Craig discusses problems that businesses can face when using VPNs and why you should be looking to a Zero-trust network if you are running a business today.
For more tech tips, news, and updates, visit – CraigPeterson.com
Automated Machine-Generated Transcript:
Craig Peterson: [00:00:00] We’re seeing more and more malware-free attacks. We’re also seeing attacks that completely evade our signature-based pieces of antivirus software. If you have antivirus, you think you’re protected. You really aren’t.
Hey, you’re listening to Craig Peterson. Thanks for joining me here today.
Well, we were just talking about malware attacks declining, but what’s really happening is that they are becoming more and more evasive. That is a scary, scary world out there right now.
These hackers are no longer just using regular old viruses to try and get into your systems. Time was, the good old days, there might be a macro virus that comes in on one of your Microsoft Office documents. You might’ve gotten a virus from some software. You downloaded some free software from a warez site, but in reality, what is happening right now is the attackers are getting smarter.
Malware is designed now to completely circumvent antivirus signatures. So that signature software that you had, that you bought a few years ago, that came with your computer, that junkware that was installed, that came up and said, Hey, you need to pay for it now. You had your 30, 60, 90-day free trial. It just isn’t gonna work anymore. The antivirus signature code that you bought and paid for and have been using just isn’t going to work.
So what do you do? That’s a really good question. What is the right thing to do? Well, first of all, we’ve got to make sure that we’re no longer just using antivirus signatures. We’ve gotta be looking at the behavior of the software. There are companies out there that use whitelists. In particular, I can think of PC Matic, and I’ve got to get them on the show and talk a little bit about this. The way they do it is interesting. There are drawbacks to whitelists as well.
The way we do it is a little bit different because we’re doing it the Cisco way. We have antivirus signatures. We also have behavioral and analytics. So if it’s an old piece of malware, an antivirus signature is going to pick it up. Well, our advanced malware platforms are going to pick it up, right? That’s what Cisco does, and some others do as well.
But if it doesn’t have a signature that’s recognized, it watches its behavior, and depending on what happens with the behavior, it might do a few different things.
So for instance, this week, we got a call from a client because what had happened was they got an email that had something that was flagged as suspicious by our software. Immediately, that software was uploaded to Cisco Talos. Talos has been around a long time; they are true experts in cybersecurity. There’s a couple of hundred people that sit there and examine it. So our software automatically sent this thing to Talos to be examined.
We called up the customer and said, Hey, there’s something suspicious in your email box. We are heavily filtering all of their emails as well before it even gets into the box. They said, okay, what email was it? The subject matter was an invoice, a specific invoice. We said, look for this and this invoice and they couldn’t find it in their inbox.
Our technician had a look and said, Oh, wait a minute here.
Now what had happened is our software had automatically sent it to Talos for an examination. Talos looked at it and said, wait a minute, this is something that looks very malicious.
So it automatically puts it into a kind of a lockbox and examines it there.
It looked malicious, and so they retroactively pulled that piece of email out of that email box, all automatically. Joe, our client, had no idea. We didn’t realize it had happened either until after it had happened. But the idea is if it’s in question, they can remove it.
The way it works as well, with the anti-malware platform that we have, is that if your computer gets some of the software on it and it starts to do something malicious, we can roll your computer back. So the malicious activity might be that your computer is now starting to probe other computers or probe other servers that are there in your network. So we notice that attempted lateral spread, and our software will automatically shut off the network port that the computer is attached to. It’s just phenomenal what you’re able to do nowadays.
Now, one of the security vendors out there, WatchGuard, analyzed some of the malware attacks that were going on, and it looked at 42,000 Firebox appliances that were at customer locations worldwide.
Now, part of the reason I like Cisco is it’s using billions of data points every day to figure this out. Right.
So WatchGuard has 42,000. But they found that the devices were blocking 28 million malware samples representing 410 unique attack signatures, which is an increase. But there are all kinds of tools that are available now on the dark web for as little as $50 that can be used in attacks.
When we delve into this a little bit more and look at some of the incident report data that came out of CrowdStrike, we see some very interesting things. For the first time in CrowdStrike’s research, they found that so-called malware-free attacks edged ahead of the malware-based tools. 51 percent of the attacks that were analyzed by CrowdStrike in 2019 did not have malware.
Now, we’ve talked a little bit about this before. I go into this in quite a bit of detail in my courses, in my more advanced cybersecurity stuff, but what’s happening is the bad guys are using information that’s being harvested from the dark web.
You know how I’m always getting on your case about making sure you’re using 1Password or LastPass, right? I think it’s important. Well, part of the reason for that is you should use a different username. I don’t like websites that make you use an email address, because that’s currently insecure. But you should use a different username at every website, and for sure you should be using a different password, and 1Password is great at generating them; so is LastPass. Those are the only two that I recommend. If you’re a business, you really should be using 1Password.
The bad guys are now taking the information they find from the dark web, which is copies of your email addresses, copies of your passwords. They are using them to log in as a regular user in your network. If you have VPNs, for instance, that your business people, your employees, are using to connect, they will find the VPN through a scan, the VPN access point, or the remote desktop access that you might be providing, the old Terminal Services from Microsoft. Then they will do credential stuffing. They will try and use a username and password from your organization.
We just had this happening last week, and this was a government subcontractor. They did some work for DOD prime contractors, and there were people who were trying to use credentials that were found on the dark web to get in. It’s happening all of the time, but now they’re getting on.
They have these hands-on-keyboard methods. They’re trying to use usernames and passwords that they have found on the dark web, and they are using PowerShell. Now, PowerShell is a rip-off that Microsoft made from the Unix world, and Microsoft, of course, messed it up pretty badly, and there are all kinds of major security problems with it. Microsoft Windows was not designed with PowerShell in mind.
Nowadays you have to use PowerShell to do certain things. Microsoft has finally figured out, Oh, wait a minute. Command-line interfaces are wonderful. Maybe we should use them more. So what happens is they use PowerShell.
They start it up, and now they use it to exploit your network, exploit your systems, because it’s not a virus, it’s not a program, it’s very hard to spot, and they’ll hide files and directories, and they will use these tools like PowerShell and act just like a regular system administrator acts nowadays on a Windows machine. System administrators on Windows machines, they’re using PowerShell, aren’t they? Now, most organizations don’t have the technology to be able to differentiate between a legitimate user, a legitimate employee or contractor, and an attacker who has stolen credentials.
This is about a very, very big problem out there that’s been seen by Cisco, by CrowdStrike; Rapid7 is another one they’re using. They’re seeing hackers using valid credentials or reusing credentials from other breaches, i.e., credentials that are found on the dark web. So what do you do? How do you do this? That’s our really big question right now.
The bottom line: do not ever reuse passwords. If you’re a home user, it’s true. If you are a business, it’s true. One of the things we do for our customers, and you can do for yourself, is to go out to the dark web and search. Use tools like Have I Been Pwned, very basic tools, and see if your users’ usernames/email addresses are out on the dark web. Also, see if the password that’s associated with that account out on the dark web is still in use by them.
Just this week we found another one of our customers where one of their primary users, one of the C-level people, Paul, was using the same email address and password for the business applications as he was for one of these hacked accounts out on the dark web. So be very, very careful.
All right. I appreciate you listening to me today.
You’re listening to Craig Peterson.
Stick around. We’ll be right back.
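The breached-password check Craig describes, done the way a defender would wire it into a password-change or login hook. This is an added example, not code from the show or from Have I Been Pwned; it uses the public Pwned Passwords range API format ("SUFFIX:COUNT" lines keyed by the first five hex characters of the SHA-1) and runs offline against a constructed fixture, with the live fetch function included but not called.

```python
import hashlib
import urllib.request


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash locally; only the 5-char prefix ever needs to leave the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> breach-count map."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password shows up in breach corpora (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Network lookup: GET https://api.pwnedpasswords.com/range/<prefix>."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "credential-hygiene-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API so the demo runs without network.
# The demo password's suffix is derived locally; the counts are made up.
_DEMO_PREFIX, _DEMO_SUFFIX = sha1_prefix_suffix("password123")
_FIXTURE = {_DEMO_PREFIX: "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_DEMO_SUFFIX}:126927",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:3",
])}


def offline_fetch_range(prefix: str) -> str:
    return _FIXTURE.get(prefix.upper(), "")


def accounts_needing_reset(candidates: dict[str, str], fetch_range=offline_fetch_range) -> list[str]:
    """Hypothetical policy hook: user -> password being set; flag breached ones."""
    return [user for user, pw in candidates.items() if breach_count(pw, fetch_range) > 0]
```

Swap `live_fetch_range` in for `offline_fetch_range` to query the real service; the plaintext never leaves the host either way, and a non-zero count is the signal to force a reset.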