Issue & resolution centre

What your issues mean & resolutions for each of them.

  • Breached emails mean that a company you have previously logged on to, for example LinkedIn or Fitbit, has had data taken from its database. These breached emails are then made available on the dark web for criminals to use to gain access to your systems.

    A breached email is often not just an email address; it frequently comes with the password and other information about the individual as well. Breached emails can compromise your business because employees often reuse the same password in multiple places, so if cyber criminals have obtained one password they may be able to access, or gain authorisation to, a range of your business systems.

    The implications of a breached email:

    1. It personally identifies you;

    2. It may provide other information that a cyber criminal can use to gain access to your organisation. An employee's seniority does not deter cyber criminals from stealing their credentials; whatever the level, hackers can use the information to their advantage, for example by sending emails to internal teams to gain further access to senior members of the organisation.

    Prevention & Remediation Action Plan

    1. Have a work policy that covers the use of work emails and states that they are not to be used for any purpose other than work-related activity;

    2. Do not allow employees to use their work email address to sign up to non-work-related websites;

    3. In the event of a breach, have a process in place to ensure the passwords are changed immediately. Do not wait any length of time as this allows the hackers a window of opportunity to gain access to your systems through a legitimate

  • Certificates are used to encrypt data between two machines. For instance, when somebody visits your webpage, the certificate is used to encrypt the information passing between the visitor and the server displaying your webpage. This stops other people from reading that data as it crosses the internet. This is now standard practice and is referred to as an SSL certificate.

    Cyber criminals can exploit expired or weak certificates to gain access to your organisation's sensitive information and perform a variety of attacks on your system. These are most likely to intercept the communication between a legitimate user and your organisation, or to take over that communication for themselves.

    Example 1: If you run a business that offers a login facility through which clients can gain special access to view information, a cyber criminal who exploits an expired or weak certificate can gain access and pretend to be a legitimate user. Once in, they can view sensitive information and may use further methods to infiltrate your systems. This is one of the ways attackers gather information and leak it to the internet, as we've seen with some large, high-profile businesses.

    Example 2: Your marketing team requests that your IT team quickly build a website for an upcoming campaign. Due diligence wasn't carried out because of the time-sensitive nature of the task, so a security certificate wasn't implemented, leaving your organisation vulnerable.

    Prevention & Remediation Action Plan

    1. Use AEGIS Early Warning System to check for any certificates that may be below grade. Your certificates should be a C grade or above;

    2. Do not allow marketing-type servers to use untrusted certificates. They are often built under time pressure, but they leave your system vulnerable to attack, and if they are connected to the rest of your corporate network the entire corporate network becomes vulnerable;

    3. Have a register of all of your certificates and the dates they expire with a process to replace them 3-6 months before they expire.
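    The register in step 3 can be checked automatically. The script below is an added example, not part of the AEGIS system or this page; the hostnames and expiry dates are constructed placeholders, and it flags any certificate that is expired or within 6 months of expiry (the outer edge of the 3-6 month replacement window).

```python
import ssl
from datetime import datetime, timezone

# Constructed sample register (hostnames are placeholders): hostname -> notAfter
# timestamp in the "Mon DD HH:MM:SS YYYY GMT" format that ssl.getpeercert() returns.
CERT_REGISTER = {
    "www.example.com": "Nov 15 12:00:00 2025 GMT",
    "shop.example.com": "Mar 20 00:00:00 2025 GMT",
    "campaign.example.com": "Jan 10 09:30:00 2025 GMT",
}

RENEW_BEFORE_DAYS = 180  # start replacement 6 months out, per the action plan
SAMPLE_NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)  # fixed reference date for a repeatable run


def cert_expiry(not_after: str) -> datetime:
    """Parse an OpenSSL-style notAfter timestamp into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def classify(not_after: str, now: datetime, renew_before_days: int = RENEW_BEFORE_DAYS):
    """Return (status, days_remaining); status is 'expired', 'renew' or 'ok'."""
    days_left = (cert_expiry(not_after) - now).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= renew_before_days:
        return "renew", days_left
    return "ok", days_left


def review_register(register: dict, now: datetime) -> dict:
    """Classify every certificate in the register against the reference date."""
    return {host: classify(exp, now) for host, exp in register.items()}


def sample_review() -> dict:
    """Run the review over the constructed register at the fixed reference date."""
    return review_register(CERT_REGISTER, SAMPLE_NOW)


if __name__ == "__main__":
    for host, (status, days) in sample_review().items():
        print(f"{host:24} {status:8} {days:5d} days")
```

    Replace SAMPLE_NOW with datetime.now(timezone.utc) and feed in the notAfter values from your own certificates to use it against a live register.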

  • A port is the channel through which another computer, such as a client's machine, talks to your machine or server.

    Example 1: A client accessing your webpage does so over a port; common ports are port 80 and port 443, and normally these ports allow bi-directional computer traffic. However, an open port is also an entry point into your server. Cyber criminals know this, so they often take advantage of an open port to gain entry. This could allow attacks such as ransomware to get into your system and attack your machines.

    Example 2: Another attack that can occur via an open port is a DDoS (distributed denial of service) attack, which could stop your systems from functioning by overwhelming the server. Attackers could also install software to gain a financial advantage, such as Bitcoin mining, sending spam emails or using your machine to attack another machine.

    Example 3: Open ports could also indicate an internal compromise. Has an employee clicked on a phishing email and downloaded malware by accident? Could this result in more malware being downloaded and starting to exfiltrate data out of your system? This type of attack will often involve the attacker misusing an existing port or opening a new one to send that information out.

    Prevention & Remediation Action Plan

    1. Use the AEGIS Early Warning System to continually monitor your ports and look for any new or suspicious ports that are currently running on your system;

    2. Have your IT team investigate all of those ports and have them determine if they are needed for legitimate business reasons;

    3. Have your IT team check that the ports that are open for legitimate business reasons are secured appropriately. If you use FTP, make sure it has a username and a certificate-based authentication system. A password is not good enough on its own;

    4. Start logging your servers and look for unexplained connections on those ports.
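    Steps 1 and 2 above amount to comparing what is listening against a register of ports with a business justification. The script below is an added example, not AEGIS code; the approved-port register and the `ss -ltn` style listing are constructed sample data, and it separates approved ports, loopback-only listeners and unexplained internet-facing ports for IT to investigate.

```python
import re

# Constructed register of ports approved for legitimate business reasons.
APPROVED_PORTS = {
    22: "SSH admin access, key-based only",
    80: "HTTP, redirects to HTTPS",
    443: "HTTPS web front end",
}

# Constructed sample in the style of `ss -ltn` output. Port 21 (FTP) and 4444 are
# deliberately absent from the register so the audit has something to flag.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      32     0.0.0.0:21          0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    0.0.0.0:4444        0.0.0.0:*
"""

# State, Recv-Q, Send-Q, then the local address:port column.
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(text: str) -> list:
    """Return (address, port) for every LISTEN line; header and other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def audit_ports(listeners: list, approved: dict, loopback=("127.0.0.1", "::1")) -> dict:
    """Split listeners into approved, loopback-only and unexplained internet-facing ports."""
    report = {"approved": [], "local_only": [], "unexplained": []}
    for addr, port in listeners:
        if port in approved:
            report["approved"].append(port)
        elif addr in loopback:
            report["local_only"].append(port)  # not reachable from the internet, but still review
        else:
            report["unexplained"].append(port)  # new or suspicious: have IT justify or close it
    return report


if __name__ == "__main__":
    for bucket, ports in audit_ports(parse_listeners(SAMPLE_LISTENERS), APPROVED_PORTS).items():
        print(f"{bucket:12} {ports}")
```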

  • A server vulnerability is an exposed software defect that can be used by anyone wanting to attack your system. The weakness can be exploited by an attacker across a privilege boundary; the term generally refers to software vulnerabilities in a computer system, which in this case is a server. If your mail server, used for sending and receiving emails, or your web server, used to serve your webpages, has vulnerabilities, these can be an access point for cyber criminals to attack either that particular system on its own or to gain deeper access into your network.

    The two main groups of attackers and those that are seen as the largest threats are:

    • Cyber criminals, who will try to exploit a software defect to get onto your system and potentially cause damage or hold you to ransom until you pay a fee;

    • Unskilled individuals who have come across a defect and wish to test their skills by gaining access to your machines. This helps the individual become a better hacker but does not necessarily come with a desire for monetary gain. These people are more likely to cause irreparable damage to your system and make it inoperable just for the sake of it.

    Exploiting server vulnerabilities could result in:

    • The loss of your website;

    • The loss of your emails;

    • A complete takeover of your system, which is then used for the attackers' own purposes, such as attacking other computer systems. This can result in your server being blacklisted.

    Allowing server vulnerabilities to persist can significantly damage your company brand and may also mean you are stopped from being able to transact.

    Prevention & Remediation Action Plan

    There are a number of steps to secure your system without having to spend a fortune:

    1. Use AEGIS to continually monitor your infrastructure and discover IT servers and other devices exposed to the internet that you haven't seen before;

    2. Use that information to see how many of these servers have known vulnerabilities;

    3. Motivate IT staff to put a patching process in place that regularly applies updates to your systems and the components they run on. Encourage your IT staff to review AEGIS-EW daily to ensure no new vulnerabilities have been discovered overnight that your system could be vulnerable to.

  • Transport Layer Security (TLS) provides another level of encryption between the client accessing your server and your server's interaction with that client.

    Example 1: Mail servers use encrypted tunnels to send mail from your machine to a mailbox on another machine. Having an appropriate level of security on these TLS tunnels is important to prevent attacks on your emails in transit.

    An attacker can take advantage of weak encryption on your transport layer. If the encryption is weak, the information being transported from your server to your clients can be intercepted. Although this kind of attack is a lot harder to carry out, it is still possible and should be mitigated. Furthermore, modern browsers now alert users when a site's TLS configuration is poor, which may in turn damage your brand and reputation.

    Prevention & Remediation Action Plan

    1. Use the AEGIS Early Warning System to alert you to out-of-date TLS versions;

    2. The current minimum TLS version is 1.2. Ensure your IT team has a process in place to check that every server meets that minimum and that any new server will also meet it. A cyber criminal will see a poorly configured server as a potential opportunity to look for other vulnerabilities in your system.

    If we can't connect to a web server with encrypted HTTPS, we try non-encrypted HTTP.

    • If there's no web server responding to either protocol, there is no issue.

    • If we couldn't connect via HTTPS but there's a web server serving a non-encrypted HTTP-only site, that's a security risk. It needs to be confirmed that the site in question never passes private information that requires encryption.

    • If HTTP redirects to HTTPS on a different domain then, although there is encryption, security issues can still arise. The simplest and safest route is to make an initial redirection from HTTP to HTTPS on the same hostname. This allows the HTTP Strict Transport Security (HSTS) header to be applied properly.

    • It's also possible there was a response to the HTTPS request, but an encrypted connection couldn't be negotiated, e.g. because of misconfiguration on the webserver.
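    The outcomes above can be turned into a small classifier. This is an added example, not the AEGIS check itself; the ProbeResult records are constructed inputs describing what a probe observed on 443 and 80, and no network access is needed. It goes one case beyond the text: an HTTP redirect to HTTPS on the same hostname when that HTTPS endpoint did not answer is reported as a broken redirect.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class ProbeResult:
    """Constructed summary of one host probe (hypothetical structure, not AEGIS output)."""
    host: str
    https: str                            # "ok", "handshake_failed" or "no_response"
    http_status: Optional[int]            # None when nothing answered on port 80
    http_location: Optional[str] = None   # Location header when HTTP returned a 3xx


def classify(p: ProbeResult) -> str:
    """Map a probe to one of the outcomes listed in the text (plus one broken-redirect case)."""
    if p.https == "ok":
        return "encrypted"                    # HTTPS negotiated: nothing to flag here
    if p.https == "handshake_failed":
        return "https_misconfigured"          # answered on 443 but TLS could not be negotiated
    # HTTPS gave no response, so look at what plain HTTP did.
    if p.http_status is None:
        return "no_webserver"                 # nothing on either protocol: not an issue
    if 300 <= p.http_status < 400 and p.http_location:
        target = urlparse(p.http_location)
        if target.scheme == "https" and target.hostname == p.host:
            return "broken_redirect"          # points at the HTTPS endpoint that did not answer
        if target.scheme == "https":
            return "redirect_other_host"      # encrypted, but HSTS cannot be applied to this host
    return "http_only"                        # confirm this site never carries private data


def classify_all(results: list) -> dict:
    """Classify a batch of probes, keyed by hostname."""
    return {p.host: classify(p) for p in results}
```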