Comparing Zix Layered Protection With a Recent Breach

Reflecting on the recent SolarWinds breach and exploitation of the Microsoft Exchange 0-day, the associated threat actors started from the beginning of the Cyber Threat Cycle. They needed to run reconnaissance to identify the right target and instigate the initial attack.

This is key to the first part of Zix Layered Protection. Preventing the initial attack takes the least amount of resources and can save the organization the biggest headache. Further, many fail to realize that the majority of successful attacks are rooted in well-established techniques. Similar to the principles of their security counterparts, threat actors balance sophisticated techniques with ease of use. If there is an easy way to infiltrate a target, they will always go that route. The SolarWinds breach was years in the making; as sophisticated as the technique used to drop malware into the SolarWinds Orion system was, the breach almost certainly started with an email. We can make this assumption given the evidence that has been discovered.

Inside the SolarWinds breach

Reconnaissance and attacking the target

There are numerous ways to collect reconnaissance from a target to determine the right attack, and in the SolarWinds case it would appear that email was a primary research tool and ultimately the attack vector.

Points of evidence:

  • According to the SEC filing, email was a primary attack vector during the initial SolarWinds attack, and APT29 is known to launch phishing campaigns as a tactical strategy.
  • During the Malwarebytes breach, their investigation uncovered that the, “attackers leveraged a dormant email protection product within their own O365 tenant.”
  • Microsoft reported to Crowdstrike that a reseller account was being used to read emails that were linked to Crowdstrike.

Infiltrating the target and evading detection

Even with a spear phishing attack being the technique most likely used to initially compromise SolarWinds, there was still no guarantee that the threat actors would be able to move within the environment without the right privileges, or that their activities would go undetected.

Yet according to published details:

  • Hackers gained privileged access to restricted systems
  • Hackers were communicating via Command and Control infrastructure
  • Hackers were altering file systems to prevent detection

Considering these key points, an effective advanced email threat prevention and encryption solution must be part of the layered security framework.

Break the Cyber Threat Cycle Part II

Prevent the initial reconnaissance and attack with an effective advanced threat protection and email encryption solution coupled with enforcing multi-factor authentication for user logins.

97% of users are still not able to detect a sophisticated phishing attack. SolarWinds is just another reminder that email continues to be core to the Cyber Threat Cycle. It is the most difficult to secure and the easiest to exploit. While security organizations validly discuss new attack techniques and the potential of these being used, there is a never-ending list of evidence that:

  • Email is a treasure trove of reconnaissance information
  • Email attacks are very cheap for the threat actor to execute
  • Employees are no more effective at detecting a phishing attack intended to steal their credentials or malware intended to compromise their endpoint today than they were years ago.

Detect the presence of a threat actor with a security audit or monitoring solution

Highly effective email defense with a better than 99.9% effectiveness rating against phishing and malware will close 95% of your prevention gap. We are aware that threat actors will figure out other ways to get into your network, so developing approaches to protect other vectors will be necessary. However, you can quickly close this gap while evaluating other tools by leveraging a security auditing service, particularly a solution that focuses on:

  • Identifying weaknesses in user login and authentication
  • Identifying suspicious behavior related to mailbox rules and email communication

As the SolarWinds breach proved, the threat actors needed to gain access to secured development environments. In that context, monitoring for weaknesses in simple policies like regularly changing passwords, or where a user may be logging into a system from a remote location, can be a clear indication that someone not employed by the organization has made it into your network.

Furthermore, we know in every case of a major breach, when the threat actor has infiltrated the business, they must communicate to something on the outside to retrieve further instructions, files, or exfiltrate internal intelligence. Monitoring for email forwarding rules or activity such as immediately deleting sent messages on an automated basis should set off a red alert.

Therefore a security audit or monitoring tool to detect internal suspicious behavior is a must for the layered protection strategy.
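The mailbox-rule checks described above (external forwarding, automated deletion of matching mail, rules that hide messages in rarely viewed folders) as an added example, not code from Zix or CIT. The rule records are constructed inline and only loosely modeled on Exchange Online inbox-rule properties (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, MarkAsRead, SubjectContainsWords); the field names, sample mailboxes, and the `example.com` tenant domain are assumptions.

```python
"""Flag inbox rules that match common mailbox-compromise patterns (added example)."""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}  # constructed: the tenant's own domains
SENSITIVE_WORDS = {"invoice", "wire", "payment", "password", "security alert"}
# Folders users rarely open; mail moved here with MarkAsRead set is a classic hiding pattern.
HIDING_FOLDERS = {"rss subscriptions", "conversation history", "deleted items", "junk email", "archive"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: list = field(default_factory=list)     # ForwardTo / ForwardAsAttachmentTo
    redirect_to: list = field(default_factory=list)    # RedirectTo
    delete_message: bool = False                       # DeleteMessage
    move_to_folder: str = ""                           # MoveToFolder
    mark_as_read: bool = False                         # MarkAsRead
    subject_words: list = field(default_factory=list)  # SubjectContainsWords


def _external(addresses):
    """Return the addresses whose domain is not one of the organization's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def assess_rule(rule):
    """Return a list of (severity, reason) findings for one rule; empty if benign."""
    findings = []
    if not rule.enabled:
        return findings
    ext = _external(rule.forward_to + rule.redirect_to)
    if ext:
        findings.append(("high", f"forwards/redirects mail outside the organization to {', '.join(ext)}"))
    hits = [w for w in rule.subject_words if w.lower() in SENSITIVE_WORDS]
    if rule.delete_message and (ext or hits):
        findings.append(("high", "deletes matching messages, hiding the activity from the mailbox owner"))
    elif rule.delete_message and not rule.subject_words:
        findings.append(("high", "deletes all incoming mail"))
    if rule.move_to_folder.lower() in HIDING_FOLDERS and (rule.mark_as_read or hits):
        findings.append(("medium", f"buries mail in '{rule.move_to_folder}' where the owner is unlikely to see it"))
    if not rule.name.strip(" ."):
        findings.append(("medium", "rule name is blank or punctuation only"))
    return findings


def assess_rules(rules):
    """Run assess_rule over every rule and return flat report rows for an alert or audit table."""
    return [
        {"mailbox": r.mailbox, "rule": r.name, "severity": sev, "reason": why}
        for r in rules
        for sev, why in assess_rule(r)
    ]


# Constructed sample: one benign rule, one disabled rule, two that warrant review.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Move newsletters", move_to_folder="Newsletters",
              subject_words=["Newsletter"]),
    InboxRule("bob@example.com", ".", forward_to=["bob.finance@gmail-example.net"],
              delete_message=True, subject_words=["invoice", "wire"]),
    InboxRule("carol@example.com", "Cleanup", move_to_folder="RSS Subscriptions",
              mark_as_read=True, subject_words=["security alert"]),
    InboxRule("dave@example.com", "Old forward", enabled=False,
              redirect_to=["someone@partner-example.org"]),
]

if __name__ == "__main__":
    for row in assess_rules(SAMPLE_RULES):
        print(f"[{row['severity']:6}] {row['mailbox']} rule '{row['rule']}': {row['reason']}")
```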

Zix Layered Protection

Act on any suspicious behavior through containment and remediation to prevent attacker success.

As you put in place the two main components to prevent and detect malicious behavior, the third motion must be in response to what may have failed. As we’ve indicated, businesses can implement every security solution pitched to them by the hundreds of security vendors available, but Zix Layered Protection is intended to keep your security as simple as possible while maximizing your time and investment. To complete this goal, the response to the potential breach must be immediate. The goal should be to maintain business productivity even in the face of an attack. Most growing businesses may not have the time or expertise to immediately triage the incident, but they can begin their response and remediation process at no risk. Those tasks at a minimum should be:

  • Immediately remove any malicious email that may have landed within the targeted employee’s inbox.
  • Scan the targeted employee’s login activity and require any vulnerable passwords to be changed immediately (enforce MFA if disabled).
  • Immediately clear their file systems and provide the targeted employee with a clean working copy of their data.

Zix Layered Protection enables organizations to maintain productivity through Zix Backup and Recovery services. Coupled with message retraction and account lock-down, latent threats can be rapidly eliminated.

How does Zix Layered Protection break the Cyber Threat Cycle?

Zix Secure Cloud turns a complex plan into a simple operational model.

Protect

Advanced Email Encryption

The gold standard of encryption secures the email channel so that threat actors cannot hijack the SMTP conversation via a man-in-the-middle attack. With Zix’s Best Method of Delivery regardless of who the organization communicates with, business insights are fully protected from inbox to inbox.

Advanced Email Threat Protection

Today’s top attack technique continues to be advanced phishing and malware-based attacks. Zix Advanced Email Threat Protection is rated one of the most effective solutions in third-party testing:

  • Phishing Detection Rate: 99.9%
  • Threat (Malware, ransomware, etc.) Detection Rate: 100%
  • Accuracy Rate: 99.994%

With Zix acting as the first layer of defense the initial compromise is mitigated exponentially.

Azure AD Multi-factor Authentication

Relying on users to detect a phishing URL is a recipe for allowing cybercriminal access to their endpoint. By enforcing multi-factor authentication that is built into every M365 bundle, security teams can close this gap and solve the protection need.

Detect

Security Audit (Detect & Alert)

While the protection components exponentially reduce the attack surface, the risk for internal negligence does exist. Continuous monitoring and detection within Zix Security Audit adds a layer of scanning that quickly identifies suspicious activity that bypassed the security gateway. With compromised credentials being the key to establishing a foothold, being able to detect suspicious user activity such as low-end employees having administrative access, or Finance employees suspiciously forwarding work email to a personal email address becomes essential to containing the threat.

Advanced Email Threat Protection Threat Analyst Support

Combined with insights from the Zix Security Audit, customers can work directly with Zix Phenomenal Care and Threat Analyst to immediately develop and implement a mitigation strategy to stop subsequent attacks. This is a unique value-add that is essential to making Zix Layered Protection effective.

Respond

Security Audit (Detect & Alert)

Integrated within the Security Audit are actionable response steps to stop threat actors in their tracks such as locking the user out of the environment.

Advanced Email Threat Protection (Message Retraction)

An additional response step to take once a threat is discovered is to remove any trace of malicious email that may have been launched internally from the compromised account. Message retraction provides the ability to immediately reduce the risk to anyone else who may have been targeted.

Backup & Recovery

Any response goal must keep employee productivity in mind. With Zix Backup and Recovery services, even if the attacker’s goal was to corrupt corporate data or hold the data for ransom, the business has peace of mind knowing that they have a clean copy of their data to keep their business going.

Advanced Email Encryption (DLP)

Insight into what the attacker may have been after can provide an advantage in keeping this data secure. With Data Loss Prevention policies within Zix Advanced Email Encryption, security personnel are notified if an attempt is made to extract key information via email.

Enabled by Zix Secure Cloud

Zix Secure Cloud plus Azure AD Multi-factor Authentication encompasses layered protection. With these foundational pieces in place, growing businesses can focus on their productivity without being exposed to significant gaps. We recognize that the threat landscape is constantly changing and no growing business should stand still, as their business matures so will the threats targeting them. With assistance from our security partners, we can help guide you through your maturity path while keeping the strategy simple and straightforward.

Break the Cyber Threat Cycle with Zix Layered Protection Part I

Achieving robust security does not have to be hard work. However, with the multitude of ways organizations are targeted, coupled with the hundreds of security companies pitching different approaches, choosing and implementing the right security solution can be daunting.

Endpoint security vendors will highlight the many risks of bring your own device (BYOD) and the need to install security directly on the endpoint. Security awareness vendors will tell you that your people are the weakest link. Web or email gateway security vendors will recommend that securing the gateway is your best bet. Finally, a threat hunting expert will tell you it is too late because you’ve already been compromised!

What can you do?

If you evaluate your security strategy through the lens of the security vendor, they all make valid points and the need for every single solution makes sense. Unfortunately, most growing organizations have neither the money, the expertise, nor the time to implement and integrate such a complex strategy. Therefore, what is the most straightforward yet robust security strategy? To answer this question, let’s first review the Cyber Threat Cycle.

The Cyber Threat Cycle

The Cyber Threat Kill Chain or Cyber Threat Cycle was first articulated by Lockheed Martin. Many security organizations have developed their own interpretation of this kill chain, but in its simplest form cyber threat actors proceed through five major activities:

Activity 1: Identify a target

Threat actors will use a variety of methods for reconnaissance based on their mission goals to identify a target. Tactics can range from company and user profiling via LinkedIn or other social media platforms, through to conducting internet-wide vulnerability scans or snooping communication traffic via man-in-the-middle attacks. Yet, the most widely and easily accessible method has always been email. By sending a seemingly innocent email, threat actors can collect a lot of information, from the type of security gateway in place to whether the user actually exists and is willing to engage.

Activity 2: Attack the target

Once a target has been identified, the threat actors will launch their initial attack. The attack can spawn multiple steps but the end goal is the same – gain access to an endpoint or internal server. From analysis of hundreds of thousands of breaches over recent years, email has been the easiest way to gain initial entry in the majority of instances.

Activity 3: Infiltrate the target

Gaining access to a single system does not automatically result in a completed mission. Often the compromised system doesn’t have the right access to move within the organization. Threat actors will attempt to establish a foothold through a number of steps including:

  • creation of a back door
  • set-up of a connection to a command and control (C&C) server
  • download of an exploit
  • launching phishing attacks internally
  • infiltrating communication channels to extend their reconnaissance.

It’s often increasing or elevating the credentials they already have that helps establish a foothold.

Activity 4: Evade and move

Once a threat actor has infiltrated their target, they can act methodically to gain more information and evade detection. At this point, it is important to remember that the breaches that make headlines are often years in the making. The threat actor often lay dormant, closely researching their victim and waiting for the perfect time to execute the mission goal. Compromising a user’s inbox is a common technique for gaining more information about the business processes and personnel within an organization. Yet, threat actors are cunning enough to augment mailbox rules so that their presence is never detected.

Activity 5: Complete mission

The last activity is execution of the mission goal. Is the goal to exfiltrate sensitive data? Is it to force the victim to execute a wire transfer due to ransomware or a carefully crafted Business Email Compromise (BEC) attack? Is the goal to wreak havoc by corrupting the victim’s data or making it inaccessible? At this point, it is a matter of mitigating or containing the execution before the breach makes headlines.

Alignment with industry-known security frameworks ultimately should be the right approach, but to reach that point takes a heavy investment of money, personnel, and time. Further, the deeper the organization finds itself within the cycle the more business interruption will occur. With that in mind, we can begin to formulate a tactical, simple layered protection strategy that initiates a move towards a security-mature goal.

Can HIPAA Information Be Emailed?

According to the CDC: “while the HIPAA Privacy Rule safeguards protected health information (PHI), the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This information is called ‘electronic protected health information (e-PHI).’”

In order to comply with the HIPAA Security Rule you must:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information
  • Detect and safeguard against anticipated threats to the security of the information
  • Protect against anticipated impermissible uses or disclosures
  • Certify compliance

But what does this mean for those working in the healthcare industry emailing HIPAA information? Let’s start with why email communications should be secure first:

Understanding how cybersecurity and email are connected begins with a breakdown of the path that an email follows:

  1. Created by sender on their workstation
  2. Sent from workstation to sender’s email server
  3. Sender’s email server sends email to recipient’s email server
  4. Recipient’s workstation pulls the message from their server

Every time the email is sent it could be at risk of malicious interference. In addition, a copy of the email is stored on each system it travels through. Breaking that down, that means there’s a copy on:

  • The sender’s workstation
  • The sender’s email server
  • The recipient’s email server
  • The recipient’s workstation [1]

This path alone illustrates the risk a single email can pose – both in transit and at rest. So can emails be HIPAA compliant?

Emails can be HIPAA compliant, but it requires IT resources and a monitoring process to ensure that authorized users are communicating PHI in adherence with policies for HIPAA compliance for email. [2]

What IT resources and monitoring processes are available? Beyond our in-house security solution, we also recommend email encryption.

Encrypted Email

Encryption is a way to make data unreadable at rest and during transmission. CIT partners with Zix for email encryption, and Zix partners with more than 1,200 U.S. hospitals to help maintain HIPAA compliance. As cyberattacks continue to grow exponentially, Zix provides you with efficient methods to optimize your IT security effectiveness while better securing PHI in and out of your organization.

To learn more check out A Case for Email Encryption.

So now that we’ve talked about the path of an email, HIPAA compliance, and our recommended solutions we want to make sure all types of emails are secure.

What different kinds of emails need to be secure?

In the healthcare industry, it is important to avoid security risks, meet compliance standards, and secure multiple types of emails. Cybersecurity and compliance solutions should include securing:

  • In-office emails
  • Doctor-to-doctor emails
  • Personal emails
  • Mass emails 
  • Reply emails
  • Patient emails

Additional email security considerations

Start with a HIPAA Compliance Checklist or learn more about a Cybersecurity Gap Analysis for your business. Want to chat with one of our experts? Contact us here. 

  1. https://www.securitymetrics.com/blog/how-send-hipaa-compliant-emai
  2. https://www.hipaajournal.com/hipaa-compliance-for-email/

How Can I Recover Lost Data? Your Guide to Data Recovery

We’ve all been there – the moment you hit delete and the panic sets in. Data protection is a key component of IT and can be simple with the right solution. Many times the focus of the protection is to just have a backup but the real focus should be on the ability to recover. Having a copy of your data without the ability to restore it in the time required is often not discovered until it is too late. 

Your data recovery plan should start with a solution that includes:

  1. Your recovery time (how fast do I need to be back up and running).
  2. Your recovery point (how far back in time can the business afford to lose data).
  3. The ability to actually restore, tested on an annual basis.
  4. The solution should also take into account different types of recovery, from single-file recovery to entire-system or entire-site recovery.

Solutions are available that can provide reliable backups that also include offsite replication and resources that allow for recovery both locally and remotely. 

CIT is Blue Diamond Partner Status with Datto

Providing Business Computer Backup for Minnesota and Wisconsin

WHY DOES CIT PARTNER WITH DATTO?

Together with Datto, we provide Total Data Protection from IT disasters, human error, and malicious activity — making your business invincible, secure, and instantly restorable at any time.

Datto gives you complete backup, recovery, and business continuity solutions that are built for businesses of every size, regardless of infrastructure. Datto products are built specifically for the Channel with scalable storage options, predictable cloud pricing, and 24/7/365 support.

Datto products feature award-winning technology, including Datto’s purpose-built cloud, Instant Virtualization, Inverse Chain Technology™, Screenshot Backup Verification™, and End-to-End Encryption.

Datto defines innovation, once again.

WHAT ARE THE BENEFITS OF CIT BEING A DATTO BLUE DIAMOND PARTNER FOR YOUR BUSINESS?

You can expect:

  • Priority handling of support cases
  • Opportunity for more efficient ticket resolution
  • Advanced customer experience with CIT connected to a dedicated Datto Blue Diamond Support Team

Darktrace Partner of the Year 2020

Why Does CIT Partner with Darktrace as a Cybersecurity Solution?

“Darktrace provides us peace of mind, allowing us to better sleep at night because we know that our customers and our own internal systems are protected. With Darktrace Antigena constantly running in the background—on nights, weekends, and holidays—we are secured against even the nastiest zero day exploits.”

– Todd Sorg, CISO & vCIO, CIT

What is Darktrace?

World leaders in Autonomous Cyber AI

The Darktrace Immune System is the world’s leading autonomous cyber defense platform. Its award-winning Cyber AI protects your workforce and data from sophisticated attackers, by detecting, investigating, and responding to cyber-threats in real-time — wherever they strike.

Computer Integration Technologies (CIT) & Darktrace

Webinar recording on Changing Cyber: The Battle of Algorithms. Click here to view.

Computer Integration Technologies (CIT) & Verkada

Webinar recording on The Future of Physical Security: Leveraging the Cloud and AI to Secure Your Organization. Click here to view.

Darktrace is Real Intelligence in the Cybersecurity Arms Race

Technological ecosystems for businesses are growing more rapidly than ever. The majority of our business communications, transactions, and data are all stored in various clouds or exchanged online. For all their usefulness, these evolving technologies and the business systems that rely on them have become increasingly difficult to manage. If they are not meticulously maintained, they can be risky and create vulnerabilities for you and your business.

A CRITICAL ALLY IN THE CYBERSECURITY ARMS RACE

Keeping your information safe from hackers is stretching security teams beyond their capabilities. A recent report gathered input from 200 Chief Information Security Officers describing how, for years, businesses and hackers have been locked in a cybersecurity arms race. The only thing that seems to have kept pace with technological advancement is the hackers’ impressively creative and persistent dark tactics to gather your sensitive information.

The cybersecurity arms race for businesses just got a critical ally with Darktrace, the leader in behavioral cyber platforms. Darktrace adds Artificial Intelligence and Machine Learning (AI and ML) protection to an already robust and cutting-edge portfolio of CIT leading a new era of fighting cybercrime.

MAKING COMPLICATED (LOOK) EASY

While the workings of AI and ML are incredibly complicated, the role of AI in cybersecurity is quite simple: AI aggressively deciphers a user’s behavior and uses patterns to detect with lightning speed any irregularities within those patterns. By tracking and analyzing all your data and different use patterns, Darktrace cyber AI can raise alerts to address problems before any damage can be done.

Offering Darktrace is just one of the ways we provide our clients with the very best in securing sensitive data and systems. Think of Darktrace and Security Information and Event Management (SIEM) logging solutions as the two components of an airtight cybersecurity plan:

  • Darktrace is a behavioral leader in the recent innovations of Artificial Intelligence that pinpoints abnormal activity on a network and reports that information back to AlienVault.
  • SIEM logging solutions are all about compliance, securing your systems proactively to meet the technology of the day, and the hackers who threaten that technology.

CIT IS THE BEST CYBER DEFENSE FOR YOUR BUSINESS

Simply put, CIT, now armed with Darktrace AI, is the best cyber defense for your business. Whether you need to answer a compliance audit, or your business needs iron-clad cybersecurity in a rapidly changing technological ecosystem, CIT has you covered. Our new products and services are making cybersecurity technology work for your business.