The Private Equity Digital Threat Landscape and How Leaders Can Address It

Like other critical economic sectors, private equity firms and their portfolio companies are increasingly facing digital threats. Whether this threat originates from organized criminal enterprises, disgruntled employees, or even careless vendor protections, digital risk stands to significantly impact business operations. Firms that fail to proactively prepare for today’s cyber threats face profound reputational risks and financial losses, whether internally or through their portfolio companies.

With regulatory bodies such as the SEC now requiring enhanced cybersecurity protections, proactive efforts by senior leadership and boards to combat these threats should be seen not only as good business practice, but as a legal necessity.

With all this in mind, you are probably asking yourself: what are the real threats to my business, and should I be more selective in the vendors I’m doing business with? With budget on your mind, you’re also likely wondering how to prepare effectively without breaking the bank.

We will explore the answers to your burning questions in this ValorrInsight.

What are the real business threats to Private Equity and Venture Capital Firms?

Beyond direct losses in the form of funds, data, or intellectual property, firms that fail to protect their trusted investments’ and customers’ best interests face potential lawsuits, fines, and damage to their brand. In addition, impacted firms may become the focus of follow-on attacks if bad actors determine that their actions are profitable enough.

Combined with the pandemic and ongoing economic lockdowns, many corporations have been forced to pivot to a work-from-home operating model, one which has significantly increased cyber risk and associated attacks on valued data and digital infrastructure. In a recent poll conducted by the security news organization Threatpost[1], a reported 40% of corporations saw a rise in cyber incidents as they shifted to a remote workforce. These cyber incidents typically fall into the following business risk categories:

  1. Ransomware: The attacker steals and holds data or systems, until a payment is received.
  2. Third Party / Vendor Risk: The attacker typically targets lax vendor security measures, thus being able to access an organization’s critical systems and data.
  3. Insider Threat: A company insider, typically an employee or contractor, steals valuable company information and monetizes this for their own benefit.
  4. Business Email Compromise: The attackers leverage existing employee email accounts to attempt to intrude on the trust within an organization’s operations. These attacks typically result in moderate to significant losses resulting from unauthorized financial transactions.
  5. Failed Compliance Fines: Fees associated with non-compliance which could negatively impact the company’s financial position.

Portfolio companies must consider that ineffective or absent information security will make them less attractive to potential buyers or investors. This impact can not only decrease the value of a private equity firm’s investment but can also tarnish the firm’s reputation and negatively impact future fundraising efforts. Ultimately, the proactive resources invested today to enhance company cybersecurity will pay dividends in the long run.

A strong commitment to data and digital security starts at the top and requires significant buy in from key stakeholders. While some private equity firms have been slow to adjust their focus beyond the traditional valuation metrics of companies within their portfolios, there is a shifting awareness of the need to understand and address cybersecurity risk across their organization.

Despite this growing recognition, the private equity industry has lacked a practical approach to addressing the cybersecurity issues and concerns of its portfolio companies. The reality is that formulating a tailored cybersecurity strategy for each company in a portfolio is an inefficient prospect, one that would saddle the companies as well as the private equity firm with undue investment in time and costs. While the typical firm focuses its cybersecurity efforts on its most highly valued investments, lower-valuation companies may pose the greatest risk.

With constrained resources and a focus on building the business, portfolio companies may not consider vendor risk a priority. As such, it is in a firm’s best interest to quantify the third-party risk profile of investing in portfolio companies. Going forward, portfolio risk management and vendor due diligence must continuously be treated as a top priority for leaders in the private equity space.

So, what vendors should a firm be worried about? We take a deeper dive into vendor selection and associated risks in the section below:

“Private equity firms that fail to do cybersecurity due diligence on their portfolio companies are at a significant disadvantage, both from a compliance and competitive standpoint.”

What vendors should PE/VC firms be concerned about and why?

The best approach for managing vendor risk is to distinguish critical from non-critical vendors. While all vendors may play a meaningful role, prioritized focus should be given to those critical to business operations. Firms should routinely assess critical vendors to ensure that they remain good stewards of your data and to understand how they will respond in the event of an outage or cyber-attack. Below, we have identified key vendor dependencies that we consistently see in the private equity space, as well as how these are utilized to execute targeted attacks.

Email and Productivity Tools

No other tools expose organizations to as much opportunity risk as productivity platforms such as Microsoft 365, Google Suite (GSuite) and others. Firms rely on toolkits like spreadsheets (Excel / Google Sheets), PowerPoint presentations, and word processing software to collaborate, innovate and close deals.

Attackers commonly use phishing campaigns to get users to log in to fake Microsoft websites. This may take the form of ‘password reset’ emails or text messages to smartphones. The ultimate goal is to compromise the user account and gain unauthorized access. With hundreds if not thousands of emails flowing through mailboxes, the opportunity for stealing information and extending phishing campaigns becomes endless.

Another common attack we are seeing is ‘Malicious Macros’, whereby a user is sent what appears to be a benign Microsoft file (e.g., a Word document). The user opens the file, and it runs a series of malicious commands, all hidden from the user’s screen. This typically results in the installation of malware, which can steal your computer files, monitor your web browsing history, or, even worse, record your keystrokes. There’s good news, however: Microsoft typically enables macro protections against attacks such as these, so make sure to keep your office software up to date!

Finance/accounting + portfolio management

As with all companies, PE firms use software tools, such as AllVue, to track their finances and accounting. Because their finances are closely tied to those of their portfolio companies, firms will often use a package that combines portfolio management and reporting with their own finance/accounting.

Typically, we see more focused phishing attacks against these platforms, targeted at business executives, commonly known as ‘Spear Phishing’. The primary goal is to gain access to user accounts, such as those of senior accounting leads, who have higher-level access to financial documents.

Investor portal

Most PE firms will have an online portal set up for their LPs / investors to send secure messages, access important investment information and get timely notifications.

Investor portals are commonly used for Business Email Compromise attempts, with the goal of disrupting the integrity of communications so that unauthorized financial transactions may be made. Access may be obtained through several means, but is commonly sourced through phishing campaigns.

3rd party databases

Most PE firms lean heavily on data from subscription databases. Sites like CapIQ and PitchBook provide data on recent financial transactions and funding, which helps the firms establish comps and get a sense for movement in the market.

These 3rd party databases are targeted through a variety of methods. To stay out of the technical weeds, attackers typically target vulnerable code to gain access and steal data. Once the integrity of this data is ‘broken’, firms can no longer rely upon the information to make informed business decisions.

Deal & Relationship Management

Most PE firms also use a system to keep track of the opportunities for investment that they’re evaluating. Common solutions include a custom Excel sheet or a more traditional Customer Relationship Manager (CRM) like Salesforce.

Because many of these operate on complex databases, Deal and Relationship Management systems are targeted like other subscription software. These platforms are ripe for stealing internal firm data as well as customer data. Personal contact information taken from these platforms can be instantly sold on Dark Web forums or given to competitors to gain a competitive edge.

How PE/VC firms can effectively protect themselves and their investment portfolio?

At a time when cybercrime is growing at an unprecedented rate, private equity firms need to illustrate that they are proactively governing their portfolio companies to meet the evolving risk landscape. This requires a holistic approach, whereby people, processes, and technologies are assessed to determine existing cybersecurity proficiency. Gaps in cybersecurity knowledge and protections of critical data should be addressed with an action-based and prioritized strategy to reduce risk to investments.

Firm executives must lead the charge on building and fostering a strong security culture, starting from the top down: a culture that promotes consistent conversations across leadership on how the organization is tackling business and connected technology risk. By taking steps to drive these initiatives forward, firms will demonstrate to investors and partners that they are committed to securing trusted relationships now and into the future. Thus positioning

In the section below, we have highlighted actions that firms of all sizes can implement to better secure their connected ecosystem and business.

  • Establish an Information Security Policy: Outlining how the organization is addressing digital and IT-related risks.
  • Identify critical systems: Document those systems, vendors, and data which are critical to the core of your business operations. Typically, these systems are productivity tools, Customer Relationship Manager (CRM) Tools, and Financial/Accounting platforms.
  • Control access to critical systems and software: Individuals’ access to critical systems should be continuously reviewed to ensure that it aligns with their business role within the organization. Under what is commonly known as the ‘Principle of Least Privilege’, individuals should only be given access to the data, systems, and files necessary to successfully perform their role within the organization. We have typically seen individuals change roles within an organization while access to files and folders related to their previous role(s) remains in place.
  • Security Awareness Training: To address how bad actors continue to evolve their attacks, security training should be completed monthly. As an industry best practice, training should be aligned to threats targeting the specific industry vertical. For example,
  • Secure your email service and other critical services: Ensure that your critical communication and productivity services are configured properly and tested. Your business depends heavily on real-time data and system access, when a crisis hits these relationships will propel you through.
  • Document an Incident Response Plan: Ensure your organization and its leaders know how you will respond to a cyber incident or IT disruption; this proactive planning will literally save you millions.
  • Back up your data: Back up your data within resilient infrastructure and test those backups frequently.

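The access-review bullet above describes the check in words: compare what each account can reach against what its current role needs, and pay special attention to grants left over from a previous role and to accounts nobody owns any more. The script below is an added example, not Valor’s tooling or any product’s API; the roles, system names, roster and grant snapshot are constructed for illustration, and a real run would feed it exports from the HR system and from each application’s user list.

```python
"""Added example: least-privilege access review for a small firm.

Inputs (all constructed for this example):
  HR_ROSTER          current role for each active employee
  SYSTEM_GRANTS      accounts actually present in each system's user list
  ROLE_ENTITLEMENTS  systems each role legitimately needs
  CRITICAL_SYSTEMS   systems the article calls critical (finance, investor portal, admin)
"""

# Hypothetical role model; system names follow the article's categories
ROLE_ENTITLEMENTS = {
    "deal-team": {"crm", "email", "data-subscriptions"},
    "finance": {"email", "accounting", "investor-portal"},
    "it-admin": {"email", "m365-admin"},
}

CRITICAL_SYSTEMS = {"accounting", "investor-portal", "m365-admin"}

# Constructed HR snapshot: alice moved from the deal team into finance last quarter
HR_ROSTER = {"alice": "finance", "bob": "deal-team", "carol": "it-admin"}

# Constructed export of each system's user list. Note: alice still holds her old
# CRM grant, carol (IT) has a grant in accounting, and "erin" is not on the roster.
SYSTEM_GRANTS = {
    "email": {"alice", "bob", "carol", "erin"},
    "crm": {"alice", "bob"},
    "accounting": {"alice", "carol"},
    "investor-portal": {"alice"},
    "data-subscriptions": {"bob"},
    "m365-admin": {"carol"},
}


def review_access(roster, grants, roles, critical):
    """Return findings as (priority, user, system, reason) tuples.

    A grant is a finding when the account is not on the HR roster at all
    (departed user or shared login) or when the user's current role does not
    require that system. Findings on critical systems are marked high priority
    and sorted first, then by user and system for a stable report.
    """
    findings = []
    for system, users in grants.items():
        for user in users:
            role = roster.get(user)
            if role is None:
                reason = "account not on HR roster (departed user or shared login)"
            elif system not in roles.get(role, set()):
                reason = f"not required by current role '{role}'"
            else:
                continue  # grant matches the role: nothing to report
            priority = "high" if system in critical else "medium"
            findings.append((priority, user, system, reason))
    findings.sort(key=lambda f: (f[0] != "high", f[1], f[2]))
    return findings


def format_report(findings):
    """Render findings as plain-text lines for the review meeting."""
    if not findings:
        return ["No excess grants found."]
    return [f"[{p.upper():6}] {u:8} {s:18} {r}" for p, u, s, r in findings]


if __name__ == "__main__":
    for line in format_report(
        review_access(HR_ROSTER, SYSTEM_GRANTS, ROLE_ENTITLEMENTS, CRITICAL_SYSTEMS)
    ):
        print(line)
```

Run quarterly (or whenever HR reports a role change), the report is short enough to act on: the high-priority line is the one to revoke the same day, and any account not on the roster is a candidate for immediate disablement pending confirmation of who uses it.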
Firms should consider their individual needs, size, and business locations when comparing backup options. It is valuable to know that data storage facilities/services are not typically one size fits all, and costs may vary.  

The Valor Team looks forward to providing continual insights relevant to your industry.  For other tips and tricks in staying cyber informed, please visit our Expert Cybersecurity Valor Insights page at Insights – Valor Cybersecurity

Why PE/VC General Partners Have Growing Concerns Around Cybersecurity and What They Can Do About It

Cyber crime has skyrocketed in recent years and several corporate giants have endured catastrophic breach events. Cyber attacks targeting behemoths like Target, Home Depot and Talk Talk have triggered a contagion effect that impacts organizations spanning all industries, regardless of scope,

Authors: Greg Tomchick, Partner, C|CISO; Jeff White, Chief Security Officer, CMMC-RP 

Many small and mid-sized financial firms (wrongly) consider themselves too small to be of interest to cyber criminals and choose to ignore the threat, leaving them open to attack. 

Private equity firms are particularly vulnerable, as most operate with small cybersecurity budgets and limited IT staff. However, recent news headlines have emphasized the real risk that all firms face. It is not surprising, therefore, that the whole financial industry is coming under increased pressure from governing authorities to do something concrete about it, especially with the Russia-Ukraine developments, crypto-currency surges and investment at an all-time high.

Regulatory associations – among them the US Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE), the Financial Industry Regulatory Authority (FINRA) and the UK’s Financial Conduct Authority (FCA) – have already delivered detailed reports exposing how unprepared and ill-equipped firms currently are to defend against threats.

In these reports, the authorities have also set out their expectations on the benchmarks, measures and procedures that firms need to implement in order to identify, prevent and respond to possible future attacks.  As regulatory associations work to fully define and outline these expectations, it is essential that firms gain an understanding of governance analysis to better prepare themselves for the continuous program and posture evaluation and audits that lie ahead to demonstrate their efficacy.  

As a leading cybersecurity advisor in the Private Equity and Venture Capital industry, Valorr continuously aligns with the regulatory associations driving change and remains committed to delivering essential services to help firms in the sector stay ahead of governance requirements.

As we continue to work with our partners to protect their businesses from cyber threats, we notice three main trends: 

  1. The absence of current cybersecurity programs.
  2. Unmonitored and unsecure data environments, applications and devices.
  3. Lack of the requisite expertise among staff to develop effective cybersecurity protocols.

There Is A Shift Taking Place

In the private equity (PE) space, cyber risk and threat awareness among General Partners (GPs) is on the rise.  A strong driver of this shift is Limited Partners (LPs), who want a better understanding of how firms are securing their own environments and also how firms are addressing cyber risks with their portfolio companies. 

In November 2021, the Institutional Limited Partners Association (ILPA), a global organization dedicated to supporting the interests of limited partners, issued a new standardized due diligence questionnaire (DDQ) with added cybersecurity components. 

According to the ILPA website, the purpose of the revised DDQ is “to standardize the key areas of inquiry posed by investors during their diligence of managers.”  A primary area of concern is PE firms’ cybersecurity policies and procedures. 

Such due diligence is crucial in the PE space.  

“Private equity firms that fail to do cybersecurity due diligence on their portfolio companies are at a significant disadvantage, both from a compliance and competitive standpoint.”

How could General Partners be better prepared?

The best approach for managing cyber risk is to develop an informed perspective by way of a streamlined and manageable process that treats cyber risk as equally as other types of risk, for example, market risk, counterparty risk, and legal risk. 

Formal practices for managing cyber risk should align with other risk management approaches that are in place, where cyber risk is treated as just another risk. The SEC has encouraged developing a “reasonably” designed approach to managing cyber risk, such as one that reflects the following characteristics: 

Informed – supports and promotes an awareness of today’s cyber risks, including regulatory and legal considerations 

Manageable – risk evaluation, if performed in a manner that is manageable, does not overwhelm the business, and does not negatively impact day-to-day operations.

Digestible – reporting “in plain English” is generated that can easily be consumed by a firm’s risk leads, including COOs, deal teams, and boards of directors 

Actionable – reporting is clear and includes reasonable next steps to address key identified cyber risks 

Should a PE firm or one of its portfolio companies be impacted by a serious cybersecurity event, the reputation of the firm among investors, regulators, and other stakeholders may be on the line. 

We advise that you take the following actions: 

  • Establish an Information Security Policy: Outline how the organization plans to and is currently addressing cyber and IT-related risks.  
  • Secure your email service and other critical services: Ensure that your critical communication and productivity services are configured properly and tested.  Your business depends heavily on real-time data and system access, when a crisis hits these relationships will propel you through.  
  • Document an Incident Response Plan: Ensure your organization and its leaders know how you will respond to a cyber incident or IT disruption, this proactive planning will literally save you millions.  
  • Back up your data: Back up your data within resilient infrastructure and test those backups frequently.  Not all backup and data storage facilities/services are created equal! 

As cyber threats continue to proliferate, anticipating and managing them at all organizational levels will remain vital during 2022 and beyond.  As recent events have proved, PE firms are vulnerable on a variety of fronts, from their vendors and third-party suppliers to their portfolio companies.  Taking steps now to ensure proactive protections and risk management practices can help reduce these risks and help ensure that portfolio companies generate profits—not headaches—for PE firms. 

The Valor Team looks forward to providing continual insights relevant to your industry.  For other tips and tricks in staying cyber informed, please visit our additional Valorr Insights at Insights – Valor Cybersecurity

The San Francisco 49ers Football Team Make Superbowl Headlines, But Not As A Contender

Despite the San Francisco 49ers not making it to the big game this year, they still made Superbowl headlines. On Sunday, February 13th, the 49ers front office confirmed that they were the latest victim of a BlackByte ransomware attack.

While not confirmed by the football club until February 13th, the cyber-attack reportedly took place one day prior based on BlackByte’s online postings.  On February 12th, BlackByte took to underground (Darknet) Ransomware Forums claiming to have stolen financial data from the team’s servers. The group posted what appeared to be approximately 300 MB of team documents from a folder called ‘2020 Invoices’.

Author: Greg Tomchick, Managing Partner, CCISO & Jeff White, Chief Security Officer, CMMC-RP

Ransomware groups like BlackByte typically post some evidence of a successful compromise. It should be noted, however, that this advertised data may not represent the true extent of the attack in terms of the amount of data stolen.

Since the incident, neither the 49ers nor the perpetrators have made any public mention of a ransom payment. Following the attack, the 49ers did disclose that they incurred a temporary disruption to parts of their network, but stated that the threat actors failed to impact stadium and ticket operations or ticket holder information.

Some security experts believe that the attack was a means for BlackByte to attain mainstream credibility, pulling off an attack to make headline news.

The 49ers have yet to release an updated statement regarding the full impact of the Ransomware.  The incident remains under investigation by external support parties and law enforcement. We will update this article as we learn more.

Blackbyte Analysis and Potential Motivators

This attack came to surface just two days after the FBI and U.S. Secret Service issued a joint cyber advisory on the BlackByte Ransomware Group. Law enforcement sources alerted that BlackByte had “compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors” since November 2021.

Ransomware gangs have continued to cause widespread havoc to a variety of businesses over the last year.  High-profile attacks ranging from the world’s largest meat-packing company to the biggest U.S. fuel pipeline, have led to significant financial impacts, supply chain and operational disruptions.  Despite Western Governments pledging to crack down on cyber criminals, their efforts have yet to fully disrupt the activities of Ransomware actors. 

Like similar ransomware gangs, BlackByte operates under a subscription model known as ‘Ransomware as a Service’ (RaaS). RaaS allows affiliates to enter into an agreement with ransomware operators to use their prebuilt tools and platforms to launch attacks against targets, typically in return for a profit share of the ransom. The presence of BlackByte first became known in approximately July of 2021. The group typically operates in a ‘Double Extortion’ fashion where compromised data is encrypted, and unless a defined ransom is paid (typically in a form of cryptocurrency), the organization’s data is offered to the highest bidder. Ransom notes are left by the threat actor in the encrypted directory, identifying what steps must be taken to decrypt the business’s data. Interestingly enough, BlackByte and other notable ransomware groups offer email support and calling hotlines to support and expedite their victims’ payments. BlackByte’s typical attack methodology is to exploit vulnerabilities in Microsoft Exchange known as ‘ProxyShell’.

For technical reference, the three vulnerabilities successfully used by BlackByte to gain internal access have been listed below along with their assigned ‘CVE’ (Common Vulnerabilities and Exposures) numbers. Links to patch information have been provided for each vulnerability with the accompanying ‘KB’ (Knowledge Base) number.

Steps to protect your business

To minimize your business’s exposure to Ransomware Attacks, general security guidance has been provided below:

  • Patch Management: Keep systems and applications patched with the latest security updates, with a prioritized focus on those critical to business operations.
  • Critical Data System Protection: Restrict sensitive organizational data to specific servers/systems, with enhanced security controls/monitoring around these systems. Ensure that these systems are remotely accessible.  When possible, restrict local system downloads of any sensitive organizational information. For example, users are able to download employee rosters to their local machines from Microsoft 365.
  • Network Segmentation:  Create separate communication networks for internal and external devices (to include any guest devices).  This practice is commonly referred to as ‘network segmentation’. Ensure that critical data systems and those systems accessing them are assigned to a specified network segment(s).  Closely restrict access and monitor activities on these systems.
  • Access Control: Enforce the principle of least privilege security, by providing all users the least amount of access to systems/applications necessary to perform their job duties. Ensure Multi-Factor (MFA) authentication is turned on for all applications.  In alignment with best practice, remove any local administrative accounts, where applicable.
  • Protection of Virtual Machines: In alignment with security best practice, do not expose any corporate virtual machine (such as Citrix), directly to the internet.
  • Perform Regular Back-ups: Ensure regular data backups are performed, with a prioritized focus on critical data systems/applications. Backups should be tested once a month to ensure they operate as intended, and the backup plan should be in place and tested periodically.
    • Establish Backup and Recovery Plan: Document procedures to execute backup/recovery efforts, and any lessons learned from previous backup test exercises. Ensure that all key stakeholders (internal and external) involved in backup activities are identified along with corresponding roles/responsibilities and contact information.
  • User Awareness Training: Establish a formalized cybersecurity education and awareness program. Provide all users with training modules to educate them on what cyber threats may look like, and steps they can take to protect your organization.  Continue to engage in discussions with team members, on why cybersecurity is important for the growth and success of everyone.
    • Phishing Exercises: In concert with formal training modules, users should be tested on lessons learned through phishing simulation exercises. This will allow the organization to have a better understanding of the effectiveness of training content, and to further prevent malicious activities from occurring. It is important to note that any follow-up training from these exercises, should be non-punitive when possible. This will enable the organization to continue to have security advocates now and into the future.
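The backup bullets above ask for backups to be tested, not merely taken. The smallest meaningful test is a restore that is checked file by file against a record made at backup time, which also catches the silent case where the restored copy is present but altered. The script below is an added example of that check, not Valor’s tooling or any backup product’s feature; the two-file ‘finance’ tree and the deliberately imperfect restore in `demo()` are constructed for illustration.

```python
"""Added example: verify a restored backup against a SHA-256 manifest.

build_manifest(root)              -> {relative_path: sha256} for every file under root
verify_restore(manifest, restored) -> which files are missing, changed, or unexpected
demo()                            -> constructed walk-through with a faulty restore
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative, POSIX-style path) to its hash.
    Take this at backup time and store it separately from the backup itself."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest, path):
    """Write the manifest as JSON next to (but not inside) the backup set."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken at backup time.

    'missing' files were backed up but did not come back; 'changed' files came
    back with different content (corruption or tampering); 'extra' files were not
    in the manifest at all. The restore is 'ok' only when nothing is missing or changed.
    """
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    extra = sorted(set(current) - set(manifest))
    return {"missing": missing, "changed": changed, "extra": extra,
            "ok": not missing and not changed}


def demo():
    """Constructed walk-through: back up a two-file tree, then 'restore' it with one
    file corrupted and one file absent, and report what the check finds."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "finance")
        src.mkdir()
        (src / "2021-invoices.csv").write_text("invoice,amount\n1001,250.00\n")
        (src / "ledger.txt").write_text("opening balance 0\n")
        manifest = build_manifest(src)
        save_manifest(manifest, Path(tmp, "finance.manifest.json"))

        restored = Path(tmp, "restored")
        restored.mkdir()
        # one byte differs from the original, and ledger.txt never came back
        (restored / "2021-invoices.csv").write_text("invoice,amount\n1001,250.0\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest should be written at backup time and kept outside the backup media (an attacker or a failing disk that damages the backup would otherwise damage the record you check it against), and the monthly test consists of restoring to a scratch location and running `verify_restore` against that manifest.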

The Valor Team looks forward to providing additional updates on this incident. We look forward to helping you and your organization avoid being a victim of cybercrime. Stay tuned!

For other tips and tricks in staying cyber informed, please visit our additional Valor Insights at Insights – Valor Cybersecurity

Log4J: What you should know and how you can proactively protect your business

On Friday November 10, 2021, a critical vulnerability was publicly disclosed in the Java-based logging library Log4J. Also known as ‘Log4Shell’, this vulnerability enables a threat actor to perform Remote Code Execution (RCE) across a slew of connected devices ranging from computers, home and enterprise routers, VPNs, internet of things/smart devices (IoT), and web servers.

Author: Jeff White, Chief Security Officer, CMMC-RP

For context, this vulnerability has been assigned a criticality rating of ‘10’, the highest score on an industry-recognized vulnerability scale. Remote Code Execution essentially allows an attacker to perform malicious commands, without authentication (login), on an internet-connected device. To put this in perspective, the flaw requires minimal technical prowess. It can be exploited simply by running one command against an internet-connected and Log4J-vulnerable device.

What makes this vulnerability even more troubling is that Log4J has been used for years in some of the best-selling consumer products. Some of the world’s biggest companies have used some flavor of Log4J to include the likes of Microsoft, Amazon, and Apple.  In fact, it has been reported that some 3 billion connected devices currently use a version of Java.  

While the full scale and impact of this vulnerability has yet to be determined, it is currently being exploited ‘in the wild’. Both stateside and state-sponsored actors are currently scanning network devices in an effort to locate unpatched systems. Publicly available web sites such as Shodan.io have helped attackers and threat groups identify these vulnerable network resources. It’s important to note that secondary cyber-attacks can be launched following the initial exploit of Log4J, including but not limited to installation of cryptocurrency mining malware, data exfiltration, and potentially even ransomware.

Are you impacted? Steps you can take to reduce your business risk.

If any of your systems are currently running Log4J versions 2.0 – 2.14.1, you are vulnerable to this Log4J exploit. Apache, however, has since reported that this issue has been resolved in updated version 2.15, which is currently available for download from the Apache website linked below:

https://logging.apache.org/log4j/2.x/security.html

The following is provided as general guidance in mitigating the Log4J Vulnerability, and related risk to your organization:  

  • It is recommended that organizations first update all web facing applications and systems to the latest version of Log4J (Version 2.15).
  • If possible, organizations should block external access to applications until they can be patched. Organizations should then perform a full inventory and fix/patch of any remaining internal systems impacted by the above.
  • In addition, it is recommended that organizations also implement a Web Application Firewall (WAF) if possible, for additional monitoring capabilities.
  • If your organization can afford a dedicated Managed Security Service Provider, or MSSP, it is highly recommended to do so. While Valorr remains vendor agnostic, partnering with the right MSSP provider will provide layered insight into those threats/bad actors actively targeting your network.  
  • While vendors are working diligently to address this, it is recommended that organizations stay up to date with 3rd party responses. Typically, vendors will send emails on how and to what extent customers may be impacted by this, and other security vulnerabilities. Customers may also check vendor blog updates for similar information.
  • If you have an existing Security/Threat Intelligence Provider, you may also receive direct vulnerability-related correspondence from a Customer Success Manager.
  • While information continues to be released on this critical vulnerability, organizations should continue to update all endpoints, and network connected devices whenever possible.   

For further technical information regarding this vulnerability, please visit MITRE’s CVE-2021-44228 at the link below:  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 

Please also visit U.S. Cybersecurity and Infrastructure Security Agency (U.S. CISA) for the latest updates and actionable guidance, as more information becomes available. Through ongoing public-private partnership, U.S. CISA provides community sharing initiatives to help businesses secure and defend against the ongoing cyber threat.   

https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability (CISA Director, Jen Easterly’s statement on Log4J)  

https://www.cisa.gov/uscert/ncas/current-activity (CISA Current List of Cyber Related Activity)  

https://www.cisa.gov/known-exploited-vulnerabilities-catalog (CISA Known Vulnerability Catalogue)  


Update: 12.30.2021

Since initially posting, security researchers continue to discover new vulnerabilities in the Java-based logging library known as Log4J. Previous industry and Apache guidance was to update any known vulnerable versions of Log4J (including versions 2.0-beta9 through 2.15.0, except for update 2.12.2) to version 2.16.0.

Additional Log4J security loopholes have led Apache to issue the most recent upgrade, version 2.17.1. A summary of the vulnerabilities found in the previously updated Log4J versions, 2.15.0 – 2.17.0, is provided below for reference:

  • MITRE CVE-2021-45046 – With a severity score of 9, this vulnerability in version 2.15.0 allows for potential information leak and remote code execution. Version 2.16.0 corrected this vulnerability.
  • MITRE CVE-2021-45105 – With a severity score of 5.9, this vulnerability in version 2.16.0 allows for potential Denial of Service (DoS) against an application. Version 2.17.0 corrected this vulnerability.
  • MITRE CVE-2021-4104 – With a severity score of 8.1, this vulnerability in version 2.17.0 allows for deserialization attacks. Version 2.17.1 corrected this vulnerability.

Actionable steps your business can take to ensure the best protection:

  • It is recommended that organizations upgrade to the latest version of Log4J (version 2.17.1) for all web-facing applications and systems. If possible, organizations should block external access to applications until they can be patched.
  • For systems that cannot be patched, it is recommended to disconnect them from the network.
  • If possible, implement a Web Application Firewall (WAF) solution for further security and activity visibility into web application traffic.
  • If not already in place, consider engaging a trusted managed security service provider to proactively monitor for network traffic anomalies and irregular system activity.
  • Ensure all endpoints (computers) and endpoint monitoring tools (e.g., anti-virus or EDR) are continuously updated to the latest versions.
  • Continue to monitor vendor statements and communications for updates on how their products are addressing these vulnerabilities.
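The first step above depends on knowing which Log4J jars are actually deployed and at what version. The following inventory script is an added example, not Valorr's tooling and not part of the original advisory: it walks a directory tree, reads the version of every log4j-core jar it finds from the jar manifest (falling back to the file name, which is how a "2.0-beta9" build is typically labelled), and reports anything older than the 2.17.1 release recommended above. The 2.17.1 threshold comes from the advisory text; the sample jars the script builds for offline use are constructed stand-ins, and the function and file names are assumptions.

```python
"""Inventory log4j-core jars and flag versions below the advisory's recommended release.

Added example; the only page-derived value is RECOMMENDED_VERSION.
"""
import os
import re
import tempfile
import zipfile

RECOMMENDED_VERSION = "2.17.1"   # release recommended in the advisory above

# Matches 2.17.1, 2.0-beta9, 2.12.2 and similar Log4J version strings.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", re.IGNORECASE)


def parse_version(text):
    """Turn a Log4J version string into a tuple that sorts correctly.
    A pre-release such as 2.0-beta9 sorts below the final 2.0.0 release."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, tag, tagnum = m.groups()
    pre = (0, int(tagnum)) if tag else (1, 0)
    return (int(major), int(minor), int(patch or 0)) + pre


def jar_version(path):
    """Read Implementation-Version from META-INF/MANIFEST.MF; fall back to the file name."""
    try:
        with zipfile.ZipFile(path) as zf:
            if "META-INF/MANIFEST.MF" in zf.namelist():
                manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
                for line in manifest.splitlines():
                    if line.lower().startswith("implementation-version:"):
                        return line.split(":", 1)[1].strip()
    except zipfile.BadZipFile:
        pass   # corrupt or non-zip file: try the name below, else report unknown
    m = re.search(r"log4j-core-(.+)\.jar$", os.path.basename(path))
    return m.group(1) if m else None


def classify(version):
    """'ok' at or above the recommended release, 'upgrade' below it, 'unknown' if unparsable."""
    parsed = parse_version(version) if version else None
    if parsed is None:
        return "unknown"
    return "ok" if parsed >= parse_version(RECOMMENDED_VERSION) else "upgrade"


def scan_tree(root):
    """Return {jar_path: (version, status)} for every log4j-core jar under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = jar_version(path)
                findings[path] = (version, classify(version))
    return findings


def make_sample_jar(path, manifest_version=None):
    """Write a constructed stand-in jar: a zip holding only a manifest (no real Log4J code)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        body = "Manifest-Version: 1.0\n"
        if manifest_version:
            body += "Implementation-Version: %s\n" % manifest_version
        zf.writestr("META-INF/MANIFEST.MF", body)


def scan_sample_tree():
    """Build a temporary tree of constructed jars and return {file name: status}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    make_sample_jar(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "app", "lib", "log4j-core-2.17.1.jar"), "2.17.1")
    make_sample_jar(os.path.join(root, "legacy", "log4j-core-2.0-beta9.jar"))   # no manifest version
    make_sample_jar(os.path.join(root, "legacy", "log4j-core.jar"))             # version not recoverable
    return {os.path.basename(p): status for p, (_, status) in scan_tree(root).items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, (version, status) in sorted(scan_tree(sys.argv[1]).items()):
            print("%-8s %-10s %s" % (status, version, path))
    else:
        for name, status in sorted(scan_sample_tree().items()):
            print("%-8s %s" % (status, name))
```

Run it with a directory argument to inventory a real host (`python inventory.py /opt`), or with no arguments to see it classify the constructed samples. Jars reported as "unknown" deserve a manual look rather than being assumed safe, and the script only finds jars on disk: Log4J bundled inside a fat jar, WAR or container image needs the archive unpacked first.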

Additional resources/tools:

  • Valor recommends that organizations continue to visit the U.S. Cybersecurity and Infrastructure Security Agency (U.S. CISA) for ongoing actionable guidance based on the potential threats it is seeing.

https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance (CISA Guidance updated 12/28/2021)

  • Organizations may also visit the NIST National Vulnerability Database (NVD), which provides a list of known vulnerabilities and related technical details across impacted systems and applications. Every vulnerability in the NVD is assigned a CVE (Common Vulnerabilities and Exposures) number for universal sharing purposes.

https://nvd.nist.gov/vuln

References: 1https://logging.apache.org/log4j/2.x/security.html (Apache list of known vulnerabilities and fixes and Log4J Version 2.17.1 download)

If you found value in this article, please check out our other Valor Insights for how you can protect your business.  

Back To The Basics: How awareness and basic cyber safeguards can protect your business

Companies across the U.S. continue to fall victim to cyber attacks that can be prevented by awareness and basic safeguards.  In this ValorrInsight, we dive into common attack methods and some simple actions you can take today to protect your tomorrow.  

Author: Jeff White, Chief Security Officer, CMMC-RP

Picture this… Sarah, your corporate controller, receives a text message three days before Christmas from Jean, her CEO.  In this message, Jean mentions that due to time constraints in her meeting schedule, she is unable to get gift cards for her family.  As a result, Jean kindly asks that Sarah purchase three (3) three-hundred-dollar gift cards and provide the gift card codes upon completion.  

Sarah, a last-minute shopper herself, understands hectic work schedules and last-minute gift giving.  In the spirit of helping her boss out, Sarah purchases the gift cards with her corporate credit card.  Sarah immediately texts her boss the gift card codes; however, Sarah receives no response back from Jean.  Two days later, Jean calls Sarah asking about a $900 transaction on her corporate card.  Bewildered, Sarah mentions that she was just doing what Jean had asked her.  Upon further investigation, it turns out Sarah was scammed by someone impersonating her boss.  Sound familiar? 

How about Tim, a tech-savvy and successful entrepreneur with a knack for spotting fraud from a mile away.  Upon finishing a long day’s work, Tim receives an odd email from his bank.  The email reads “We have recently noticed suspicious banking activity, which requires your transaction verification.”  In this email, Tim is told to click on the included link to validate the transactions.  The sender looked legitimate in every regard; it came from the bank’s fraud department, included a link to the bank’s webpage and even included the last four digits of Tim’s checking account number. 

In a rush to leave the office, Tim attempted to resolve the bank matter; Tim clicked the link, but was unable to log in to the website, receiving a message “404, the website you are trying is unavailable at this time.”  Pushing this immediate concern aside, Tim let the weekend pass by before any follow-up action with his bank.  Monday morning, Tim was distraught when he was told by the bank’s Fraud and Investigation team that he had incurred $9,000 in unauthorized charges.  How could this happen, Tim thought, I’m a tech-savvy expert with an eye for detecting these things?

Think that these same scenarios can’t happen to you?  Don’t be too sure. 

Cybercrime: Exposing The Human Element

While the above stories are fictitious, they serve to represent the clear and present danger to you, your business, and your company assets.  Let’s look at how the threat actors featured above leverage the ‘human element’ for financial gain. 

In the first scenario, the criminal used a position of power coupled with a sense of urgency to get Sarah to perform the requested actions.   Naturally, an employee would listen to their CEO for direction, primarily due to their position of leadership.  Knowing that her boss’s task was important and time sensitive, Sarah trusted that purchasing the gift cards, as instructed, was the right thing to do.  Intertwined in this example is also an element of relatability.  As many of us can relate, meetings run long and, well, sometimes there just aren’t enough hours in a day to complete the little ‘To-Do’s’.  Sarah too understood that the holiday rush leaves little time to check off those last-minute items. 

Like our first scenario, threat actor #2 used trust and immediacy to elicit the intended actions.  After briefly inspecting the email for what he knew as elements of fraud, Tim believed he needed to act quickly to stop any additional fraudulent activity on his bank account.  If anyone were to notify him of suspicious banking activity, it would have been the bank’s internal fraud team.  After all, the email came from an internal company email address, or so he thought. 

In incorporating these lessons learned, it’s important to remind ourselves that no matter one’s education, level of success, or even tech savviness, we can all fall prey to cybercrime.   
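The two signals Tim skipped past are mechanical and can be checked before anyone clicks: whether the address replies go to matches the address the message claims to come from, and whether the text a link displays matches the host it actually points to. The script below is an added example, not Valorr's code or a tool mentioned in the article. It parses a constructed message (all addresses use the reserved .example domain) and reports both kinds of mismatch; the function names and the sample message are assumptions made for the illustration.

```python
"""Flag sender-domain and link-target mismatches in a phishing-style email.

Added example; the sample message below is constructed for offline use.
"""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the "bank fraud department" scenario above.
SAMPLE_MESSAGE = """\
From: "Fraud Department" <fraud@bank.example>
Reply-To: verify@verify-bank.example
To: tim@company.example
Subject: Suspicious activity on your account
Content-Type: text/html; charset="utf-8"

<p>We have recently noticed suspicious banking activity, which requires your
transaction verification.</p>
<p><a href="http://verify-bank.example/verify">https://www.bank.example/fraud</a></p>
"""

_URLISH = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, tolerating a bare 'www.bank.example/path' with no scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def review_message(raw):
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = _domain(email.utils.parseaddr(str(msg.get("From", "")))[1])
    # Replies and bounces routed to a different domain than the visible sender.
    for header in ("Reply-To", "Return-Path"):
        other = _domain(email.utils.parseaddr(str(msg.get(header, "")))[1])
        if other and other != from_domain:
            findings.append("%s domain %s differs from From domain %s" % (header, other, from_domain))

    # Link text that looks like a URL but resolves to a different host than the href.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if _URLISH.match(text) and _host(text) != _host(href):
                findings.append("link text shows %s but points to %s" % (_host(text), _host(href)))
    return findings


def review_sample():
    return review_message(SAMPLE_MESSAGE)


if __name__ == "__main__":
    for finding in review_sample():
        print("-", finding)
```

A secure email gateway does this kind of check at scale; for an individual, the equivalent is hovering over a link to read the real destination and looking at the reply address rather than the display name. Neither check proves a message is safe, which is why the article's advice to verify with the sender by phone still applies.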

Reducing Cyber Risk At The Ground Floor: Simple Steps To Protect You and Your Business.

It is with this in mind that we stress the importance of returning to the ‘basics of cybersecurity’.  These seemingly minor safeguards can make the difference between a curtain of security for your business and becoming a victim of cybercrime.  Below we highlight some simple steps you can implement immediately to reduce your likelihood of cyber exposure:

  • Verify then trust:
    • Individuals should consistently operate with a ‘Verify then Trust’ mindset when connected to the internet. Whether you are checking email or reading an article, you should perform effective due diligence in researching what’s in front of you before trusting its accuracy.  For example, if you receive a message and it seems suspicious, take a second to pick up the phone and call the sender to verify.  A second spent on a follow-up call could prevent hours or days of future headaches for you and your business. 
  • If it’s too good to be true, it probably is!
    • Most of us have seen the show ‘Who Wants to Be a Millionaire’. After all, who wouldn’t want free money?  Emails promising that you are the next heir to a fortune, better known as get-rich-quick schemes, almost never pan out.  As such, if someone promises you something too good to be true, trust your gut: it probably is.  In keeping with this theme, never provide any sensitive information about you, your finances, or your business dealings over unsecured email, especially to someone you don’t know.
  • Password security
    • Long passwords are hard to create and even easier to forget; we get it! As a result, we recommend using a trusted ‘password vault’ or ‘password manager’.  While we remain vendor agnostic, some product considerations may include LastPass and 1Password.  These tools allow you to create, store and protect sensitive information, including passwords, and safeguard that information behind one long password.  As always, any password should be:
      • At least 8 characters, and preferably 12: the longer the better. Cybercriminals hate guessing games.
      • Never written down. While your office manager may be trustworthy, we don’t truly know who everyone inside their office is.
      • Backed by Multi-Factor Authentication (or MFA) whenever possible. From bank accounts to email logins, this safeguard provides layered protection if your password is indeed compromised.  With MFA enabled, criminals now need to know both your password and your multi-factor ‘token’ or ‘number’ (which typically rotates once every 30 seconds).
  • Avoiding unsecured wireless networks
    • When connecting to Wi-Fi, ensure that a password is required to connect. Secured networks, typically displayed with a lock symbol, reduce the likelihood that unauthorized individuals can gain valuable information regarding your online activity.  Security on these types of networks applies a certain level of masking, or ‘encryption’, to your internet browsing. 
  • Utilize a VPN when performing sensitive transactions
    • Under no circumstances should any individual conduct sensitive transactions, such as online banking, over a public network alone. To perform such online activities, users should instead utilize a VPN service, such as NordVPN or PIA, while on any public network (including secured networks).  A VPN allows for greater privacy, in most cases, through the application of enhanced encryption techniques.
  • Don’t click untrusted links or attachments
    • If you come across a suspicious message (email or text), don’t click any link or open any attachment. Instead, verify the message contents either with the sender directly or by contacting your IT support staff (when applicable). 
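The rotating ‘number’ described under the MFA bullet is, in most authenticator apps, a time-based one-time password (TOTP, RFC 6238) built on HMAC-based one-time passwords (HOTP, RFC 4226). The following implementation is an added example, not code from the article or from any vendor named in it, and shows why the code changes every 30 seconds and why knowing the password alone is not enough: the code is derived from a shared secret and the current 30-second window. The secret used is the published RFC 6238 test secret, and the function names and the one-step drift window in the verifier are assumptions of this example.

```python
"""Time-based one-time passwords (RFC 6238) on top of HOTP (RFC 4226).

Added example; the secret below is the RFC 6238 reference test secret.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), shown here
# both as raw bytes and in the base32 form authenticator apps are usually given.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(text):
    """Decode a base32 secret as printed in an enrolment QR code (padding optional)."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte counter, dynamic truncation, then modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238: the HOTP counter is the number of whole time steps since the Unix epoch,
    so every client and server that share the secret and a clock produce the same code."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time=None, step=30, digits=6, window=1):
    """Server-side check: accept the current window plus `window` steps either side
    to tolerate clock drift, comparing in constant time to avoid leaking a partial match."""
    if at_time is None:
        at_time = int(time.time())
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
        for delta in range(-window, window + 1)
    )


def rotation_demo():
    """Codes for two moments 30 seconds apart differ; a code from the previous
    window is still accepted by the verifier, one from two windows back is not."""
    first, second = totp(RFC_SECRET, 59), totp(RFC_SECRET, 89)
    return {
        "first": first,
        "second": second,
        "changed": first != second,
        "previous_window_accepted": verify_totp(RFC_SECRET, first, at_time=89),
        "two_windows_back_rejected": not verify_totp(RFC_SECRET, first, at_time=119),
    }


if __name__ == "__main__":
    print("secret decodes correctly:", decode_base32_secret(RFC_SECRET_BASE32) == RFC_SECRET)
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))
    print(rotation_demo())
```

The expected values come from the RFC 6238 test table, which is the cheapest way to confirm an implementation before trusting it. Note that the shared secret is the whole security of the scheme: it must be stored as carefully as a password hash, and a code typed into a phishing page is just as usable by the attacker within its 30-second window, so MFA complements the verification habits above rather than replacing them.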

The Valor Team looks forward to providing additional cyber tips to keep both you and your business secure now and in the future. Stay tuned!

*For more tips and tricks to remain cyber informed, please visit our additional Valor Insights at https://valor-cybersecurity.com/insights/