CIT Security Services Notification Updated July 9th 2021


The CIT Security team is sending an alert regarding a new privilege escalation “zero-day” vulnerability, labeled PrintNightmare, affecting all Windows Server systems.

At this time there is no patch available for this vulnerability; however, it is possible to disable the print spooler service that is affected by this vulnerability until Microsoft makes a patch available. Once the official patch is released by Microsoft it will be approved for installation for CIT managed customers. Managed customers who wish to have the print spooler service disabled may also make this request to the CIT Services Team.
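The interim mitigation described above, as an added example rather than a script from CIT: it reports the spooler's state, warns when the host is sharing printers, and only stops and disables the service when asked to. It assumes an elevated PowerShell session on a Windows Server host with the PrintManagement module available.

```powershell
# Added example (not CIT's own script): report the Print Spooler state on this host and,
# only when -Disable is passed, stop it and set it to Disabled as an interim mitigation.
# Assumes an elevated session on Windows Server with the PrintManagement module present.
param([switch]$Disable, [switch]$Force)

function Get-SpoolerState {
    $svc  = Get-Service -Name Spooler -ErrorAction Stop
    $mode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode
    return ('status={0} startmode={1}' -f $svc.Status, $mode)
}
Write-Host ('Spooler before: ' + (Get-SpoolerState))

# A host that shares printers is a print server; disabling Spooler there stops printing
# for every client that depends on it, so surface that before acting.
$shared = @()
if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
    $shared = @(Get-Printer | Where-Object { $_.Shared })
}
if ($shared.Count -gt 0) {
    Write-Warning ('This host shares {0} printer(s): {1}' -f $shared.Count, ($shared.Name -join ', '))
}

if (-not $Disable) {
    Write-Host 'Report only. Re-run with -Disable to stop and disable the service.'
    return
}
if ($shared.Count -gt 0 -and -not $Force) {
    Write-Warning 'Refusing to disable Spooler on a print server without -Force.'
    return
}

Stop-Service -Name Spooler -Force                 # -Force also stops dependent services
Set-Service  -Name Spooler -StartupType Disabled

# Verify rather than assume, and keep the output for the change record.
Write-Host ('Spooler after:  ' + (Get-SpoolerState))
```

Once the patch is installed, `Set-Service -Name Spooler -StartupType Automatic` followed by `Start-Service -Name Spooler` reverses the change on hosts that need printing.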

July 9th update:

As a follow-up to our previous security alert regarding the Microsoft privilege escalation zero-day vulnerability labeled PrintNightmare, Microsoft has released an emergency patch, which CIT has released effective immediately. All customers that receive CIT patching will receive this patch in the current cycle. If you have any issues or concerns, please reach out to the CIT Support desk at support@cit-net.com or 651.255.5799.

CIT Security Update July 2021

Over the last several months there has been a significant increase in attacks on the critical infrastructure of the United States. These attacks include, but are not limited to, attacks on the Solarwinds and Kaseya products. Some attacks have been linked to “State-level” actors and others are still under investigation. The attacks we are addressing today are specifically “supply chain attacks”. Other recent examples of supply chain attacks include the Colonial Pipeline cyber attack and the attack on JBS S.A., a meat processing company. The Solarwinds and Kaseya events were both very serious; however, it is worth noting these are not new. Virtually no vendor, whether commercial or open-source, is immune to attack. As an example, Microsoft recently suffered an attack on their supply chain as well.

As a trusted partner, we at CIT wanted to take a few minutes to outline a broad scope of how we protect our company and work to secure our customers.

CIT has built its security program around the NIST 800-171 security framework. This framework was used to help us define our risks and build out a governance program designed to mitigate those risks.

The NIST framework includes five functions: Identify, Protect, Detect, Response, and Recover. A few high-level examples of what that includes are as follows:

Identify.

This is the core of our security program. Our security governance program includes assessments, gap analyses, security policies and procedures, change management processes, vendor management processes, and so on.

Protect.

This includes building both administrative and technical controls to protect data, identifiable information, and all company assets. Some tools that assist with this function include using multifactor authentication (MFA), limiting access to management interfaces, continuously reviewing and remediating vulnerabilities, and building out a cybersecurity training program.

Detect.

CIT uses several tools to help detect threats and anomalous behavior, including a SIEM solution, as well as an advanced detection and response toolset from Darktrace.

Response.

As mentioned above, CIT uses Darktrace as part of our autonomous response systems, as well as a Security Operations Center to review alerts and correlate data against known and unknown threats.

Recover.

CIT uses a robust backup and restoration toolset to ensure we can continue to provide service to customers, as well as ensure our operations are minimally impacted.

Last but not least, CIT uses a third party to audit our security program to the SOC 2 Type II compliance standard.

CIT also partners with several great resources, including CISA and the FBI, in addition to our vendors. While we do not use the Solarwinds or Kaseya products that were affected by the attacks, we do still use the lessons learned to improve our posture and response capabilities.

While we covered a good deal of CIT’s security program above, CIT has also been helping secure our customers by using these same core principles. For example, we include yearly security reviews, security training, vulnerability scans, and so on in our offerings. This is by design, as we are purposely building a strong, secure core infrastructure and the foundation of a security program for our customers. While that is a great start, our customers are strongly encouraged to have detection and recovery processes and tools in place, such as Darktrace or endpoint detection and response (EDR) capabilities, as well as a secure, validated recovery solution, such as Datto.

As mentioned, CIT uses Connectwise as our core toolset. Connectwise has put significant effort into improving its security posture. Most recently it has rolled out a security page to help be more transparent about its program and roadmaps.

Best,

Todd Sorg, CISO

The State of Malware in 2021


You may have been hearing of a new term when discussing malware and ransomware known as Zero-Days.

Zero-day (or 0day) vulnerabilities and exploits are the hardest kind of attack to detect, because the vulnerability, attack, or exploit has never been seen by any security company before it is seen in the wild. These kinds of attacks often have no patches, no workarounds or remediations, and very few rule-based security toolsets can detect them. Rule-based security toolsets are things like the traditional antivirus you would run on individual devices, and a new study by WatchGuard Technologies shows these tools are no longer winning the fight against malware.

A few years back, zero-day malware represented only 30% of total detected malware. More recently that number rose to the 50-60% mark, and reviewing the most recent data, for Q1 of 2021, shows an explosion to 74%!

That means if you are relying on rule-based antivirus to stop attacks, they are missing nearly 3 out of 4 attacks. Pattern-based malware detection is no longer sufficient in today’s world. New exploits, including file-less malware and living-off-the-land techniques, can bypass these toolsets.

With traditional antivirus no longer sufficient, many companies are turning to the next generation of protection, including endpoint detection and response (EDR), network detection and response (NDR), managed detection and response (MDR), and finally extended detection and response (XDR).

Here is a brief rundown of how each can be used to help protect your business:

  • EDR: Endpoint detection is different than traditional endpoint protection (EPP) because EPP solutions focus on preventing malware before it can execute. While this is a noble goal, with a miss rate of up to 74%, it is no longer sufficient. EDR assumes that some malware will get by despite our best intentions and so instead it focuses on detecting and responding to malware that can make it onto your systems, despite your best efforts.
  • NDR: Network detection and response looks at the whole picture of how the individual endpoints on your network communicate with each other as well as with network servers to focus on unusual activity or signs of lateral movement. Often combined with machine learning, this kind of protection provides full network insight and analysis to identify threats.
  • MDR: Managed detection and response is ideal for companies that want to outsource the management of their security toolsets to experts on an as-needed basis. The focus with these tools is the additional benefits of a strong security team without the full-time security team price.
  • XDR: Combining the above toolsets with not just machine learning but artificial intelligence gets us to eXtended detection and response tools. Especially when combined with a Security Information and Event Management (SIEM) tool, XDR provides the most comprehensive security available. Visibility includes endpoints, servers, and network traffic, and XDR then adds machine learning and artificial intelligence to respond quickly and effectively to any threat seen, both on endpoints and on the network itself.

Just as your business continues to grow and mature, the cyber threats around us are also continuing to grow. Adding detection and response to your line of defenses can increase your peace of mind that your company has reduced its attack surface and increased its ability to detect, respond to, and remediate any issues that might come up.

https://cybersecurity.osu.edu/cybersecurity-you/avoid-threats/what-zero-day-exploit

https://www.darkreading.com/vulnerabilities—threats/74–of-q1-malware-was-undetectable-via-signature-based-tools/d/d-id/1341394

https://www.infradata.com/news-blog/edr-ndr-xdr-mdr/

Amazon Prime Day Phishing Scams


Ah, Prime day. The glorious feeling of scoring deals (tablets, air fryers, and clothes, oh my!). As the deals heat up for us, so do the cybersecurity threats.

In the last 30 days, over 2,300 new Amazon-related domains were registered, a 10% increase from the previous Amazon Prime Day, and the majority of them are now either malicious or suspicious.

Checkpoint

If you get any Prime Day offers by email, on your phone, or on social media, remember these three things:

  1. Look out for any misspellings on any emails, ads, and domain names. Start on Amazon.com.
  2. If you’re asked to provide additional details (e.g. your birthday or social security number) it is most likely a scam.
  3. Make sure to have a strong password created before Amazon Prime Day, and use a Credit Card instead of a Debit Card.

Last year during Amazon Prime Day, Checkpoint noted that 20% of registered domains containing the words “Amazon” and “Prime” were malicious. This year, almost half of those domains were seen as malicious, with 32% of newly registered related domains being malicious sites.

With phishing techniques constantly getting more innovative, there are newer and easier ways for victims who are shopping for the latest deals to fall for these types of attacks. Below is an example researchers at Checkpoint found:

Source: Checkpoint

Cyber criminals have created hundreds of fake domains with the words “Amazon” and “Prime” so watch out for scams during these two days!
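The two warning signs above, misspelled domain names and domains that merely contain “Amazon” or “Prime”, as an added triage example that is not part of the original post: the URL list and the trusted-domain allowlist are constructed for illustration, and the lookalike check is a plain edit-distance comparison against the brand name.

```powershell
# Added example (not from the article): triage URLs taken from suspected Prime Day
# phishing messages. The URL list and the trusted-domain allowlist are constructed here.
$trusted = @('amazon.com', 'amazon.co.uk')

$sampleUrls = @(
    'https://www.amazon.com/deals',
    'https://amazon-prime-day-2021.example/login',
    'https://amaz0n.com/verify',
    'http://prime.rewards-amazon.example/claim',
    'https://arnazon.com/account',
    'https://smile.amazon.co.uk/gp/cart'
)

# Classic Levenshtein edit distance, used to catch typosquats such as amaz0n or arnazon.
function Get-EditDistance([string]$a, [string]$b) {
    $prev = @(0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (New-Object int[] $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Test-SuspiciousShoppingUrl([string]$Url) {
    $hostName = ([System.Uri]$Url).Host.ToLowerInvariant()
    # Exactly a trusted domain, or a subdomain of one: legitimate, regardless of the path.
    foreach ($t in $trusted) {
        if ($hostName -eq $t -or $hostName.EndsWith(".$t")) { return $null }
    }
    # Brand words inside a domain Amazon does not own (amazon-prime-day-2021.example).
    if ($hostName -match 'amazon|prime') { return 'brand word in an untrusted domain' }
    # Lookalike labels: within two edits of "amazon" (amaz0n = 1, arnazon = 2).
    foreach ($label in ($hostName -split '\.')) {
        if ($label.Length -ge 5 -and (Get-EditDistance $label 'amazon') -le 2) {
            return "lookalike label '$label'"
        }
    }
    return $null
}

foreach ($u in $sampleUrls) {
    $why = Test-SuspiciousShoppingUrl $u
    if ($why) { Write-Host "SUSPICIOUS  $u  ($why)" } else { Write-Host "ok          $u" }
}
```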