keys to unlock their data.

So if you, Mr. IT Person, aren’t doing everything you can to protect your company or your client: securing the perimeter. Securing the endpoints. Following some sort of security framework. Reviewing your logs. Restricting your users. It isn’t if, it is when.

Put it in writing. Create policies and procedures to hold yourself and your team accountable. Get buy-in from your owners, from your client’s owners. Educate yourself as often as you can and put away your pride.

Somebody else IS better than you.

Somebody else IS more sophisticated than you.

The bad guys work collectively, so should you.