How Not to Get Phished

Filed under: Blog

Phishing remains one of the most popular avenues of attack for cybercriminals. Yes, zero-day exploits sometimes help them strike gold. But the bread-and-butter front-line troops of cybercriminal gangs are phishers of men and women.

It is rumored that in some regions these scammers work in office buildings, much like regular employees in the workaday world. They clock in at 9 AM, enjoy the office banter, gather round the water cooler, maybe even get some employee benefits, and clock out at 5 PM. The only difference is that their job descriptions revolve around phishing and hacking. Some devise campaigns while others work on areas such as researching phishing success rates, finding the best potential targets, composing new subject lines for emails, inserting malware into attachments and URLs, setting up fake websites, cold calling people, sending text scams, and trawling through social media to glean valuable data on high-value targets. This could be characterized as the ugly stepchild of modern marketing. They work hard to trick you. Some are really good at it.

Hot Phishing Subject Lines to Watch Out For

The latest report on phishing from security awareness training vendor KnowBe4 lays out the top email subjects clicked by users in the simulated phishing tests they conduct, the top attack vectors, and popular phishing email tactics.

Bottom line: Phishing via email continues to be one of the most common and effective methods to maliciously impact users and networks. The report lays out the ways in which cybercriminals constantly refine their strategies and how this helps them to keep outsmarting end users. They regularly review the click rates of their email subject lines. If the numbers dip sharply, they change the campaign or the topic. They are always looking at the headlines for something that will grab user attention to lead to an inadvertent click.

Most recently, phishers have focused on business-related email subjects as being the most fruitful. That’s why you are seeing so many fake messages about HR, IT, management issues, as well as subject lines about web services such as Google and Amazon. A big surprise in this year’s KnowBe4 report is that nearly 50% of email subjects were about HR matters. The rest were primarily on career development, IT issues, and notifications about work projects.

Users have grown accustomed to receiving regular emails from HR telling them to do this or that, comply with X, or complete Y by the end of the week. Scammers know this. They send genuine-looking emails about fake HR subjects (and sometimes they even hack into corporate email systems and send these phishing emails from an actual HR user account). Users tend to open these emails, and a good number click on the attachments or links. This either directly infects their systems or fools them into entering login and other personal details.

What Users Need to Do to Minimize Phishing Impact

Here are some steps to avoid falling prey to phishing scams:

  1. Institute regular security awareness training to keep users up to speed on the latest tactics used by scammers.
  2. Simulate phishing attacks to measure users' tendency to click on malicious links and attachments.
  3. Conduct regular scans of all endpoints on the network to locate vulnerabilities, weak points, unpatched systems, and misconfigurations.
  4. Deploy an automated patch management system to ensure all endpoints are properly patched.

Syxsense Enterprise delivers real-time vulnerability monitoring, automated patch management, instant remediation for all endpoints, IT management, Mobile Device Management (MDM), and zero trust capabilities across your entire environment. Breaches can now be detected and remediated within one endpoint solution. It can scan for all vulnerabilities on any device, block communication from an infected device to the internet, isolate endpoints, and kill malicious processes before they spread. It automatically prioritizes and deploys OS and third-party patches to all major operating systems, as well as Windows feature updates. IT and security teams can use Syxsense Enterprise to collaborate on the detection and closing of attack vectors. It offers management, control, and security for any and all desktops, laptops, servers, virtual machines, and mobile devices.

For more information, visit: www.Syxsense.com


Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.


Education Sector Remains a Major Target for Ransomware Attacks

Filed under: Blog

The education sector has been in the crosshairs of cybercriminals for years. If anything, it is getting worse. According to a study by Comparitech, almost 1000 schools were affected by ransomware in 2021, impacting about a million students. Total price tag? Estimates put the cost to education institutions at around $3.5 billion in downtime alone, not to mention the ransomware payments themselves.

In many cases, the ransom is paid. Otherwise, schools and colleges face days or weeks of shutdowns, often at critical periods such as exams or enrollment for the new year. In some cases, these attacks are fatal. Lincoln College, attacked in late 2021, has now permanently closed its doors due to fallout from the attack, which led to a lack of enrollments. To make matters worse, the college paid the ransom.

Ransomware payouts from educational institutions vary widely. They range from $100,000 to as much as $40 million. Hackers typically do their homework in advance and have become skilled in knowing the means of the institution and the business impact of being shut out of systems. They set their ransoms accordingly.

Further tactics include double-extortion attempts: hackers encrypt systems and demand a fee to hand over the decryption key, but they also threaten to post sensitive data online. This double-whammy treatment has been meted out to the likes of Broward County Public Schools, Clover Park School District, Somerset Independent School District, Union Community School District, and the Affton School District. Top targets include New York, Texas, Florida, and Arizona.

Vice Society

The most recent headlines about school cybercrime have centered around a threat group known as Vice Society. It specifically goes after K-12 school systems. It successfully breached the LA County Unified School District (LAUSD) in September 2022. Timed to disrupt the district at the beginning of the academic year, the attack impacted around 640,000 students, and the hackers hoped to extort funds on the strength of that disruption.

Vice Society targets schools as they are thought to be relatively soft targets. As well as being more likely to pay a ransom due to possessing a strong desire to serve their students, they are also not known to have strong security.

At LAUSD, Vice Society exfiltrated 500 GB of personal information. They asked for a ransom and threatened to leak sensitive personal data to the public. In this case, the school district decided not to pay up. They reasoned that a) there was no guarantee the hackers wouldn't leak the data anyway and b) the money could be put to better use by funding student needs.

That is part of a growing trend. While some organizations continue to pay ransoms, many others are now refusing to do so.

Schools Need Help

Educational institutions have been late to the cybersecurity party, as their focus is always on attending to the needs of their students. Recent events have forced them to pay more attention to security. However, it is not their core competency.

Thus, schools are encouraged to seek outside help in combating cybercrime. Vendor-based Software-as-a-Service (SaaS) security offerings are widely available. Alternatively, managed security service providers (MSSPs) can provide robust security safeguards that combat ransomware, safeguard systems, and free up the IT departments within educational bodies to focus on tools and systems that serve an educational purpose.

Syxsense Enterprise offers the educational sector real-time vulnerability monitoring, automated patch management, instant remediation, and IT management across all endpoints on one console. It can scan for all vulnerabilities on any device, block communication from an infected device to the internet, isolate endpoints, and kill malicious processes before they spread. In addition, it can automatically prioritize and deploy OS and third-party patches to all major operating systems, as well as Windows 10 and 11 feature updates. It offers peace of mind for any and all desktops, laptops, servers, virtual machines, and mobile devices. Syxsense Enterprise is also available to MSPs via our MSP Partner Program.


Managing the Endpoint Vulnerability Gap: Key Findings

Filed under: Endpoint Security

Syxsense is pleased to be a sponsor of Enterprise Strategy Group's latest survey on the Endpoint Management Vulnerability Gap. Respondents to this survey included IT and cybersecurity professionals involved with endpoint management and security technologies and processes. These professionals work for companies with 100 employees or more and cover a variety of industries.

The objectives of this research are to:

  • Identify challenges, strategies and trends in endpoint management and security
  • Determine if and how endpoint management and security functions and systems are converging
  • Highlight opportunities for improving endpoint management and security fueled by functional convergence

Fill out the form below to get your copy of the eBook.

Password Managers: To Use or Not to Use

Filed under: Blog

A series of recent incidents has led to debate concerning the value of password managers.

  • PayPal sent out breach notifications to thousands of users who had their accounts accessed through credential stuffing attacks that exposed some personal data. Some linked the attack to password reuse across systems. As many people use the same password on multiple accounts, they run the risk of their accounts being breached by bad actors who compromise one account and use that same password to enter other systems used by the victim.
  • Credential stuffing attacks are becoming more common. Attackers use bots to attempt thousands of logins a second.
  • The popular password manager LastPass has been hacked multiple times over the past year or two. This has people wondering whether they should use such a tool at all.

So, should you use a password manager or not? The short answer is yes, they need to be used. Why? According to KnowBe4, the average user accesses more than 170 different sites and services. Each one needs a password. This number may seem excessive. But take a moment to add it all up. Every bank account, all the work-related sites, social media, Amazon and other cloud services, travel sites, hotel sites, and on and on. (I added mine up and came up with over 200 logins). That’s part of the problem. What do users typically do to cope with this ridiculous number of passwords? They reuse passwords over and over and that opens the door to more widespread breaches.

When password policies are strictly enforced, users are forced to change their passwords every quarter, and in recent times have had to move from six characters to eight, then ten or more. They have also been required to add capitals, numbers, and symbols. What is the user response? The average person without a password manager has fewer than 10 passwords (or password patterns) that they use across all the sites they deal with.

To make matters worse, many of these passwords are relatively weak. They can be broken quickly using brute force techniques. The consequence? If a hacker breaks one password, they can try it in many other places. Perhaps they only compromise Facebook at first. From there, however, they can try bank account logins using the person's email address and preferred password. They often strike gold. Crypto accounts, Amazon, and work accounts are also exposed to attack.
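The credential stuffing pattern described above (bots trying reused passwords against many accounts at speed) is something a defender can spot in authentication logs. This added example, which is not from the original post or from Syxsense, runs a simple sliding-window heuristic over constructed login-audit lines; the log format, thresholds and IP addresses are all assumptions made for illustration.

```python
"""Credential-stuffing detector over constructed login-audit lines.

Added example, not from the original post. The log format is invented:
"<ISO8601 timestamp> src=<ip> user=<name> result=<ok|fail>".
Heuristic: a source that fails against many *distinct* usernames inside a
short window behaves like a stuffing bot; any success from such a source is
an account whose password has probably been reused and should be reset.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

WINDOW = timedelta(seconds=60)   # sliding window length (assumed)
FAIL_THRESHOLD = 5               # failures inside the window (assumed)
DISTINCT_USERS = 4               # distinct usernames among those failures (assumed)


def parse(line):
    """Parse one audit line; return None for lines in an unexpected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }


def detect(lines):
    """Return (flagged_sources, compromised_accounts).

    flagged_sources: {ip: failure count at the moment it was first flagged}
    compromised_accounts: {username: ip} for successes from a flagged source
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user, ok), oldest first
    flagged = {}
    compromised = {}
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        q = recent[ev["src"]]
        # Drop events that have fallen out of the sliding window.
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        q.append((ev["ts"], ev["user"], ev["ok"]))
        fails = [e for e in q if not e[2]]
        users = {e[1] for e in fails}
        if (ev["src"] not in flagged and len(fails) >= FAIL_THRESHOLD
                and len(users) >= DISTINCT_USERS):
            flagged[ev["src"]] = len(fails)
        # A success from a source already behaving like a bot means the
        # stuffed credential worked: treat that account as compromised.
        if ev["ok"] and ev["src"] in flagged:
            compromised[ev["user"]] = ev["src"]
    return flagged, compromised


# Constructed sample: 203.0.113.7 sprays reused passwords across many
# accounts; 198.51.100.2 is a legitimate user who mistypes once.
SAMPLE_LOG = """
2023-01-10T09:00:00 src=198.51.100.2 user=alice result=fail
2023-01-10T09:00:04 src=198.51.100.2 user=alice result=ok
2023-01-10T09:00:10 src=203.0.113.7 user=bob result=fail
2023-01-10T09:00:10 src=203.0.113.7 user=carol result=fail
2023-01-10T09:00:11 src=203.0.113.7 user=dave result=fail
2023-01-10T09:00:11 src=203.0.113.7 user=erin result=fail
2023-01-10T09:00:12 src=203.0.113.7 user=frank result=fail
2023-01-10T09:00:12 src=203.0.113.7 user=grace result=ok
2023-01-10T09:00:13 src=203.0.113.7 user=heidi result=fail
""".strip().splitlines()

if __name__ == "__main__":
    srcs, accts = detect(SAMPLE_LOG)
    for ip, n in srcs.items():
        print(f"rate-limit/block {ip}: {n} failures across distinct users")
    for user, ip in accts.items():
        print(f"force reset and review {user}: success from stuffing source {ip}")
```

Real stuffing bots rotate source addresses, so a per-source threshold like this one is a first signal; pairing it with a global failure-rate baseline and MFA on the login interface is what actually blunts the attack.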

Password Manager Failings

Password managers, then, should be used. They provide strong, random passwords that are different for every site or service. Unlike eight-character passwords that can be cracked via brute force in short order, these passwords are unguessable by any known technology. But as the LastPass hacks made clear, password managers are not infallible. Those that store your passwords in the cloud are especially susceptible to attack. Those that store them locally, on the device where you use the password manager, are better. Yet there remains a single point of failure on that local machine. If the bad guys gain access to it, they can get inside the password manager if the user leaves it unlocked. That allows them to see stored passwords and export them. Users are advised to configure password managers to lock automatically after a very short time.

Keyloggers can also be employed to steal the master password used to access a password manager. A good way around this is to require multi-factor authentication to unlock the password manager, such as receiving a code by text on your phone.

And like any software or system, password managers contain software vulnerabilities. Attackers can use these to access or exploit password managers, sometimes even when they are locked. Vendors issue patches to fix these exploitable bugs.

Lack of encryption can be another weakness. Choose password managers that use strong encryption of stored passwords, logon names, URLs, and other sensitive data.

There are many other ways that hacking can occur. But like any other online system, the basics still apply:

1. Use a reputable password manager that applies the safeguards noted above.

2. Include multifactor authentication as part of the login process.

3. Update all password managers with the latest fixes and patches to keep them secure.

4. Include password managers in vulnerability scans to ensure no weaknesses are left undiscovered.

5. Keep systems in general fully patched and up to date. Password managers employ browser extensions and interface with other systems. Those other systems and extensions need to be patched, too.

Syxsense automates the process of installing patches, performing vulnerability scans, and remediating any issues found.


Who is Being Victimized by Cybercrime? And Should You Be Worried?

Filed under: Blog

There is so much news about cybercrime that you might get the idea that it is happening to everyone everywhere, to all organizations of all sizes and across all industries. Certainly, there is some truth to the statement that all are at risk. But it remains a generality.

Orange Cyberdefense’s Security Navigator 2023 report makes it clear that specific industries, company sizes, and architectures are far more likely to be targeted and breached than others. So, should you be worried? Let’s take a closer look at the areas that pose the most risk, and the targets cybercriminals are most likely to go after.

Most Likely to Be Victimized

The report delivered insights from around 100,000 incidents worldwide. Here are the major findings:

  • Asia and Europe are surging as hot cyber-extortion destinations, but North America remains a key target. From 2021 to 2022, an increase was observed in the number of victims from Europe (+18%), the UK (+21%), East Asia (+44%), and especially the Nordic countries (+138%). North America, too, remains heavily attacked, but a little less so than before: 2022 showed the USA down by 8% and Canada by as much as 32%.
  • Small businesses are under the gun. The study found that 4.5x more small businesses fell victim to cyber extortion than medium and large businesses combined. This indicates a clear shift in tactics by cybercriminals, who have noted the lax defenses that often exist in the SMB sector. That said, large businesses can't rest easy. In terms of sheer volume, they suffered by far the most attacks, and were also the most heavily impacted when they did get breached.
  • The manufacturing sector is in danger. The report found that manufacturers were the most likely to fall victim to cyber-extortion. It attributed this to poor IT vulnerability management among large manufacturers and the fact that they often rely on legacy infrastructure. As a result, they possess a lot of non-IT operational technology (OT) systems that are rarely as well secured as IT infrastructure.
  • Malware was the most prominent attack vector, appearing in 40% of all incidents processed. Network and application anomalies were the second highest incident type but dropped in frequency from 22% down to 19%.
  • 47% of all security incidents detected originated from internal actors. Whether deliberate or accidental, insider threats are growing. As well as sheer malice, this can be due to misconfiguration, unpatched systems, or other errors made within companies.
  • Criminal groups are evolving fast. Of the top 20 actors observed in 2021, 14 are no longer in the top 20 of 2022. After Conti disbanded in Q2 2022, Lockbit2 and Lockbit3 became the biggest cyber extortion actors in 2022 with over 900 victims combined.

How to Avoid Becoming a Victim

The report laid out a series of key steps that organizations can take to ensure they do not land on the naughty list (also known as the cybersecurity victims list):

  • Implement multifactor authentication (MFA) on authentication interfaces.
  • Frequently back up business-critical assets and complement this with offline backups.
  • Test the integrity of these backups regularly by restoring critical functions.
  • Implement or upgrade endpoint protection and anti-malware systems.
  • Install defenses against Distributed Denial of Service (DDoS) attacks.
  • Configure firewalls and other perimeter equipment to allow only the minimum of outbound traffic to the internet.
  • Monitor outbound traffic closely for anomalies.
  • Identify trust boundaries and implement tight controls for services and users that want to cross into those zones. Least privilege and Zero Trust concepts apply here, as does network segmentation.
  • Identify and patch any internet-facing technologies, especially remote access such as VNC and Microsoft RDP, secure remote access such as VPNs, and other security technologies such as firewalls.
  • Practice continuous vulnerability management.
  • Prioritize patches based on whether vulnerabilities have known working exploits. This applies to infrastructure as well as end-user software and devices. Internet-facing services with known vulnerabilities must be patched.

Syxsense Enterprise takes care of the last three points while providing a Zero Trust framework. It offers automated patch testing, deployment, and prioritization, as well as continuous vulnerability scanning, mobile device management (MDM), IT management, and automated remediation.


Sloppy CVE Handling Could Mean It's Time to Update Your CV, Unless You Bring in an MSP

Filed under: Blog

There are hundreds of Common Vulnerabilities and Exposures (CVEs) in existence, some more serious than others. All need attention, yet many organizations have gotten sloppy about how they take care of CVEs. Some take months to deploy the urgent patches covered by CVEs. Sometimes it can take years. In a few cases, organizations have unresolved CVEs that are more than a decade old.

Those in IT and cybersecurity who are guilty of ignoring or taking far too long to remediate CVEs are advised to either update their CVs and resumes and start sending them out, or bring in an MSP that can completely take care of patch management and vulnerability management. It is the easy way to ensure no CVEs are left unaddressed anywhere in IT systems.

CVEs in Neglect

Let’s take a look at some of the important CVEs that are largely neglected in many organizations. These are only a few examples out of many that could be lurking:

CVE-2018-13379, FortiGate VPNs: The CVE identifier includes the year of release. This one from 2018 is still being exploited despite regular alerts being issued about it. Advanced Persistent Threat (APT) groups continue to use it in attacks. It is such a severe risk that anyone using this VPN without the patch deployed should assume they are now compromised and begin incident management procedures. Remediation steps include removing these VPNs from service, returning them to factory default settings, reconfiguring them, installing all patches, and, once done, returning them to service. An upgrade to the latest FortiOS version is also recommended. A further step is to scan all hosts and networks that are in any way connected to the VPN and look carefully for any signs of malicious activity.

There are also several high-priority patches from 2019 that are often unpatched in enterprise systems:

CVE-2019-19781, affecting Citrix NetScaler and dating from 2019, has been used to compromise, among others, an Australian defense database.

CVE-2019-11510 relates to Pulse Secure Connect. It can result in arbitrary file disclosure and leaks of admin credentials. This one has been used in attacks via VPNs and by nation-state actors.

CVE-2019-3396 for Atlassian Confluence is a remote code execution bug.

CVE-2020-0688 affects Microsoft Exchange. Dating back to early 2020, it leaves server data unencrypted and open to attack. Nearing its third anniversary, it remains a potent vulnerability for the bad guys to exploit.

This is just a partial list. Others from 2019 that are deemed serious include CVEs related to a Cisco router, Oracle WebLogic Server, Kibana, Zimbra software, and the Exim SMTP mail server. When you factor in the CVEs from 2020, 2021, and 2022, the list is very long indeed.
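The neglected CVEs listed above, together with the earlier recommendation to prioritize patches by whether a vulnerability has known working exploits, reduce to a ranking problem: exploited and internet-facing first, then by how far past an agreed deadline each finding is. This added example (not Syxsense's code) ranks a constructed backlog; the hosts, disclosure dates and SLA windows are assumptions, and KNOWN_EXPLOITED is a stand-in for a real known-exploited catalogue (such as CISA's KEV list) containing only the CVEs this post describes as exploited in the wild.

```python
"""Prioritising an unpatched-CVE backlog by exploitation status, exposure and age.

Added example, not Syxsense's code. Inventory rows, disclosure dates and SLA
windows are constructed for illustration; KNOWN_EXPLOITED stands in for a real
known-exploited catalogue and lists the CVEs the post calls actively exploited.
"""
from dataclasses import dataclass
from datetime import date

KNOWN_EXPLOITED = {
    "CVE-2018-13379",  # FortiGate SSL VPN
    "CVE-2019-19781",  # Citrix NetScaler
    "CVE-2019-11510",  # Pulse Secure VPN
    "CVE-2020-0688",   # Microsoft Exchange
}

# Patch deadlines in days after disclosure, assumed for this example.
SLA_DAYS = {"exploited_internet_facing": 14, "exploited": 30, "other": 90}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    published: date       # CVE disclosure date (constructed values below)
    internet_facing: bool


def sla_class(f: Finding) -> str:
    if f.cve in KNOWN_EXPLOITED:
        return "exploited_internet_facing" if f.internet_facing else "exploited"
    return "other"


def days_overdue(f: Finding, today: date) -> int:
    """Days past the SLA deadline; negative means still within the SLA."""
    age = (today - f.published).days
    return age - SLA_DAYS[sla_class(f)]


def priority(f: Finding, today: date) -> tuple:
    """Sort key: known-exploited first, then internet-facing, then most overdue."""
    return (f.cve in KNOWN_EXPLOITED, f.internet_facing, days_overdue(f, today))


def prioritize(findings, today: date):
    """Return findings most urgent first, each paired with its days overdue."""
    ranked = sorted(findings, key=lambda f: priority(f, today), reverse=True)
    return [(f, days_overdue(f, today)) for f in ranked]


# Constructed inventory. The CVE ids are the ones named in the post; the
# disclosure dates approximate public advisories and are assumptions.
INVENTORY = [
    Finding("vpn-edge-01", "CVE-2018-13379", date(2019, 5, 24), True),
    Finding("citrix-gw-02", "CVE-2019-19781", date(2019, 12, 17), True),
    Finding("confluence-int", "CVE-2019-3396", date(2019, 3, 25), False),
    Finding("exch-01", "CVE-2020-0688", date(2020, 2, 11), False),
    Finding("wiki-test", "CVE-XXXX-PLACEHOLDER", date(2022, 11, 1), False),
]


def report(today: date):
    """One line per finding, most urgent first, for a weekly patch review."""
    lines = []
    for f, overdue in prioritize(INVENTORY, today):
        status = f"{overdue}d overdue" if overdue > 0 else f"{-overdue}d left"
        tag = "EXPLOITED" if f.cve in KNOWN_EXPLOITED else "not known exploited"
        lines.append(
            f"{f.host:15} {f.cve:22} {tag:20} exposed={f.internet_facing!s:5} {status}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(date(2023, 1, 31))))
```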

Watch Your Back

Anyone with vulnerabilities and CVEs from 2022 left unpatched for more than a couple of months should watch their back, as they are open to the charge of neglecting their cybersecurity duties. Anyone with unremediated CVEs from 2021, 2020, 2019, or even as far back as 2018, as in the case of the FortiGate VPN, could well be looking for a new job soon. They had better dig out their CV and get it updated fast.

Before the axe falls, a smart move would be to draft in help from an MSP to help eliminate these vulnerabilities, institute vulnerability management and attack readiness processes, and fully patch all applications, operating systems, and endpoints including mobile devices.

Syxsense offers managed security services for patch management, vulnerability management, and remediation. These services provide real-time, 24-hour security coverage. Syxsense also offers an MSP/MSSP program with a world-class platform. Both are built on the foundation of Syxsense Enterprise, an automated patch management, vulnerability scanning, mobile device management (MDM) and IT management platform. It detects outdated patches and threats in real time and can be used to implement updates before bad actors can take advantage of exploits. Syxsense Enterprise incorporates Zero Trust practices and includes features such as patch supersedence, patch roll back, and a wealth of automation and configuration features. In addition, it provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution.


Syxsense Releases White-Label Branding for MSPs, MSSPs and Large Enterprises

Filed under: Press Release

Syxsense Announces White Label Branding for MSPs, MSSPs and Large Enterprises

Syxsense has announced the official release of white-label console branding for MSPs, MSSPs and large enterprises.

Syxsense Further Enhances Support for MSPs, MSSPs and Large Enterprises

Syxsense, a global leader in the intelligent automation of IT, patch management, security vulnerability scanning and remediation, today announced the release of White Label console branding for MSPs, MSSPs and large enterprises.

Building and maintaining brand identity increases revenue and customer awareness. Syxsense now offers the ability to replace and customize logos, labels, and website links in the Syxsense console.

Experience the Benefits

MSPs and MSSPs looking to augment their managed service with new functionality can do so without incurring the cost of building a solution from scratch, all while presenting the functionality as a natural extension of their existing offerings. Syxsense increases recurring revenue by automating IT, offering comprehensive patch management, and full security vulnerability scanning and remediation.

In addition to consistent corporate branding and logos, white label users can easily customize the Syxsense reusable dashboards to present exactly the information and results most important to clients or employees. Built on a native cloud infrastructure, the new customizations to the browser-based UI integrate easily into corporate workflows. Reusable elements like recurring patching maintenance windows and Syxsense Cortex Workflows quickly empower MSPs and MSSPs to deliver on the promise of a secure, well-managed IT environment.

The White Label option is included with Syxsense Manage and Syxsense Secure at no additional cost. Syxsense is offering free, fully-featured trials for up to 100 devices for 14 days. More information on the software and trial can be found here.

Experience the Power of Syxsense

Start a trial of Syxsense, which helps organizations from 100 to 100,000 endpoints secure and manage their environment, all from just a web browser.


February Patch Tuesday: No Love From Microsoft

Filed under: Patch Management, Patch Tuesday

Get Started

Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.


The Best of 2016: Our Year in Review

Filed under: News

Our Year In Review

2016 was a big year for Syxsense. As a company, we are constantly growing, adding new features and always focused on our customers.

IT systems management changes frequently, and it's crucial to keep up with the latest news, strategies and updates. Every month, we share the latest Microsoft and third-party patches, explaining which to prioritize and how to implement the most effective patch strategy.

With plenty of changes on the way for 2017, be sure to stay on top of patching and IT systems management in the new year. Even when other tasks fill up your to-do list and seem more important, prioritizing patching is the best New Year's resolution for any IT manager. Explore the highlights and some of our favorite content from the past year.


MSPs Need A Simple Systems Management Tool

Filed under: Managed Service Providers, News

It would be easy to switch off when people start talking about cloud. The subject is not only worn out, but means so many different things to so many people. As a result of that jaded confusion, there is a danger that some of the opportunities cloud presents could be missed.

MicroScope garnered opinions from across the channel about what cloud technology could offer resellers this year and where efforts would be best placed for those looking to grow their businesses. The good news is that there are plenty of suggestions, and with Microsoft Windows Server 2003 support ending in July, it is a good time to encourage those running on traditional setups to look at a hosted alternative.

Management of Systems

Ashley Leonard, president and CEO at Verismic, says the channel community, particularly managed service providers (MSPs), needs to arm itself with a simple, cloud-based systems management tool.

“PCs and laptops are not going away, despite the rush to adopt tablets and smart devices. PCs and laptops need managing, monitoring, patching and licensing. Windows 10 will likely create a flurry of upgrade work, application compatibility testing and roll-out,” he says.

“MSPs need a systems management tool that combines the cloud with agentless end-device setup, so they don’t need to deploy and maintain another piece of software at every customer site and on every PC,” he says.

Read the full article at Microscope.co.uk
