Leveraging UAS Technology: Time is of the Essence

Unmanned aerial system (UAS) technology has the potential to revolutionize a broad cross-section of industries, ranging from media and telecommunications to agriculture and construction. In the future, a forward-leaning regulatory framework will allow businesses of all sizes to leverage this technology to maximize revenue, create efficiencies, and expand the scope of goods and services available to consumers, not to mention deliver hundreds of billions of dollars to the economy. The Small UAV Coalition was founded on the principle that ‘technology always wins,’ and that philosophy is more apropos now than ever before. However, federal regulators determine when businesses, consumers, and our economy can begin to benefit.

In June 2016, the Federal Aviation Administration (FAA) took an important step toward achieving this reality. After a nine-month delay, the FAA released its long-awaited Final Rule for commercial UAS operations (Part 107). The rule, effective 29 August 2016, expanded opportunities for commercial drone operators and businesses to test and integrate a wider range of commercial UAS applications. While beneficial to industry, Part 107 was merely a small first step. Operators must travel to a designated FAA testing facility to take an Aeronautical Knowledge Test in order to obtain a remote pilot certificate, and entities interested in integrating extended operations – including those beyond visual line of sight (BVLOS), at night, over people, and with multiple UAS – are subject to a lengthy and arduous waiver process.

In the six months since Part 107 went into effect, the FAA has granted just over 300 of these waivers, the vast majority of which only allow for highly restricted nighttime operations. These lingering limitations on expanded operations stifle innovation and truncate the vast economic and social benefits possible through widespread integration of UAS technology.

Many companies that utilize UAS technology saw a glimpse of the future when the FAA announced plans to release a notice of proposed rulemaking (NPRM) for operations over people by the end of 2016. This NPRM would open a public comment period that would allow industry, consumers, and government stakeholders to provide input in support of a forward-leaning final rule that embraces innovation, safety and security. With no sign of progress at year’s end, FAA Administrator Michael Huerta publicly acknowledged an indefinite postponement of the NPRM on 6 January.

The promise of a NPRM took another hit in early 2017 when the new US Administration implemented a regulatory freeze and announced intentions to require two regulations to be repealed for every new one that goes into effect in an effort to reduce regulatory burdens on businesses. Let’s celebrate the reduction of redundant or burdensome regulations while recognizing that some regulation provides clarity to industry and actually promotes investment, innovation, and job creation through removing government prohibitions. Huerta’s “steadfast commitment to… ensur[ing] drones can fly over people without sacrificing safety or security” remains a hollow promise to companies eager to integrate operations over people, but stalled by the delay. Even initiatives that face no uncertainty or interagency “miscommunication,” such as digital education tools, consumer information centers/representatives, and an automated and expedited waiver process are in some nebulous queue.

While there are undoubtedly sectors of the economy in dire need of reduced regulatory burdens and less red tape, many rapidly developing sectors of the 21st century economy are at a standstill amidst legal and regulatory uncertainty. Commercial UAS technology is evolving at a pace that has exceeded nascent regulations. The industry needs a forward-leaning, progressive regulatory framework in order to realize the vast economic and social benefits of this transformative technology.

Security issues must never be taken lightly and safety is always paramount, but we can, at the very least, initiate this critical dialogue and have transparency about reasons why we are not. A NPRM would provide an opportunity for industry stakeholders to sit down at the proverbial table and consider all questions and concerns – safety, security, or otherwise – alongside key lawmakers and regulators. Countries around the world continue to adopt progressive UAS regulations and authorize expanded operations, outpacing US progress and our government’s commitment to American innovation. Aggressive pursuit of US leadership in the research, development, production and application of UAS technology is more important than ever – time is of the essence because, as we all know, technology always wins.

Editor’s note: A new ISACA white paper on drone usage and a related checklist can be downloaded at www.isaca.org/drones.

Michael Drobac, Small UAV Coalition, Senior Advisor, Akin Gump Strauss Hauer & Feld

[ISACA Now Blog]

“Blank Slate” Campaign Takes Advantage of Hosting Providers to Spread Ransomware

In recent months, we’ve been tracking a malicious spam (malspam) campaign using emails with no message content and an attached zip archive to spread ransomware. We’ve nicknamed this campaign “Blank Slate” because the malspam messages are blank with nothing to explain the malicious attachments.

Last month, we published a blog that discussed farming Microsoft Word documents in AutoFocus associated with the Blank Slate campaign. It revealed that more than 500 domains were used. These malicious domains were quickly taken offline, but Blank Slate actors just as quickly registered new ones, revealing a cycle of abuse against legitimate hosting providers.

Today’s blog describes the delivery, exploitation, and installation components of this attacker’s playbook, and it explores the cycle of abuse criminals follow against legitimate hosting providers to host ransomware associated with these infections.

The infection chain

The infrastructure behind the Blank Slate campaign has two distinct phases. The first phase is receiving malspam from a botnet. The second phase is when an attachment from the malspam retrieves ransomware from a web server. The ransomware is designed to infect Microsoft Windows computers, and a successful infection chain consists of the following steps:

  • Attacker’s botnet sends malspam to the intended recipient.
  • User ignores security warnings and opens the zip archive included in the malspam.
  • User ignores security warnings and manually extracts either a Microsoft Word document or a JavaScript (.js) file.
  • User ignores warnings and manually enables macros for the Word document or user double-clicks the .js file.
  • Word macro or .js file retrieves a ransomware executable from a web server.
  • Word macro or .js file executes the ransomware on the user’s computer in the user’s security context.

Figure 1: The user receives an email from a host in the botnet.

These Blank Slate emails come from a botnet consisting of numerous compromised hosts across the globe. Sending email addresses are always spoofed, and they have no relation to the actual botnet host sending the message. The emails only consist of a zip archive sent as a file attachment. As shown in Figure 2, these email messages have no text whatsoever, only an attachment that intended victims are meant to open.

Figure 2: One of the malspam email messages.

The malspam’s zip attachment is actually a double-zipped file, meaning it contains another zip archive which itself holds the malicious active content. We believe the attackers chose to use a double-zip tactic as a countermeasure against antispam/antimalware technologies. With an additional layer of user interaction, some intended victims may become frustrated or distracted, and this might lead to an increased failure/abandon rate. However, we believe the attackers decided this was less of a risk than detection by antispam/antimalware technologies.

That second zip archive contains either a Microsoft Word document with a malicious macro as shown in Figure 3, or it contains a .js file as shown in Figure 4.

Figure 3: Example of a malspam attachment with a double-zipped Word document.

Figure 4: Example of a malspam attachment with a double-zipped .js file.

The Word document macro has malicious Visual Basic for Applications (VBA) script that will execute after the user has opened the document and enabled macros. The .js file has malicious JavaScript that will execute within Windows Script Host when it is double-clicked. In both cases, once the malicious script executes, it launches a PowerShell process to download and run ransomware on the Windows host as shown in Figure 5.
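As an added example (not code from the original post or from Palo Alto Networks), here is a mail-gateway triage script for the attachment structure described above: it parses a raw message, flags a blank body, and walks zip-in-zip attachments looking for the .js or Word files that carry the active content. The extension list beyond .doc/.js, the addresses and the file names are assumptions, and the sample message is constructed inline rather than captured.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# File types the post names as Blank Slate payload carriers (Word documents, .js);
# .docm/.jse/.wsf are added as close relatives (an assumption, not from the post).
ACTIVE_CONTENT = {".doc", ".docm", ".js", ".jse", ".wsf"}
MAX_DEPTH = 3  # do not descend further: guards against runaway nesting and zip bombs


def walk_zip(data, depth=0):
    """Yield (depth, member name) for every file in a zip, descending into nested zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    for info in zf.infolist():
        if info.is_dir():
            continue
        yield depth, info.filename
        if info.filename.lower().endswith(".zip") and depth + 1 < MAX_DEPTH:
            yield from walk_zip(zf.read(info), depth + 1)


def triage(raw):
    """Return (suspicious, findings): blank body plus zip-in-zip active content is the signature."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    findings = []
    if not text:
        findings.append("empty message body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Check magic bytes too, so a renamed archive is not waved through.
        if not (name.endswith(".zip") or payload.startswith(b"PK\x03\x04")):
            continue
        findings.append(f"zip attachment {name}")
        for depth, member in walk_zip(payload):
            if os.path.splitext(member)[1].lower() in ACTIVE_CONTENT:
                tag = "double-zipped" if depth >= 1 else "top-level"
                findings.append(f"{tag} active content {member}")
    suspicious = "empty message body" in findings and any(
        f.startswith("double-zipped") for f in findings)
    return suspicious, findings


def build_sample(body_text="", nested=True):
    """Constructed message (not a real capture): blank body, zip holding a zip holding a stand-in .js."""
    script = ("invoice_2048.js", "// harmless placeholder, not a real script\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(*script)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        if nested:
            z.writestr("2048.zip", inner.getvalue())
        else:
            z.writestr(*script)
    msg = EmailMessage()
    msg["From"] = "spoofed-sender@example.com"  # spoofed, as in the campaign
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "2048"
    msg.set_content(body_text)
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="2048.zip")
    return msg.as_bytes()
```

Calling `triage(build_sample())` returns a True verdict with the blank-body and double-zipped findings, while a message with body text and a single-level zip is scored False.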

Figure 5: Communications between malicious script and server hosting ransomware.

Figure 6 shows an example of the traffic between a malicious .js file and a server hosting the Cerber ransomware.

Figure 6: Traffic from February 2nd 2017 of a .js file retrieving Cerber.

We primarily see Cerber ransomware distributed by the Blank Slate campaign, but other forms of ransomware like Sage 2.0 and Locky have also been noted.

The Blank Slate campaign has followed consistent patterns, and we’ve confirmed matching activity in AutoFocus as early as July 5th 2016 as shown in Figure 7.


Figure 7: Using AutoFocus to find Word documents from the Blank Slate campaign.

These results indicate at least seven months of obvious malspam, which raises the question: if the malspam is obvious, why is the Blank Slate campaign so long-lived?

Abusing hosting providers

A key factor in Blank Slate’s longevity is the abuse of hosting providers. Our previous post on this campaign listed 555 domains associated with this campaign over the span of seven months. These domains were active for a few days before they were taken offline. Then the criminals behind Blank Slate moved to newly registered domains, sometimes using the same hosting provider. This cycle has repeated itself over and over since July 2016.

To examine more closely, we reviewed a five-day period from January 29th to February 2nd 2017. During that timeframe, we found at least eight domains across seven IP addresses hosting Cerber ransomware. The following list shows each domain followed by its IP address.


These domain names were registered a day or two before they were active. They remained active for up to seven days or more, depending on how quickly the hosting providers were notified.

So how do Blank Slate and other campaigns continue abusing hosting providers?

The requirements for establishing an account at a hosting provider are easy to acquire. The criminals only require a valid email, phone number, and credit card.

Most of these requirements are easy to obtain. Various free email services easily provide anyone a valid email address. Criminals can also purchase pre-paid phones without a contract (known as “burner phones”) that are hard to track. And finally, criminals often use stolen credit card data when establishing these accounts.

Figure 8: Requirements for an account at a hosting provider.

Criminal accounts on hosting providers are relatively short-lived, since the domains are quickly discovered and reported to the provider’s abuse department. However, these domains can stay online for a week or more before an abuse complaint is resolved. When a server is taken offline, the criminals can easily establish another server through a new account using a different email, phone number, and stolen credit card data.

The cost is relatively inexpensive. A new email account can be established for free. Burner phones are cheap, as low as 20 to 30 dollars in the US. In the Russian underground, prices for a set of stolen credit card credentials are as low as five US dollars.

The situation lends itself to a cycle of abuse as criminals establish new servers, those servers are reported, the hosting provider shuts them down, and the criminals establish new servers.

Figure 9: The cycle of hosting provider abuse.

Conclusion

As implied by the cycle of abuse, domains and IP addresses associated with the Blank Slate campaign are constantly changing. With the current popularity of ransomware, we continue to see malspam daily in both targeted attacks and wide-scale distribution. We expect this trend will continue.

Palo Alto Networks customers are protected against this threat through our next-generation security platform. Our advanced endpoint solution Traps is designed to prevent such Word documents or .js files from compromising a system. WildFire continues to identify Microsoft Office documents using these techniques as malicious. Finally, AutoFocus users can identify associated malware by using the PowerShellCaretObfuscation and CerberSage_Distribution tags.

[Palo Alto Networks Research Center]

IT Risk: Making Better Connections Between Smoke and Fire

Adults don’t really like new ideas, and while cyber risk may have been born around the time of the first mainframes, it can still feel new today. CEB reported last month that 66 percent of business leaders don’t understand the cyber security information that goes to the board. This isn’t a failure of business leaders but of the messages they’re receiving.

While children consume and learn voraciously, adults struggle with finding context, skepticism, and social conditioning. Overcoming these cognitive biases to drive your company toward more risk-savvy behavior means you’re going to have to deliver a pretty clear and effective message. Keep in mind these three rules of thumb to improve how well your risk reporting is understood.

One message at a time. Yes, IT risk is complicated, and often there are many steps between a threat and the preventative actions needed to keep it from materializing. Keep those connections in your appendix for later questions. Instead, focus your reports on the actions that need to be taken. Don’t contrast vulnerability scans with failures in change management controls on the same page. The risk is different, the response is different, and you’re inviting confusion.

A single message has another benefit: if you are only trying to change one behavior, you’ll have a much easier time tracking the effectiveness of your message and adjusting in the future.

Risks become consequences. A focus on threat vectors, incidents and trends is good for figuring out where controls are weak or strong, but sometimes bad for grounding the danger in something meaningful for a non-cyber savvy professional.

Focus on the consequences of the risks being reported. Phishing simulations may show an increase in managers clicking on suspicious links, but other than potentially receiving a scolding, why should people care? Link phishing to a particularly painful data loss event, or laptops held ransom, and include recovery time as well. There may be no effective recovery from ransomware, and reparations for exposed personal information could cost millions and take years. The Anthem data breach from February 2015 is still in the courts.

Consider your audience. One kind of message will rarely work for everyone. Not only will managers, VPs and executives all have different perspectives on the world and the work that IT security is doing, but they all have different backgrounds and interests.

Take a look at your audience. Will executive management be making decisions about change control check gates? Generally not, so your one message to them shouldn’t be to get them to improve the sign-off process in application development. Maybe the better message is that investments in release management software haven’t been effective in reducing production failures.

Tailoring risk reporting to the people receiving it is the best way to increase the odds that your message is received. It’s cumbersome, but this is the heart of risk management: to reveal connections between sometimes esoteric events and business opportunities so that leaders can make the right calls at the right time.

Editor’s note: Adam Leigh will present on “Consequences That Matter – IT Risk” at North America CACS 2017, which will take place 1-3 May in Las Vegas, Nevada, USA.

Adam Leigh, CISA, CISM, CGEIT, CRISC, Manager, ITRM Operations, MetLife

[ISACA Now Blog]

Understanding New York State’s Cybersecurity Compliance for Financial Institutions

The New York State Department of Financial Services (DFS) cybersecurity regulations go into effect today. In this blog post, I’ll share what these regulations mean and the biggest changes that financial services companies can expect over the next several months.

As a recap, in late December 2016, the DFS published its revised proposal for cybersecurity regulations. The proposal explicitly calls out the need for and the responsibilities of a Chief Information Security Officer (CISO) function. The occupant of this role must be a qualified individual responsible for overseeing and implementing the cybersecurity program. Similarly, the regulation calls for the use of qualified cybersecurity personnel with current knowledge and ongoing training in that discipline. Although the qualifications of these individuals are not explicitly defined, the implication is that they are and must remain well-versed in cybersecurity.

The DFS also puts explicit demands on the senior officers or board of directors to ensure their active participation in the cybersecurity program. This includes approval of the cybersecurity policy, review of an annual report by the CISO (effective February 15, 2018), and an annual certification of compliance – signed by an individual. This last piece is reminiscent of the Sarbanes-Oxley Act and opens the door for potential individual liability. Clearly, the intent is for that senior officer and the entire board to take their cybersecurity responsibility seriously.

Compliance dates for various portions of the proposed regulation are staggered over the next 24 months. This was a change from the original proposal and is an acknowledgement of the challenges that covered financial institutions will face in complying with specific provisions of the regulation. Here’s a look at a few of these just to provide a flavor for the difficulties to achieve compliance.

At the 12-month stage, covered entities will need to have multi-factor or risk-based authentication in place for access to nonpublic information – even internally. Many financial institutions use multi-factor authentication (MFA) for remote access to their corporate networks, but few have adopted it for access to internal resources as there are additional complexities and costs involved. Moreover, for legacy applications or systems that do not support MFA natively, a compensating control will be needed to protect the nonpublic information there.

At 18 months, encryption of nonpublic information both in transit and at rest will be required. Where this is infeasible, CISO-approved compensating controls are acceptable, but they must be reviewed annually. Financial institutions typically encrypt the data on laptops as those are prone to loss or theft. However, encryption of data at rest on servers or in databases may not be common practice, except where payment cardholder information is involved. This will have to be expanded to include any nonpublic information. Data in transit should ideally be encrypted by the application. Consequently, this may require changes to a large number of commercial and internally developed applications. However, some older applications may be unable to encrypt natively. In such cases, encryption could be delegated to the network as an alternate control.

At the 24-month mark, financial institutions will need measures in place to ensure the security of nonpublic information that is accessible to or held by third-party service providers. The long lead time for this is necessary, given the quantity of suppliers or partners that may have access to or handle nonpublic information. The initial risk assessment, definition of minimum cybersecurity practices, subsequent contract revisions, etc. with third-party service providers will clearly be time-consuming. Some financial institutions already have enterprise risk management programs in place, which include some degree of vendor risk management. However, even these will need to be broadened to monitor cybersecurity risks at providers that touch nonpublic information.

At the federal level, the themes of active board participation and concern over third-party cybersecurity risks have also been echoed. The Federal Reserve Board, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) have issued an advance notice of proposed rulemaking (ANPR) for enhanced cyber risk management. Public comments were due in late January 2017, but as written, the ANPR calls for more active board-level involvement in cybersecurity programs and the extension of enhanced standards to address cyber risk at third-party providers to the financial sector as well.

Financial institutions licensed by the state of New York should develop their plans to address the provisions of the newly effective cybersecurity regulation but keep an eye on the progress of the proposed federal regulations as well, if applicable. In the end, financial institutions may be better served by developing an overarching cybersecurity program that will encompass their risks and ultimately subsume regulatory requirements. Other states may follow New York’s lead and conceivably introduce their own cybersecurity regulations as well. As global financial institutions already know, variations in regulations across jurisdictions can be complex to manage in a piecemeal fashion.

[Palo Alto Networks Research Center]
