
Guide to Creating an Effective Incident Response Plan


It’s always best to take a proactive, rather than a reactive, approach to almost any problem or potential problem. In a world where breaches and other cybersecurity threats and incidents have become commonplace, it is no longer a question of if your organization will be targeted, but when.

To best safeguard your organization’s digital assets and reputation, you need to develop a robust yet flexible incident response plan tailored to your company’s unique needs. A comprehensive plan allows you to respond to incidents quickly and effectively and is crucial for minimizing damage and recovering from an incident.

If you have experienced or are currently experiencing a security incident, please contact our team right away by calling (855) 422-8283 anytime 24/7/365. You should also consider reviewing our guide: Hacked? Here’s What to Know (and What to Do Next).

What is an Incident Response Plan?

At its core, an incident response plan is a set of instructions developed by your team (and likely with assistance from your managed security services provider) that tells your team how to detect, respond to, and recover from a security incident. Though most incident response plans tend to be technologically centered and focus on detecting and addressing problems such as malware, data theft, and service outages, a security incident can have a widespread impact on all of your organization’s usual activities. As such, a good incident response plan will not only provide instructions for your IT department but will also provide guidance and critical information to other departments and stakeholders, such as:

  • Human resources
  • Finance
  • Customer service
  • Employees
  • Your legal team
  • Your insurance provider
  • Regulators
  • Suppliers
  • Partners
  • Local authorities

If not handled correctly, a security incident can also tarnish your reputation and damage your relationship with your clients, sometimes irreparably.


The 5 Phases of an Incident Response Plan

While NIST has drafted a guide outlining how to handle computer security incidents, these general guidelines only offer a starting point. For maximum efficacy, your organization’s incident response plan needs to be both specific and actionable and clearly specify who needs to do what and when. All key stakeholders need to be involved in the plan development process and kept up to date on any changes made to the plan. 

Though your plan will need to be tailored to meet your organization’s unique cybersecurity needs, all VirtualArmour Cybersecurity Incident Response Plans follow the same basic phase format: Hunt, Alert, Investigate, Remediate, Review, and Repeat.

Phase 1: Hunt & Alert

The only way you can respond to a threat is if you know it is there. All organizations should take a proactive, rather than a reactive, approach to their cybersecurity. This includes actively hunting for potential security threats and reviewing your security protocols frequently to ensure they are continuing to meet your organization’s needs. 

To hunt for security threats, you should be internally monitoring all company email addresses for signs of trouble such as phishing scams, and investing in security tools that will alert you to any potentially suspicious activity.

Should any suspicious activities be detected, you need to have a process in place to ensure your internal security team or MSSP is made aware of the issue so they can help you determine if the threat is credible. Should you discover a threat during this preliminary phase, you also need protocols in place to: 

  • Assess how serious the threat is
  • Determine whether a breach is imminent
  • Activate your security incident response plan (including alerting all internal and external stakeholders)
  • Allocate resources (including pulling employees away from regular tasks to deal with the threat)
  • Address the threat (ideally before any significant damage has been done)
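The monitoring described above turns on a triage step: an alert is only useful if someone can quickly judge how serious it is and whether it warrants activating the plan. The following is an added example, not code from VirtualArmour or from the original article, of a small phishing-indicator triage routine run over constructed e-mail headers. The indicator weights, the escalation threshold, the domain `example.com` and the two sample messages are all assumptions made for the example; a real deployment would take these from your mail gateway's authentication results and your own tuning.

```python
"""Phishing indicator triage over raw e-mail headers (added example, constructed data)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Illustrative weights and threshold, not a vendor scoring scheme (assumption).
WEIGHTS = {
    "spf_fail": 3,
    "dkim_fail": 2,
    "reply_to_mismatch": 2,
    "lookalike_domain": 4,
    "display_name_spoof": 3,
    "urgent_language": 1,
}
ESCALATE_AT = 5                 # score at or above this: alert the security team / MSSP
OUR_DOMAIN = "example.com"      # constructed; replace with your organization's domain
URGENT = re.compile(r"\b(urgent|immediately|verify your account|password expires)\b", re.I)


def _domain(addr):
    """Lower-cased domain part of an address header value."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def _edit_distance_le1(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def triage(raw):
    """Return a score, the indicators that fired, and whether to escalate."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    auth = str(msg.get("Authentication-Results", "")).lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        hits.append("spf_fail")
    if "dkim=fail" in auth:
        hits.append("dkim_fail")
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = _domain(msg["Reply-To"]) if msg.get("Reply-To") else from_dom
    if reply_dom and reply_dom != from_dom:
        hits.append("reply_to_mismatch")
    # Sender domain is not ours but is one edit away from it (e.g. a digit for a letter).
    if from_dom != OUR_DOMAIN and _edit_distance_le1(from_dom.split(".")[0], OUR_DOMAIN.split(".")[0]):
        hits.append("lookalike_domain")
    # Display name borrows our brand while the address is external.
    if from_dom != OUR_DOMAIN and OUR_DOMAIN.split(".")[0] in from_name.lower():
        hits.append("display_name_spoof")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENT.search(str(msg.get("Subject", "")) + " " + text):
        hits.append("urgent_language")
    score = sum(WEIGHTS[h] for h in hits)
    return {"score": score, "indicators": hits, "escalate": score >= ESCALATE_AT}


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Example IT Helpdesk" <helpdesk@examp1e.com>
Reply-To: recovery@mail-verify.net
To: alice@example.com
Subject: Urgent: verify your account
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none

Your password expires today. Click the link to keep access.
"""

BENIGN = """\
From: "Bob Builder" <bob@example.com>
To: alice@example.com
Subject: Lunch on Friday?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass

Want to grab lunch Friday?
"""

if __name__ == "__main__":
    print(triage(SUSPICIOUS))   # score 13, escalate True
    print(triage(BENIGN))       # score 0, escalate False
```

The routine deliberately separates the evidence (which indicators fired) from the decision (escalate or not), so that the assessment can be reviewed later as part of the post-incident review and the threshold can be tuned without changing the detection logic.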

Why You Should Consider Pen Testing

An excellent way to identify gaps in your security before they can be used against you is pen (penetration) testing. Pen testing involves hiring an ethical hacker to attack your network and other IT infrastructure and look for gaps in your defenses that could be exploited. 

As the ethical hacker stress tests your cybersecurity, they note any flaws they managed to exploit to gain entry to your systems so that you can address these shortcomings and shore up your defenses. Once the test is complete, the ethical hacker reviews their findings with you and offers recommendations to improve your security. Essentially, by hiring a good guy to look for deficiencies in your current security posture, you can address those issues before the bad guys discover and exploit them.

Phase 2: Investigate

During an incident, your top priority needs to be containing the threat and minimizing damage. Once the threat has been dealt with, you should review both the threat and your response to help ensure the same threat cannot be used against you again.

Phase 3: Remediate

Once you have contained and eliminated the threat, it is time to begin cleaning up the mess. Your recovery and remediation process should include notifying all appropriate external entities (including your customers, relevant regulators, and potentially impacted third parties such as suppliers). Impacted external entities should be told the nature of the incident (ransomware attack, DDoS attack, etc.) and the extent of the damage.

The remediation process also needs to involve gathering evidence so that it can be reviewed by your security team, your MSSP, and regulators, as well as law enforcement (if appropriate). Once you have all the evidence, you will need to perform a root cause analysis to identify the underlying problem, determine what steps need to be taken to address it, and ensure a similar incident can’t happen again.

The remediation process may also involve:

  • Replacing damaged or compromised equipment
  • Restoring systems from backups
  • Addressing any vulnerabilities the attacker was able to exploit
  • Updating your security controls (changing passwords, installing security patches, etc.)

Phase 4: Review

If you are targeted, one of the best things you can do to safeguard your organization going forward is to learn from what transpired. As part of your review process, gather all internal and external team members involved, discuss your response to the incident, and identify any shortcomings or oversights that need to be addressed.

As part of this phase of the incident response plan, the VirtualArmour team will help you assess your current incident response plan and offer suggestions for improvements. 

Practice Makes Perfect: The Benefits of Tabletop Exercises

As part of your ongoing security training, you should consider running tabletop exercises with your security team as well as all internal and external team members that are involved in responding to security incidents. 

Tabletop exercises work like fire drills, presenting your team with a hypothetical security incident and allowing them to practice responding in a no-stakes environment. Not only do tabletop exercises give your team valuable practice before an incident occurs, but they also allow your organization to assess the efficacy of your current incident response plan so that any shortcomings or other problems can be addressed before an incident occurs.

Phase 5: Repeat

Just because your team managed to identify and effectively respond to a security incident doesn’t mean your organization is safe forever. Constant vigilance is required to ensure your team is always ready to respond to threats, regardless of what attackers throw at you.

Does My Organization Need an Incident Response Plan?

All organizations, regardless of size or vertical, need to have an incident response plan in place. 

When Should My Organization Begin Developing Our Incident Response Plan?

Because you will never know when disaster will strike, you should begin developing your incident response plan as soon as possible. If you aren’t sure where to begin, we suggest you get started by:

  1. Reviewing the NIST guidelines
  2. Creating the living document your plan will reside in and meeting with stakeholders to begin fleshing it out. This document should include:
    1. Your incident response mission statement: The job of this section is to outline why you need an incident response plan.
    2. Roles and responsibilities: Explicitly name who is involved in the incident response plan, why they are involved, and their role should an incident occur.
    3. Incidents you are likely to encounter: This section will outline what types of incidents your organization is likely to encounter (ransomware attacks, DDoS attacks, etc.) and how you will respond to them.
    4. Emergency contact details for all relevant parties: This includes both members of the incident response team and regulators. You may also want to consider including contact information for local law enforcement here as well. 
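Because the plan is a living document that many stakeholders edit, it is easy for it to drift: an incident type gets added without an owner, a role is renamed but its emergency contact entry is not, a response section is left empty. The following is an added example, not code from VirtualArmour or from the original article, of a consistency check over a plan kept as structured data with the four sections listed above. The plan contents, the role names and the contact values are constructed placeholders, and the field names (`owner`, `notify`, `playbook`) are assumptions for the example.

```python
"""Consistency checks for an incident response plan kept as structured data (added example)."""

# Constructed plan with deliberate gaps so the checks have something to find.
PLAN = {
    "mission": "Limit damage to, and restore trust in, ExampleCo services after a security incident.",
    "roles": {
        "incident_commander": {"person": "A. Lee (CTO)", "backup": "B. Chen"},
        "it_lead": {"person": "C. Diaz"},
        "legal": {"person": "D. Patel"},
        "hr": {"person": "E. Novak"},
        "pr": {"person": "F. Osei"},
    },
    "incident_types": {
        "ransomware": {"owner": "it_lead", "notify": ["incident_commander", "legal", "pr"],
                       "playbook": "isolate affected hosts, restore from backups, notify regulator"},
        "ddos": {"owner": "it_lead", "notify": ["incident_commander"],
                 "playbook": "engage upstream provider, enable traffic scrubbing"},
        "phishing": {"owner": "it_lead", "notify": ["hr", "incident_commander"],
                     "playbook": ""},                       # gap: no response steps written yet
        "insider_misuse": {"owner": "security_lead", "notify": ["legal"],
                           "playbook": "revoke access, preserve logs"},  # gap: owner is not a defined role
    },
    "contacts": {                                           # constructed placeholder numbers
        "incident_commander": "+1-555-0100",
        "it_lead": "+1-555-0101",
        "legal": "+1-555-0102",
        "hr": "+1-555-0103",
        "mssp": "+1-555-0199",
        "regulator": "privacy-office@example.gov",
        # gap: "pr" has no emergency contact
    },
}

REQUIRED_SECTIONS = ("mission", "roles", "incident_types", "contacts")
REQUIRED_EXTERNAL_CONTACTS = ("mssp", "regulator")  # assumption: minimum external parties


def validate_plan(plan):
    """Return a list of human-readable findings; an empty list means the plan is consistent."""
    findings = []
    for section in REQUIRED_SECTIONS:
        if not plan.get(section):
            findings.append(f"missing section: {section}")
    roles = plan.get("roles", {})
    contacts = plan.get("contacts", {})
    # Every role must name a person and be reachable out of hours.
    for role, info in roles.items():
        if not info.get("person"):
            findings.append(f"role {role} has no named person")
        if role not in contacts:
            findings.append(f"role {role} has no emergency contact")
    # Every anticipated incident must have a defined owner, valid notify list and response steps.
    for name, inc in plan.get("incident_types", {}).items():
        if inc.get("owner") not in roles:
            findings.append(f"incident {name}: owner '{inc.get('owner')}' is not a defined role")
        for r in inc.get("notify", []):
            if r not in roles:
                findings.append(f"incident {name}: notify target '{r}' is not a defined role")
        if not inc.get("playbook"):
            findings.append(f"incident {name}: no response steps")
    for c in REQUIRED_EXTERNAL_CONTACTS:
        if c not in contacts:
            findings.append(f"missing external contact: {c}")
    return findings


if __name__ == "__main__":
    for finding in validate_plan(PLAN):
        print(finding)
```

Run as part of the review cadence (or as a pre-commit hook on the repository that holds the plan), this turns the "keep stakeholders up to date" requirement into a check that fails loudly when the document and the team drift apart.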

Assembling Your Team: Who Needs to Be Involved While Developing & Actioning Your Incident Response Plan

Who is involved in developing and actioning your incident response plan will vary depending on your organization’s specific needs. However, all organizations should include at least one person from each of the following stakeholder groups.

Your Executive Team

At least one C-suite executive (ideally your CTO) or a similarly ranked decision-maker should be included. This is not only vital to ensure your executive team is kept in the loop but can make it easier to secure resources quickly should an incident occur. 

Your IT Department

Your internal IT department will be integrally involved in any response, so it is vital that they are given a seat at the table. You need to make sure you have a good relationship with your networking team, database team, and developers, though whether you wish to include representatives from these sub-groups will depend on the size and structure of your organization. You should also strongly consider working with your MSSP during the development phase since they will be able to offer valuable insights and approaches you may not have considered.

You should also consider engaging with your hosting providers and service providers, though this may simply involve sharing your finalized plan with them and informing them of any changes, so they are up to date if an incident occurs.

Your Legal Team

Security incidents can become a legal nightmare, so your legal team or company lawyer must be included. During the incident response plan development process, you will need to make decisions regarding what is reported and to whom. Your incident responders should be chosen for their technical skills, not their legal skills, so your legal team must be intimately involved in the development process.

Human Resources

Many security incidents occur because of users (such as an employee falling for a phishing scam), so having a member of your human resources team at the table is critical. Your incident response team needs to be able to handle user-caused incidents delicately and respectfully and ensure your response plan complies with all relevant laws from a human resource perspective. HR can help ensure compliance and should be involved in the incident response plan development process. If an incident occurs, they should also be pulled in on an as-needed basis. 

Your Public Relations Team

Security incidents can quickly become public knowledge, whether you are ready to share the details or not. Like your HR team, your PR team should be kept in the loop during an incident, but their expertise is particularly invaluable during the remediation phase.

Looking for Guidance or Advice? VirtualArmour is Here to Help

Creating an incident response plan from scratch may seem like a daunting task. So much rides on having a robust plan in place that is flexible enough to be quickly updated to ensure your organization’s evolving needs are met. Many small and medium-sized organizations do not have the bandwidth or expertise to develop a good incident response plan on their own. That is where MSSPs like VirtualArmour come in.

Our team of security experts has extensive experience working with organizations of all sizes in a variety of verticals, including healthcare, financial services, retail, energy, and service providers. For more information about the importance of having a security incident response plan, or to begin work on your own plan, please contact our team today.


Suggested Reading

Cybersecurity is a complex and continually evolving field. To help keep your knowledge up to date, please visit our blog and consider reviewing these suggested educational articles and resources.

Knowledge is Power: Our Cybersecurity Predictions for 2021

Our Predictions for the 2021 Cybersecurity Environment

5 Major Companies Were Recently Breached: Where Are They Now?

5 Major Companies Were Recently Breached: Where Are They Now?

2020 was a record-breaking year in the cybersecurity world, both when it comes to the amount of data lost in breaches as well as the eye-watering number of cyber attacks on companies, governments, and individuals. Ransomware attacks alone have risen 62% since 2019, and this trend doesn’t appear to be waning.

In this article, we will discuss five major companies that were attacked between 2019 and 2021, including the impact of those breaches and how these organizations responded.

If you have experienced, or are currently experiencing, a cybersecurity attack please contact our team immediately for assistance by calling (855) 422-8283 anytime 24/7/365 and consider reading our educational article Hacked? Here’s What to Know (and What to Do Next).

Capital One (2019) 

The Attack

The Capital One hack was first discovered on July 19th, 2019, but likely occurred at the end of March that same year and impacted credit card applications as far back as 2005. The attacker, Paige Thompson, was able to break into the Capital One server and access:

  • 140,000 social security numbers
  • 1 million Canadian social insurance numbers
  • 80,000 bank accounts
  • An undisclosed number of names, addresses, credit limits, credit scores, balances, and other personal information

This devastating attack impacted nearly 100 million Americans and an additional 6 million Canadians. In June of this year, the US Department of Justice announced that they were adding to the charges. Originally charged with one count each of wire fraud and computer crime and abuse, Ms. Thompson now faces six additional counts of computer fraud and abuse and one count of access device fraud.

Capital One’s Response

In an official statement to impacted customers on their website (last updated April 16, 2021, as of the writing of this article), Capital One lays out the damage done and the number of individuals impacted. They go on to stress that no login credentials were compromised.

The statement goes on to provide answers to some pressing questions in the Q&A section and offers practical advice about what Capital One cardholders can do to protect their accounts, including additional steps that individuals can take to protect themselves against fraud and identity theft. American cardholders can find additional information on this FAQ page.

The official FAQ page linked above goes on to mention that all affected Capital One customers will be provided with two years of free credit monitoring and credit protection. The FAQ states that impacted individuals should have received either an email or a letter outlining the enrollment process for this service, including an activation code.

The FAQ goes on to discuss what individuals should do if they received a possible scam email, call, or text related to the incident, which indicates scammers are piggybacking on this breach in an attempt to further victimize impacted individuals.

Capital One also agreed to pay an $80 million fine to US regulators over the incident.

Capital One did have a plan in place to recognize and respond to the breach (highlighting the importance of having an incident response plan). The incident was discovered via a vulnerability report, and once the incident was discovered, Capital One responded swiftly and worked hard to ensure impacted individuals were kept in the loop. Ms. Thompson was arrested a mere 12 days after the initial vulnerability report was released.

Facebook (2019) 

The Attack

The Facebook data breach was discovered in April 2019 when it came to light that two third-party Facebook app datasets had been exposed to the wider internet. This database (containing private information on 533 million accounts) was then leaked on the dark web for free in April of 2021, increasing the rate of criminal exposure.

The data exposed included phone numbers, dates of birth, locations, past locations, full names, and some email addresses tied to compromised accounts. In an official blog post, the company stated that “malicious actors” had scraped the data by exploiting a vulnerability in a now-retired feature that allowed users to find each other via phone number.


Facebook’s Response

Facebook chose not to notify impacted individuals in 2019, and according to this NPR article published in April 2021, they still have no plans to do so. According to a company spokesperson, the company isn’t entirely sure which users would need to be notified and that the decision not to contact users stemmed at least in part from the fact that “the information that was leaked was publicly available and that it was not an issue that users could fix themselves.”

Though Facebook claims to have addressed the vulnerability that allowed attackers to access this data, that is cold comfort for Facebook users. “Scammers can do an enormous amount with a little information from us,” said CyberScout founder Adam Levin when interviewed by NPR. “It’s serious when phone numbers are out there. The danger when you have phone numbers, in particular, is a universal identifier.” Phone numbers are frequently used to connect users to their digital presence, including using them as additional identifiers via two-factor authentication text messages and phone calls. 

As a response to the incident, the US Federal Trade Commission fined Facebook $5 billion for violating an agreement the company had with the agency to protect user privacy. Facebook CEO Mark Zuckerberg will also be held personally liable by the FTC for any future privacy violations.

If you are concerned that your personal information may have been leaked during the breach, you can use the data tracking tool HaveIBeenPwned to learn whether your Facebook account or other digital accounts, including email, have been compromised.

SolarWinds (2020)

The Attack

Cybersecurity company FireEye first discovered the attack in December 2020. The attackers, who are believed to be affiliated with the Russian government, used a supply chain attack to push malicious updates to FireEye’s popular network monitoring product.

Impacted FireEye customers include

  • Multiple US government departments
  • 425 of the US Fortune 500 companies
  • The top ten US telecommunications companies
  • The top five US accounting firms
  • All branches of the US military
  • The Pentagon
  • The State Department
  • Hundreds of universities and colleges worldwide 

The total extent of the damage may never be known, but this attack continues to impact affected organizations. For example, in July 2021, attackers were able to gain access to the Microsoft Office 365 email accounts of 27 US Attorneys’ offices. The accounts were originally compromised during the SolarWinds attack.

FireEye’s Response

The larger attack was discovered when FireEye’s internal team of investigators was investigating the original, smaller FireEye attack. During this investigation, the backdoor within the SolarWinds code was discovered, prompting the FireEye team to contact law enforcement. Though the SolarWinds attack was devastating, the fact that the attackers decided to use FireEye as a vector might have actually lessened the damage. According to Charles Carmakal, senior vice president and CTO of Mandiant, FireEye’s incident response arm, “one silver lining is that we learned so much about how this threat actor works and shared it with our law enforcement, intelligence community, and security partners.”

FireEye took the crucial step of publicly reporting the attack (instead of waiting for impacted customers to discover the issue), conducted a thorough review of the incident, and made sure to share all their information with law enforcement and the US government. As such, the extent of the attack was learned quickly, so impacted companies and government bodies could take appropriate steps. If FireEye had tried to hide the attack from their customers, the damage could have been even worse.

Keepnet Labs (2020)

The Attack

Keepnet Labs is a threat intelligence company that collects and organizes login credentials exposed during other data breaches. If a customer’s details are discovered, Keepnet Labs notifies impacted individuals and offers advice on steps they should take to best safeguard their data and minimize damage.

The Keepnet Labs incident is a little unusual in that it wasn’t actually Keepnet Labs user data that was exposed. Instead, Keepnet Labs had compiled a database of usernames and passwords that had been leaked during a variety of cybersecurity incidents between 2012 and 2019. Attackers were able to exploit a vulnerability in this Elasticsearch database, which was (according to Keepnet) actually maintained by a contractor, not Keepnet Labs themselves.

While performing scheduled maintenance, an employee of the contracted company briefly turned off a firewall to speed up the process, inadvertently exposing the sensitive data for about ten minutes. However, in that short window of time, the database had already been indexed by BinaryEdge, a security-focused company that acquires, analyzes, and classifies internet-wide data. The vulnerability itself was discovered by Bob Diachenko, who accessed the data via BinaryEdge.

As such, the leak wasn’t technically as bad as others mentioned on this list since all the data exposed had already been exposed in previous incidents. However, Keepnet Labs’ handling of the incident was far from ideal.

Keepnet Labs’ Response

After discovering the vulnerability, Diachenko published a security report, which was picked up by a variety of cybersecurity news outlets and blogs which were covering the leak. However, Keepnet Labs felt that a number of these publications had made misleading statements and contacted several reporters to ask them to edit their articles. 

Graham Cluley, a popular security blogger, received one such email from Keepnet. Though he felt his representation of the facts was fair, he was willing to give Keepnet the chance to tell their side of the story. However, instead of an official statement or a chance to speak to a company spokesperson, he was contacted by Keepnet’s lawyers, who threatened him with legal action if he didn’t edit his article and remove the company’s name.

This heavy-handed reaction was only one of several failings on the part of Keepnet to manage the fallout of the attack. It took almost three months for the company to release an official statement to set the record straight, and they refused to work with reporters and bloggers like Cluley to provide accurate facts. Though the security incident itself may tarnish Keepnet’s reputation, their poor handling of the aftermath is likely to cause far more damage.

Microsoft Exchange (2021)

The Attack

The attack was first discovered on March 2, 2021, when Microsoft detected multiple zero-day exploits in their on-premises versions of Microsoft Exchange Server, which were being actively exploited by attackers. Over the following days, nearly 30,000 American organizations were attacked using these vulnerabilities, which allowed attackers to gain access to email accounts and install web shell malware to provide attackers with ongoing administrative access to the victim’s servers.
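The persistence mechanism mentioned above, a web shell dropped into the server's web content, is something a defender can look for without knowing the specific exploit: a server-side script file that was not there when the server was last known to be clean is worth investigating regardless of what it contains. The following is an added example, not code from Microsoft, VirtualArmour or the original article, of a baseline-and-diff check over a web root. The directory layout, the file names and the "planted" file are constructed for the example, the content patterns are illustrative indicators rather than a complete signature set, and the script is generic to any web server rather than specific to Exchange.

```python
"""Baseline-diff check for unexpected server-side script files (added example, constructed data)."""
import hashlib
import os
import re
import tempfile

SCRIPT_EXT = {".aspx", ".asp", ".ashx", ".php", ".jsp"}
# Illustrative indicators of server-side code that runs request-supplied input; not exhaustive.
SUSPICIOUS = re.compile(
    rb'(eval\s*\(|Process\.Start|Request\.(Item|Form|QueryString)\s*\[|<script\s+runat="?server)',
    re.I,
)


def sha256(path):
    """Hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _script_files(root):
    """Yield (relative path, absolute path) for every script file under root."""
    for d, _, files in os.walk(root):
        for f in files:
            if os.path.splitext(f)[1].lower() in SCRIPT_EXT:
                p = os.path.join(d, f)
                yield os.path.relpath(p, root).replace(os.sep, "/"), p


def build_baseline(root):
    """Record hashes of all script files while the server is known-good (e.g. right after patching)."""
    return {rel: sha256(p) for rel, p in _script_files(root)}


def scan(root, baseline):
    """Report script files that are new or changed since the baseline, with any content indicator hit."""
    findings = []
    for rel, p in _script_files(root):
        digest = sha256(p)
        known = baseline.get(rel)
        if known == digest:
            continue
        reason = "new file not in baseline" if known is None else "file changed since baseline"
        with open(p, "rb") as fh:
            m = SUSPICIOUS.search(fh.read())
        findings.append({
            "path": rel,
            "reason": reason,
            "pattern": m.group(0).decode(errors="replace") if m else None,
        })
    return findings


def demo():
    """Constructed scenario: one known-good page, then one unexpected file appears after baselining."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "webroot", "uploads"))
        with open(os.path.join(root, "webroot", "index.aspx"), "wb") as fh:
            fh.write(b'<%@ Page Language="C#" %><html><body>Welcome</body></html>')
        baseline = build_baseline(root)            # taken while the server is trusted
        # Placeholder file standing in for an unexpected drop; it is not functional code.
        with open(os.path.join(root, "webroot", "uploads", "helper.aspx"), "wb") as fh:
            fh.write(b'<script runat="server">/* placeholder */ Process.Start(cmd);</script>')
        return scan(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Two design points matter in practice: the baseline must be captured from a state you trust (immediately after a clean install or after patching), and a file is reported on the hash mismatch alone; the content pattern only adds context, so an unexpected file that matches no pattern is still a finding.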

On the day the attack was first discovered, Microsoft announced that they suspected the culprit was a previously unidentified Chinese hacking group dubbed Hafnium. According to the Microsoft Threat Intelligence Center (MSTIC), this group is suspected to be based in China, state-sponsored, and focused on primarily targeting organizations based in the United States that depend on leased virtual private servers (VPSs).

The actual purpose of the attack is more nuanced. According to Gartner analyst Peter Firstbrook, the attackers are really looking to test the defenses of organizations and discover which organizations are lagging behind security-wise. Most organizations that use Microsoft Exchange Servers have moved away from on-premises models to the online Exchange, which means organizations still using on-premises solutions are likely to be late adopters or less security conscious, making them excellent targets.

It has also been speculated that the attacker’s real endgame is not the on-premises servers they are currently targeting but more of a fact-finding mission to help them set up future attacks on high-value targets with connections to those servers. This may include using these email servers to impersonate trusted individuals and use those email accounts to send phishing emails to sensitive targets such as the Defense Department. Much like the SolarWinds attack, the companies currently being attacked may not be the actual target.


Microsoft’s Response

Microsoft has released security updates for Exchange Server 2010, 2013, 2016, and 2019 that address the software vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

Microsoft has also gone out of their way to try and get everyone to pay attention to this attack, particularly since impacted individuals and organizations may be relying on IT generalists (instead of specialized admins) and may not understand what this attack could really mean. If impacted organizations don’t take action, it could have widespread and devastating consequences for the sensitive companies and organizations (such as the Defense Department) that they do business with. Should someone at the Defense Department or another government body fall for a phishing scam perpetrated using these compromised servers, it could compromise US national security. 

An unfortunate truth about the modern security landscape is that it is no longer a question of if your organization will be targeted but when. Security incidents such as the ones listed above can have widespread consequences for the organizations that have been targeted, as well as the organizations and individuals that do business with them. 

The best thing you can do to safeguard your organization and its digital assets is cultivate a robust yet flexible cybersecurity posture, which starts with an incident response plan.

For more information about cybersecurity, or to get started shoring up your defenses, please contact our team today.

Additional Reading

Knowledge is Power: Our Cybersecurity Predictions for 2021

Our Predictions for the 2021 Cybersecurity Environment

The IoT is Really the Internet of Endpoints

The IoT is Really the Internet of Endpoints

In an increasingly digital world, the internet of things reigns supreme. From smartwatches that monitor your health to smart refrigerators that let you check on the milk situation from the office and washing machines that can be started with a text, even mundane items like appliances require network access. 

Unfortunately, constant connectivity is a double-edged sword, bringing both convenience and security concerns that need to be considered and mitigated in order to best safeguard your endpoints and network. 

What Exactly is an Endpoint?

An endpoint is a unit at the end of a communication channel that is accessed via a connected network and includes devices, tools, services, applications, and nodes. Traditionally the term endpoint referred to hardware such as modems, routers, host computers, and switches connected to the network.

However, the advent of the Internet of Things has created a world populated by always-on, always-connected endpoints such as smartwatches, smart appliances, smart vehicles, and commercial IoT devices. This shift to continual connectivity poses a variety of cybersecurity challenges that need to be considered.

Are IoT Devices Endpoints?

Whether IoT devices are technically considered endpoints may be up for debate (though Palo Alto Networks considers IoT devices to be endpoints), but whether they officially count as endpoints or not, they should be treated as endpoints from a cybersecurity perspective.


Whether You Consider Them Endpoints or Not, IoT Devices Pose Serious Security Concerns

Whether you consider IoT devices to be endpoints or not, it is undeniable that unsecured IoT devices pose a security threat. To help safeguard your digital assets (including your network and the data stored on it), you need to be aware of the security vulnerabilities IoT devices introduce to your network so you can make an informed decision about whether or not your organization wants to allow these devices on your network. 

Wearable Technology

While wearable technologies are convenient to use, they bring with them a whole host of security concerns, including:

Providing Easy Physical Access to Your Data 

This is particularly concerning since most wearable tech devices don’t require a password or PIN or use biometric security features, which means if an attacker is able to physically steal your device, there is nothing keeping them from accessing the personal data on the device or potentially using it as a gateway to infiltrate your network.

The Ability to Capture Photos, Video, & Audio 

The always-on nature of these devices means this can happen either with or without your consent, raising serious privacy concerns from both a personal and organization-wide perspective.

Non-Secure, Continuous Wireless Connectivity

Though most of us protect our laptops, smartphones, and tablets with PINs or passwords, wearable devices don’t typically offer this feature, creating unsecured points of entry to your other devices. Much like investing in a high-quality front door lock and then leaving a main floor window open, unsecured endpoints, including IoT devices, present a serious security vulnerability.

A Lack of Encryption

Most of these devices aren’t encrypted, which means your data is left exposed whenever you sync your wearable technology with another device such as your smartphone, or store it on a manufacturer’s or third party’s cloud server.

Minimal or Non-Existent Regulation Leaves Organizations Legally Vulnerable

Most of the security issues posed by wearable devices will need to be addressed by the manufacturers that produce them, which means the legal issue around self-regulation vs. government regulations is an important point to consider. Whether manufacturers self-regulate or fall under the purview of regulatory bodies, companies that suffer a breach because of the security shortcomings of a wearable or other IoT device will likely be held fully accountable from a legal perspective. 

These security concerns should give organizations that are considering allowing wearable technology on their networks reason to pause. Though these wearable IoT devices have become commonplace, organizations should carefully consider the security implications of those devices before allowing them to potentially access sensitive company data and may want to consider keeping these devices off their networks until better security features become available. 

Smart Home 

Though your IoT thermostat or smart refrigerator might seem like an odd target for hackers, as with wearable technology the real objective isn't necessarily the IoT device itself. Instead, these devices act as a gateway to the rest of your network and the sensitive data stored on it. 

Depending on how interconnected your home or workplace is, cybercriminals may be able to use these IoT devices to turn off your security system, access financial or human resources data, or even spy on your family or employees via your security cameras or nanny cam. 

Attackers may also target these devices for their computing power alone, using your smart lighting system to mine cryptocurrencies (an attack known as cryptojacking, which we discuss in detail in this educational article).

Smart Vehicles

Hacking someone’s car to cause it to crash may sound like something out of a James Bond movie, but with smart vehicles, this movie trope has become a reality. A recent study by a team of security researchers at the New York University Tandon School of Engineering and George Mason University found that car infotainment systems that are connected via protocols like MirrorLink can be exploited to override safety features.

Other researchers reported similarly troubling results for Mazda, Volkswagen, and Audi vehicles. The Mazda research showed that the MZD Connect infotainment firmware will run malicious scripts from a USB flash drive plugged into the car's dashboard port. Mazda responded with a disclaimer stating that third parties are not able to carry out remote customizations on its connected cars. That may be true as far as it goes, but the attack does not need remote access: a few seconds alone with the USB port is enough, which is a realistic scenario for a valet, a rental, or a shared fleet vehicle. 

Research conducted by Pen Test Partners found that third party car alarms (which often claim to protect against keyless entry attacks) can actually decrease security by allowing cyberattackers to exploit vulnerabilities in the alarms themselves to:

  • Turn off engines (potentially causing the vehicle to crash)
  • Send geolocation data to attackers
  • Allow cybercriminals to learn the car type and owner’s details
  • Disable the alarm
  • Unlock the vehicle
  • Enable and disable the immobilizer
  • Spy on drivers and passengers via the car’s microphone

These security flaws may make it easier to cause car crashes or steal vehicles, a safety and security nightmare that neither individual car owners nor organizations with corporate fleets want to deal with. 

Third-party apps can also introduce security risks, as research conducted by Kaspersky showed. The research team tested seven of the most popular connected-car apps from well-known brands, found weaknesses in every one of them, and found that most of the apps would let an unauthorized user unlock the vehicle's doors and disable the alarm system. 

Commercial IoT Devices

As we have seen with consumer IoT devices, security remains a seriously under-addressed concern, and unfortunately, this holds true in the industrial and commercial IoT device sphere as well. Common endpoint attacks that can be adapted to target commercial and industrial IoT devices include:

Man-in-the-Middle Attacks

These involve cybercriminals intercepting, and possibly altering or blocking, communications between two systems. In an industrial IoT setting, this could mean tampering with the commands or safety parameters sent to industrial robots, potentially damaging equipment or injuring workers.
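The practical defence against the tampering half of a man-in-the-middle attack is to make every message verifiable by the receiver. The following Python sketch is an added example written for this article, not code from any vendor's product or from the original page: a sensor signs each telemetry message with an HMAC over all of its fields, and a controller rejects messages whose tag does not verify, that are too old, or that repeat a sequence number it has already accepted. The device key, device id, message layout and clock values are assumptions for the example.

```python
import hashlib
import hmac
import json
import time

# Per-device shared secret, assumed for this example. In a real deployment it
# is provisioned at enrolment and kept out of the firmware image.
DEVICE_KEY = b"example-per-device-key-do-not-reuse"


def _canonical(body):
    # Both sides must hash exactly the same bytes, so fix key order and spacing.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(device_id, seq, payload, key=DEVICE_KEY, ts=None):
    """Sensor side: build a telemetry message and attach an HMAC-SHA256 tag.

    The tag covers the device id, sequence number, timestamp and payload, so
    anyone sitting between sensor and controller cannot change a field
    without invalidating the tag.
    """
    body = {
        "device_id": device_id,
        "seq": seq,
        "ts": int(time.time() if ts is None else ts),
        "payload": payload,
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Controller:
    """Receiver side: checks the tag, then rejects stale and replayed messages."""

    def __init__(self, key=DEVICE_KEY, max_age=30):
        self.key = key
        self.max_age = max_age          # seconds of clock skew / delay tolerated
        self.last_seq = {}              # device_id -> highest sequence accepted

    def verify(self, msg, now=None):
        body = msg["body"]
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # compare_digest keeps the comparison constant-time.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad tag (tampered or forged)"
        now = int(time.time() if now is None else now)
        if abs(now - body["ts"]) > self.max_age:
            return False, "stale timestamp"
        dev = body["device_id"]
        if body["seq"] <= self.last_seq.get(dev, -1):
            return False, "replayed or out-of-order sequence"
        self.last_seq[dev] = body["seq"]
        return True, "ok"


def demo():
    """Run the three cases: genuine, tampered in transit, replayed."""
    ctrl = Controller()
    t0 = 1_700_000_000  # fixed clock so the demo is deterministic
    genuine = sign_message("robot-arm-07", 1, {"estop": False, "speed": 40}, ts=t0)
    accepted, _ = ctrl.verify(genuine, now=t0 + 1)

    # An attacker in the middle raises the speed but cannot recompute the tag.
    tampered = {"body": dict(genuine["body"]), "tag": genuine["tag"]}
    tampered["body"]["payload"] = {"estop": False, "speed": 400}
    tampered_result = ctrl.verify(tampered, now=t0 + 2)

    # The same attacker later replays the genuine message verbatim.
    replayed_result = ctrl.verify(genuine, now=t0 + 3)
    return accepted, tampered_result, replayed_result


if __name__ == "__main__":
    print(demo())
```

An HMAC gives integrity and authenticity, not confidentiality, so in practice this runs inside a TLS session (MQTT or HTTPS with per-device client certificates is the usual shape). The key must be unique per device; a fleet-wide key means one recovered device can forge traffic for all of them.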

Device Hijacking

Just like it sounds, device hijacking involves unauthorized parties seizing control of a device. These attacks can be difficult to detect because the device's basic functionality typically remains unaffected: the camera still streams and the thermostat still regulates temperature. In industrial and commercial IoT settings, attackers may use a single compromised device to infect other smart devices on the same network or as a gateway to more sensitive areas of the network. 

DoS, DDoS, & PDoS Attacks

  • DoS: Denial of service (DoS) attacks are designed to render a device or network resource unavailable (denying service) by temporarily or permanently disrupting services provided by a host machine such as a web server. 
  • DDoS: Distributed denial of service (DDoS) attacks involve flooding the host with incoming traffic from multiple sources (often either a group of attackers or a single attacker controlling a botnet of devices). These types of attacks are incredibly difficult to stop because you will need to block all incoming traffic from all malicious sources, turning your defensive actions into a game of cybersecurity whack-a-mole. 
  • PDoS: Permanent denial of service (PDoS) attacks (also called phlashing) are similar to DoS and DDoS attacks, but the goal is not temporary disruption; it is to damage devices so badly that they need to be replaced or have their firmware reflashed. An example of this type of attack is the BrickerBot malware, which logs in to IoT devices using hard-coded or default passwords and then corrupts their storage to cause a permanent denial of service. Attacks like BrickerBot could be used to damage water treatment plants, knock power stations offline, or damage critical factory equipment.

DoS, DDoS, and PDoS attacks can be used to target IoT devices and applications, causing serious disruptions, serious injuries, or permanent damage in both commercial and industrial settings.
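To make the DoS versus DDoS distinction concrete, here is an added Python example (not code from the original article) that runs a simple flood detector over a constructed access log. The window size, thresholds and log lines are assumptions for illustration. The point it shows is the one made above: a single-source flood stands out as one loud client you can block, while a distributed flood shows up as many sources that each look ordinary, which is why blocking per source turns into whack-a-mole.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format, as written by most web servers and many device gateways.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "epoch": int(datetime.strptime(m.group("ts"), TS_FMT).timestamp()),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window=10, per_source_limit=50,
                  aggregate_limit=200, min_sources=20):
    """Bucket requests into fixed windows and classify each window.

    dos  : at least one source alone exceeds per_source_limit in the window
    ddos : no single source is over the limit, but the window total exceeds
           aggregate_limit and comes from at least min_sources distinct sources
    Thresholds are assumptions; tune them to the normal traffic of the service.
    """
    counts = defaultdict(lambda: defaultdict(int))  # window_start -> ip -> hits
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # in production, count malformed lines too; they are a signal
        bucket = rec["epoch"] // window * window
        counts[bucket][rec["ip"]] += 1

    findings = []
    for bucket in sorted(counts):
        per_ip = counts[bucket]
        total = sum(per_ip.values())
        loud = sorted(ip for ip, n in per_ip.items() if n > per_source_limit)
        if loud:
            findings.append({"window": bucket, "kind": "dos",
                             "sources": loud, "total": total})
        elif total > aggregate_limit and len(per_ip) >= min_sources:
            findings.append({"window": bucket, "kind": "ddos",
                             "sources": len(per_ip), "total": total})
    return findings


def build_sample_log():
    """Constructed traffic, not a real capture: quiet background traffic,
    then one client hammering the endpoint, then a botnet doing the same."""
    fmt = ('{ip} - - [12/Mar/2024:10:{mm:02d}:{ss:02d} +0000] '
           '"GET /api/status HTTP/1.1" 200 312')
    lines = []
    for i in range(5):                      # 10:00:00-09: 5 clients, 2 hits each
        for k in range(2):
            lines.append(fmt.format(ip=f"192.0.2.{10 + i}", mm=0, ss=k))
    for k in range(80):                     # 10:01:00-09: one source, 80 hits
        lines.append(fmt.format(ip="198.51.100.7", mm=1, ss=k % 10))
    for h in range(60):                     # 10:02:00-09: 60 bots x 5 hits = 300
        for k in range(5):
            lines.append(fmt.format(ip=f"203.0.113.{h + 1}", mm=2, ss=k))
    return lines


if __name__ == "__main__":
    for f in detect_floods(build_sample_log()):
        print(f)
```

For the "dos" window the response is a per-source block or rate limit; for the "ddos" window no per-source rule helps, and the useful response is upstream (provider-side scrubbing, anycast absorption, or shedding the affected endpoint) while the sources list feeds threat intelligence rather than a firewall.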

If you have experienced or are currently experiencing a cyberattack, please contact our team right away and consider reading our educational article Hacked? Here’s What to Know (and What to Do Next).


Protecting Your Devices (& Yourself) in an Always-Connected World

All of these security concerns may have you tempted to throw out your computer and brush up on your typewriter skills, but there is hope. Here are some steps you can take to manage your IoT device security risks. 

If you choose to adopt IoT technology in your organization, NIST recommends keeping these three goals top of mind in order to address the security challenges posed by IoT devices: 

  1. Take steps to protect your IoT device security by ensuring all IoT devices are fully under the owner’s control at all times and are not being exploited by unauthorized users to access your network or harness devices for a botnet or other illegal activities. To do this, make sure you have protocols in place to actively monitor all IoT devices and look for signs of tampering.
  2. Safeguard your organization’s data by taking steps to ensure that all data generated by IoT devices is not exposed or altered when stored on devices, transferred around the network, or transmitted to cloud-based services (including cloud networks owned by either the device’s manufacturer or provided by third-party cloud companies).
  3. Take steps to safeguard individuals' privacy and organizational privacy by putting alerts in place that will notify you if private or sensitive information is being captured or generated by IoT devices. If that data must be collected, make sure you know where it is going, how it is being stored, and what it is being used for. This not only helps safeguard your organization's data but, depending on your industry or vertical, may be required by regulations and standards such as GDPR, PCI DSS, or HIPAA.  
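NIST's first goal above and the device-hijacking pattern described earlier both come down to the same thing: knowing what each IoT device should look like and noticing when it changes, even while it keeps doing its job. The following Python example, added here and not taken from NIST or from the original article, compares an enrolment baseline against a later inventory snapshot and flags unknown devices, enrolled devices that have gone missing, firmware changes, unexpected open ports and unexpected peers. The baseline, the snapshot, and every MAC address, name and hostname in them are constructed for the example.

```python
# Constructed enrolment baseline: what each device is, the firmware it should
# run, the ports it should expose and the peers it is expected to talk to.
# MAC addresses, names and hostnames are made up for this example.
BASELINE = {
    "a4:c1:38:11:22:33": {"name": "lobby-camera-1", "fw": "2.4.1",
                          "ports": [443, 554], "peers": ["10.20.0.10"]},
    "b8:27:eb:44:55:66": {"name": "hvac-ctrl-2", "fw": "1.9.0",
                          "ports": [8443],
                          "peers": ["10.20.0.11", "cloud.hvac-vendor.invalid"]},
    "dc:a6:32:77:88:99": {"name": "badge-reader-3", "fw": "5.0.2",
                          "ports": [443], "peers": ["10.20.0.12"]},
}

# Constructed later snapshot, as an inventory scan plus flow records would
# produce it: the camera has grown a telnet port and is talking to a
# workstation subnet, the HVAC controller has been downgraded, the badge
# reader is gone and an unknown device has appeared.
SNAPSHOT = {
    "a4:c1:38:11:22:33": {"fw": "2.4.1", "ports": [443, 554, 23],
                          "peers": ["10.20.0.10", "10.10.5.40"]},
    "b8:27:eb:44:55:66": {"fw": "1.8.7", "ports": [8443],
                          "peers": ["10.20.0.11", "cloud.hvac-vendor.invalid"]},
    "00:11:22:aa:bb:cc": {"fw": "unknown", "ports": [80],
                          "peers": ["10.10.5.40"]},
}


def check_drift(baseline, snapshot):
    """Compare a snapshot against the baseline; return (mac, finding, detail) tuples.

    Sorted by MAC so the output is stable enough to diff between runs.
    """
    findings = []
    for mac in sorted(set(baseline) | set(snapshot)):
        if mac not in baseline:
            findings.append((mac, "unknown device on network", snapshot[mac]["peers"]))
            continue
        name = baseline[mac]["name"]
        if mac not in snapshot:
            findings.append((mac, f"{name}: enrolled device not seen", None))
            continue
        b, s = baseline[mac], snapshot[mac]
        if s["fw"] != b["fw"]:
            findings.append((mac, f"{name}: firmware changed {b['fw']} -> {s['fw']}", None))
        new_ports = sorted(set(s["ports"]) - set(b["ports"]))
        if new_ports:
            findings.append((mac, f"{name}: unexpected open ports", new_ports))
        new_peers = sorted(set(s["peers"]) - set(b["peers"]))
        if new_peers:
            findings.append((mac, f"{name}: talking to unexpected peers", new_peers))
    return findings


if __name__ == "__main__":
    for mac, what, detail in check_drift(BASELINE, SNAPSHOT):
        print(mac, what, detail if detail is not None else "")
```

Two of these findings deserve a closer look than the others: a firmware version moving backwards is how an attacker reintroduces a flaw that a patch had closed, and a camera that suddenly exposes telnet and starts talking to a workstation subnet is exactly the hard-coded-password foothold and lateral movement this article has been describing. A MAC address is a weak identity (it can be spoofed), so in practice the baseline should key on something stronger where the device offers it, such as a certificate issued at enrolment.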

Are you considering incorporating IoT devices in your workplace? The VirtualArmour team is here to help you assess the risks and create flexible yet robust security protocols to help safeguard your organization, your workers, and your data and develop a cybersecurity incident response program tailored to meet your organization’s unique needs. For more information, or to start updating your security posture, please contact our team today.

VirtualArmour Wins $2.8 Million Contract with Global Chemical Manufacturing Company

CENTENNIAL, Colorado, – (August 8, 2018) VirtualArmour International Inc. (CSE:VAI) (3V3:F) (OTCQB:VTLR), a premier cybersecurity managed services provider, has won a new Managed Threat Intelligence services contract with a global chemical manufacturing company and a long-time VirtualArmour customer.
The engagement includes managed services along with software valued at $2.8 million over three years. Splunk® Enterprise Security, an analytics-driven security information and event management (SIEM) solution will be augmented by VirtualArmour’s dedicated managed security service provider (MSSP) solution. This comprehensive solution will enable the ingestion and correlation of large security-related data sets, while providing security monitoring and complete visibility into the threat landscape.
“This long-time valued customer was concerned with overloading their dedicated cybersecurity team, and our MSSP solution was the answer,” said VirtualArmour CTO, Andrew Douthwaite. “We have replaced two incumbent providers for SIEM which were disparate and monitored siloed parts of their network. By utilizing our threat intelligence services, they gained a fully managed SIEM, incident response and threat hunting platform designed to be highly effective in cybersecurity.”
VirtualArmour’s MSSP solution employs a wide range of technologies to manage, monitor and maintain the customer security systems and prevent security breaches. This allows VirtualArmour’s team of expert analysts to actively hunt for security threats before they become a problem, alert the customer to a possible security threat within 15 minutes of detection, and provide thorough breach analysis.
As part of the services package, the customer will also have access to Cloudcastr, VirtualArmour’s proprietary reporting platform that provides 24/7 security visibility.
About VirtualArmour
VirtualArmour International is a global cybersecurity and managed services provider that delivers customized solutions to help businesses build, monitor, maintain and secure their networks.
The company maintains 24/7 client monitoring and service management with specialist teams located in its U.S. and UK-based security operation centers. Through partnerships with best-in-class technology providers, VirtualArmour delivers leading hardware and software solutions for customers that are both sophisticated and scalable and backed by industry-leading customer service and experience. The company’s proprietary CloudCastr client portal and prevention platform provide clients with unparalleled access to real-time reporting on threat levels, breach prevention, and overall network security.
VirtualArmour services a wide range of clients, which include Fortune 500 companies and several industry sectors in over 30 countries across five continents. For further information, visit www.virtualarmour.com.
 
Important Cautions Regarding Forward Looking Statements
This press release may include forward-looking information within the meaning of Canadian securities legislation and U.S. securities laws. This press release includes certain forward-looking statements concerning a service contract VirtualArmour has entered into with a current client, VirtualArmour’s continued relationship with various suppliers, the future performance of our business, its operations and its financial performance and condition, as well as management’s objectives, strategies, beliefs and intentions. The forward-looking information is based on certain key expectations and assumptions made by the management of VirtualArmour. Although VirtualArmour believes that the expectations and assumptions on which such forward-looking information is based are reasonable, undue reliance should not be placed on the forward-looking information as VirtualArmour cannot provide any assurance that it will prove to be correct.
Forward-looking statements are frequently identified by such words as “may”, “will”, “plan”, “expect”, “anticipate”, “estimate”, “intend” and similar words referring to future events and results. Forward-looking statements are based on the current opinions and expectations of management. All forward-looking information is inherently uncertain and subject to a variety of assumptions, risks and uncertainties, including the success of the Company in performing the IT implementation and migration, performance under the contract by all parties, the ability of VirtualArmour to meet timelines, the continued availability of necessary hardware, the absence of any trade war or tariffs affecting VirtualArmour’s ability to perform, competitive risks and the availability of financing. These forward-looking statements are made as of the date of this press release and VirtualArmour disclaims any intent or obligation to update publicly any forward-looking information, whether as a result of new information, future events or results or otherwise, other than as required by applicable securities laws.
 
Company Contact
Russ Armbrust
CEO
VirtualArmour International Inc.
Tel (720) 644-0913
Email Contact
Investor Relations:
Ronald Both or Grant Stude
CMA
Tel (949) 432-7566
Email Contact
 

VirtualArmour Launches New Investor Relations Website

CENTENNIAL, Colorado, – (August 6, 2018) VirtualArmour International Inc. (CSE:VAI) (3V3:F) (OTCQB:VTLR), a premier cybersecurity managed services provider, has launched a new investor relations section of its corporate website at www.virtualarmour.com. It is available under the Investors tab on the homepage or directly at https://ir.virtualarmour.com.
The new site features detailed financial and stock information, along with access to other investor resources, like corporate governance information and the ability to sign up for email alerts.
“Our new IR section is designed to better support our growing shareholder base and enhance our ability to attract new institutional investors, analysts, investors and financial reporters,” said VirtualArmour CEO, Russ Armbrust. “It also reflects our broader effort to boost brand awareness of our best-in-class cybersecurity managed services, which is demonstrated by our industry-leading 100% customer retention rate and growing client base that includes several Fortune 500 companies.”
Also now available is a new VirtualArmour corporate presentation that can be downloaded from the News & Events section. Visitors can also sign up for timely email alerts under the IR Resources tab.
Important Cautions Regarding Forward Looking Statements
This press release may include forward-looking information within the meaning of Canadian securities legislation and U.S. securities laws. This press release includes certain forward-looking statements concerning the future performance of our business, its operations and its financial performance and condition, as well as management’s objectives, strategies, beliefs and intentions. The forward-looking information is based on certain key expectations and assumptions made by the management of VirtualArmour. Although VirtualArmour believes that the expectations and assumptions on which such forward-looking information is based are reasonable, undue reliance should not be placed on the forward-looking information as VirtualArmour cannot provide any assurance that it will prove to be correct.
Forward-looking statements are frequently identified by such words as “may”, “will”, “plan”, “expect”, “anticipate”, “estimate”, “intend” and similar words referring to future events and results. Forward-looking statements are based on the current opinions and expectations of management. All forward-looking information is inherently uncertain and subject to a variety of assumptions, risks and uncertainties, including the absence of any trade war or tariffs affecting VirtualArmour’s ability to perform, competitive risks and the availability of financing. These forward-looking statements are made as of the date of this press release and VirtualArmour disclaims any intent or obligation to update publicly any forward-looking information, whether as a result of new information, future events or results or otherwise, other than as required by applicable securities laws.
 
