As a visa services provider for government clients around the world, data security is an essential component of our daily work. Facing ever evolving cyber threats, we have made significant investments to protect our IT systems and applicant data. In this article, the first in a series, our Head of Cyber Security, Opeyemi Ore, explains the actions we took recently in reaction to the discovery of ‘PrintNightMare’, a new vulnerability relating to the print function on all Windows-operated computer systems.
Cyber security researchers often have the ability to assign ‘fright-inducing’ names to serious computer system weaknesses, known as vulnerabilities in IT jargon. As a security professional, I have come across some interesting ones, such as Heartbleed, Shellshock, EternalBlue and Meltdown. Each of these provides hackers with mechanisms to gain access to critical business systems for malicious purposes.
Arguably, the most spine-chilling of all computer weaknesses is named ‘PrintNightMare’. As the name suggests, it relates to the printer functionality on Windows systems. The ease at which this vulnerability can be exploited, and the potential resulting damage, literally gives me nightmares. It is extraordinary to me how a service implemented to allow users to print documents has become the method of choice for attackers. This basic functionality can give hackers located thousands of miles away the ability to gain access to a system for malicious purposes. The frightening thing is that every organisation is vulnerable as long as it uses the impacted versions of Windows operating systems. Even if you outsource all your technologies, you are still not safe if your third-party suppliers use the same Windows services.
Rapid response to the ‘PrintNightMare’ threat
News of this vulnerability started spreading like wildfire in July 2021 and everyone sprung into action. Hackers started looking for ways to capitalise. Security product vendors started the usual scaremongering in order to sell more products. Microsoft started working on a fix. Cyber Security teams the world over started to frantically look for a way to protect their systems.
At TLScontact, we were also concerned about the potential consequences for our business. Our daily activity involves us handling large quantities of personal and sensitive details about our visa applicants: their biometric data, passport information, payment details, financial history, crime records etc. Imagine the exposure of this sensitive data by a hacker and the negative impact that this would have on our business, our government clients and applicants.
This became a real test for our Cyber Security team. Despite COVID-induced limitations, we have made significant efforts in recent years to modernise our cyber security capabilities. Investments in next-generation anti-malware, cloud migration, web-content filtering, network segmentation, endpoint security and email security solutions have really moved us from our legacy state into this new world. Our newly developed world-class Security Operations Centre has also provided us with the capability to use these new security technologies to maximum effect. We now have real-time advanced insights on potential new threats, and proactive mechanisms in place to block attacks.
When the ‘PrintNightMare’ vulnerability became known, we were able to scan our environment within seconds and determine that around 30% of our servers might be at risk. This low number of vulnerable systems is testament to our ‘hardening’ efforts: a security practice of turning off all unrequired services on systems to reduce the amount of ‘attack space’ available to a bad actor. Whilst waiting for Microsoft to release a fix, we invoked our incident response process and used it to manage the immediate rollout of new security policies on the impacted systems. This allowed us to disable the print functionality on all these systems within 24 hours. We also reviewed our endpoint detection and response tools for any indications of rogue access, and heightened our monitoring abilities. We focused in particular on any remote connections from the internet targeting any of the systems within our Visa Application Centres, Cloud environment or our data centre facilities. Thankfully, no suspicious events were detected.
Once Microsoft released a fix a few days later, we quickly moved to test and deploy this across all our systems, not just those where the vulnerability was present. This provided us with comprehensive coverage across all our processing environments.
Investing in cyber security to protect our systems and applicant data
Investments in cyber security can be difficult to justify to business executives and other stakeholders who may not appreciate the ‘invisible’ protection offered. Incidents like this one help to demonstrate just how important – and valuable – these protections are. It has been particularly satisfying for me as a security professional to see how the resources and efforts that we have committed over the past year have allowed us to roll out an effective response to this threat in record time, protecting our business and the data of our visa customers.
Unfortunately, the cyber security journey is never complete. In fact, shortly after finishing the exercise described in this article, a new, thankfully less virulent, variant of PrintNightmare was announced. In the cyber security world, the threat landscape is continually changing. Our protective mechanisms must therefore continually evolve to address the threats of the future.
Article written by:
Opeyemi Ore, Head of Cybersecurity