Tag Archives: Cybersecurity

Cybersecurity for Executives


Looking forward to another local speaking event here in Sacramento:

By invitation only, DSA Technologies is hosting FBI expert Kurt Pipal and licensed Computer Forensics Investigator Michael Reese to discuss the current state of Cybercrime in the Northern California & Sacramento Area. Executives who are responsible for the public perception for their organizations should attend.
This event will feature several security topics frequently seen in the news today, including:
• Financial Fraud
• Intellectual Property Threats
• Ransomware
• Identity Theft
• Phishing/Social Engineering scams
• Attacks on Critical Infrastructure
Where: Morton’s Steakhouse
621 Capitol Mall, Sacramento, CA 95814
When: April 19th @ 11:30AM
Event Partners: FBI, Palo Alto Networks

https://info.dsatechnologies.com/cybersecurity-executives?utm_medium=email&_hsenc=p2ANqtz-87pG_MltR6-NVDUCbEqHXmas6WEnVdPihwf6CQZKXnI7oZBdlSlwOQD-on1JuQWymhLINfPsaZYxcDFufz1yiaEKOklqJGsr8ZnhofQ5pdK4P60aQ&_
hsmi=61681952&utm_content=61681952&utm_source=hs_email&hsCtaTracking=00e12be2-db07-4fe5-8ea2-5a7a5ab18189%7C9cb78923-d767-46b3-bc62-b8a4d0c88fa6

 

Happy New Year 2018: 10 Steps to Improve Cybersecurity

Just a few (10) recommendations to think about in the new year.

  1. Patch the operating system on all PCs and Servers. Windows security updates should be applied and Windows Update should be set to download automatically and install manually. [Preventative]
  2. Update Microsoft Office with all available updates. Set Windows Update to also update any other Microsoft products. [Preventative]
  3. Update all web browsers. Preferred browser would be 64 bit Google Chrome Enterprise as it is fairly secure by default and includes its own sand-boxed Flash player and PDF viewer. [Preventative]
  4. Update Adobe Flash to most current version or remove if using Chrome as advised above. Update Adobe Reader to most current version or remove if using Google Chrome. [Preventative]
  5. Remove Java. If you must run Java, update to most current version but seriously consider removing Java. [Preventative]
  6. Raise the level of User Access Control (UAC) to the highest level – requiring Admin account to install or modify the system. [Preventative]
  7. Users must not be Local Admin on their PC. [Preventative]
  8. Enable Windows firewall on all PCs and servers. Only enable ports and applications both inbound and outbound as required (block inbound by default minimum). [Preventative]
  9. Implement a backup solution for all user data. Restore must be tested periodically. Ideally, versioning or offline snapshots should be enabled to protect against ransomware. [Preventative]
  10. All mobile devices should be updated to latest version of OS and device pass codes must be set (at least 6 digits). [Preventative]

Bonus Items

  1. Install antivirus / anti-malware software on PCs and servers. Any IPS / IDS functionality would be good to apply. Solution should be set to update signatures automatically. [Preventative / Detective]
  2. Bitlocker or other hard drive encryption should be enabled and enforced via GPO.[Preventative]
  3. Application whitelisting using AppLocker with trusted publishers or hashes of known good applications. [Preventative]
  4. Install SYSMON on all PCs and Servers. Configure for logging process creation, command line execution parameters, process creation, optionally network events. [Detective]
  5. Turn on Windows Event logging for critical events see SANS Detecting Security Incidents Windows Event Logs. [Detective]

Have a great New Year and be safe and cyber aware !!

Small Business Cyber Security – MYTH BUSTING

 

These days cybersecurity is a constant headline in the news.  It can be easy to go on with business either feeling helpless or like this doesn’t pertain to my business.  But with recent headlines highlighting crypto-extortion/ransom-ware and hacking of large enterprises by way of their small business partners, cyber threats have become something that affects all our businesses.  But this problem is so-big and so-nebulous, what can we do to stay safe and secure in this ever-changing connected world?

Myth #1 – I’m not a large enterprise, hackers won’t attack me:

Did you know that more than half of the data breach victims are businesses with under 250 employees?1 Hackers are intelligent, and sophisticated, but they’re also often looking for something quick and easy. Small and medium businesses who believe they are not at risk, tend not to invest as much in cybersecurity; thus, making them an easier target. They collect and store a wealth of data, but often don’t realize it’s true value, and therefore don’t put the right measures in place to protect it.

From there, attackers take various routes.  They might just encrypt your systems and hold your business for ransom, preventing order processing and other critical functions – often not restoring service when paid.  Further the attackers might use data or access gained from the small business to leverage an attack on larger partner organizations.  In 2014 Fazio Mechanical Services provided the vector for hackers which lead to Target’s massive breach. What big clients would you lose in this situation?

Myth #2 – Technology will fix everything:

It’s true that professionals use robust technology systems and tools to be prepared against cyberthreats, but technology is only part of the solution and buying and implementing technology solutions without expert configuration and monitoring is a lot like using WebMD.com in place of a doctor to diagnose and treat diabetes.  Might you end up doing some beneficial things and even improving your situation?  Absolutely!  But are you positioned to understand all the complex intersections of causes, tools and treatments, side-effects, etc, to lead to an ideal outcome?  It’s possible, but the truth is that you’re probably busy running your business and family.

Beyond technology, one critically underutilized tool in this fight against cybercrime is employee education.  The number one risk factor since something like 1995 has been and remains human interaction.  According to Verizon’s 2017 Data Breach Investigation Report, 99% of malicious content came from email (93.8%) and web browsers (5.8%).  Though all of these threats are not easily detectible by humans, many are.  As such, one of the most effective things we can do is to teach employees how to identify and avoid these sorts of threats and to pro-actively test them with controlled and measured phishing tests to determine where additional education may be needed.  If employees are properly trained to detect a scam or raise a suspicion, we can prevent many attacks before malware is even in the system.

Myth #3 – I Don’t have funds or resources for cybersecurity:

It might feel like you’re not in a financial position to invest in cybersecurity yet – especially if you believe your business is too small to attract the attention of would-be-hackers.  But have you stopped to think about the cost implications of a breach?  There’s loss of business due to reputational damage, legal fees, loss of competitive edge, and so much more at stake.  

Your local MSP (Managed Service Provider) has an IT Service that can help you.  They will take an in-depth approach to cyber security which has proven highly effective by creating layers of security measures which minimize user impact and cost while maximizing return on investment.  For instance, endpoint protection as a service solution, which is composed of industry leading anti-virus and web defense software married with best-in-class management and response procedures, has been deployed on 1000’s of systems as best practice.

Cybersecurity Ventures predicts $1 trillion will be spent globally on cybersecurity from 2017 to 20212. Ensure you’re a part of that investment, so you don’t get left behind.

Critical Bluetooth Flaws Put Over 5 Billion Devices At Risk Of Hacking


Bluetooth is one of the most popular short-range wireless communications technologies in use today and is built into many types of devices, from phones, smartwatches and TVs to medical equipment and car infotainment systems. Many of those devices are now at risk of being hacked due to critical flaws found in the Bluetooth implementations of the operating systems they use.

Over the past several months, a team of researchers from IoT security firm Armis have been working with Google, Microsoft, Apple and Linux developers, to silently coordinate the release of patches for eight serious vulnerabilities that could allow attackers to completely take over Bluetooth-enabled devices or to hijack their Internet traffic.

The flaws found by Armis are particularly dangerous because they can be exploited over the air without any type of authentication or device pairing. Simply having Bluetooth enabled on a device is enough to make it vulnerable if patches for these issues are not installed.

The attacks can be fully automated and they don’t require any user interaction, as attackers can force vulnerable devices to open Bluetooth connections. In one scenario, the flaws can be used to build a worm-like attack where one compromised device automatically infects others when they come in its Bluetooth range. This can lead to the creation of massive botnets.

The Armis researchers have dubbed this new attack vector BlueBorne and they estimate that it affects over 5.3 billion devices. Furthermore, based on their discussions with vendors, they believe that 40% of the impacted devices will never be patched, either because they’re old and won’t receive firmware updates at all or because updating them is too complicated and users won’t bother.

The vulnerabilities are not located in the Bluetooth protocol itself, but in the individual Bluetooth implementations — or stacks — that are present in Android, Windows, Linux and iOS. Because of this, it doesn’t matter what version of the Bluetooth protocol a device supports — they’re all affected, with the exception of those that support only Bluetooth Low Energy, also known as Bluetooth Smart.

The Armis team first stumbled across one of the flaws during their regular work on the company’s security product, which helps organizations identify rogue or compromised IoT devices on their networks. The team then checked the similar code in other Bluetooth stacks and found additional vulnerabilities.

Four of the eight vulnerabilities were found in Android’s Bluetooth implementation, two in Linux, one in iOS and one in Windows. Their impact varies based on operating system.

“I think this is really just the tip of the iceberg as far as vulnerabilities in Bluetooth implementations go,” the Armis researchers said. “We feel that there are potentially other stacks affected by similar issues, but future research needs to be done to determine this.”

The vulnerability that affects the Bluetooth stack in Windows Vista and later does not lead to remote code execution but allows hackers to launch man-in-the-middle traffic interception attacks. Attackers can remotely force vulnerable Windows computers to set up a malicious Bluetooth-based network interface and route all of their communications through it. In this way, attackers can get all of a victim’s Internet traffic over Bluetooth.

Microsoft released security updates to address this vulnerability on supported Windows versions in July and customers who installed those updates are protected against this attack.

“We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates,” a Microsoft spokesperson said in an emailed statement.

An almost identical man-in-the-middle issue was found in the Android Bluetooth stack. However, Android’s implementation also has an information leak flaw and two remote code execution vulnerabilities.

Attackers can exploit the information leak problem in order to extract sensitive information from the device memory, information that can then help them exploit the remote code execution vulnerabilities and take complete control of the targeted devices. According to the Armis team, this attack would be completely invisible to the user.

“We have released security updates for these issues, and will continue working with other affected platforms across the industry to develop protections that help keep users safe,” Google said in an emailed statement.

Google releases security fixes for its Pixel and Nexus devices every month and also contributes those patches to the Android Open Source Project. Device manufacturers that are in the Android partner program receive security patches a month or more before they’re made public, to give them enough time to integrate them in their own Android-based firmware.

Even so, there are millions of Android devices out there that have long reached end of support and will not get these patches. Those devices will remain vulnerable to these Bluetooth attacks indefinitely.

Please be sure to update all of your devices with the newest firmware or patches.

Equifax Reports Data Breach Possibly Affecting 143 Million U.S. Consumers

Social Security numbers, birth dates, addresses and driver’s license numbers exposed.

Credit-reporting company Equifax Inc. said Thursday that hackers gained access to some of its systems, potentially compromising the personal information of roughly 143 million U.S. consumers in one of the biggest and most threatening data breaches of recent years.

The size of the hack is second only to the pair of attacks on Yahoo disclosed last year that affected the information of as many as 1.5 billion customers. It also involves nearly twice the number affected by one of the highest-profile breaches at a financial firm, the cyberattack at J.P. Morgan Chase & Co. about three years ago.

The Equifax breach could prove especially damaging given the gateway role credit-reporting companies play in helping to determine which consumers gain access to financing and how much of it is made available. The attack differs, too, in that the attackers in one swoop gained access to several pieces of consumers’ information that could make it easier for the attackers to try to commit fraud.

Equifax said hackers gained access to systems containing customers’ names, Social Security numbers, birth dates and addresses. The company also offers credit-monitoring and identity-theft protection products to guard consumers’ personal information.

“This is the nightmare scenario—all four pieces of information in one place,” said John Ulzheimer, a credit specialist and former manager at Equifax.

On Friday, shares of Equifax fell 14% to $123.03 in morning trading in New York.

The incident comes at a time of heightened sensitivity to cyberattacks in the political, commercial and personal realms, especially in the wake of presumed Russian interference in the U.S. presidential election last year.

The number of large hacks has increased in recent years—with incidents involving tens of millions of accounts each involving tech companies, banks, retailers and others.

More companies are putting more information online from more users, creating bigger targets for hackers who continually develop and refine their techniques and tools.

Equifax is one of the big three credit-reporting firms in the U.S. and maintains credit reports on more than 200 million U.S. adults. The other two are TransUnion and Experian. Credit reports compiled by such companies include personally identifiable information as well as records of the credit cards and loans consumers have, their spending limits on cards, and whether they are on time with their debt payments.


“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax Chief Executive Richard Smith said in prepared remarks. “I apologize to consumers and our business customers for the concern and frustration this causes.”

The four pieces of information exposed in the attack are generally needed for consumers to apply for many forms of consumer credit, including credit cards and personal loans. That means that swindlers who have access to this data could have an easier time getting approved for credit in other people’s names and potentially makes it more difficult for lenders to spot a problem. In addition, Equifax said the hackers gained access to some driver’s license numbers.

An added concern is that the breach raises the chances of more fraudulent loan approvals occurring when various forms of fraud are already hitting lenders and contributing to higher losses.

Smaller financial institutions, including community banks, credit unions and online personal-loan lenders, are more vulnerable to the effects of this breach, said Al Pascual, head of fraud and security at Javelin Strategy & Research.

That is because they are more reliant on the four, key pieces of borrower information when determining whether they are dealing with a legitimate applicant, he said. The biggest banks, he added, have in recent years moved to relying on additional information. With online applications, for example, that includes pinpointing what geographic area the applicant is located in to figure out whether they are an actual person or a fraudster.

Equifax said in its statement that while the incident potentially affected approximately 143 million U.S. consumers, “the company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Equifax said an internal investigation revealed hackers exploited a vulnerability in a U.S. website application to gain unauthorized access to files from mid-May through July. The company said it discovered the breach on July 29.

Equifax said it reported the intrusion to law enforcement and contracted a cybersecurity firm to conduct a forensic review. In the days following the company’s discovery of the breach, three top Equifax executives, including Chief Financial Officer John Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange Commission filings. A company spokesman said the three executives who sold a small percentage of their Equifax shares on Tuesday, Aug. 1, and Wednesday, Aug. 2, had no knowledge that an intrusion had occurred at the time they sold their shares.

Equifax also said credit-card numbers for approximately 209,000 U.S. consumers were accessed, as well as dispute documents with sensitive information for another 182,000 people.

With the Equifax attack, banks now will have to reissue cards for the approximately 209,000 credit cards stolen in the breach, but for consumers the theft uniquely identifying information such as Social Security numbers and birth dates could have a permanent effect. Additionally, a limited number of people in Canada and the U.K. were affected, the company said.

Stock of other financial companies weren’t initially affected with shares of credit-card issuers and big banks mostly unchanged or up slightly in after-hours trading.

Equifax said it has set up a website—www.equifaxsecurity2017.com—to help consumers determine if their information has been compromised and to allow them to sign up for a complimentary slate of credit-monitoring and identity-theft protection. The company also has established a dedicated call center for consumers.

This is becoming an everyday occurrence.  When are we going to get the message to tighten up security across this nation !!

How Good Cybersecurity Habits Could Save You Millions

Landlords collect extremely valuable information from residents. What many don’t know, however, is that they are liable if their residents’ information is stolen.
by Meeghan Fuhr | Aug 30, 2017

Landlords collect extremely valuable information from residents, including addresses, credit card numbers, social security numbers and bank account numbers, making the multifamily industry an attractive target for hackers. Prevention and detection are key aspects of cybersecurity. What many small multifamily owners and managers don’t know, however, is that they are liable if their residents’ information is stolen.

Small multifamily owners and managers may think they have limited options when it comes to keeping their data secure, but there are many simple preventative measures they can take, and ultimately, it is their responsibility to take them.

“An identity is worth about $10-$20 on the dark net, but the actual liability stemming from its loss could be $158 or more,” said Michael Reese, chief information officer at USA Properties Fund. Multiply that by however many residents are in a database, and you could be looking at millions of dollars.

So, Who is Responsible for Making Cybersecurity a Priority?

A common misconception among management is that cybersecurity is an IT issue when, in reality, every level of an organization needs to be involved and bringing in an outside cybersecurity firm is recommended.

“It’s very difficult to have your own IT department manage your cybersecurity framework. You must have a ‘separation of duties,’ [similar to how] you can’t audit yourself. Cybersecurity is an executive decision, not an IT decision. You need to have governance, policies and procedures, and continuous training and education,” Reese said.

Many people believe they are protected because they have a good firewall, but that is just the first line of defense. “It’s best to have a layered approach,” said Reese, with firewalls, IDS/IPS (intrusion detection systems and intrusion prevention systems), server and workstation anti-virus, and SIEM (security information and event management) software/hardware. Reese also stressed that when you receive a notice that software needs to be updated, don’t ignore it!

Simple, Inexpensive Ways to Lessen the Risk of an Attack

Requiring employees to have strong passwords that are changed regularly is a simple measure multifamily firms of all sizes can implement. “Poor password practices make it that much easier for hackers to get into a company’s network or email,” Reese said. “Passwords that use a combination of numbers, symbols, upper and lower case letters are much more difficult to break.”

Another good practice is to require that Virtual Private Networks (VPNs) always be used for remote access. “If any of your employees work remotely, or link to a public Wi-Fi network (think Starbucks), they should have a VPN network installed on their laptop, tablet or smartphone. A VPN provides a secure path through the web and protects your activities from anyone trying to get in.” Reese noted that there are many relatively affordable options out there.

Additionally, it is important to control access to your firm’s data. Not everyone in your company needs access to all of the systems and data that you have,” Reese said. “Do sales people need access to personnel files, or do operations people need access to accounts receivable information?” It’s best to limit access to data only to those employees who regularly need it.

Lastly, train employees regularly. More than 75 percent of hacks come through some action by an employee, usually as the result of phishing,” Reese said. Phishing emails typically appear to come from a “legitimate” source such as a company, customer or employee, with the goal of either obtaining private information or getting the recipient to click attachments that allow malware into the network. “You should train your employees to question these emails and even call the supposed sender to confirm.”

Train your people to become good ‘cyber-citizens,’” Reese said. “And support a culture of data security!”

You can read the original article at link below from Commercial Property Executive:

 

Hackers are aggressively targeting law firms’ data

Behind every splashy headline is a legal industry that’s duking it out – helping to support entrepreneurs and big corporations in a power struggle to dominate their industry. From patent disputes to employment contracts, law firms have a lot of exposure to sensitive information.  Because of their involvement, confidential information is stored on the enterprise systems that law firms use.

This makes them a juicy target for hackers that want to steal consumer information and corporate intelligence.

For an example of this, look no further than the Panama Papers – “…an unprecedented leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca.”

This was devastating, but it is only one example among many. Just a few weeks ago news broke that a ransomware attack was successfully executed against yet another multinational firm – DLA Piper. This ransomware attack left the firm, with estimated revenues of $2.5 billion, completely without access to its own data.

“Law firms are the subject of targeted attacks for one simple reason,” says John Sweeney, President of LogicForce. “Their servers hold incredibly valuable information. That includes businesses’ IP, medical records, bank information, even government secrets. For hackers looking for information they can monetize, there is no better place to start.”

These headlines, buried among the others, make it clear that the legal industry is facing an unprecedented cyber-security challenge. And solving this problem starts with helping firms realize they’ve been victims.

40% of firms did not know they were breached in 2016

The Law Firm Cybersecurity Scorecard includes an array of assessments – from cyber defenses, crisis management procedures, and post-hack responses. The report comes to a chilling conclusion: “…40% of surveyed law firms had experienced a data breach in 2016 and did not know about it.”

Part of the challenge is the skyrocketing cost of cybersecurity. Hiring an in-house team simply isn’t feasible for most firms. Instead they rely on consumer-grade technology that is ill-equipped for the threats they are facing.

The solution, as we’ve seen in many industries, is to outsource cybersecurity to trusted firms that can offer heavy-hitting, managed solutions at an affordable rate. SaaS (Software as a Service) is long overdue in this space, and thankfully it’s becoming more and more available.

An evolving threat matrix

Real-time industry expertise is an important part of the solution – something software alone can’t handle.

Today’s hackers hold a strategic advantage because of the growing numbers of devices and associated vulnerabilities. Every access point is a potential breach. A knowledgeable, sophisticated team can create security solutions specially crafted to meet the challenges that law firms face.

One of the greatest challenges in modern security is the Internet of Things (IoT). Everything from the appliances in the breakroom to the smartphones in the pockets of employees create dynamic networks – communicating information in a way that opens up opportunities to hackers.

The threat goes beyond teams. An individual attorney uses a plethora of electronic devices, all networked together to provide a more streamlined work environment. And human intelligence, served up to hackers through social media, only makes targeted cyber-attacks easier.

Preparing for data breaches

There are things attorneys and other legal professionals can do to start upping their defenses.

  1. The American Bar Association has published a comprehensive guide for law firms – including both methods for preventing and responding to cyber-attacks.
  2. Firm managers need to create a data security plan that speaks to every member of their team. Educate employees on strategies for identifying phishing attacks and other dangerous threats aimed at fooling people into compromising networks.
  3. Engage outside IT security experts and have risk assessments completed on a regular basis. If you can identify vulnerabilities, you can put a plan in place to minimize or eliminate them.
  4. Communicate and enforce a password policy that limits access and requires authorized users to regularly change their credentials.
  5. Conduct a weekly check for patches or other updates to computer security software.
  6. Develop a comprehensive breach response plan. After you’ve been hacked, it will be too late to develop a competent response that protects the Firm’s reputation.

It’s my hope that companies will wake up to the realities of cyberthreats.  I’ve witnessed the horrible pain and anguish that comes from the breach of an unprepared company. If you understand the threat, and then use honest assessment to develop improvements and response plans, you will find that operating in the digital age doesn’t have to be a nightmare.

 

 

Network Safety: Experts Weigh In

If you missed our Cybersecurity Session “Cybersecurity for CEO’s- The Game Has Changed” at The NAA Education Conference, no worries. Our friends at Multi-Housing News have published a great article for you. Special thanks to Sanyu Kyeyune for attending our session and writing the article.

At NAA’s recent conference in Atlanta, panelists shared best practices for keeping vital network information safe from attack.

The panel included Chad Hunt, supervisory special agent with the FBI; Dave McKenna, CEO of ResMan; Frank Santini, cybersecurity attorney of Trenam Law; Jeremy Rasmussen, cybersecurity director of Abacode; and Michael Reese, Chief Information Officer of USA Properties Fund, who moderated the session.

Reese opened the talk by underscoring the commercial real estate industry’s vulnerability to cyber-attacks: “Real estate sits on a goldmine of information, including intellectual property, personally identifiable information—things hackers want to go after.”

Understand Data Value

The cost of stolen information for a single customer can fetch $10-20 on the dark net, but the liability to an organization is $158 or more. This greater figure reflects the cost to recover data, the value of this information to competitors and regulatory fines incurred. Multiply this number by 50,000 customers and the cost amounts to $7.9 million—enough to put some property management firms out of business.

C-suite leaders that understand the total costs of cybersecurity are in better shape to manage a firm’s cyber health. “As a leader, you can’t be afraid to raise the red flag. It’s your responsibility to defend your company and your partners.”

Crafting a risk-based approach helps companies decide on what to defend and how much to spend. This plan should include a guide for CEOs interacting with the media and attorneys working with incident response companies. “There is always a tradeoff between usability and security. That’s why you need to engage with a firm that can bake security into a product from chip to the enterprise level,” Rasmussen warned. “Don’t try to bolt it on at the end.”

Improve Network Visibility

Once the value of data has been quantified, the next step to addressing a company’s cyber health is to ask how secure networks currently are, because on average, noted Rasmussen, by the time a threat has been identified, it has been active for up to 270 days.

A majority of clients lack visibility into their own networks,” Rasmussen explained. “In today’s world, it’s not a matter of if, it’s when. And not only that, but, are they already in?

One of the most common software attacks uses ransomware, which encrypts files—effectively eliminating access to important data—and threatens to delete or publish them until the victim pays an agreed-upon sum. However, organization that already has solid system backups in place can combat ransomware by reverting back to previously stored versions. Along with ransomware, phishing attempts, social engineering, attacks on crucial infrastructure, financial fraud and “zero-day” vulnerability (a hole in security unknown to the vendor, typically identified and exploited by hackers over a short time frame) have emerged as some of the most damaging cybersecurity threats.

For some organizations, the expenses associated with downtime and productivity could be crippling. Therefore, advised McKenna, it is crucial to be proactive ahead of time, rather than after a threat has surfaced, to mitigate the cost of recovering from a cyber-attack. “It still comes down to your people not being victims,” he said. “The technology won’t do it all for you.”

According to Hunt, email is the most common point of entry for a cyber-attacker. Because emailing and phone calls already poke holes into a security system, organizations must be vigilant in managing these activities to avoid a breach. One way to do this is by focusing security training on individuals with elevated privileges, such as system administrators and C-suite users, which are hot targets for hackers.

Know Who to Call

An order of operations might be to call your IT people to stop and contain the threat, contact your attorney to find out what the legal implications are around reporting, call your public relations firm to control the event in the media and then to contact law enforcement,” Rasmussen offered.

Company leadership should also rally IT teams to mandate routine password changes for all users and to require people to upgrade software instead of patching outdated platforms. It is also crucial to keep a list of key personnel to contact when an infiltration occurs. “Locally, the FBI is a good place to start, but you can also call the Secret Service in your area,” Hunt advised. “In either case, develop this personal relationship ahead of time, as local law enforcement has little authority at a corporate level.

He also suggested that if a particular individual within an organization becomes the victim of a cyber-attack, then this person should file a police report to avoid being implicated as a perpetrator. When interacting with local authorities, Hunt added, it is most effective to do so in a controlled, documented manner.

Thirteen years ago, there was much less information-sharing with law enforcement, but now it’s more of a two-way street,” Hunt explained. “The FBI can gather information without necessarily having to open a federal investigation.

Santini encouraged leadership to secure a forensic investigator that will supervise the handling of evidence and assist in documentation—actions that can be helpful in the event of legal repercussions—and to ensure that attorney-client privilege keeps these interactions private.

Rally Vendors

Another important questions that C-suite leaders need to ask themselves is, “What are your partners and their partners doing to ensure cyber safety?

McKenna emphasized that having a conversation with vendors and suppliers will help reinforce the company priorities, identify the degree of protection already in place and define a plan for handling an intrusion in the future. “You need to know if your vendor will indemnify you for the cost of a breach, if there is a mutual indemnification clause and what level of insurance the vendor requires of its partners,” Santini encouraged. “Make sure you have written agreements with your cloud provider and other suppliers, and negotiate these terms with the help of a lawyer.

Ultimately, it is up to C-level employees to develop vendor relationships, rather than making cybersecurity a grassroots effort led by an IT department. “There needs to be a separation of duties, just like how a company might hire one accounting team for auditing and another for taxes,” said Rasmussen. “Cybersecurity should be handled the same way.

Prioritize Efforts

The panel discussion concluded with a punch list of items to help C-level leaders put a cybersecurity plan into action. Here are some key features:

  • Detection using 24/7 monitoring and incident response to gain immediate feedback on the effect of a network security initiative
  • Implementation of organizational policy/procedures, which requires a cultural shift and buy-in from all members of an organization
  • Add-in of other annual assessments, such as penetration testing, phishing, etc., to improve visibility into a network
  • Engagement of IT teams to support continuous improvement and governance
  • Understanding of “zero-day” threats
  • Encouraging collaboration across all stakeholders

 

 

 

 

 

Latest Ransomware Hackers Didn’t Make WannaCry’s Mistakes: PETYA

PETYA RANSOMWARE

The latest sweeping ransomware assault bares some similarity to the WannaCry crisis that struck seven weeks ago. Both spread quickly, and both hit high-profile targets like large multinational companies and critical infrastructure providers. But while WannaCry’s many design flaws caused it to flame out after a few days, this latest ransomware threat doesn’t make the same mistakes.

Originally identified as Petya, a ransomware that first started circulating in 2016, the current attack now appears to be a Petya offshoot, with added refinements such as stronger encryption. Some researchers call this new iteration “NotPetya” or “GoldenEye,” while others still refer to it as Petya. Regardless of the name, it has already hit 2,000 targets, seizing the systems of high-profile victims like Danish shipping giant Maersk, US pharmaceutical company Merck, and multiple private and public institutions in Ukraine.

And while it owes its rapid spread in part to EternalBlue, the same stolen NSA exploit WannaCry leveraged, it lacks several of the traits that made WannaCry—which turned out to be an unfinished North Korean project gone awry—easier to stop.

WannaBreak

“The quality of the code improves from iteration to iteration—this GoldenEye ransomware is pretty solid,” says Bogdan Botezatu, a researcher at the security firm Bitdefender. “We don’t get to catch a break.”

The most important WannaCry pitfall that this current round sidesteps? A kill switch that allowed researchers to neuter the ransomware around the world and drastically reduce the spread. The mechanism was a low-quality, possibly unfinished feature meant to help the ransomware avoid analysis. It backfired spectacularly. So far, GoldenEye shows no signs of containing such a glaring error.

Additionally, WannaCry spread between networks across the internet like a worm, relying almost entirely on EternalBlue to get in and hitting systems that hadn’t yet downloaded Microsoft’s patch for that vulnerability. This new ransomware also targets devices that somehow still aren’t secured against EternalBlue, but can deploy other infection options as well. For example, the attackers seem to be spreading the ransomware through the software update feature of a Ukrainian program called MeDoc, and possibly through Microsoft Word documents laced with malicious macros.

Along with exploiting EternalBlue to gain access when possible, the ransomware can also leverage an additional Shadow Brokers-leaked NSA exploit known as EternalRomance (patched by Microsoft in March) for  remote access. And some researchers have also found unconfirmed evidence that the ransomware may take advantage of yet another tool published by the ShadowBrokers, known as EsteemAudit, that specifically targets computers running Windows XP and Windows Server 2003. Microsoft patched that vulnerability two weeks ago as part of its unprecedented effort to secure its old, unsupported operating systems against leaked NSA exploits.

Once inside the network, the ransomware steals administrative credentials, giving it control over powerful system management tools like Windows PsExec and Windows Management Instrumentation.

“If a system with enough administrative privileges is compromised, it will simply instruct all other PCs it has access to run the malware as well,” says Fabian Wosar, a security researcher at the defense firm Emsisoft, which specializes in malware and ransomware. “That is why a lot of system administrators are freaking out right now.”

Smarts, Not Scale

Because GoldenEye appears to take a more targeted approach to infection, rather than barreling around the internet, it has so far resulted in fewer infections: it has affected 2,000 targets versus the hundreds of thousands that WannaCry hit. But don’t read that as a weakness necessarily. WannaCry’s ability to spread over the internet led to out-of-control infections, and its creators were ill-equipped to handle that volume of potential payments.

In fact, WannaCry hackers proved incapable of tracking payments whatsoever. Attackers had victims send ransoms to one of four set bitcoin addresses, instead of assigning each target a unique address. This made incoming payments difficult to track, and left it to the criminals to figure out which victims (among hundreds of thousands) had paid and should be sent a decryption key.

Payment happens to be GoldenEye’s current weakness as well, though not due to WannaCry-level incompetence. It relies on manual payment validation, meaning that when victims pay the ransom they must email proof of payment to an email address, after which hackers send a decryption key. Not only does a manual system make it harder for attackers to get paid, it can reduce victim faith that paying the ransom will result in decryption.

Also? The hackers’ email provider, Posteo, pulled the plug on their account, making payment confirmation pretty much impossible.

No Easy Fix

This latest round of ransomware appears to be here to stay. The diversity of delivery options means that no single patch can necessarily provide complete protection against it. Still, administrators can take some steps to protect their systems. Analysts agree that while patches don’t solve everything in this situation, they are still crucially important and do offer real defense. “Very, very important to patch,” says MalwareHunter, a researcher with the MalwareHunterTeam analysis group.

Researchers also note that the ransomware runs on boot, meaning that if you can disrupt a system before Windows boots, or if you encounter a “Check Disk” message, you can avoid having your files encrypted by quickly powering down.

Additionally, for the current variant of ransomware, administrators can stop the spread within a network from the Windows Management Instrumentation by blocking the file C:\Windows\perfc.dat from running.

“The problem is, patching is only one method of defense,” says David Kennedy, CEO of threat detection firm Binary Defense. “Credential harvesting and using that for lateral movement was the big impact in this situation.”

All of which provides cold comfort for those already impacted. And based on how many companies ignored the EternalBlue patch, even after the WannaCry threat, it may not end up slowing down the current outbreak at all.

First place to start make sure your systems have the latest patches and updates !!!

How to practice cybersecurity (and why it’s different from IT security)

Cybersecurity isn’t about one threat or one firewall issue on one computer. It’s about zooming out and getting a bigger perspective on what’s going on in an IT environment.

Credit: Thinkstock

Keeping companies safe from attackers is no longer just a technical issue of having the right defensive technologies in place. To me, this is practicing IT security, which is still needed but doesn’t address what happens after the attackers infiltrate your organization (and they will, despite your best efforts to keep them out).

I’m trying to draw attention to this topic to get security teams, businesses executives and corporate boards to realize that IT security will not help them once attackers infiltrate a target. Once this happens, cybersecurity is required.

In cybersecurity, the defenders acknowledge that highly motivated and creative adversaries are launching sophisticated attacks. There’s also the realization that when software is used as a weapon, building a stronger or taller wall may not necessarily keep out the bad guys. To them, more defensive measures provide them with additional opportunities to find weak spots and gain access to a network.

This mentality goes against the fundamental principle in IT security of erecting multiple defensive layers around what you’re trying to protect. By separating what you’re trying to protect from the outside world, you’re keeping it safe—at least in theory. While this works in physical security, where IT security has its roots, it doesn’t really work when you’re facing enemies who need to be successful just once to carry out their mission. Defenders, unfortunately, don’t have this luxury. They need to catch every attack, every time. Don’t take this statement as a knock against these antivirus software, firewalls and other defensive technologies; they’re still needed in conjunction with cybersecurity.

Cybersecurity means looking for attacker footholds, not malware

IT security and cybersecurity also differ on what action to take after an attacker breaks through your defenses. In IT security, when a problem is detected on one computer, it’s considered an isolated incident and the impact is limited to that machine.

Here’s how that scenario typically plays out: Malware is discovered on the controller’s computer, for example. An IT administrator or maybe a junior security analyst removes the machine from the network and perhaps re-images it. Maybe there’s an investigation into how the computer was infected and a misconfigured firewall is identified as the culprit. So, the firewall configuration is changed, the threat is neutralized, the problem is solved, and a ticket is closed. In IT security, where the quick resolution of an incident is required, this equals success.

Now, here’s how that same incident would be handled from a cybersecurity perspective. The team looking into the incident wouldn’t assume the malware infection is limited to one computer. And they wouldn’t be so quick to wipe the machine clean. They may let the malware run for a bit to see where it phones home and how it acts.

Most important, the incident wouldn’t be seen as a random, one-off event. When you apply a cybersecurity lens to incidents, the belief is that every incident is part of a larger, complex attack that has a much more ambitious goal besides infecting machines with malware. If you close a ticket without asking how an incident or incidents are linked (remember, attacks have many components and adversaries commonly carry out lateral movement) or where else attackers could have gained a foothold, you’re not doing your job.

To practice cybersecurity, zoom out

Practicing cybersecurity begins with security teams changing their mindset around how they handle threats. To start, they need to be encouraged to not quickly close tickets and spend time looking for a full-blown attack in their environment. They also need to understand that cybersecurity isn’t about one threat or one firewall issue on one computer. That view is much too myopic. Zoom out for a bigger view.

I admit this approach is a radical departure from how most organizations currently handle security. Further complicating this perspective is the fact that what I’m proposing can’t be learned in classrooms or professional development courses. The notion of experience being the best teacher applies to figuring out cybersecurity. Step one is thinking like a detective and asking questions about the incident like why was this attack vector used, are there any strange activities (however minor) occurring elsewhere in my IT environment, and why would attackers target our organization.

It’s this big picture thinking that separates cybersecurity from IT security. And it’s big picture thinking that will help companies detect and stop adversaries after they make their way into an organization.