IT services firm Cognizant hit with Maze ransomware

Cognizant, a multibillion-dollar IT services company with clients in the banking and oil and gas industries, said Saturday its computer systems had been disrupted by Maze ransomware, a strain of malicious code that has been used in cyberattacks in the U.S. and Europe in recent months.

“Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident,” the New Jersey-based company said in a statement. “Cognizant has also engaged with the appropriate law enforcement authorities.”

A Fortune 500 company with over a quarter of a million employees worldwide, Cognizant possesses a wealth of data that would make it a target of hackers. Cognizant’s software and consulting services are used by major pharmaceutical firms and restaurant chains, according to its website.

Earlier this week, the company had notified clients of the incident and shared “indicators of compromise” — forensic data such as IP addresses and malicious files — so that they could defend against the malicious activity. The attack caused “service disruptions for some of our clients,” the company said.

“The integrity and availability of our systems are of paramount importance to Cognizant and we are working diligently to minimize any disruptions,” a company spokesperson told earlier on Saturday.

One of the malware samples that Cognizant shared with clients is detected by multiple anti-virus products as Maze ransomware. Hackers affiliated with Maze reportedly denied involvement in the attack to Bleeping Computer, but the forensic data suggests that Maze infrastructure was used in the attack. Nearly all of the malicious IP addresses reported by Cognizant have been previously used by hackers to deploy the Maze ransomware, according to advisories from the Department of Homeland Security and the FBI.
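Indicator sharing of the kind described above only helps if clients actually run the shared indicators against their own telemetry. The script below is an added example (not Cognizant's, CyberScoop's or any vendor's code) of that check: it validates a small indicator set, then looks for the indicator IPs in firewall log lines and for the indicator hashes among file contents. The IP addresses, the hash, the log lines and the file contents are all constructed placeholders.

```python
"""Match shared indicators of compromise (IoCs) against local telemetry.

Everything below is constructed for illustration: the IP addresses come from
the TEST-NET ranges, the "malicious" sample is a made-up byte string and the
log lines are invented. None of it is the indicator set Cognizant shared.
"""
import hashlib
import ipaddress
import re

# --- Indicator package a client would load from the vendor's bulletin (placeholders) ---
IOC_IPS = {"203.0.113.10", "198.51.100.77"}
IOC_SHA256 = {hashlib.sha256(b"constructed-malicious-sample").hexdigest()}

# --- Constructed firewall/proxy export: "<timestamp> <src> <dst> <dst_port> <action>" ---
SAMPLE_LOGS = """\
2020-04-18T10:01:02Z 10.0.0.5 203.0.113.10 443 ALLOW
2020-04-18T10:01:05Z 10.0.0.7 93.184.216.34 443 ALLOW
2020-04-18T10:02:11Z 10.0.0.9 198.51.100.77 445 ALLOW
garbage line that the parser must skip
2020-04-18T10:03:00Z 10.0.0.5 10.0.0.1 53 ALLOW
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<action>\S+)$"
)


def load_ip_iocs(raw_ips):
    """Validate indicator IPs up front, so a typo in the bulletin cannot silently
    become a rule that never matches anything."""
    valid = set()
    for ip in raw_ips:
        ipaddress.ip_address(ip)  # raises ValueError on malformed input
        valid.add(ip)
    return valid


def parse_log_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["src"])
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec


def match_ip_iocs(log_text, ioc_ips=None):
    """Return (timestamp, src, dst, port) for every flow that touches an indicator IP."""
    ioc_ips = load_ip_iocs(IOC_IPS if ioc_ips is None else ioc_ips)
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and (rec["src"] in ioc_ips or rec["dst"] in ioc_ips):
            hits.append((rec["ts"], rec["src"], rec["dst"], int(rec["port"])))
    return hits


def match_hash_iocs(files, ioc_hashes=IOC_SHA256):
    """files maps a path to its bytes (a stand-in for reading from disk).
    Returns the paths whose SHA-256 appears in the indicator set."""
    return sorted(
        path for path, data in files.items()
        if hashlib.sha256(data).hexdigest() in ioc_hashes
    )


if __name__ == "__main__":
    for hit in match_ip_iocs(SAMPLE_LOGS):
        print("IoC IP match:", hit)
    sample_files = {"C:/Users/victim/Downloads/update.exe": b"constructed-malicious-sample",
                    "C:/Users/victim/notes.txt": b"benign"}
    print("IoC hash match:", match_hash_iocs(sample_files))
```

In practice the indicator sets come from the bulletin and the log text from the proxy or firewall export. The parser rejects malformed lines rather than guessing at them, so a damaged export cannot hide a match inside noise; an IP hit identifies the internal host to isolate, and a hash hit on a user profile is the file to pull for triage.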

The hackers behind Maze gained notoriety last year by stealing sensitive data from victims, encrypting it, and threatening to publish the information if they aren’t paid a ransom, leading the FBI to privately warn U.S. companies about the threat in December. A spate of attacks has continued since then.

The cyberattack on Cognizant is the latest sign that ransomware gangs are not holding off on targeting companies amid the novel coronavirus pandemic.

Reference: CyberScoop

COVID-Themed Phishing Messages Fill Phishing Filters on Gmail

In the past week, Google says it identified more than 18 million daily phishing messages featuring coronavirus themes.

When you block 100 million phishing email messages every day, you get plenty of data to see trends. Google has seen a big one in recent weeks: Nearly one-fifth of all phishing email messages identified on the Gmail platform now feature coronavirus or COVID-19 as part of their content.

According to Google, last week saw roughly 18 million email messages rejected per day because they were identified as phishing messages preying on fears around the coronavirus pandemic. Typical messages used fear or financial incentives to create a sense of urgency in the recipient and claimed to be from authoritative government agencies or credible NGOs.

Phishing messages frequently ask the recipient to download a file containing a form to be filled out (along with, all too frequently, a malware payload) or to visit a malicious website to fill out a form before a government subsidy or other payment can be delivered.

The 18 million COVID-19-related phishing messages were, according to Google, in addition to more than 240 million coronavirus-themed spam messages sent to Gmail accounts every day.

10 Ways to Avoid Phishing Scams

1. Keep Informed About Phishing Techniques – New phishing scams are being developed all the time. Without staying on top of these new phishing techniques, you could inadvertently fall prey to one. Keep your eyes peeled for news about new phishing scams. By finding out about them as early as possible, you will be at a much lower risk of getting snared by one. For IT administrators, ongoing security awareness training and simulated phishing for all users is highly recommended in keeping security top of mind throughout the organization.

2. Think Before You Click! – It’s fine to click on links when you’re on trusted sites. Clicking on links that appear in random emails and instant messages, however, isn’t such a smart move. Hover over links that you are unsure of before clicking on them. Do they lead where they are supposed to lead? A phishing email may claim to be from a legitimate company and when you click the link to the website, it may look exactly like the real website. The email may ask you to fill in the information but the email may not contain your name. When in doubt, go directly to the source rather than clicking a potentially dangerous link.

3. Install an Anti-Phishing Toolbar – Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This is just one more layer of protection against phishing scams, and it is completely free.

4. Verify a Site’s Security – It’s natural to be a little wary about supplying sensitive financial information online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Before submitting any information, make sure the site’s URL begins with “https” and that there is a closed lock icon near the address bar. Check the site’s security certificate as well. If you get a message stating that a certain website may contain malicious files, do not open the website. Never download files from suspicious emails or websites. Even search engines may show links that lead users to a phishing webpage offering low-cost products. If the user makes purchases at such a website, the credit card details will be captured by cybercriminals.

5. Check Your Online Accounts Regularly – If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.

6. Keep Your Browser Up to Date – Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.

7. Use Firewalls – High-quality firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option is a type of software, and the second option is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.

8. Be Wary of Pop-Ups – Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.

9. Never Give Out Personal Information – As a general rule, you should never share personal or financially sensitive information over the Internet. This rule spans all the way back to the days of America Online, when users had to be warned constantly due to the success of early phishing scams. When in doubt, go visit the main website of the company in question, get their number and give them a call. Most of the phishing emails will direct you to pages where entries for financial or personal information are required. An Internet user should never make confidential entries through the links provided in the emails. Never send an email with sensitive information to anyone. Make it a habit to check the address of the website. A secure website always starts with “https”.

10. Use Antivirus Software – There are plenty of reasons to use antivirus software. Special signatures that are included with antivirus software guard against known technology workarounds and loopholes. Just be sure to keep your software up to date. New definitions are added all the time because new scams are also being dreamed up all the time. Anti-spyware and firewall settings should be used to prevent phishing attacks and users should update the programs regularly. Firewall protection prevents access to malicious files by blocking the attacks. Antivirus software scans every file which comes through the Internet to your computer. It helps to prevent damage to your system.
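Tips 2 and 4 above (hover over the link, check that it goes where it claims, check that it uses https) can be applied to a whole message at once. The script below is an added example, not from the original article, that extracts every link from an HTML email body and reports the mismatches a careful reader would spot by hand. The email body is constructed, with reserved example/test hostnames and a TEST-NET address, and the registrable-domain helper is deliberately simplified and is this example's own.

```python
"""Check the links in an HTML email the way tips 2 and 4 say to do by hand:
does each link go where its text claims, does it use HTTPS, is it a bare IP?

Added example, not from the original article. The email body is constructed;
the hostnames use reserved example/test names and a TEST-NET address.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """
<p>Your account has been limited. Restore access within 24 hours:</p>
<a href="http://203.0.113.5/login">https://www.example-bank.com/secure</a><br>
<a href="https://example-bank.com.evil.test/login">example-bank.com</a><br>
<a href="https://www.example-bank.com/help">Help centre</a>
"""

# Something that looks like a domain or URL inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels ("www.example-bank.com" -> "example-bank.com"). Deliberately
    crude: no public-suffix list, so two-part TLDs such as .co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_anchor(href, text):
    """Reasons this link deserves suspicion; an empty list means nothing stood out."""
    findings = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme != "https":
        findings.append("not https")
    if _is_ip(host):
        findings.append("raw IP address instead of a domain")
    # If the visible text itself names a domain, it must agree with the real target.
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        findings.append("link text domain differs from target domain")
    if "@" in target.netloc:
        findings.append("credentials embedded in URL")
    return findings


def audit_email(html):
    """Return (href, text, findings) for every link with at least one finding."""
    collector = _AnchorCollector()
    collector.feed(html)
    report = []
    for href, text in collector.anchors:
        findings = check_anchor(href, text)
        if findings:
            report.append((href, text, findings))
    return report


if __name__ == "__main__":
    for href, text, findings in audit_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {', '.join(findings)}")
```

The third link in the sample passes every check, which is the point of tip 2's "when in doubt, go directly to the source": the checker can only tell you that a link is inconsistent, not that a consistent one is safe.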

What Can a Hacker Do with Stolen WiFi Credentials?

Recently HTC acknowledged a vulnerability that can expose a user’s WiFi credentials, including the WiFi SSID and security passwords, to a malicious app running on some of its Android phones. The vulnerability was discovered by the security architects Chris Hessing and Bret Jordan, and is also published on the US-CERT website.

The vulnerability is due to an issue in certain Android models that allows an Android application with basic permissions (particularly ‘android.permission.ACCESS_WIFI_STATE’) to access all the stored WiFi credentials, including the respective SSIDs, user names and security passwords, belonging to various WPA/WPA2-PSK and 802.1x based Wi-Fi networks. On top of this, if an application also has internet permission (‘android.permission.INTERNET’), it can transfer the accessed list of WiFi credentials to a remote server.
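One way to spot the permission pairing the advisory describes before an app is installed is to audit its manifest for permissions that read something sensitive alongside permissions that can send it off the device. The script below is an added example, not HTC's or US-CERT's code: it parses a constructed AndroidManifest.xml for a hypothetical flashlight app and flags ACCESS_WIFI_STATE combined with INTERNET. The rule table is this example's own and is meant to be extended.

```python
"""Flag permission combinations in an Android manifest that let an app both
read something sensitive and ship it off the device, the pairing the HTC
advisory above turns on (ACCESS_WIFI_STATE plus INTERNET).

Added example. The two manifests are invented for a hypothetical "flashlight"
app; the rule table is this example's own, not HTC's or Google's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""

OFFLINE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>
"""

# Permissions that read data worth protecting, with a note on what they expose.
READ_PERMISSIONS = {
    "android.permission.ACCESS_WIFI_STATE":
        "Wi-Fi state incl. SSIDs (and, on the affected HTC builds, stored Wi-Fi credentials)",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "text messages",
}
# Permissions that give the app a channel to a remote party.
EXFIL_PERMISSIONS = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def declared_permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def risky_combinations(permissions):
    """Sorted (read_permission, exfil_permission, what_it_exposes) triples present together."""
    hits = []
    for read_perm in sorted(permissions & set(READ_PERMISSIONS)):
        for exfil_perm in sorted(permissions & EXFIL_PERMISSIONS):
            hits.append((read_perm, exfil_perm, READ_PERMISSIONS[read_perm]))
    return hits


def audit_manifest(manifest_xml):
    return risky_combinations(declared_permissions(manifest_xml))


if __name__ == "__main__":
    for read_perm, exfil_perm, why in audit_manifest(SUSPICIOUS_MANIFEST):
        print(f"{read_perm} + {exfil_perm}: can read {why} and send it out")
    print("offline manifest findings:", audit_manifest(OFFLINE_MANIFEST))
```

The offline manifest still asks for ACCESS_WIFI_STATE, which a flashlight app has no business needing; the combination check is the mechanical part, and judging whether each permission fits the app's stated purpose is the part the user still has to do.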

Exposing the list of WiFi credentials to an unintended party or person without the user’s knowledge can have serious security implications if the former has malicious intent. Some of these include:

Unauthorized access to private WiFi networks: Having gained the list of WiFi credentials from a user’s mobile device, the simplest thing a hacker can do is intrude into the corresponding private WiFi networks. The private network can be a home, campus or corporate WiFi network. The intrusion allows a hacker to carry out a host of malicious activities on the network, such as installing malware and scanning the network for confidential information or security vulnerabilities. Many corporates are adopting BYOD (Bring Your Own Device) initiatives nowadays, giving employees’ personal mobile devices access to corporate WiFi. But since personal devices lack strict corporate controls, vulnerabilities similar to this recently discovered one can be a serious security threat for corporates adopting BYOD schemes. All WiFi networks requiring a security passphrase (in the case of WPA/WPA2-PSK) or a combination of username and password (in the case of WPA/WPA2-802.1x) can suffer intrusion through exploitation of the discovered vulnerability. In contrast, WiFi networks requiring digital certificates or SIM-based authentication (in the case of WPA/WPA2-802.1x) are potentially safe from intrusion attacks launched via exploitation of the vulnerability.

Eavesdropping/session hijacking on secured WiFi networks: Losing the WiFi credentials of a WPA/WPA2-PSK network can be more damaging than losing those of a WPA/WPA2-802.1x network, because in the former all the WiFi clients of a particular network share a common security passphrase. Therefore, an attacker who has gained the SSID and security passphrase through the discovered vulnerability can sniff all the private encrypted WiFi communications happening over the associated WiFi network (using easily available hardware and software) and decode them afterwards, or in real time, using the available credentials. With the decoded traffic potentially revealing browser cookies, a hacker can also hijack an authorized user’s web session. WPA/WPA2-PSK networks are popular among home and SOHO users, and therefore users’ online traffic, even though encrypted, is susceptible to eavesdropping and session hijacking once a hacker has illegally gained the necessary credentials by exploiting the discovered vulnerability.

Man-in-the-middle attack on WiFi users: Losing the WiFi credentials also enables a hacker to launch a man-in-the-middle attack on the connected users of the affected WiFi network. The attack can potentially hurt users through leakage of confidential data or malware implantation. Although WPA/WPA2-PSK networks are more susceptible to man-in-the-middle attacks, by exploiting the Hole196 vulnerability one can carry out this attack on WPA/WPA2-802.1x networks too.

Potential loss of personal information: People often use WiFi hotspots for broadband access on their devices while they work, travel or visit various public places. Many WiFi hotspots carry the identity of their location in their SSID, so losing the WiFi credentials, including the SSID details, can also reveal a lot of information about a user to third parties, such as company name, places travelled to, etc. Such personal details can motivate crimes such as stalking.

Looking at the damage that losing the list of WiFi credentials can do, the vulnerability discovery is very important from the user’s security perspective, considering the growing usage of Android-based mobile devices and WiFi networks across the world. Moreover, considering the open nature of the Android market, malware exploiting the vulnerability can easily be developed and targeted toward the users of affected devices, posing a greater security concern for them. A fix for the vulnerability is already available, and HTC has said that many phones have received the fix through regular updates, but some users may need to manually update their phones.

Hopefully, acknowledging the list of potential damages of the discovered vulnerability, mobile device users would be a bit more careful while selecting and installing an app on their device.

Almost Half A Million Delhi Citizens’ Personal Data Exposed Online

A security researcher has identified an unsecured server that was leaking the detailed personal details of nearly half a million Indian citizens… thanks to another MongoDB database instance that the company left unprotected on the Internet, accessible to anyone without a password.

In a report shared with The Hacker News, Bob Diachenko disclosed that two days ago he found a 4.1 GB-sized highly sensitive database online, named “GNCTD,” containing information collected on 458,388 individuals located in Delhi, including their Aadhaar numbers and voter ID numbers.

Though it’s not clear if the exposed database is linked to the Government of National Capital Territory of Delhi (GNCTD), Diachenko found that the database contains references and email addresses with “” domain for users registered with “senior supervisor,” and “super admin” designations.

Based upon the information available on Transerve Technologies’ website, it is a Goa-based company that specializes in smart city solutions and advanced data collection technology.

The company’s data collector, precision mapping and location intelligence tools help businesses across various sectors and government agencies use geolocation data to make smart decisions.

The leaked database contains the following tables:

  • EB Users (14,861 records)
  • Households (102,863 records)
  • Individuals (458,388 records)
  • Registered Users (399 records)
  • Users (2,983 records)

According to Diachenko’s analysis, one of the database tables, containing registered users, includes email addresses, hashed passwords and usernames for administrator access.


“The most detailed information contained in ‘Individuals’ collection which was basically a pretty detailed portrait of a person, incl. health conditions, education, etc.,” Diachenko said.

“Households collection contained fields such as ‘name’, ‘house no’, ‘floor number’, ‘geolocation’, area details, ’email_ID’ of a supervisor, ‘is the household cooperating for survey’ field, ‘type of latrine’, ‘functional water meter’, ‘ration card number’, ‘internet facility available’ and even ‘informan name’ field.”

“It remains unknown just how long database was online and if anyone else accessed it,” Diachenko said.

When Transerve didn’t respond to the responsible disclosure sent via email, Diachenko contacted Indian CERT, which further coordinated with the company to take its exposed database offline immediately.

“The danger of having an exposed MongoDB or similar NoSQL databases is a huge risk. We have previously reported that the lack of authentication allowed the installation of malware or ransomware on thousands of MongoDB servers,” Diachenko said.

“The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.”

This isn’t the first time MongoDB instances have been found exposed to the Internet. In recent years, we have published several reports where unprotected database servers have exposed billions of records.

None of this is MongoDB’s fault, as administrators are always advised to follow the security checklist provided by the MongoDB maintainers.
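The two settings behind an exposure like the one above are almost always a mongod that listens on every interface and has authorization switched off. The script below is an added example, not from Diachenko's report or the MongoDB checklist: it audits a mongod.conf for exactly those two settings, with a constructed exposed configuration next to a hardened one. Both configuration texts are invented, and the parser only handles the flat section/key layout that mongod.conf uses, not YAML in general.

```python
"""Audit a mongod.conf for the two settings behind most "open MongoDB" leaks:
listening on every interface and running without authorization.

Added example. Both configuration texts are invented, and the parser handles
only the flat "section:" / "  key: value" layout used by mongod.conf.
"""

EXPOSED_CONF = """\
# constructed: the pattern behind an internet-facing, password-less instance
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
# constructed: loopback plus one internal interface, authorization on
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.5.12
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""


def parse_mongod_conf(text):
    """Flatten 'section:' / '  key: value' lines into {'section.key': 'value'}."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indented = line[0] in " \t"
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not indented:
            section = key
            if value:
                settings[key] = value
        elif section is not None:
            settings[f"{section}.{key}"] = value
    return settings


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    s = parse_mongod_conf(text)
    findings = []
    bind = s.get("net.bindIp")
    if s.get("net.bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind is None:
        # MongoDB 3.6 and later default to localhost; older builds listened everywhere.
        findings.append("net.bindIp not set: relies on the version default")
    elif any(ip.strip() in ("0.0.0.0", "::") for ip in bind.split(",")):
        findings.append("net.bindIp includes a wildcard address: mongod listens on every interface")
    if s.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: no credentials required")
    return findings


if __name__ == "__main__":
    print("exposed :", audit_mongod_conf(EXPOSED_CONF))
    print("hardened:", audit_mongod_conf(HARDENED_CONF))
```

Turning on authorization is only half of the hardened configuration: with no user created beforehand, mongod's localhost exception still lets the first connection from the local machine create the admin user, so the bindIp restriction is what keeps that first step off the public Internet.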

Adobe Re-Patches Critical Acrobat Reader Flaw

Adobe has issued yet another patch for a critical vulnerability in its Acrobat Reader – a week after the original fix.

A week after Adobe fixed a critical zero-day vulnerability in its Acrobat Reader, the company issued another patch after a researcher dug up a way to bypass the original fix.

This previous vulnerability (CVE-2019-7089) was fixed in Adobe’s regularly scheduled security update last week. But Adobe said that its recent patch for the sensitive data leakage vulnerability, which could enable information disclosure, had a hole.

“Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS,” said Adobe in its unscheduled Thursday update. “These updates address a reported bypass to the fix for CVE-2019-7089 first introduced in 2019.010.20091, 2017.011.30120 and 2015.006.30475 and released on February 12, 2019.”

The zero-day vulnerability in Adobe Reader, disclosed by Alex Infuhr from cure53 in a Jan. 26 post, enabled bad actors to steal victims’ hashed password values, known as “NTLM hashes.”

The vulnerability allowed a PDF document to automatically send a server message block (SMB) request to an attacker’s server as soon as the document is opened. SMB protocols enable an application or user of an application to access files on a remote server. Embedded in these SMB requests are NTLM hashes (NTLM is short for NT LAN Manager).

The critical vulnerability was temporarily patched last week by 0patch before Adobe issued its official patch. “This vulnerability… allows a remote attacker to steal user’s NTLM hash included in the SMB request,” said Mitja Kolsek with 0patch in a Monday post. “It also allows a document to ‘phone home’, i.e., to let the sender know that the user has viewed the document. Obviously, neither of these is desirable.”

And while Adobe patched the flaw last week, a bypass for the fix, tracked by CVE-2019-7815, exists and can ultimately lead to information disclosure: “Successful exploitation could lead to sensitive information disclosure in the context of the current user,” according to Adobe’s update.
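On the detection side, the behaviour behind this bug is visible in endpoint network telemetry: a document reader should never be the process opening an SMB connection, least of all to an address outside the organisation. The script below is an added example, not Adobe's, cure53's or 0patch's code, that applies that rule to constructed records shaped like Sysmon Event ID 3 (network connection) JSON exports. The process paths, addresses (TEST-NET and RFC 1918 placeholders) and ports are invented, and the severity rule is this example's own.

```python
"""Spot a document reader opening an SMB connection, the behaviour behind the
Acrobat Reader NTLM-hash leak, in endpoint network telemetry.

Added example. The records mimic the fields of Sysmon Event ID 3 (network
connection) after JSON export but are invented; the destination addresses are
TEST-NET and RFC 1918 placeholders.
"""
import ipaddress
import json
import ntpath

SAMPLE_EVENTS = r"""
{"EventId": 3, "Image": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe", "DestinationIp": "203.0.113.25", "DestinationPort": 445, "Initiated": true}
{"EventId": 3, "Image": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe", "DestinationIp": "10.0.0.8", "DestinationPort": 445, "Initiated": true}
{"EventId": 3, "Image": "C:\\Windows\\explorer.exe", "DestinationIp": "10.0.0.8", "DestinationPort": 445, "Initiated": true}
{"EventId": 3, "Image": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe", "DestinationIp": "93.184.216.34", "DestinationPort": 443, "Initiated": true}
{"EventId": 1, "Image": "C:\\Windows\\explorer.exe"}
"""

SMB_PORTS = {445, 139}
DOCUMENT_READERS = {"acrord32.exe", "acrobat.exe"}  # extend for other readers in the estate

# Explicit internal ranges rather than ipaddress.is_private, which also counts
# the TEST-NET documentation ranges used in this sample as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def classify_event(event):
    """(image name, destination, port, severity), or None if there is nothing to report."""
    if event.get("EventId") != 3 or not event.get("Initiated", False):
        return None
    image = ntpath.basename(event.get("Image", ""))
    port = event.get("DestinationPort")
    if image.lower() not in DOCUMENT_READERS or port not in SMB_PORTS:
        return None
    dst = ipaddress.ip_address(event["DestinationIp"])
    # SMB from a reader to an outside address is the hash-leak pattern itself;
    # to an internal address it is still unusual enough to review.
    severity = "medium" if is_internal(dst) else "high"
    return (image, str(dst), port, severity)


def detect_reader_smb(jsonl_text):
    """Run classify_event over JSON-lines telemetry and return the alerts in order."""
    alerts = []
    for line in jsonl_text.splitlines():
        if line.strip():
            result = classify_event(json.loads(line))
            if result:
                alerts.append(result)
    return alerts


if __name__ == "__main__":
    for image, dst, port, severity in detect_reader_smb(SAMPLE_EVENTS):
        print(f"[{severity}] {image} -> {dst}:{port}")
```

The high-severity case is the one patching addresses; the preventive control that does not depend on the reader's version is blocking outbound TCP 445 and 139 at the network edge, so that a document which does trigger the request cannot carry the hash off the network.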

Impacted are versions of Adobe Acrobat and Reader for Windows and macOS – specifically, Acrobat DC and Acrobat Reader DC continuous, versions 2019.010.20091 and earlier; Acrobat 2017 and Acrobat Reader 2017 Classic, versions 2017.011.30120 and earlier; and Acrobat DC and Acrobat Reader DC Classic 2015, versions 2015.006.30475 and earlier.

The update received a “priority 2” rating, meaning that it resolves vulnerabilities in a product that has historically been at elevated risk – but that there are currently no known exploits.

Infuhr, who discovered the proof of concept for the original vulnerability, was also credited with reporting the issue.

19-Year-Old WinRAR Flaw Plagues 500 Million Users

Users of the popular file-compression tool are urged to immediately update after a serious code-execution flaw was found in WinRAR. 

Popular Windows data compression tool WinRAR has patched a serious 19-year-old security flaw that was discovered on its platform, potentially impacting 500 million users.

The path-traversal vulnerability, which WinRAR fixed in January, could allow bad actors to remotely execute malicious code on victims’ machines – simply by persuading them to open a file, researchers with Check Point Software said on Wednesday.

“We found a logical bug using the WinAFL fuzzer and exploited it in WinRAR to gain full control over a victim’s computer,” said Nadav Grossman with Check Point in the analysis. “The exploit works by just extracting an archive, and puts over 500 million users at risk. This vulnerability has existed for over 19 years(!) and forced WinRAR to completely drop support for the vulnerable format.”

WinRAR is a popular file-archiving utility for Windows, which can create and allow viewing of archives in Roshal Archive Compressed (RAR) or ZIP file formats, and unpack numerous archive file formats.

Researchers specifically found a path-traversal vulnerability in unacev2.dll, a third-party dynamic link library in WinRAR used for parsing ACE (a data compression archive file format) archives.

A path-traversal attack allows attackers to access directories that they should not be accessing, such as config files or other files containing server data that is not intended for the public.

When taking a closer look at unacev2.dll, researchers found that “it’s an old dated dll compiled in 2006 without a protection mechanism. In the end, it turned out that we didn’t even need to bypass them,” said Grossman.

Due to the lack of protections in, and support for, unacev2.dll, researchers were able to simply rename an ACE file and give it a RAR extension. When opened by WinRAR, the fake ACE file containing a malicious program is extracted to the system’s startup folder – so the program would automatically begin running when the system starts.

Ultimately, if a bad actor used spear-phishing tactics to send an unknowing victim a disguised ACE file, and the victim opened the file in WinRAR, the file would automatically extract in the victim’s startup folder and malware could then be quickly planted on the system.

The PoC makes use of a chain of vulnerabilities (CVE-2018-20250, CVE-2018-20251, CVE-2018-20252, CVE-2018-20253).
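The extraction-side lesson of this bug is a path-traversal check that the archive library was not applying: a member name inside the archive must never decide where on disk the file lands. The function below is an added example, not Check Point's or WinRAR's code, of the validation an extractor should apply to every member name before writing anything. The member names are constructed (including the kind of absolute startup-folder path the article describes) and the destination directory is a placeholder.

```python
"""Reject archive member names that would write outside the extraction
directory: the path-traversal class of bug the unacev2.dll findings fall in.

Added example, not Check Point's or WinRAR's code. The member names are
constructed and the destination directory is a placeholder.
"""
import ntpath
import os


def safe_extract_path(dest_dir, member_name):
    """Absolute path where `member_name` may be written, or None if it must be refused."""
    if not member_name:
        return None
    # Archives carry either separator; normalise to "/" before looking at the parts.
    normalised = member_name.replace("\\", "/")
    # Absolute paths, drive-letter paths ("C:...") and UNC paths ("//host/share")
    # all name a location chosen by the archive author, not by the extractor.
    if normalised.startswith("/") or ntpath.splitdrive(normalised)[0]:
        return None
    parts = [p for p in normalised.split("/") if p not in ("", ".")]
    # Any ".." component is refused outright rather than "resolved": a name such
    # as "sub/../../x" must not be allowed to climb out of dest_dir.
    if ".." in parts:
        return None
    dest_abs = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest_abs, *parts))
    # Belt and braces: after normalisation the target must still sit under dest_dir.
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        return None
    return target


def plan_extraction(dest_dir, member_names):
    """Split member names into (accepted, rejected). Accepted names are returned
    relative to dest_dir with "/" separators so the result is platform independent."""
    accepted, rejected = [], []
    dest_abs = os.path.abspath(dest_dir)
    for name in member_names:
        target = safe_extract_path(dest_dir, name)
        if target is None:
            rejected.append(name)
        else:
            rel = os.path.relpath(target, dest_abs)
            accepted.append(rel.replace(os.sep, "/"))
    return accepted, rejected


# Constructed member names: two legitimate ones, then the shapes an extractor must refuse.
CONSTRUCTED_MEMBERS = [
    "docs/readme.txt",
    "sub/./notes.txt",
    "../../evil.exe",
    "sub\\..\\..\\evil.exe",
    "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\evil.exe",
    "\\\\host\\share\\evil.exe",
    "/etc/cron.d/evil",
]

if __name__ == "__main__":
    accepted, rejected = plan_extraction("/tmp/extract-placeholder", CONSTRUCTED_MEMBERS)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Refusing rather than rewriting is deliberate: an extractor that "fixes" a hostile name by stripping the leading components still ends up writing a file the archive author chose, and the user has no way to see that anything was off.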

After researchers informed WinRAR of the issue, the vulnerability was patched in a new version of the software, 5.70 beta 1, on Jan. 28.

A WinRAR spokesperson told Threatpost: “We have removed support for the ACE file format from WinRAR in the new Beta version 5.70.”

On an update on its website, WinRAR said: “WinRAR used this third-party library to unpack ACE archives. unacev2.dll had not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect security of WinRAR users.”

File-compression flaws have piqued the interest of exploit vendors such as Zerodium, who earlier last year offered up $10,000 for zero-day vulnerabilities in WinRAR and other compression platforms.

Are SMBs unprepared for cyber extortion?

In the past decade over 50 million micro, small and medium enterprises (MSMEs) have been formed in India. These MSME firms fuel the economy and contribute to economic growth. They are also a ripe target for cyber attackers, as more of them are connected to the internet than ever before, yet their cyber security capabilities are more limited than those of businesses elsewhere.

Many MSMEs lack the technology, knowledge, and expertise required to deal with even relatively modest cyber security threats. One threat stands out above the rest: ransomware. In recent days, ransomware attacks have become common, and once infected, companies (especially MSMEs) are brought to their knees. These ransomware attacks affect MSMEs more than larger enterprises, simply because larger enterprises are generally better equipped to handle such unforeseen events than MSMEs are.

Who is at risk? The short answer: Everyone with a computer on the internet. Ransomware attackers often target essential and highly sensitive information from a wide range of data-centric businesses and industries including health care, law firms, KPO, BFSI and energy organizations.

Ransomware often infects its victims via the web or email. Web-based attacks tend to use drive-by exploits that target browser, platform or system vulnerabilities, or rely on malicious URLs that may redirect users to sites that host exploit kits. Email-based ransomware is generally used in targeted attacks, and relies on a variety of methods including phishing, spear phishing, malicious attachments, and URLs.

Online virtual currencies such as Bitcoin are the preferred methods of payment because they are not easily traceable. Yet paying the ransom offers no guarantee that the files will be unlocked, leading to loss of both data and money.

Traditional security solutions rely on static analysis and signatures to detect and block known threats. Ransomware attackers can easily bypass those defences. To reduce the chance of a ransomware attack succeeding, organizations need visibility into their internal system security levels and a strong understanding of the attackers’ tools, tactics, and procedures:

  • Email security as first line of defence to block ransomware distributed through email attachments and embedded malicious links.
  • Network security solutions such as advanced endpoint technology can identify an attack in progress and block further damage.
  • Backup strategies should be tested and evaluated regularly to ensure recovery is successful.
  • Copies of backups should be stored offsite in case onsite backups are targeted.

Disruptive attacks have become a legitimate issue and businesses must plan and prepare accordingly. The best way to prevent a ransomware attack is to have the right set of controls in place – security awareness training for people, stringent security processes and robust technical controls.

Cyber Security on IoT and SCM

Recently the Internet of Things (IoT) has had a pivotal influence on multiple sectors and would lead to the dawn of an unprecedented era of automation, when billions of devices would be connected to the internet and able to share information. This would undoubtedly boost technological innovation and foster path-breaking developments. It is estimated that by 2020 over 24 billion internet-connected devices would be installed.

The supply chain is no exception when every aspect of product development and delivery is being transformed, facilitated, and made more efficient through automation and integrated intelligence.

IoT empowers supply chain and logistics management

IoT technology has been a major differentiator in supply chain and logistics. Whether it is warehouse management, fleet management, delivery or shipment, IoT has made a major impact on this field.

Today, many firms are extending Internet of Things (IoT) devices into their supply chain to improve productivity and customer service. Sensors, communication devices, analytics engines, and decision-making aids are being employed to improve the efficiency of fleet management services, schedule optimization, routing, and reroutes due to adverse conditions. The IoT provides real-time tracking solutions and instant inventory visibility.

Risks in Supply Chain Management

However, as firms use the IoT to expand their reach into the supply chain, they also multiply their attack vectors and the potential loss of proprietary and sensitive data. The information system stores data and passes it between potentially thousands of devices that may have exploitable vulnerabilities; a poorly designed architecture could give hackers the ability to disrupt, destroy, or steal vast and valuable stores of corporate and personal data.

The major security risk associated with the IoT comes from its interaction with physical processes and from content leakage. Specific to the supply chain is the issue of data leakage, where content becomes visible to hackers through malicious or unintended means. With manufacturers building devices to different standards, problems can include a lack of device interoperability, devices interacting unintentionally and even posing a risk to user safety, and devices constructed from cheap or inferior hardware posing a cybersecurity risk by containing malware.

Also, IoT sensors are most susceptible to counterfeiting (fake products embedded with malware or malicious code); data exfiltration (extracting sensitive data from a device via hacking); identity spoofing (an unauthorized source gaining access to a device using the correct credentials); and malicious modification of components (replacement of components with parts modified to generate incorrect results or allow unauthorized access).

Risk Mitigation

Cyber security measures should be considered throughout the lifecycle of an operation—including planning, architecture and design, implementation, testing and migration.

There are several international and national standards documenting cyber security capabilities, policies and practices. Experts recommend these three as essential to creating a good foundation for the development of an IoT/cyber security strategy.

  • International Electrotechnical Commission (IEC) 62443: Industrial Automation & Control Systems Security
  • National Institute of Standards and Technology (NIST) 800-82: Guide to Industrial Control Systems (ICS) Security
  • International Organization for Standardization (ISO) 27002: Information Technology—Security Techniques—Code of Practice for Information Security Controls

WordPress – WooCommerce Security Flaw

Up to 4 million online merchants who use the popular WooCommerce WordPress plugin are vulnerable to a file deletion vulnerability that could allow a rogue “shop manager” to escalate privileges and eventually execute remote code on impacted websites.

Researchers at RIPS Technologies trace the bug to an un-patched design flaw in the privilege system of WordPress which can lead to an attack. While the flaw impacts many plugins on WordPress, one of the bigger impacted plugins is WooCommerce, an open source e-commerce plugin designed for small to large-sized online merchants using WordPress.

WooCommerce establishes “roles” for users ranging from customer, shop manager to admin. The shop manager role allows a user to manage all settings within WooCommerce platform, such as creating and editing products.

A bad actor in the “shop manager” role could open the vulnerable log manager in WordPress and inject a payload to delete the WooCommerce plugin. Deleting it disables the runtime restrictions the plugin imposes, and the attacker can then edit and take over the admin account.

An admin account takeover by shop managers is possible because WordPress assigns filters to different roles – in this case WooCommerce roles. Roles are independent of one another and exist even if a plugin is inactive. The roles are stored in the database as a core WordPress setting; the filters that restrict them, however, only get executed when the plugin is active.

That would allow shop managers to update the password of admin accounts and take over the entire site.

A potential attacker could access the shop manager role via XSS vulnerabilities or phishing attacks, and then exploit the flaw to take over any administrator account and execute code on the server.


Cyber Security Best Practices for SMB

The India Risk Survey report ranks ‘Information & Cyber Insecurity’ as the biggest risk facing Indian companies. Indian organizations, both public and private, have witnessed over 27,000 security incidents.

Phishing, scanning/probing, website intrusions and defacements, virus/malicious code, ransomware, Denial of Service attacks, and data breaches are some ways in which hackers attack business websites, which can cause operation.

Let’s look at some must-have cyber security measures for SMEs: 

Back to Basics: It is always best to get the basics right. They are still the best defense against viruses, malware and other online threats. Prioritize your assets based on their business criticality and address the risks accordingly. Ensure that systems, web browsers and operating systems are updated with the latest security patches. Implement firewall security and run antivirus software after each update.

Security Policy and Procedure: Define information security policies and procedures which would be the guiding light for the organization and its employees on security best practices. The organization shall enforce the implementation of such policies and procedures, with appropriate security controls to safeguard its assets.

Security Awareness: Security awareness plays a very critical role in an organization. Conduct security awareness training for employees, contractors and vendors on the organization’s information security policies and procedures. The organization shall ensure all its employees, contractors and vendors understand and adhere to the security policy and practice of the organization.

Need for BCP: Ensure regular backup of all critical data – whether stored in-house or in the cloud. Perform disaster recovery drills at regular intervals to test the integrity of the BCP plan.

Cyber insurance: After the WannaCry ransomware incidents, small businesses have learnt the potential harm and legal ramifications of an attack. Consider investing in cyber liability insurance to help cover liabilities arising from theft, loss of data, breach of security and privacy. 

Vendor management: With many of a business’s assets either being hosted or managed by external service providers – be it your web hosting service or cloud hosting service – working closely with your vendors on a comprehensive plan for risk mitigation is critical. Take the time to understand the vendors’ security certifications, encryption measures, business continuity plans, emergency contact information, etc., to know exactly the level of risk your business is exposed to.

Continuous Assessment and Improvement: As the organization’s business evolves, so do its IT systems, network and software. IT should be brought into the strategic focus area of the organization, and it needs to be continuously monitored and assessed against new threats and weaknesses. Appropriate corrective action should be taken to remediate the weaknesses at the right time.