Krebs: Ransomware Getting More Targeted, Expensive

Editor’s note:  The following is an excerpt of a recent blog by Brian Krebs that first appeared in KrebsonSecurity.com. Krebs is an investigative journalist, founder of Krebs on Security, and a former Washington Post reporter with a passion for computer security. He will be the opening keynote speaker at CSX 2016 North America, which takes place in Las Vegas 17-19 October. Krebs will share unique insights gained from years of research and writing, as well as his unprecedented access to some of the smartest and most innovative cyber minds on the planet. He shares how it is important to take risks, make mistakes and learn from them. After the presentation, Krebs will autograph copies of his book Spam Nation, a New York Times best seller.

I shared a meal not long ago with a source who works at a financial services company. The subject of ransomware came up and he told me that a server in his company had recently been infected with a particularly nasty strain that spread to several systems before the outbreak was quarantined. He said the folks in finance didn’t bat an eyelash when asked to authorize several payments of $600 to satisfy the Bitcoin ransom demanded by the intruders: After all, my source confessed, the data on one of the infected systems was worth millions — possibly tens of millions — of dollars, but for whatever reason the company didn’t have backups of it.

This anecdote has haunted me because it speaks volumes about what we can likely expect in the very near future from ransomware — malicious software that scrambles all files on an infected computer with strong encryption, and then requires payment from the victim to recover them.

What we can expect is not only more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth.

In an alert published today, the U.S. Federal Bureau of Investigation (FBI) warned that recent ransomware variants have targeted and compromised vulnerable business servers (rather than individual users) to identify and target hosts, thereby multiplying the number of potential infected servers and devices on a network.

“Actors engaging in this targeting strategy are also charging ransoms based on the number of host (or servers) infected,” the FBI warned. “Additionally, recent victims who have been infected with these types of ransomware variants have not been provided the decryption keys for all their files after paying the ransom, and some have been extorted for even more money after payment.”

According to the FBI, this recent technique of targeting host servers and systems “could translate into victims paying more to get their decryption keys, a prolonged recovery time, and the possibility that victims will not obtain full decryption of their files.”

Today there are dozens of ransomware strains, most of which are sold on underground forums as crimeware packages — with new families emerging regularly. These kits typically include a point-and-click software interface for selecting various options that the ransom installer may employ, as well as instructions that tell the malware where to direct the victim to pay the ransom. Some kits even bundle the HTML code needed to set up the Web site that users will need to visit to pay and recover their files.

To some degree, a variance in ransom demands based on the victim’s perceived relative wealth is already at work. Lawrence Abrams, owner of the tech-help site BleepingComputer, said his analysis of multiple ransomware kits and control channels that were compromised by security professionals indicate that these kits usually include default suggested ransom amounts that vary depending on the geographic location of the victim.

“People behind these scams seem to be setting different rates for different countries,” Abrams said. “Victims in the U.S. generally pay more than people in, say, Spain. There was one [kit] we looked at recently that showed while victims in the U.S. were charged $200 in Bitcoin, victims in Italy were asked for just $20 worth of Bitcoin by default.”

In early 2016, a new ransomware variant dubbed “Samsam” was observed targeting businesses running outdated versions of Red Hat‘s JBoss enterprise products. When companies were hacked and infected with Samsam, Abrams said, they received custom ransom notes with varying ransom demands.

“When these companies were hacked, they each got custom notes with very different ransom demands that were much higher than the usual amount,” Abrams said. “These were very targeted.”

Which brings up the other coming shift with ransomware: More targeted ransom attacks. For the time being, most ransomware incursions are instead the result of opportunistic malware infections. The first common distribution method is spamming the ransomware installer out to millions of email addresses, disguising it as a legitimate file such as an invoice.

Editor’s note:  To read the entire blog at KrebsonSecurity.com, click here. For more on CSX 2016 North America click here. There will be two additional CSX conferences this year, including the inaugural CSX 2016 Europe conference 31 October-2 November in London, and the inaugural CSX 2016 Asia Pacific conference 14-16 November in Singapore.


Brian Krebs, Investigative Journalist, Author, Krebs on Security

[ISACA Now Blog]

Cloud Security Alliance Announces Annual Ron Knode Service Award Recipients

Contributions from Six Dedicated Individual CSA Volunteers Recognized in Honor of the Late CSA Member and Volunteer Contributor Ron Knode

SAN JOSE, CA – CSA Congress US – September 15, 2016 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announced the recipients of its fifth annual Ron Knode Service Award, recognizing six members from the Americas, Asia-Pacific and EMEA regions for their excellence in volunteerism. The honorees were selected by the CSA executive team and chosen based on their valuable contributions towards fulfilling CSA’s mission of promoting best practices to help ensure a secure cloud computing environment.

Ron Knode was an information security expert and member of the CSA family who passed away in May 2012. He is remembered as an innovative thinker with endless energy and humor to guide his volunteer contributions. He also was the creator of the CSA Cloud Trust Protocol, which today remains an important asset for the continuous monitoring and auditing for cloud assurance and transparency certification. Established in 2012, the Ron Knode Service Award is awarded to CSA members on an annual basis whose contributions reflect Ron’s passion for volunteerism and embody the spirit for which this award was established.

“The six individuals that we are recognizing today epitomize Ron’s spirit of tireless efforts and commitment to volunteerism. In his honor, we congratulate and thank them for their vast commitment to promoting and defining best practices in the cloud to help ensure a secure cloud computing environment globally,” said Jim Reavis, CEO of the CSA. “We will always remember Ron’s energy, humor and incredible generosity. CSA is grateful for his hard work and dedication, and we continue to benefit from his commitment and passion.”

This year’s six recipients are:

Juanita Koilpillai, CSA Americas: Juanita Koilpillai is the Founder and CEO of Waverley Labs, elevating IT Security to C-level executives and managers to ensure on-line business processes are trusted and helping small technology companies develop their product potential. She is a member of the CSA Software Defined Perimeter Working Group and contributed to Spec 1.0 and 2.0. She is currently leading the open source software defined perimeter effort after securing funding from DHS to launch the effort specifically for distributed denial of service attacks, with the first version of the open source software defined perimeter now available to the CSA members. Juanita presented “An Open Source Software Defined Perimeter” at the Cloud Security Alliance Federal Summit in May 2016 and at the Berlin Conference in November 2015.

Brian Russell, CSA Americas: Brian Russell is a Chief Engineer focused on Cyber Security Solutions for Leidos. He oversees the design and development of security solutions and the implementation of privacy and trust controls for customers. Brian leads efforts that include security engineering for Unmanned Aerial Systems (UAS) and Connected Cars, the design of secure next- generation energy systems (microgrids) and the development of high assurance cryptographic key management systems. He supports the Center for Internet Security as a member of the 20 Critical Security Controls Editorial Panel and represents the Cloud Security Alliance (CSA) on the FCC Technological Advisory Council on IoT. He also serves as Chair of the CSA Internet of Things (IoT) Working Group and lead author of the report ‘Designing and Developing Secure IoT Products’ and the ‘Practical Internet of Things (IoT) Security.’

Anthony Lim, CSA APAC: Anthony Lim is the Director of Marketing Strategy for Asia Pacific at Cloud Security Alliance and an independent cybersecurity professional services consultant, advocating, researching, lecturing and auditing various cloud security and smart cities opportunities. He has led various initiatives and activities at CSA, including speaking at numerous seminars and conferences in Asia Pacific in 2016 and acting as the first CCSP instructor in Asia Pacific. He previously served on the Board of Directors for CSA’s Singapore Chapter, was a member of the CSA-ICS2 JTA committee that built the CCSP, and chaired Trend Micro at CloudSec 2016. Anthony has also appeared on several TV news shows representing CSA, including Singapore Chinese Channel and the BBC.

Eric Wang, CSA APAC: Eric Wang is the current CEO of TanoSecure Inc., a holding company supporting emerging technology companies founded by visionaries in the ICT industry. He currently serves as the cybersecurity advisor to the Taiwanese government and has played an instrumental role in the development of multiple technology start-ups. He is the current Co-Chair of the CSA Mobile Application Security Testing Working Group leading efforts on the design and development of a mobile application development certification program.

Bruno Huttner, CSA EMEA: Bruno Huttner is the Product Manager for Quantum Key Distribution Products at ID Quantique, where he develops next-generation encryption, and especially quantum key distribution systems. He is also responsible for a project aimed at providing secure communications with satellites and high altitudes platforms. Bruno is Co-Chair of the Quantum-Safe Security Working Group at the CSA. Leading the group over the past 18 months, he has contributed heavily to the four papers published from the working group. He has been very active at various conferences, including presenting the Safe Security Working Group material at numerous CSA events. Bruno has also participated in CSA’s EMEA Congress in Berlin last year and RSA in San Francisco this past March, where he organized and chaired a panel session.

Andreas Fuchsberger, CSA EMEA: Andreas Fuchsberger is the Regional Standards Officer for Central and Eastern Europe in Microsoft’s Corporate Standards Group. Andreas participates in the international standards community, predominantly attending ISO/IEC JTC 1/SC 17 (Security) as an invited expert. Currently for SC 27 he is the editor of two international standards on network security and SIEM. He is a member of the (ISC)2 Application Security Advisory Board, where he also chairs the International Standards Committee. He co-chairs the CSA International Standards Councils, where he is liaison officer to ITU-T SGs 13 and 17, and chairs the CSA’s Open Certification Framework (OCF) working group.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

Contacts
Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

EFSS Spreads Ransomware; Endpoint Backup Guarantees Recovery

One of the objections I’m hearing more and more is, “Why do I need backup when I have Microsoft OneDrive for Business (or Google Drive, Box or Dropbox for Business)?” On the surface, it may seem like endpoint backup isn’t needed because with an enterprise file sync and share (EFSS) tool, a copy of the data is in the cloud. But if you dig a bit below the surface, you’ll find there are several distinct differences. We cover those in our Top 3 Iron-Clad Reasons Why File Sync/Share is Not Endpoint Backup, so I won’t go into them here.

Instead, I thought I would illustrate a situation in which it’s painfully obvious why it’s important to have modern endpoint backup. Every organization today is facing ransomware. No matter how sophisticated your defenses, ransomware invariably finds a way through.

For example, Jeff, a recruiter from the Human Resources team, is reviewing resumes to fill a new position. He receives an email with a link to download a resume in Microsoft Word. As part of his process, he downloads the resume to his OneDrive “Job Postings” folder which is shared with his HR co-workers. The document is automatically uploaded to OneDrive and synchronized to his co-workers’ devices.

Unfortunately, this is no ordinary resume. It contains crypto-ransomware. When Jeff opens the resume, the ransomware takes hold and begins encrypting the files on his local device as well as on network shares. Because Jeff saves a lot of files in his OneDrive folder, as the ransomware encrypts those files, OneDrive syncs the encrypted copies to the cloud. For any shared/team folders he has, the encrypted files are synced to his co-workers as well as to any publicly shared files/links. And even though Jeff is supposed to save all of his files to OneDrive, he keeps a bunch on his desktop where he likes to work. He’s also got a big .PST email archive sitting on his device. All of those files are being encrypted by the ransomware to lock out access.

Because Jeff saved the file to a shared HR folder, the ransomware file now appears on his co-worker Julia’s laptop. Julia takes a peek at the resume and now the ransomware starts attacking her device.

At this point, Jeff tries to open one of his files and gets the dreaded ransom note. For just one bitcoin, he can get his data back. He contacts the help desk to let them know what happened and get help. OneDrive keeps previous versions, so no problem, right? Help desk then informs Jeff that he can get his earlier file versions, but he has to do it file-by-file! And for those files that were saved outside of OneDrive, he’s out of luck. Next up is Julia who calls up help desk and is in the same boat as Jeff. Not only did EFSS not help with recovery, it actually spread ransomware!

Well, that’s when it becomes clear that EFSS is not a true backup solution. EFSS leaves it up to the user to pick the right spot to save his data. And when it comes time to remediate from an event like ransomware, EFSS is not equipped to handle large restores. Even EFSS vendors themselves recommend having a true backup of the data to recover from an event like ransomware.
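The scenario above turns on one observable: a single user rewriting many synced files with a new extension within seconds, which the sync client then pushes to every co-worker. The following detector, an added example that is not Code42's or any EFSS vendor's code, runs that check over constructed sync-audit events (the event shape, window size and threshold are assumptions; map your own sync or SIEM log fields to the same tuple) and reports which shared folders were hit so sync can be paused before the encrypted copies propagate.

```python
"""Flag ransomware-like modification bursts in file sync/share audit events."""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, old_path, new_path).
# A sync event that keeps the same extension is an ordinary edit or rename;
# a burst of extension changes by one user is the signature we look for.
SAMPLE_EVENTS = [
    ("2016-09-15T09:00:01", "jeff", "Job Postings/resume.docx", "Job Postings/resume.docx"),
    ("2016-09-15T09:02:10", "jeff", "Job Postings/cand_a.docx", "Job Postings/cand_a.docx.locked"),
    ("2016-09-15T09:02:11", "jeff", "Job Postings/cand_b.docx", "Job Postings/cand_b.docx.locked"),
    ("2016-09-15T09:02:11", "jeff", "Job Postings/cand_c.pdf", "Job Postings/cand_c.pdf.locked"),
    ("2016-09-15T09:02:12", "jeff", "Budget/q3.xlsx", "Budget/q3.xlsx.locked"),
    ("2016-09-15T09:02:13", "jeff", "Budget/q4.xlsx", "Budget/q4.xlsx.locked"),
    ("2016-09-15T09:02:14", "jeff", "Notes/todo.txt", "Notes/todo.txt.locked"),
    ("2016-09-15T10:30:00", "julia", "Job Postings/offer.docx", "Job Postings/offer.docx"),
    ("2016-09-15T11:00:00", "julia", "Job Postings/notes.docx", "Job Postings/notes_v2.docx"),
]


def _ext_changed(old_path, new_path):
    """True when the file extension differs (e.g. .docx -> .docx.locked)."""
    return os.path.splitext(old_path)[1].lower() != os.path.splitext(new_path)[1].lower()


def find_bursts(events, window=timedelta(seconds=30), min_files=5):
    """Return {user: (burst_start, [original paths])} for each user who changed
    the extension of at least `min_files` distinct files inside `window`.
    Uses a sliding window over that user's extension-changing events; once a
    burst triggers, it is extended while events keep arriving within `window`."""
    per_user = defaultdict(list)
    for ts, user, old, new in events:
        if _ext_changed(old, new):
            per_user[user].append((datetime.fromisoformat(ts), old))
    alerts = {}
    for user, rows in per_user.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if len({p for _, p in rows[start:end + 1]}) >= min_files:
                last = end
                while last + 1 < len(rows) and rows[last + 1][0] - rows[last][0] <= window:
                    last += 1
                alerts[user] = (rows[start][0], sorted({p for _, p in rows[start:last + 1]}))
                break
    return alerts


def folders_hit(paths):
    """Top-level synced folders touched by a burst: every co-worker sharing
    one of these folders received the encrypted copies and needs a restore."""
    return {p.split("/", 1)[0] for p in paths}


if __name__ == "__main__":
    for user, (started, paths) in find_bursts(SAMPLE_EVENTS).items():
        print(f"{user}: {len(paths)} files from {started.isoformat()} in {sorted(folders_hit(paths))}")
```

Note that the alert lists the original paths, which is the per-file list a help desk would otherwise have to assemble by hand before walking the version history one file at a time.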

Hopefully this real-world scenario makes it easier to distinguish the differences between file sync & share and modern endpoint backup—and the advantages of true endpoint backup when recovering from ransomware.

Kyle Hatlestad, Principal Architect, Code42

[Cloud Security Alliance Blog]

Always Check the Boxes!

“Don’t just check the box!” Chances are you have said or heard this phrase at some point in your career. In case you are not familiar with the term, it refers to a mechanical, “bare minimum” way of doing things. Sometimes it means simply not being creative in your approach. As I will explain, checking the box can actually be a very good strategy to uncover problems, especially if you are in a control assurance function. More precisely, I will call my strategy “Check the boxes.”

Let me take you back to the late ’90s when I was a novice IT auditor in a multinational organization. I had just made the switch to the audit profession after having been a systems developer for a few years.

An Army of Programmers to Fix Y2K
The biggest challenge at that time was the so-called “Year 2000” (or “Y2K”) problem. Many applications in those days used a two-digit representation of the year field (“99” was used to represent the year 1999, for instance). If not remediated properly, it was feared that when the year switched from 1999 to 2000, the year field may become “00” (or something meaningless), leading to processing errors in critical systems. There was a real possibility of nuclear reactors going haywire, patients being administered the wrong dosages, and aircraft not being able to fly or land—a perfect doomsday scenario.
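The rollover failure described above comes from arithmetic and sorting on the bare two-digit field. This added illustration (not code from any system in the article) shows the naive form beside the date-windowing fix that most remediation teams applied; the pivot year of 70 is an assumption chosen for the example.

```python
"""Two-digit-year handling: the pre-2000 failure beside a windowed fix."""
from datetime import date

PIVOT = 70  # assumption: YY >= 70 is read as 19YY, YY < 70 as 20YY


def years_between_2digit(start_yymmdd, end_yymmdd):
    """Naive 1990s-style arithmetic on the 'YY' field alone.
    Correct inside one century, wrong as soon as the field wraps to '00'."""
    return int(end_yymmdd[:2]) - int(start_yymmdd[:2])


def expand_year(yy, pivot=PIVOT):
    """Windowing: map a two-digit year onto a 100-year range around the pivot.
    This only moves the cliff (here to 2069); a four-digit field removes it."""
    return 1900 + yy if yy >= pivot else 2000 + yy


def parse_yymmdd(s):
    """Parse 'YYMMDD' into a real date using the window above."""
    return date(expand_year(int(s[:2])), int(s[2:4]), int(s[4:6]))


def days_between(start_yymmdd, end_yymmdd):
    """Remediated elapsed-days calculation across the 1999 -> 2000 boundary."""
    return (parse_yymmdd(end_yymmdd) - parse_yymmdd(start_yymmdd)).days


def sort_records(yymmdd_list, remediated=True):
    """Ordering is the second symptom: as strings, '000101' sorts before '991231'."""
    return sorted(yymmdd_list, key=parse_yymmdd if remediated else None)


if __name__ == "__main__":
    print(years_between_2digit("981231", "000101"))   # -98: the Y2K bug
    print(days_between("981231", "000101"))           # 366
    print(sort_records(["000101", "991231"], remediated=False))
    print(sort_records(["000101", "991231"]))
```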

It took an army of programmers, testers, project managers and other IT professionals to fix systems so that no erroneous processing occurred when the date switched from 31 December 1999 to 1 January 2000.

As an auditor, I was to review the Y2K compliance of certain key applications for my organization. As part of this remit, I used to receive a package of tests and documentation from the IT owners that annotated the test results showing date-related processing. Also included was an attestation from IT and the users to certify that the system had been thoroughly tested for Y2K. Upon reviewing the documentation, the auditors made a call whether the system had shown enough readiness for Y2K or if additional documentation or clarity was needed for the scenarios tested.

First Week, Two Packages, Two Systems
In my first week on the job I received two packages belonging to two different systems, which the auditors would use to perform their Y2K certification:

  • System 1:  The test details came in a large brown envelope containing loose papers. Many of these showed system diagrams, test results and some handwritten comments on several computer printouts. There was no index of what was being provided. It took me several hours to ascertain the name of the system, let alone the nature of the functionality tested. For the purpose of this article, we will call this application “The Loose Leaf System (LLS).” After a preliminary review I concluded that, at a minimum, the documentation quality was poor. I could not establish for sure if the documentation was complete or accurate. This system was a winner if documentation sloppiness was the evaluation criterion.
  • System 2: This documentation came in three neatly packed boxes. Inside each of the boxes were 3 to 4 labeled binders. I did not have any difficulty ascertaining the name of the system or the nature of its functionality. The first binder also had an index that clearly explained what the various binders contained. To keep matters simple, we will call this system the “Three Box System (or TBS).”

As I started my analysis of the documentation for LLS and TBS, it seemed quite obvious who was going to get top marks.

As TBS had all the hallmarks of a well-tested system, I wanted to quickly finish my review of this application first. The first binder contained an index that pointed to other binders labeled 2 through 6. As I lifted the binders to make a nice vertical stack, I noticed that there were only 5 binders in all. The fourth binder was missing. TBS had not supplied the documentation for a key piece of functionality, technically resulting in a case of incomplete documentation. When I called the IT audit manager to trace the missing binder, no one could locate it. I had my very first audit observation on my hands as a result of this discovery. The final audit result for TBS…“Failed audit” and my comment was to revise and resubmit the documentation for audit approval.

LLS also required follow-ups with its IT manager. I was, however, able to establish, to my satisfaction, that the system tests were indeed carried out and the loose sheaf of papers did contain the necessary evidence to point to a complete and accurate set of test results. Notwithstanding this, it too was a case of bad documentation quality. The audit result…“Passed audit” with minor comments on documentation.

Which System Worked Best?
Just so you are all not kept in suspense about the fate of TBS, after several weeks, I received a replacement for the missing fourth binder, as the team had to retest the functionality since they could not locate the original test documentation. During the retest, the IT manager told me they found other bugs that were not uncovered the first time around. So, my discovery of the missing binder actually helped the IT team further strengthen the TBS system.

This experience led me to coin my own principle:  “Always check the boxes”—the audit equivalent of never judge a book by its cover.

Over the years, I have found many uses for this principle and identified several deficiencies as a result of it. It instilled in me the discipline to open and verify every binder, data file and artifact received from my clients. The act of thoroughly checking the boxes, or the relevant audit artifacts, has often helped me find problems. A purist may point out that this is, after all, an application of the well-established audit dictum, Trust, but Verify. Hopefully, there is no argument over that.

Editor’s note:  Subramanian Annaswamy, CISA, CAMS, CSQA, has several years of audit experience in leading financial services organizations. He is currently a technology audit director in a leading bank in New York. The opinions expressed above are his personal views and do not represent the view of his current or former employers.

Subramanian Annaswamy, CISA, CAMS, CSQA

[ISACA Now Blog]
