January 6, 2020
Dark and Stormy
By Ron Comeau
While on vacation, one of our corporate officers (let’s call her Sue) was settled in for the night with her family while a storm raged outside. Sue was surprised to receive a text on her cell phone with an Apple ID verification code. Sue manages the family Apple account, so her kids need to request her permission to download anything. Sue asked her family members if any of them used her Apple account to try to download an app and they all said they had not. Thus, Sue identified the event as unauthorized access and immediately changed her Apple ID verification settings. She thought that was the end of it – just another day of thwarting cybercrime – no big deal.
A few nights later, Sue received another verification text but this time it was from Microsoft. Sue’s only Microsoft account is the Office 365 subscription that SandTech provides. She realized that someone had tried to access her SandTech account and successfully guessed her username and password! Fortunately, SandTech requires its employees to use Two Factor Authentication (TFA) so the system automatically sent her cell phone the verification code which the hacker would need to access the account. Sue contacted our System Administrator, Bob, and reported the event.
Bob quickly determined that while Sue’s account password obviously had been compromised, the account had not been successfully accessed by the hacker (thanks to TFA!). Bob disabled Sue’s account access. As a safety precaution, he also forced a one-time system logout from every device (Microsoft allows users to authorize specific devices to stay logged in for 60 days without a TFA challenge). Thus, Bob was requiring Sue (and ONLY Sue) to log into her account from each device again (cell phone, laptop, work computer, etc.).
For good measure, Bob confirmed that the system admin accounts were still safe and locked down and that no user account had system admin privileges. Bob’s actions ensured that even if a hacker successfully infiltrated a user’s account, he/she would not be able to pivot to access another user’s account or a system account. Bob re-enabled Sue’s user account and had her verify that she could connect.
The next day, Bob did an audit on Sue’s account. He verified that there had been a large number of unsuccessful login attempts on her account. However, since Sue had been on vacation, many of the unsuccessful attempts may have been caused by Sue legitimately trying to access her email from her cell phone. Bob did, however, find a couple of anomalies in Azure that seemed to confirm the hack attempt.
Lessons Learned:
- Two Factor Authentication works great! It requires a pre-arranged email address, a cell phone number to text, or a phone number to call to verify the login attempt. Since many of our employees work in locations where wireless laptops and cell phones don’t work or are not allowed, it was a challenge to set up the phone numbers for verification. However, with a little research and effort, our employees are able to receive and input the verification code while on site. The trouble is WELL worth the security TFA provides.
- A company must never, ever, EVER allow a user account to be used as a system admin account. Those roles MUST BE separated. Where possible, a company should have separate, dedicated computer systems that are used only to manage system admin accounts. By not segregating user accounts from system accounts, the company’s “crown jewels” are just one hack away from being stolen.
- Many of the larger software companies provide fantastic tools for auditing. However, they are as complex and dangerous as they are powerful. There are huge dividends for a company to invest in a security expert who can learn the auditing tools, set up a workable but secure infrastructure, and address user issues whenever they occur.
- Corporate officers are the biggest targets. Just by the nature of their positions, our corporate officers promote the company in public, hand out more business cards, and deal with external partners/vendors much more than the rest of the employees. Thus, they are routinely targeted for phishing/whaling scams. They need to be aware that they are targets and be extremely wary of unsolicited emails and links.
- Have an emergency response checklist for compromised accounts. At a minimum, companies should:
  - Force a mandatory, system-wide logout from all devices
  - Force a password reset
  - Disable the compromised user’s account until their computer system has been sanitized
  - Conduct a system access audit (e.g., with Azure) – it will tell you what systems were accessed
  - Rebuild/reconstitute the user’s account
  - Document accessed systems and, if possible, determine which files were accessed
- Avoid public WiFi access. Even if you are using a firewall, hackers can still harvest enough information about you and your account to initiate a hacking attempt. Sometimes, hackers can even capture your login credentials from a WiFi access point.
In summary, good cybersecurity preparation is the best way to avoid panic and significant loss. One should not assume that one’s network and computer defenses are impenetrable. Even the best get hacked. Rather, focusing on preparing to defend against and recover from a hack, should it occur, is the wisest application of time and money.