Prevention is better than cure, so why do companies act so negligently?
A year ago this month, in May 2020, we commenced a research programme across all fifty US states to look at their internet security positions ahead of the 2020 US election. We had already researched dozens and dozens of breached companies and demonstrated the correlation between sub-optimal, public-facing, internet-connected domain security and breaches. The research and findings were alarming, confirming our suspicions that when security is systemically neglected, including by governments and the critical voting systems they run, breaches are the result.
By the summer of 2020 we had completed this research and even assisted the FBI after we literally stumbled, as part of this programme, across a Korean DNS within the US central Vote.gov system. In essence, the data of the majority of the millions of US adult voters could have been harvested and sent out East. No one, including the FBI, had any knowledge of this infiltration.
So what has this to do with Ransomware?
Let's consider why companies are targeted with ransomware. It is a simple case of criminal activity: gain access (infiltrate), obtain plain-text data, show the captured data to the victim, then encrypt it and sell it back. If you are a CNI or healthcare operator, a transport organisation or even a government, irrespective of your personal views, ransomware is all too frequently paid.
So the victim gets their prized possession back and vows never to get caught out again. They are out of pocket just to stand still, and sadly it does not end there. Much of the data is compromised and there are no guarantees that the data isn't marked, or that some of it isn't kept for the next attack. It is reckoned that in such cases only 8% of the data is actually returned uncompromised.
Sadly, very few organisations seemingly understand security, or the root causes of being infiltrated in the first place. The internet is always the best place to check first for security issues, as time after time such sub-optimal issues lead to being exposed, vulnerable and exploitable. It still amazes us that companies, including global leaders, regulators and even governments, do not understand the implications of being insecure at their public-facing and internet connections. The NSA and GCHQ perfected domain admin infiltration some twenty years ago, although clearly it was not in their interest to highlight the issue...
In autumn last year www.uhnj.org were in the middle of various crises, including Covid-19, and were hit with a ransomware attack. They had been remiss, overlooked or even negligent in maintaining sub-optimal and insecure domains, including the cardinal sin these days of their homepage relying upon an obsolete TLS certificate. As such, their homepage lacked authentication and data integrity and was totally exposed to numerous known attacks including hijacking, watering-holing, unauthorised access, code injection and, of course, plain-text data, the staple diet of ransomware criminals.
We wrote to the President and CEO of UHNJ, Shereef Elnahal, several times over a period of six months and urged them to deal with the TLS issue. We even resorted to adding comments on his LinkedIn articles in an attempt to gain his attention. Nothing worked, and still today UHNJ unbelievably remain Not Secure on their homepage, leaving the organisation, their patients' PII data and connected third parties, up and down stream, exposed and vulnerable. Maintaining such a position is more than negligent; it is nothing short of gross incompetence and a major contributing factor to the sector's overall insecure position, as well as the country's. Which part of NOT SECURE in the address bar do people not understand?
In May 2020 we alerted Alaska to their insecure position. We emailed and wrote several times; each went unaddressed and ignored, even though they had suffered a PII data breach the year before. On 4th December 2020 Alaska announced another breach and, once again, our research showed a continued systemic lack of remediation and insecurity across the State's domains. This week Alaska were breached again, for a third time within two years. The above screenshot from today shows the Alaska Court System maintaining a Not Secure homepage, due again to an obsolete TLS certificate.
The above internet security rating of F and 15/100 confirms Alaska's internet-connected security position, which in turn confirms that nothing has been addressed or, more importantly, improved to reduce the chances or mitigate the risks of further ransomware attacks.
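The failure mode described above, a homepage served with an obsolete (expired) TLS certificate, is something any organisation can monitor for itself rather than wait to be told about. The following Python script is an added example written for this article, not the author's tooling: it classifies a certificate's validity window in the dict format Python's ssl.getpeercert() returns, runs that over constructed sample certificates, and includes a live check that reports when browser-style verification fails, which is exactly the condition under which the address bar shows Not Secure. The 30-day warning threshold, the sample hostnames and the assessment date are assumptions for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption for this example: warn when fewer than 30 days of validity remain.
WARN_DAYS = 30


def classify_cert(cert, now):
    """Classify a certificate's validity window.

    `cert` uses the dict layout returned by ssl.SSLSocket.getpeercert()
    (notBefore/notAfter strings such as 'Jan  1 00:00:00 2020 GMT').
    `now` is a timezone-aware datetime so the result is deterministic.
    """
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    if now < not_before:
        status = "not-yet-valid"
    elif now >= not_after:
        status = "expired"        # a browser shows "Not Secure" for this
    elif days_left < WARN_DAYS:
        status = "expiring-soon"  # renew before it becomes the case above
    else:
        status = "ok"
    return {"status": status, "days_left": days_left, "not_after": not_after.date().isoformat()}


def check_host(host, port=443, timeout=5):
    """Live check of a public-facing host, mirroring what a browser does.

    create_default_context() verifies the chain, expiry and hostname, so an
    obsolete certificate surfaces as a verification error rather than as a
    parsed certificate; that error is the finding worth alerting on.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"host": host, "verified": True,
                        **classify_cert(tls.getpeercert(), datetime.now(timezone.utc))}
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "verified": False, "status": "verification-failed",
                "reason": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"host": host, "verified": False, "status": "connection-failed", "reason": str(exc)}


# Constructed sample certificates (not real data), assessed as of 5 May 2021.
AS_OF = datetime(2021, 5, 5, tzinfo=timezone.utc)
SAMPLE_CERTS = {
    "expired-homepage.example": {"notBefore": "Jan  1 00:00:00 2019 GMT", "notAfter": "Jan  1 00:00:00 2020 GMT"},
    "renew-soon.example":       {"notBefore": "Jun  1 00:00:00 2020 GMT", "notAfter": "Jun  1 00:00:00 2021 GMT"},
    "healthy.example":          {"notBefore": "Jan  1 00:00:00 2021 GMT", "notAfter": "Jan  1 00:00:00 2022 GMT"},
}


def audit_samples():
    """Return {hostname: classification} for the constructed sample set."""
    return {name: classify_cert(cert, AS_OF) for name, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, result in audit_samples().items():
        print(f"{name:28} {result['status']:15} expires {result['not_after']} ({result['days_left']:+d} days)")
```

Run on a schedule against the organisation's own public hostnames, anything other than an "ok" status from check_host is the same signal the browser gives visitors, and catching "expiring-soon" is what prevents the expired case from ever being reached.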
In a nutshell, ransomware is one of the simplest of cyberattacks: companies are easily identified by cybercriminals as having easily exploited vulnerabilities along with plain-text data, and such attacks can take just hours to set running... Insurance companies don't help. Many insurance companies also do not know what good cyber security looks like, or what is required to prevent attacks. In fact many, including some of the world's largest insurers, are totally open to being breached themselves. One only has to look at CNA, who suffered a recent attack due to having sub-optimal domain security.
Insurers are supposed to mitigate their clients' risks, not increase them, and yet this breach at CNA has made their clients more vulnerable, to the point of confirming the thresholds of ransomware payment claims...
To be perfectly candid, many companies, insurers and governments are their own worst enemies. A lack of knowledge and discipline is catching out company after company. Much of what we advocate is good basic security hygiene. Ignoring it, as Alaska, CNA, UHNJ and thousands of others who continue to act negligently have, is costing them dearly. They will suffer multiple attacks and breaches until they finally either go out of business or start ensuring the security of their internet-connected, public-facing systems. It really is that simple.
As Steve Jobs said, there is no point hiring smart people and telling them what to do. In a very similar way, as you witness breach after breach and often find you have the same insecure position, if you hire smarter or more experienced people, stop and listen. Equally, when you are alerted to vulnerabilities, the fact that you may not have requested or paid for the actionable intelligence at that point does not make its validity any less impactful. Check and then remediate. We also advocate rewarding such intelligence as you would pay a bounty for bugs; why would you refute or deny actionable intelligence, provided as part of a professional disclosure, that could prevent a full-blown breach?
Together we can vastly reduce cyberattacks and ransomware; however, we all need to work together to make the internet safe. For you, nowhere is that more important than where you connect to it...
Andrew.jenkinson@cybersecip.com