Do you know if your business is under a cyber attack?
A few years ago, I provided an IT manager with the very first Intrusion Prevention System report they had ever encountered. This IT manager didn’t think too much of it at the time, but come 9:00 PM on Friday, he finally sat down and digested it. Shortly after we received dozens of panicked phone calls requesting urgent assistance with the tens of thousands of attempted attacks on their infrastructure.
This sounds like a horror scenario or gross negligence, but you would be incorrect. This is in fact business as usual for almost every company that has an internet connection. To most people, the wider internet is a relatively friendly place. A multitude of useful information, services, etc. We seldom consider who might be connecting to us. To the average user at home with no webcams or IoT devices, it is not much of a concern. They are not hosting services that others can connect to. However, for businesses, this is a very different story.
Automation and cloud technology is making it easy for businesses to fall victim to a cyber attack
The fact of the matter is that there are hundreds and thousands of servers, bots, scripts, and services that are systematically scanning and attacking the wider internet. One of my favourite services that scans and catalogues information, Shodan, provides this in a searchable manner.
Consider for a moment the image stream below:
This is 20 of 1,410,084 webcams and remote desktop logins. Some are servers, office desktops, home PC’s, home surveillance, and even some small business surveillance. There are two things in common here. One, they are all internet-connected devices. Two, no “hacking” was performed here. These devices are all just sitting there to either be logged into or viewed. In some cases, there are exploits available to them.
So, this is a bit scary but as a business, it is necessary to provide services to your customers and staff. Your business needs VPNs, remote desktop, and websites, yet the problem can quickly get out of hand. No typical IT staff will remember the now insecure web server they spun up 6 years ago. Conversely, the Internet will not only remember, but make it searchable.
Below is a map that Shodan has generated using their scan data of Australian IP ranges:
Australia Internet Exposure Dashboard – Source: https://exposure.shodan.io/#/AU
A lot of this is no doubt legitimate, however, 7.3 million ports are open. So, what does this mean exactly? This is 7.3 million programs running on security cameras, servers, desktops, network equipment, IoT devices. They are all running on Australian networks that will accept connections from the wider internet. 1,591 of these are industrial control systems. Think traffic lights, power grids, sewage treatment, and industrial machinery. 443 of these devices are vulnerable to Eternal Blue, the same exploit that allowed WannaCry and Petya to remotely install ransomware on hundreds of thousands of machines just like these. Another 1,084 are vulnerable to BlueKeep, a similar attack that allows an attacker to run code on these machines from anywhere in the world.
Most importantly though, a handful of these ports are your organisation’s webservers, its remote logins, its VPN, and whatever else you are presenting.
So, what can you do as an organisation to make this a little more secure?
- Review exactly what ports are forwarded on your firewall.
- Review your cloud infrastructure and trim the fat.
- Install patches and updates. I know this one is standard advice but seriously, break things and fix them if you must, but install your patches and updates.
- Review your DNS Records and get a feel for exactly what is internet-facing outside of your organisation’s perimeter.
How to keep your business secure from a cyber attack
So, what can we do to help your organisation to make this a little more secure from a cyber attack?
- Map out your attack surface.
- Find your long-forgotten infrastructure.
- Provide automation and advice for patching and updates.
- Give you an idea of just how many of your DNS Records are available online.
The big take away here is that your infrastructure is constantly being poked and prodded, and the only difference between a service that is secure and one that is not is whether an exploit comes out next month or not.
