This Spooktober, beware the cybercriminal…

The arrival of October has everyone preparing for ghosts and goblins at their door, but there are scarier things from which you need to protect your organization: cybercriminals.  These bad actors continue to evolve their tactics to infiltrate systems and extract data, money, or both.

Malware as a Service

As previously reported, there has been a significant increase in the use of Malware as a Service (MaaS) – where bad actors sell their toolsets as a subscription service so even more perpetrators can launch attacks on organizations.  Sadly, public entities are a prime target of these efforts.

Multi-Factor Authentication & Virtual Private Networks

One of the more recent trends is for bad actors to target systems that are not using Multi-Factor Authentication (MFA) in order to steal user credentials.  Virtual Private Network (VPN) systems are a significant target, as they can allow the bad actor to steal credentials that allow remote access to systems.  One example is Cisco’s VPN, which was a recent target of these attacks.  While MFA does not protect against all types of intrusion, it is an excellent method to mitigate many attack vectors – particularly against VPNs.

VRSA recommends the following best practices to help protect your VPN system:

  • Enforce MFA for all VPN users.
    • For added security, consider MFA that uses an application (such as Microsoft Authenticator, Google Authenticator, or Duo Mobile) rather than SMS text messages.
  • Configure account lockout policies for failed login attempts for VPN and on-premises connections.
  • Enable logging on VPNs and regularly review logs for suspicious login attempts.
  • Disable default accounts that are not used by your organization or change default passwords on accounts you do use.
  • Review and validate access policies to ensure the correct users are granted VPN login rights and with the minimum access necessary to perform their jobs.
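The log review recommended above can be partly automated. The following Python sketch is an added example, not VRSA tooling: it assumes a hypothetical key=value log format, constructed sample lines, and an assumed list of default account names, and it flags accounts that reach a failed-login threshold, sources failing against many different accounts, attempts on default accounts, and successful logins without MFA.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a hypothetical key=value format; real VPN logs differ.
SAMPLE_LOG = """\
2023-10-02T08:15:01Z user=jsmith src=198.51.100.10 result=OK mfa=app
2023-10-02T09:01:11Z user=admin src=203.0.113.7 result=FAIL mfa=none
2023-10-02T09:01:14Z user=jsmith src=203.0.113.7 result=FAIL mfa=none
2023-10-02T09:01:17Z user=mlee src=203.0.113.7 result=FAIL mfa=none
2023-10-02T09:20:40Z user=rpatel src=198.51.100.22 result=FAIL mfa=none
2023-10-02T09:20:52Z user=rpatel src=198.51.100.22 result=FAIL mfa=none
2023-10-02T09:21:05Z user=rpatel src=198.51.100.22 result=FAIL mfa=none
2023-10-02T10:02:33Z user=kwong src=192.0.2.44 result=OK mfa=none
this line is malformed and is counted, not parsed
""".splitlines()

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
                  r"result=(?P<result>OK|FAIL) mfa=(?P<mfa>\S+)$")
DEFAULT_ACCOUNTS = {"admin", "guest", "test"}  # assumed list; use your device's defaults

def review(lines, fail_threshold=3, spray_threshold=3):
    fails_by_user = Counter()          # failed attempts per account
    users_by_src = defaultdict(set)    # distinct accounts each source failed against
    findings = {"lockout_candidates": [], "spray_sources": [],
                "default_account_attempts": [], "success_without_mfa": [],
                "unparsed": 0}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            findings["unparsed"] += 1  # surface gaps in logging, do not hide them
            continue
        user, src = m["user"].lower(), m["src"]
        if user in DEFAULT_ACCOUNTS:
            findings["default_account_attempts"].append((m["ts"], user, src))
        if m["result"] == "FAIL":
            fails_by_user[user] += 1
            users_by_src[src].add(user)
        elif m["mfa"] == "none":
            findings["success_without_mfa"].append((m["ts"], user, src))
    findings["lockout_candidates"] = sorted(
        u for u, n in fails_by_user.items() if n >= fail_threshold)
    findings["spray_sources"] = sorted(
        s for s, users in users_by_src.items() if len(users) >= spray_threshold)
    return findings

if __name__ == "__main__":
    for name, value in review(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The thresholds are illustrative and should match your organization's lockout policy; the regular expression must be adapted to the log format your VPN actually produces.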

Social Engineering

Using social engineering to gain access to systems is another growing technique for bad actors to steal credentials.

MGM’s systems in Las Vegas were compromised when attackers gained information on a user from social media and then used that information to trick the help desk into giving them access.  While this was clearly a failure of the help desk to follow procedures, it also highlights that information shared online becomes public information to be mined and used against organizations.

Users should be reminded to limit what they share on social media – even business networking sites like LinkedIn – to minimize the likelihood of that information being used by bad actors.

Cyber Resources

VRSA has added new papers to our Cyber Resources page, providing additional guidance on best practices to implement Multi-Factor Authentication and protect your organization against Business Email Compromise.

As always, cyber awareness training for end users is the best way to protect your data and systems.  Be sure to check out the free, unlimited training courses available to members at VRSA’s Online University.

As methods evolve to cause disruption or exploit victims, entities should remain vigilant to adapt controls and defenses. We recommend subscribing to updates from the Cybersecurity & Infrastructure Security Agency.