Cybersecurity Week in Review: 10/12
Posted by: GuidePoint Security
One thing can be said for cybersecurity and cybercrime—it’s never without some form of drama, and this past week was no exception. With Cybersecurity Awareness Month in full swing, let’s dive in and look at some of the more newsworthy situations that showed up over the last seven days.
Dangerous Misconfigurations
A cybersecurity news outlet that specializes in vulnerability disclosure announced this past week that it had discovered a prominent digital marketing agency publicly exposing client “environmental configuration files” (.env) via a Git repository. As the primary configuration file for web applications, .env files often contain sensitive information such as application programming interface (API) keys, and database and email provider credentials.
At the core of the problem for this digital marketing company appeared to be two issues. The first was that they had stored the .env files within a Git repository, a source code store that is often accessible by numerous individuals, many of whom do not need access to API keys or usernames and passwords. The other (and perhaps more significant) issue was that the .env files were misconfigured, enabling relatively easy public access to sensitive client information. Because of the misconfiguration, the external cybersecurity researchers could access file transfer protocol (FTP) usernames and passwords, Twitter API keys, MySQL usernames and passwords, and an Amazon Web Services (AWS) access key and ID, as well as other types of API keys and database credentials.
We recently discussed corporate system vulnerabilities and the importance of proper security configurations here. For many companies, it’s hard enough to keep up with the countless application and software security patches and updates that appear almost daily, let alone scour systems for misconfigurations. In this particular instance, the cybersecurity news outlet alerted the digital marketing company to the problem. The marketing company reported that the issue had been corrected on the same day. But, as the cybersecurity news outlet reported, the significant risks associated with misconfigurations could’ve been avoided altogether by:
- Limiting access to .git and .env files
- Avoiding the storage of sensitive keys and credentials in these types of repositories
- Regularly checking online accounts for unusual activity
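One way a team can check for the first two recommendations before a commit lands is to scan any .env file for values that look like live credentials. The following is an added example written for this post, not code from the original article or from the agency involved; the key-name list, the URL-with-password pattern and the constructed sample values are assumptions, while the AKIA/ASIA access key ID prefix is AWS's documented format.

```python
import re

# Key names that, by convention, hold credentials in .env files (assumed list).
SENSITIVE_KEY_RE = re.compile(r"SECRET|PASS(WORD|WD)?|TOKEN|API_?KEY|ACCESS_KEY|PRIVATE_KEY", re.I)
# Value shapes that are recognisable on their own, whatever the key is called.
VALUE_PATTERNS = {
    "aws_access_key_id": re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$"),   # AWS access key ID format
    "url_with_credentials": re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I),
}

def parse_dotenv(text):
    # Yields (line_no, key, value); skips blanks/comments, accepts 'export KEY=...', splits on the first '=' only.
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]  # strip one pair of matching quotes
        yield n, key, value

def scan_dotenv(text):
    # Returns (line_no, key, reason) for each assignment that looks like a live credential.
    findings = []
    for n, key, value in parse_dotenv(text):
        if not value:
            continue  # empty placeholder, nothing leaked
        if SENSITIVE_KEY_RE.search(key):
            findings.append((n, key, "sensitive key name"))
            continue
        for reason, pattern in VALUE_PATTERNS.items():
            if pattern.match(value):
                findings.append((n, key, reason))
                break
    return findings

# Constructed sample .env; every value below is made up for this example.
SAMPLE_ENV = """APP_ENV=production
DB_PASSWORD='s3cr3t-example'
DATABASE_URL="mysql://app:example-pass@db.internal.example/app"
S3_UPLOADER_ID=AKIAEXAMPLEEXAMPLE01
export TWITTER_API_KEY=constructed-value
MAIL_FROM=noreply@example.com
FTP_PASS=
"""
```

Running `scan_dotenv(SAMPLE_ENV)` flags four of the seven assignments (the empty FTP_PASS placeholder and the two non-secret settings pass), which is the kind of pre-commit gate that would have caught the credentials described above.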
You can read more about the vulnerabilities detected, the companies involved and the type of data exposed in this article.
Tricking the Notorious TrickBot
In a story reminiscent of how the federal government brought down the infamous racketeer and murderer Al Capone through the use of forensic accounting and the application of tax fraud law, Microsoft set a new and significant legal precedent in a court case last week against the notorious operators of the TrickBot botnet, through the use of a detailed forensic analysis of TrickBot malware and the creative application of copyright law.
By successfully arguing in federal court that TrickBot used Microsoft’s SDK code for malicious purposes, thus infringing on the copyright, Microsoft succeeded in getting a United States federal court to grant it control of TrickBot’s various command and control servers located in the U.S. in order to shut them down. According to a blog article by Microsoft:
This court case’s significance should not be understated since previous attempts by both law enforcement and Microsoft to either halt or curtail botnet operations required evidence that the malware distributed by the botnet resulted in financial damages to victims in a particular federal jurisdiction. This, in turn, meant identifying and contacting actual victims in each jurisdiction.
With this newer approach, not only is copyright infringement easier to prove, but it is also simpler to apply since the legal tactic can be used in any United States Federal court without the added complexity of locating victims. Also, Microsoft believes that this legal approach will be applicable in many other countries with similar copyright laws in place.
Most researchers agree that this was just round one of the TrickBot takedown process, emphasizing that the initial phase was more of a “kneecapping” than an actual decapitation since TrickBot remains partially operational.
You can read more about the TrickBot takedown activities and Microsoft’s efforts here.
Calling All Security Professionals
A new research report cites the cybersecurity skills shortage as directly related to both the inability to improve IT security protection and IT security professionals’ overall attitude and professional confidence.
The survey of 5,000 IT decision-makers found that more than 80% of those interviewed cited the ability to find and retain skilled staff as either a “major” or the “single biggest” challenge in their IT security delivery. To combat the staffing challenge, respondents also reported that they were more likely to outsource their IT security, with more than 70% stating that they expected to outsource some or all of their IT security by 2022.
While the cybersecurity skills gap is a well-known and much-discussed topic within the industry, this report demonstrates that the staffing problem has further implications than simply demand outstripping supply. Survey participants stated that falling victim to a cyberattack had a notable impact on their professional confidence, making them feel significantly behind the curve when it came to a better understanding of cyber threats. And according to the study’s principal research scientist, this general frustration was directly attributable to the scarcity of skilled cybersecurity professionals.
With Cybersecurity Awareness Month in full swing, it is essential for companies and IT professionals to not only focus on threats themselves but also the necessity to promote the cybersecurity profession among students and young people, to highlight cybersecurity training and professional development opportunities, and to both cross-train and appropriately set applicant qualifications.
Additional insight into this research study can be found in this article.
Final Words
Cybersecurity Awareness doesn’t end when “Awareness Month” ends. And vigilance isn’t always the answer to every problem. As these recent news stories suggest, regulatory and legal creativity and a continued focus on successfully closing the cybersecurity skills gap can significantly impact the fight against cybercrime.
When it comes to cybersecurity, the importance of the ‘group effort’ can’t be overstated. Combating cybercrime isn’t just up to the IT security staff. Legal professionals can play a significant role in leveraging regulations to put a big dent in criminal activity. Recruiters and HR professionals can work to more broadly cast their applicant net to identify not just specific skills but also cross-functional skills. All employees can educate themselves on applying some basic and easy cybercrime awareness tips, such as not clicking on links and attachments in suspicious emails.
We all need to remember that cybersecurity is a team sport. Today’s team is made up of everyone who works for an organization—from management and sales staff to legal and HR—all committed to winning the fight against 21st-century cybercriminals.
As always, security is an action. We get out what we put into it.