Headlines abound on cybersecurity. Do these threats affect you and your firm, or do you believe these attacks “always happen to someone else?” New threats such as spear phishing, ransomware, data breaches and identity theft represent key threats to organizations which should be part of your internal control structure.



The benefits and risks associated with software-as-a-service (SaaS) and hosted applications are very different than traditional on-premises information technology, and the implications for evaluation of general computer controls are significant. Despite the enthusiasm for cloud applications, some traditional items used in an on-premises forensic investigation, like the transaction audit trail, user access logs and computer access logs, are often difficult to obtain for Cloud solutions, and may even be unavailable by the time you or your client suspect a crime. What are the top cybersecurity issues? What are the new risks associated with Cloud solutions as well as some techniques which can be used to limit these risks? What strategies can we use to manage these risks?

WHAT TYPE OF RISKS ARE THERE?

There are more new and sophisticated attacks and risks than can be enumerated in a short article. To name a few: phishing, tax-related identity theft, data breaches, ransomware, other viruses and malware, inadequate security on the Internet of Things, cyberespionage, cybertheft/crime, insecure passwords, BYOD, unauthorized data access, data stored improperly without controls, privacy and regulation, and staff engagement. What are some of the contributing factors to the scope of security concerns? Each of these are contributing factors:

• Large amounts of data to store and secure
  
• Rapid increase in mobile devices
  
• Need for any time, anywhere access to data
  
• Large number of organizations being hacked
  
• Relative risks of the cloud compared to on-premise data storage/processing
  

We could quote a broad array of statistics on data breaches, exploits and other attacks. We suggest you simply search for data breach statistics and see for yourself. The key point to remember is that whether your organization is large or small, everyone is a target. It requires a wide array of tools to protect your organization, including, but not limited to:

• Exercising due diligence in making data security decisions
  
• Choosing well-designed IT security policies
  
• Selecting hardware tools designed to mitigate threats
  
• Using software and services designed to mitigate threats
  
• Deploying strong user authentication and using multi-factor capabilities, not just user IDs and passwords
  

WHAT ARE THE ELEMENTS OF A CYBERATTACK?

We need to consider several factors that cyberattackers exploit as well as understand what must be protected to improve our cybersecurity. First, we must protect our endpoints. These are frequently the target of the attack and include individual PCs, servers, networks or cloud providers. The purpose of and endpoint attack is to control, corrupt or disable the endpoint. Attackers are looking for vulnerabilities, the weakness that permits the endpoint to be penetrated. Vulnerabilities include software flaws, system design weaknesses, insecure configurations and human errors. Attackers use malware, malicious software. There are many different types of malware and attacks often involve more than one strategy. Our organizations are attacked with a delivery vehicle: malware is delivered to victim machines through a variety of techniques from social engineering, such as phishing, to USB sticks. Finally, the method of execution (MoE) is the means through which attackers get the resources necessary including access, processing time, data, etc. to execute an attack.

Common types of malware include depositors, ransomware, backdoors, credential stealers, viruses, worms and vandalizers. For example, a few of the popular ransomware infections include CryptoLocker, CryptoWall and Locky. These types of ransomware infections are designed to hold data hostage. They have been very active from late 2013 to the present. Typically, a user opens a program on a local PC that was emailed to the user embedded in a file or accessible via a web link. The malware program installs itself in numerous places and then connects to a command and control server run by the perpetrators which gives the ransomware a public key. This key is used to encrypt all Microsoft Office files, database applications, pictures, etc., on a computer. Once data is encrypted, users are presented with an ultimatum and must pay within 72 hours or the private key (needed to unscramble the files) will be destroyed. Recent variants have been infecting Remote Data Services (RDS/Terminal Servers) and/or Citrix servers in public and private cloud installations.

Numerous CPA firms, health care entities, businesses and government agencies have fallen victim to CryptoLocker. The ransoms demanded range from $300 to $18,000. Users must pay in Bitcoin or by anonymous wire transfers. Anti-virus and anti-spam applications do not detect many variants of this threat, but some strategies such as using white listing, geofencing and other techniques have slowed down the rate of infections. However, attackers are getting smarter and choosing new methods for attack.

WHAT ARE POTENTIAL TOOLS TO PREVENT A CYBERATTACK?

There are a few defenses that have been used for some time, including a well-maintained firewall and a backup that runs almost continuously. It’s clear that a properly installed and maintained anti-virus product is the first line of defense. Signature based anti-virus products are not quite as effective as they once were. In fact, anti-virus is dead according to a Wall Street Journal (WSJ) interview with Brian Dye in May 2014. Dye is Symantec's senior vice president for information security. Symantec’s Norton antivirus suite has been at the forefront of PC security for years and has evolved into their Endpoint Protection product. Don't let the claim distract: anti-virus isn't being retired, and Dye's words reflect the new reality in anti-virus protection. Dye told the WSJ he estimates traditional antivirus detects a mere 45 percent of all attacks. Second, a properly configured firewall can help protect your network whether you are running in a public cloud or have created your own private cloud on-premise. We recommend firewalls in all business locations, and prefer business grade firewalls in homes, too. Some states have mandated encryption, like Massachusetts, and this protection is a strong third line of defense. Your fourth line of defense should be identity management, including multi-factor authentication with a product like Duo or AuthAnvil. Based on the PCI compliance regulations that went effect February 1, 2018 and requires multi-factor for some users and use cases, we are suggesting multi-factor authentication for all users. These products allow your IT team or contractor to enable a mobile phone or other method such as a token to be used to authenticate a user. Single factor authentication is something you know, like a user ID and a password, where multi-factor authentication is something you know and something you have. The broad acceptance of cell phones and the availability of inexpensive tokens plus the availability of multi-factor authentication from providers like Microsoft or Google leads us to recommend multi-factor authentication this year. Finally, and fifth, it may be time to consider Security Information & Event Management (SIEM) tools that can identify unauthorized or destructive behavior on your network.

WE ARE NOT DONE YET…

Why are the “bad guys” attacking our business and homes? The simple answer is to gain money and/or intellectual property. Another result of these attacks includes identity theft. According to the U.S. Department of Justice, identity theft and identity fraud are terms used to refer to all types of crime in which someone involves frames or deception, typically for economic gain. Essentially, someone exploiting your personal information for their personal gain is the basis of identity theft. What happens with the stolen data? A few examples from the Dark Web using the TOR network:

1. $180 USD will buy you the login information for PayPal Accounts with a $1701 USD verified balance.
   
2. Perhaps you need US Citizenship documentation. For $5000 you can have a “real” social security number, birth certificate, passport, driver’s license, etc.
   
3. Finally, you can obtain a credit card or access to a bank account with a $1500 available limit for about $100 USD.
   

There are threats beyond those identified here. Hopefully, you now understand the threats are real, and there are reasonable steps you can use to protect yourself, your family and your business.

Randy Johnston is a shareholder in K2 Enterprises, LLC, a leading provider of CPE to state CPA societies. He also owns Network Management Group, Inc., a managed services provider that provides around-the-clock support from Boston to Honolulu. Concepts for this article were extracted from the security sessions produced as part of the 2019 K2 Technology Conferences and from Johnston’s own experience working with technology at various firms in the U.S.