Citrix, an American software company, disclosed a security breach in which hackers potentially exposed customer data. On March 6, 2019, the FBI contacted Citrix to advise they had reason to believe that cyber criminals had gained access to the internal Citrix network.
In many cases when dealing with these types of security breaches, one may never receive the full story. Usually, the only time that all of the information for a breach or other security incident has to be released is if it involves credit card information or HIPAA regulations. At least this is the case in the United States. It can be extremely difficult to get accurate numbers and information because there are not a lot of stringent requirements on what information is released and how in-depth it is. We know from a few announcements and trustworthy sources that at least part of the attack was carried out using what is called a “spray attack”. This is a slang term, and these types of attacks are becoming more and more common.
A spray attack tries commonly used passwords against many different systems simultaneously. It’s a parallel attack that uses the passwords users choose most often to see if any of them gets a hit. In fact, Cadre uses this technique on behalf of our clients when conducting a penetration test, which is a planned, simulated cybersecurity attack to see what barriers can be breached. The spray attack is starting to replace an older and slower type of attack called a “brute force attack,” where hackers guess thousands and thousands of passwords over time until finding the correct one. A spray attack does not do this. It simply takes the most common passwords that people use and throws them in like a shotgun against as many systems as it can. While this strategy might seem very basic, it works surprisingly well. Hackers using this technique usually achieve a 75% success rate.
What might surprise you most about the Citrix breach is the fact that the hackers attempted roughly a thousand of the most common passwords used by people. The results are like playing the lottery: unpredictable. The hackers may be able to log in as the CEO or they may be able to log in as the receptionist. In any case, once they get one or more logins, they’ll see what sort of rights and permissions that access gives them and will attempt to branch out from there.
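A defender's view of the difference described above, as an added example that is not part of the original article: it flags a source whose failed logins spread across many accounts with few tries each (spray) separately from a source making many tries on one account (brute force), and lists accounts the flagged source actually logged in to. The events, addresses, function names and thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed auth events (time, source_ip, user, success); not real log data."""
    t0 = datetime(2019, 3, 1, 9, 0)
    events = []
    # One guess per account across 8 accounts; the guess works for user5 (spray).
    for i in range(8):
        events.append((t0 + timedelta(seconds=20 * i), "198.51.100.7", f"user{i}", i == 5))
    # 40 guesses against a single account (brute force).
    for i in range(40):
        events.append((t0 + timedelta(seconds=5 * i), "203.0.113.9", "admin", False))
    # An ordinary user who mistypes twice, then logs in.
    for i, ok in enumerate([False, False, True]):
        events.append((t0 + timedelta(seconds=30 * i), "192.0.2.4", "alice", ok))
    return events

def detect(events, window=timedelta(minutes=10), min_accounts=5, max_tries=3, brute_tries=20):
    """Return {source_ip: {"verdict", "compromised"}}; thresholds are illustrative."""
    by_source = defaultdict(list)
    for event in sorted(events):
        by_source[event[1]].append(event)
    findings = {}
    for source, rows in by_source.items():
        failures = [(t, user) for t, _, user, ok in rows if not ok]
        verdict, start = None, 0
        for end in range(len(failures)):
            # Slide the window so it only covers failures within `window` of the newest.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in failures[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_tries:
                verdict = "spray"          # many accounts, few tries each
            elif max(per_user.values()) >= brute_tries:
                verdict = "brute_force"    # many tries on one account
            if verdict:
                break
        if verdict:
            # Accounts this source logged in to successfully: reset and review first.
            hits = sorted({user for _, _, user, ok in rows if ok})
            findings[source] = {"verdict": verdict, "compromised": hits}
    return findings

if __name__ == "__main__":
    for source, finding in detect(build_sample_events()).items():
        print(source, finding)
```

A per-account lockout counter alone would miss the first source here, because no single account sees more than one failure; counting distinct accounts per source is what surfaces it.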
What does this mean for me and my company?
There are the obvious reasons to be aware of these types of attacks. They can be detrimental in terms of costs to your company, both in monetary terms and reputation. There are also other costs such as violation of compliance standards and a hit to your security credit score. A security credit score is similar to your personal credit score. If you have two people and one has a score of 850 and the other has a 150 credit score, which of these two people has the better advantage when getting loans for a house or car? Obviously, the person with the score of 850 has the advantage. This type of scoring is now developing in the business community. Organizations can now have a reputation of how “good” their security is. How do you check your score? You can use tools to see what kind of reputation a partner or someone you plan to do business with has. If you’ve had a breach and have not publicly stated that you have security policies in place, your security credit score will be reduced. This can hinder your business in significant ways.
On the other hand, a good security posture is a business advantage. Not only do you reduce your chances of having a kind of breach that could severely damage your company, but being able to tell people that you have a good security score as an outgrowth of your proactive stance can increase your business, make better partnerships and help you become a trusted partner.
The final reason to be aware of these types of attacks is that recently there has been a trend toward fines and even personal lawsuits directed toward c-suite employees and boards of directors due to lack of due diligence and lack of care in these breaches.
The takeaway? These attacks not only make your company vulnerable, they potentially endanger your career and even your property.
How Can I Protect My Company and Myself?
Luckily, there are several things you can do.
1. Get help from a trusted security advisor. If you don't have a CISO, look into getting one. However, if you aren’t at that stage, look into getting a consultant or a virtual CISO that can assist you on the road to building a security culture and creating a mature security model.
2. Conduct a password audit.
3. If you have employees connecting remotely (and who doesn’t, at this point), implement multifactor authentication.
4. Only allow trusted source log-ins. For example, only allow remote connections from company computers.
5. Implement security awareness training. Security awareness training has the most impact for the least amount of cost. It can move your organization forward on a number of different things by improving your passwords and your security hygiene and enabling you to start analyzing and implementing frameworks for security. Find a company that will tailor these trainings to your specific needs and audiences. For example, C-suite employees often are the most targeted by hackers and also have the worst security hygiene.
6. Take into consideration the new NIST 2018 password framework recommendations, which differ dramatically from the guidelines of the past.
A good security posture is not only about being proactive about preventing a breach. You can also turn it into a business advantage that makes you more reputable. You can leverage this advantage to increase your business by presenting yourself as a trusted partner.
If you’d like to talk through any security questions or concerns, please reach out! We’d love to be of service.