Business Email Compromise (BEC): Hidden Danger in Legacy Protocols

Attempts to compromise business email accounts are much more common than you might think, and when they’re successful, criminals are able to make off with large sums of money. Typically they aim to gain control over the email account of an executive or administrative assistant with the authority to direct or execute financial transactions. They masquerade as that person and inject themselves into an email thread, to initiate a transaction or re-direct a transaction, tricking the business into moving the funds into a bank account controlled by the criminal.

We’ll describe how criminals often gain access to account credentials, and then explain how to close the vulnerability. But first, a few words about just how pervasive these account hijackings are. Proofpoint conducted a six-month study of this kind of attack and found that:

  • Approximately 60% of Microsoft Office 365 and G Suite tenants were targeted
  • Roughly 25% of Office 365 and G Suite tenants were breached as a result
  • Criminals achieved a 44% success rate in breaching an account at a targeted organization

Account Takeover Technique: IMAP Password Spraying

Email services typically enforce a lockout when a password is mis-entered multiple times, which is considered a telltale sign that some unauthorized person is trying to access the account. Password spraying is a brute-force technique that aims to get around the account lockout. Instead of focusing on a single account at a time with a large list of possible passwords, the criminal does the inverse. The attacker starts with a relatively short list of common passwords, and “sprays” them across multiple email accounts at multiple organizations, taking care that the attempts on each individual account and organization are spaced far enough apart that they don’t trigger a lockout. In fact, on the access logs, each attempt looks like a routine login failure rather than part of a coordinated attack.

Here’s the other important thing to know about these attacks. They commonly access the mail server using the Internet Message Access Protocol (IMAP), a standard that’s been around for more than 30 years. The criminals use this route because it’s enabled by default on most servers, it’s easy to write scripts for it that automate the attack, and most of all, its authentication is limited to a simple username and password, with no support for stronger methods.
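The spray pattern described above can be picked out of sign-in logs even though each individual failure looks routine. The PowerShell script below is an added example, not part of the original post: it parses a handful of constructed log lines in an assumed `user=... src=... proto=... result=...` format, groups failures by source address, and reports any source that touched many accounts with only one or two tries each, together with any later successful login from the same source (the account to check first).

```powershell
# Added example (not from the original post): flag the password-spraying pattern
# in sign-in logs. Many distinct accounts, one or two failures each, same source,
# legacy IMAP client. The log lines and their format are constructed for the demo.
$SampleLog = @'
2020-01-14T02:01:11Z user=alice@example.com src=203.0.113.7 proto=IMAP4 result=Failure
2020-01-14T02:09:42Z user=bob@example.com src=203.0.113.7 proto=IMAP4 result=Failure
2020-01-14T02:18:05Z user=carol@example.com src=203.0.113.7 proto=IMAP4 result=Failure
2020-01-14T02:26:30Z user=dave@example.com src=203.0.113.7 proto=IMAP4 result=Failure
2020-01-14T02:35:12Z user=erin@example.com src=203.0.113.7 proto=IMAP4 result=Failure
2020-01-14T02:44:48Z user=frank@example.com src=203.0.113.7 proto=IMAP4 result=Success
2020-01-14T08:12:03Z user=alice@example.com src=198.51.100.22 proto=MAPI result=Failure
2020-01-14T08:12:41Z user=alice@example.com src=198.51.100.22 proto=MAPI result=Failure
2020-01-14T08:13:10Z user=alice@example.com src=198.51.100.22 proto=MAPI result=Success
'@

function Find-SprayCandidates {
    param(
        [string[]]$Lines,
        [int]$MinAccounts   = 5,   # distinct accounts hit from one source
        [int]$MaxPerAccount = 2    # "low and slow": few tries per account, no lockout
    )
    $pattern = '^(?<ts>\S+) user=(?<user>\S+) src=(?<src>\S+) proto=(?<proto>\S+) result=(?<result>\S+)$'
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time   = [datetime]$Matches.ts
                User   = $Matches.user
                Src    = $Matches.src
                Proto  = $Matches.proto
                Failed = ($Matches.result -eq 'Failure')
            }
        }
    }
    $failures = $events | Where-Object Failed
    foreach ($group in ($failures | Group-Object -Property Src)) {
        $perUser  = @($group.Group | Group-Object -Property User)
        $maxTries = ($perUser | Measure-Object -Property Count -Maximum).Maximum
        if ($perUser.Count -ge $MinAccounts -and $maxTries -le $MaxPerAccount) {
            $times     = @($group.Group.Time | Sort-Object)
            # A success from the same source after the spray is the likely compromised account.
            $successes = @($events | Where-Object { -not $_.Failed -and $_.Src -eq $group.Name } |
                Select-Object -ExpandProperty User)
            [pscustomobject]@{
                Source             = $group.Name
                DistinctAccounts   = $perUser.Count
                MaxTriesPerAccount = [int]$maxTries
                WindowMinutes      = [int]($times[-1] - $times[0]).TotalMinutes
                Protocols          = ($group.Group.Proto | Sort-Object -Unique) -join ','
                LaterSuccess       = $successes -join ','
            }
        }
    }
}

# 203.0.113.7 is reported (5 accounts, 1 try each, IMAP4, then a success for frank@example.com);
# 198.51.100.22 is not (one user mistyping a password twice is the routine case).
Find-SprayCandidates -Lines ($SampleLog -split '\r?\n') | Format-Table -AutoSize
```

The thresholds are deliberately conservative; against real sign-in data (for Office 365, the unified audit log or Azure AD sign-in logs) lower `MinAccounts` and widen the time window, and treat any match that uses a legacy protocol such as IMAP4 or POP3 as the first thing to triage, since those sessions never passed MFA.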

Sprayproofing the Environment

Business email compromise (BEC) has become such a huge problem that we routinely recommend that every business that uses Office 365 or G Suite implement multi-factor authentication (MFA), and require it any time a user connects from a new location or device. Here’s the rub, though: the IMAP protocol doesn’t support MFA. When IMAP is enabled, it gives criminals a way to access the server that bypasses MFA, leaving it wide open for password-spraying.

So, we recommend disabling the IMAP protocol and its older cousin, the Post Office Protocol (POP3). POP3 isn’t used as often for spraying attacks, but it has the same vulnerabilities as IMAP. Very few users should be using IMAP or POP3 to access their email. For those who do, we recommend they connect to Office 365 with Outlook Anywhere, which is more secure.

If you’re reluctant to disable IMAP and POP because it might inconvenience a few users, realize that both protocols are on the way out. For example, Microsoft has announced it will stop supporting simple username/password authentication for IMAP and POP3 in October 2020.
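Here is what the recommendation above looks like in Exchange Online PowerShell. This is an added example, not FIT Solutions’ own procedure: it assumes the ExchangeOnlineManagement module, an administrator account, and a placeholder exception mailbox (`scanner-relay@example.com`). The cmdlets (`Connect-ExchangeOnline`, `Get-/Set-CASMailboxPlan`, `Get-/Set-CASMailbox`, `New-AuthenticationPolicy`, `Set-OrganizationConfig`) are Microsoft’s. The last step goes a little beyond the article by also blocking basic authentication for the whole tenant, which is the change Microsoft’s October 2020 announcement points to.

```powershell
# Added example (not from the original post): turn off IMAP and POP3 in Exchange
# Online for every mailbox except a documented exception list, then verify.
# Requires the ExchangeOnlineManagement module and an Exchange administrator.
Connect-ExchangeOnline

# Mailboxes with a documented need for IMAP/POP (placeholder address).
$Exceptions = @('scanner-relay@example.com')

# 1. New mailboxes: change the default plan so future users are protected too.
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

# 2. Existing mailboxes: disable both protocols, skipping the exception list.
#    Add -WhatIf to the Set-CASMailbox call to preview the change first.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $Exceptions -notcontains $_.PrimarySmtpAddress.ToString() } |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false

# 3. Verify: anything listed here still accepts IMAP or POP and should be on the
#    exception list, or it is a mailbox the loop above missed.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled

# 4. Beyond the article: a new authentication policy blocks basic (username/password)
#    authentication for every protocol by default; making it the tenant default closes
#    the MFA bypass even where a legacy protocol is later re-enabled by mistake.
New-AuthenticationPolicy -Name 'Block Basic Auth' | Out-Null
Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'

Disconnect-ExchangeOnline -Confirm:$false
```

Disabling the protocol on the mailbox removes the attack path whether or not the user ever configured an IMAP client, which is why step 2 is applied to everyone rather than only to accounts seen using IMAP. The organization-wide authentication policy can take some hours to apply to existing sessions, so re-run the step 3 report and check sign-in logs for basic-auth IMAP/POP connections after the change.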

At FIT Solutions, we make it our business to stay on top of vulnerabilities like this to keep our clients’ businesses safe. It’s a great example of the value-add you get with our managed IT services. If you would like to know more, give us a call at 888-339-5694.

PointClickCare or MatrixCare: Which for Senior Care?

If you’re considering an electronic health records (EHR) system for your LTPAC or assisted living facility, our experience with senior care clients tells us that there are two popular choices: PointClickCare and MatrixCare.

Which should you choose for your facility? Well, it depends.

First, let’s get the basics out of the way. Both are built with a strong LTPAC focus, which separates them from EHR systems such as Epic or Cerner that are more often found in hospitals and integrated health systems. Both are strong on HIPAA security compliance. Both include electronic medication administration record (eMAR) functionality. Both are delivered through a software-as-a-service (SaaS) model, which means you don’t have to maintain an onsite server, and updates, patches and data backups are handled for you. In our experience, both companies offer great support.

They differ in a few ways as well, and while we can’t recommend one system over the other, we’ll share those differences. Which system you choose depends on which of these issues matters more to you.

  • Device support. MatrixCare is a Microsoft partner, and that’s reflected in the operating systems and devices it supports. The clinicians’ devices must run the Windows operating system and Internet Explorer. MatrixCare supports non-Windows client devices via either a Citrix virtualization client or Windows Terminal Services. While those scenarios are well-documented and supported, running the Citrix or Windows Terminal Server is the responsibility of your IT team. On the other hand, PointClickCare supports desktops, laptops, tablets and smartphones that run Windows, macOS, ChromeOS or Android, and all of the popular web browsers (although not all modules support all combinations). If you want to run PointClickCare in a virtualized environment, it’s not technically supported by the company, but some facilities are doing so successfully.
  • User Interface. The MatrixCare user interface is sleeker and more modern, but in our opinion, this is mostly a matter of aesthetics. Both are equally functional.
  • Reporting and Analytics. PointClickCare offers reporting, but creating custom reports and analytics requires using a feature called Data Relay. It allows you to copy most of the data onto another server for running analytics. By contrast, MatrixCare has an Analytics Suite module that lets you make use of Microsoft Azure and Power BI to develop analytics and create custom dashboards. Both of these scenarios require some degree of knowledge by your users and IT team.
  • Audit trails. Our clients report that MatrixCare is stronger in this area, particularly at survey time.
  • Redundancy. Both systems recommend that facilities have two Internet connections in case one connection goes down. However, in the event of an outage, PointClickCare suggests hourly backups of the eMAR records so clinicians can revert to paper charting. MatrixCare provides a mobile app that can work offline, and syncs the records back to the eMAR module once the connection becomes available again.

At FIT Solutions, we’re familiar with both of these senior-care EHR systems and our IT specialists are happy to support you, regardless of your choice. If you would like to know more, give us a call at 888-339-5694.

Ransomware Wakeup Call: 4 Tips to Protect Yourself

It’s a sad fact that criminals often prey on the most vulnerable. This was proven true in the ransomware attacks that impacted LTPAC facilities during November. Not only were the facility operators victimized, but the sudden lack of access to medical records profoundly impacted their ability to care for patients and residents.

This incident was first reported by journalist and investigative reporter Brian Krebs. More than 100 facilities were impacted, and the ransomware cut off access to critical systems, including access to patient records, client billing, phone systems, internet service and email. The scope of the attack was audacious. The threat to people’s lives was deplorable. But most galling to us, as IT service providers, is that the incident was so preventable. More on that below.

Why Healthcare is Such a Tempting Target

In this case, the perpetrators were identified as a Russian gang, an adversary well-known among security experts. What’s clear here is that criminals don’t care that their actions could actually endanger people’s lives. They go after healthcare because lives are at stake, and they know that many healthcare organizations don’t have extra dollars around to invest in security.

Smaller and mid-size organizations are often the targets of choice. Health systems serving smaller communities, community hospitals, group medical practices, specialty centers, rehabilitation providers and dental practices have all been ransomware targets. Some have even had to close their doors after an attack.

A Few Ounces of Prevention Can Go a Long Way

Here are some of the ransomware prevention measures that we recommend and put in place for our clients. These are standard security practices, and aren’t necessarily more expensive than what you’re doing right now.

  1. Enact an anti-ransomware group policy on computers. Use a Windows Group Policy Object that prevents unknown executable files from running in temporary folders or in the AppData folder. Almost every single ransomware variant we have seen runs from one of these locations.
  2. Segregate cloud resources. Use a provider that can deliver a private hybrid cloud — not a public cloud where your data and applications are pooled with those of other companies. That protects your company in case another becomes infected with ransomware. You don’t want their problem becoming your problem—and everybody else’s.
  3. Separate backups from network shares. The ultimate protection against ransomware is maintaining regular and up-to-date backups so you can restore from them if an attack encrypts your data and makes it unreadable. But don’t store your backups on your network, accessible through a mapped drive, or the attack could compromise your backups, too.
  4. Bolster your endpoint protection. We’re presuming you already have antivirus in place. Because ransomware is a targeted attack, the criminals take care to alter their executable files, so signature-based antivirus isn’t very effective. Consider switching to an endpoint protection product that employs a “defense in depth” strategy rather than just relying on signatures.
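Tip 1 can be scripted instead of clicked through in the Group Policy editor. The script below is an added example, not FIT Solutions’ own policy: it assumes the GroupPolicy (RSAT) module on a domain-joined admin workstation, a placeholder OU name, and that the GPO’s Software Restriction Policy settings are the registry values the editor writes under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers` (`DefaultLevel`, `TransparentEnabled`, `PolicyScope`, and one `ItemData`/`SaferFlags` pair per path rule under level `0`, Disallowed). The paths covered are the ones the tip names: the user’s temp folder and the AppData folders.

```powershell
# Added example (not from the original post): build a GPO whose Software Restriction
# Policy (SRP) path rules disallow executables launched from the per-user temp and
# AppData folders, while everything else keeps the default "Unrestricted" level.
# Assumes the GroupPolicy RSAT module; the GPO name and OU below are placeholders.
Import-Module GroupPolicy

$GpoName  = 'Anti-Ransomware SRP'
$TargetOu = 'OU=Workstations,DC=example,DC=com'      # placeholder pilot OU
$Safer    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Block executables launched from temp/AppData'
}

# Global SRP settings: default level Unrestricted (0x40000), enforce for all users
# (PolicyScope 0), apply to all software files except libraries (TransparentEnabled 1).
Set-GPRegistryValue -Name $GpoName -Key $Safer -ValueName 'DefaultLevel'       -Type DWord -Value 0x40000 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Safer -ValueName 'TransparentEnabled' -Type DWord -Value 1       | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Safer -ValueName 'PolicyScope'        -Type DWord -Value 0       | Out-Null

# The locations the tip names. An SRP "*" matches one folder level, so deeper
# patterns are listed explicitly rather than relying on recursion.
$DisallowedPaths = @(
    '%AppData%\*.exe',      '%AppData%\*\*.exe',      '%AppData%\*\*\*.exe',
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe', '%LocalAppData%\*\*\*.exe',
    '%Temp%\*.exe',         '%Temp%\*\*.exe',         '%Temp%\*\*\*.exe'
)

foreach ($path in $DisallowedPaths) {
    # Each path rule lives under level 0 (Disallowed) in its own GUID-named key.
    $ruleKey = "$Safer\0\Paths\{$([guid]::NewGuid().ToString())}"
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'ItemData'     -Type ExpandString -Value $path | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'SaferFlags'   -Type DWord        -Value 0     | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'Description'  -Type String       -Value "Anti-ransomware rule: $path" | Out-Null
    Set-GPRegistryValue -Name $GpoName -Key $ruleKey -ValueName 'LastModified' -Type QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
}

# Link to the pilot OU first; widen the scope only after checking that legitimate
# software (installers that unpack into %Temp%, self-updating apps in %LocalAppData%)
# is not caught, or has been given its own hash or certificate exception.
New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
Get-GPO -Name $GpoName | Select-Object DisplayName, GpoStatus, ModificationTime
```

Two caveats a practitioner will want: path rules that use `%Temp%` or `%AppData%` are evaluated with the logged-on user’s environment variables, so they are a speed bump rather than a hard boundary, and on current Windows editions AppLocker or Windows Defender Application Control enforce the same idea with signer-based rules that cannot be redirected. Run `gpupdate /force` on a pilot machine and confirm with `Get-GPResultantSetOfPolicy` that the rules arrived before linking the GPO more broadly.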

At FIT Solutions, we supply IT services to many senior care organizations including assisted living and LTPAC facilities. We urge you to implement the tips above; you can do them yourself. Of course, if you’d like help, you can always call us at (888) 339-5694. We’d be happy to partner with you to protect your organization from ransomware.
