Ransomware: Why Are Organizations Still So Vulnerable?

Ransomware attacks are not new. In fact, ISACA has been sounding the alarm on the increasing spate of ransomware for quite a while. Unfortunately, it takes a massive-scale cyber attack like the recent WannaCry incident for such cyber crimes to gain national and international notoriety. In fact, another recent ransomware attack that caught the public’s attention in the U.S. came when San Francisco’s transportation department was hit last November, impacting the city’s light rail transit system.

There is a reason why ransomware attacks are becoming popular: For the bad guys, it simplifies the crime and the process of monetization.

Think about it. Earlier, even a simple computer crime involved two steps to get to monetization. First, the criminals had to break in and steal personal information like credit card details; second, they had to sell it on the dark web, often to organized crime groups, in order to get paid. The buyers in turn used the credit card or other information to commit fraudulent transactions.

With ransomware, crime has become an easy, one-step monetization process. Attackers break into a computer system, install ransomware and get the payment directly from the person or organization impacted. It’s a one-to-one interaction, and payment is easily received. While accepting ransomware payment in bitcoins may seem a bit more challenging than accepting a credit card payment, anonymity is crucial to cybercriminals, making it well worth the modest additional effort.

But even with increased awareness on cyber attacks and the heightened need for cyber security, the question remains: why are organizations still so vulnerable? And what can they do about it?

• Whitelisting: Sometimes a ransomware attack starts with a phishing episode in which someone within an organization downloads and runs a malicious executable. Once that happens, the company’s endpoint security products (typically an antivirus solution) are often not enough to detect the attack. That’s why organizations like ISACA, US-CERT and the National Association of Corporate Directors (NACD) also recommend implementing whitelisting or application control – a process by which an organization runs only “known good applications.”

In the past, whitelisting has been hard to manage and maintain. When a company implements the whitelisting approach, every person and device in the company runs only known good code. The problem was keeping the lists up to date, such as when an executive had to run an application like WebEx or GotoMeeting. When the application ran and automatically installed a new version of itself, the executive was prevented from launching it until the new version was entered into the whitelist. The lost productivity with old versions of whitelisting solutions spelled doom for that approach.

However, in the last year or so, the next generation of whitelisting solutions has hit the market, and they are far superior to the old ones. Newer solutions can trust entire families of software and pull the latest whitelists, making the process of managing “known good software” more intuitive and convenient for IT departments. So, it’s critical for organizations that earlier discarded the whitelisting approach to revisit it, especially in the face of increasing ransomware attacks.
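To make the difference between the two generations concrete, here is an added illustration (not code from the post or from any product ISACA mentions) of an application-control policy that accepts a binary either by exact hash or by trusted publisher family. The vendor names, sample executables and keys are constructed, and an HMAC tag stands in for the code-signing certificate a real product would verify; the point is that a hash-only list denies the updated client while family trust admits it and still rejects unsigned or forged binaries.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed vendor signing keys: a stand-in for the code-signing
# certificates a real application-control product would verify.
VENDOR_KEYS = {"MeetingCo": b"meetingco-signing-key", "RandomDev": b"randomdev-key"}


@dataclass(frozen=True)
class Binary:
    name: str
    publisher: str    # publisher named in the binary's signature block
    content: bytes    # the executable image (constructed sample bytes)
    signature: bytes  # HMAC tag over content, standing in for Authenticode


def sign(publisher: str, content: bytes) -> bytes:
    """Constructed vendor-side signing step."""
    return hmac.new(VENDOR_KEYS[publisher], content, hashlib.sha256).digest()


def signature_valid(b: Binary) -> bool:
    """Check the tag against the key of the publisher the binary claims."""
    key = VENDOR_KEYS.get(b.publisher)
    if key is None:
        return False
    expected = hmac.new(key, b.content, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b.signature)


def decide(b: Binary, hash_allow: set, publisher_allow: set) -> str:
    """Return 'allow:hash', 'allow:publisher' or 'deny'."""
    digest = hashlib.sha256(b.content).hexdigest()
    if digest in hash_allow:
        return "allow:hash"  # exact known-good build
    # Family trust: publisher is on the list AND the signature verifies,
    # so a new version from the same vendor runs without a list update.
    if b.publisher in publisher_allow and signature_valid(b):
        return "allow:publisher"
    return "deny"


def demo() -> dict:
    v1 = Binary("meeting.exe", "MeetingCo", b"meeting-client-v1",
                sign("MeetingCo", b"meeting-client-v1"))
    v2 = Binary("meeting.exe", "MeetingCo", b"meeting-client-v2",
                sign("MeetingCo", b"meeting-client-v2"))
    # Unsigned download from a phishing mail: no publisher, bogus tag.
    dropper = Binary("invoice.exe", "", b"unknown-binary", b"\x00" * 32)
    # Forged: claims MeetingCo but was signed with a different key.
    forged = Binary("meeting.exe", "MeetingCo", b"meeting-client-v3",
                    sign("RandomDev", b"meeting-client-v3"))

    hash_only = {hashlib.sha256(v1.content).hexdigest()}  # old-style list
    family = {"MeetingCo"}                                  # family trust
    return {
        "v1_hash_only": decide(v1, hash_only, set()),
        "v2_hash_only": decide(v2, hash_only, set()),  # the old failure mode
        "v2_family": decide(v2, hash_only, family),
        "dropper_family": decide(dropper, hash_only, family),
        "forged_family": decide(forged, hash_only, family),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```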

• Patching: Keeping systems patched and up to date is important, but it is not a panacea since spear phishing attacks can still trick victims into installing ransomware.

• Backups: Maintaining a good backup helps organizations navigate the waters of a ransomware attack far more deftly. For example, when San Francisco’s transportation system was hit last fall, the city refused to pay hackers the $70,000 ransom that was being demanded. Instead, it took a few days to painstakingly restore backups, and during that time the city let residents ride the transit system for free.

Interestingly, we are also seeing the emergence of quirky trends among ransomware criminals. These hackers are increasingly adopting best practices to close ransom transactions quickly, as the ransom demands are often not too high compared to the time and effort it would take to restore the backup.

So, to motivate the victim to pay the ransom, ransomware attackers are:

  • Offering discounts if the ransom is paid within a set number of days
  • Adopting a “try before you buy” approach, where the affected party can ask for a specific file to verify the veracity of the hacker’s claims
  • Offering technical “chat” support after the ransom has been paid to assist the victim in recovering files

But despite these best practice claims by cybercriminals, organizations that have become victim to ransomware attacks need to make sure a thorough cleanup process is executed as part of the incident response – perhaps even scrubbing and restoring the entire system and network – to make sure the attackers are no longer there.

Rob Clyde, CISM, Board Director, ISACA, Executive Chair of the Board of Directors at White Cloud Security

[ISACA Now Blog]

Why Directors Feel Inadequate in Terms of Cybersecurity and What They Can Do About It

Executive Summary

The National Association of Corporate Directors says that directors do not feel adequate in terms of mitigating cybersecurity issues. The problem is that we have led ourselves to believe that cybersecurity risk is somehow different from all the other risks that directors deal with daily. This is incorrect. The same risk strategies apply: acceptance, avoidance, mitigation and/or transfer. The needed change is that directors must insist that their technical C-level executives transform technical risk into business risk. The board needs to help them with this because many are not comfortable doing it. But once done, all that is left to do is for the board to learn and understand at a high level some of the technical issues involved in these strategies. Start with the Cybersecurity Canon Project: a collection of network defender-recommended books about all aspects of security. As a priority, read these three books first: “Navigating the Digital Age,” “How to Measure Anything in Cybersecurity Risk,” and “Measuring and Managing Information Risk: A FAIR Approach.”

Introduction

Based on a recent survey conducted by the National Association of Corporate Directors, only 19 percent of board directors feel confident that they grasp the nuances of cybersecurity risks well enough to make well-informed decisions. A whopping 59 percent of directors surveyed by the NACD say that they feel inadequate to oversee these risks. [1] Those are shocking numbers, since almost every business today has some sort of cyber component. As the world sprints into the digital age, you would be hard-pressed to find a business that has no digital component helping to drive the efficiency and innovation of the company.

How Did We Get Here?

This situation is largely the fault of the network defender community: your CIOs, CSOs and CISOs. From the first CISO who was hired back in the mid-1990s [2] until the present day, the network defender community has insisted that the risks associated with cybersecurity were somehow unique compared to the myriad of other risks that directors deal with every day. They said that, because this kind of risk is mostly associated with computers, the internet and hackers, it belongs in some sort of risk category that requires special handling. This is wrong.

Cyber Risk Is Not a Special Kind of Risk

Risk is risk, whether it manifests from employee injury, property loss, business interruption, liability or a cybersecurity breach. Directors deal with this cyber risk the same way they deal with all other risks: they find ways to alleviate or eliminate potential material risk to the business. They use basic risk management strategies like acceptance, avoidance, mitigation or transfer. [3] From these strategies, all that is new to the director in dealing with cybersecurity risks are the potential technical mitigation strategies you might choose. But that is why you have the technical C-staff working for you. The CIO, CSO and CISO will understand the technical details. What you should be asking them to portray is the potential risk to the business.

This is hard for most technical C-levels. They understand the technical details, but many have trouble transforming that technical risk into business risk. They will need your help with understanding the business risk strategies that directors already understand and separating all the “scary” risks – because they come from hackers – from the potential-material-impact risks that threaten the company. In other words, there are many alarming scenarios that we all can manufacture when it comes to hacker stories, but articulating the scenarios that will have high impact to the business if they occur and, at the same time, have a high probability of occurring in the short term is the key. This is a conversation with which many technical C-level executives do not have a lot of experience. Once done, the last thing to do is for the director to gain a high-level understanding of the technical solutions your technical C-level executives recommend.

Director Homework

When learning about a new knowledge domain, the thing to do is to check the literature. Fortunately, there is a community project at your disposal on which directors can rely, called the Cybersecurity Canon Project. [4] Think of it as the Rock and Roll Hall of Fame for cybersecurity books. This is not just a book list. In order to get on the list, some network defender has to write a book review justifying why a particular book should have been read by all of us by now. There is a committee that consists of all types of network defender experts who read all of the submissions and decide which books make it onto the candidate list, and which books ultimately get put into the canon. For directors, I recommend two books that are currently on the candidate list and one book that is already in the canon.

“Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers,” published by the New York Stock Exchange and Palo Alto Networks

“Navigating the Digital Age” is the first comprehensive book specifically designed to enlighten and educate corporate directors and officers in terms of cybersecurity. The book includes more than 30 contributors, so it is meaty; and while there is some overlap in the material covered, it contains a dense collection of information around fundamental principles for the board members to do their jobs; board standards to consult; the executive on whom they should rely – the CISO; which committees they should create to support their efforts; what they should worry about in terms of fiduciary responsibility and the potential for litigation; the perceived cybersecurity disconnect between shareholders and board members; and finally, how they should think about disclosing breach information to the public. [5] This is a free-to-download book published in partnership by the New York Stock Exchange and Palo Alto Networks. Since the publication of this book, Palo Alto Networks has published companion books in France, Australia, Japan, Singapore and the U.K. We plan to publish books in Germany and Holland this year too. [6]

“How to Measure Anything in Cybersecurity Risk,” by Douglas W. Hubbard and Richard Seiersen

“How to Measure Anything in Cybersecurity Risk” is a book anyone who is responsible for assessing risk should read. It is grounded in classic quantitative analysis methodologies and provides a good balance of background and practical examples. The authors lay out a solid case for why other industries with a similar challenge – a lack of quantifiable, standardized or historical actuarial-table-like data – are able to use classic statistical modeling and methodologies to measure risk in a qualified, repeatable way. [7]

“Measuring and Managing Information Risk: A FAIR Approach,” by Jack Freund and Jack Jones

“Measuring and Managing Information Risk” is a book that not only describes what risk is but also teaches you how to measure it quantitatively so that practitioners can demonstrate to their leadership that they understand the problem. It shows how to deliver financially derived results tailored for enterprise risk management and is intended for organizations that need to either build a risk management program from the ground up or strengthen an existing one.

It covers key areas, such as risk theory, risk calculation, scenario modeling and risk communication within the organization. [8]

Conclusion

Cybersecurity risk is no different from any other kind of risk that directors normally handle in their day-to-day jobs. In the early internet days, we let the technicians convince us otherwise. Now we are trying to re-learn what the real truth is: that we can use the same traditional risk strategies for cybersecurity as we do with all other business risks: acceptance, avoidance, mitigation and/or transfer. Many of our technical C-level executives need help transforming technical risk into business risk. The director can help with that. Insist that your technical C-levels sort out the “scary” risks from the probable high-impact risks. To gain a high-level understanding of some of the issues, directors should refer to the Cybersecurity Canon Project and read the literature that the network defender community recommends, beginning with these three books: “Navigating the Digital Age,” “How to Measure Anything in Cybersecurity Risk,” and “Measuring and Managing Information Risk: A FAIR Approach.”

[Palo Alto Networks Research Center]

Weekly Security Headlines: WannaCry, NSA, Pen Testing and more…

Kazuar, Windows Defender and Worst-Case Scenarios

The WannaCry Ransomware attack continues to dominate the news cycle, and we’re sure you’re closely watching developments and taking appropriate US-CERT precautions.

But from Microsoft issuing an emergency patch for Windows Defender to the NSA director sharing his cyber fears to Gizmodo phishing for Trump administration officials, last week didn’t disappoint in delivering a rich trove of other security news. In case you missed it, here are some other stories that got our attention.


Meet Kazuar

From the pages of “Oh great, they’re doing that now?” comes an analysis of the cyber-espionage malware dubbed Kazuar, which incorporates an API to reverse the C&C communications flow. Detailed over at BleepingComputer – crediting research from Fox-IT and Palo Alto Networks – the highlights are:

… the most notable and original feature is in Kazuar’s C&C server communications… Kazuar has the ability to reverse the flow of normal C&C server communications. Instead of infected hosts pinging the C&C server for new commands, an attacker can ping the victim whenever he wants and send new instructions.


Patch Windows Defender… Like Right Now!

Google’s Project Zero discovered a vulnerability in the malware protection engines of Windows 7, 8, 8.1, 10 and Server 2016. Microsoft quickly responded by issuing an emergency patch. According to Ars Technica:

The exploit (officially dubbed CVE-2017-0290) allows a remote attacker to take over a system without any interaction from the system owner: it’s simply enough for the attacker to send an e-mail or instant message that is scanned by Windows Defender. Likewise, anything else that is automatically scanned by Microsoft’s malware protection engine—websites, file shares—could be used as an attack vector.


Government Cyberattacks Double, Trump Signs New Order

As reported by GCN, Dimension Data research found that cyber attacks on government agencies – as a proportion of total attacks – doubled from 7% in 2015 to 14% in 2016, ranking the government sector as a #1 target alongside the financial services industry.

According to GCN:

Government agencies were increasingly hit with ransomware attacks, coming in at 19% of attacks. (Business and professional services sustained 28% of all ransomware attacks.) Phishing and social engineering schemes, which delivered 73% of malware, were less likely to target governments, going after the manufacturing industry primarily.

On a related note, U.S. President Trump signed an executive order on cybersecurity. Subtitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” the order covers a wide array of security policies, issues, risk management and cyber initiatives. Paul Rosenzweig breaks down the EO for Fifth Domain.

According to reporting by Bloomberg:

The order seeks to improve the often-maligned network security of U.S. government agencies, from which foreign governments and other hackers have pilfered millions of personal records and other forms of sensitive data in recent years.


You’d Better Listen to This Guy

The Washington Times reported on recent cybersecurity remarks from NSA Director Adm. Mike Rogers to the Senate Armed Services Committee.

…Adm. Rogers also raised eyebrows by discussing a “worst-case scenario” cyberattack on critical infrastructure that instead of revealing data – such as a WikiLeaks hack – would entail the manipulation of vital national data on a “massive scale.”

“Advanced states continue to demonstrate the ability to combine cyber effects, intelligence, and asymmetric warfare to maintain the initiative just short of war, challenging our ability to react and respond…”

From the Washington Post:

http://www.washingtonpost.com/video/c/embed/1b81037a-34c8-11e7-ab03-aa29f656f13e


Ethical Questions Emerge When Journalists Turn Pen Testers

Steve Ragan’s column at CSO raises some interesting ethical questions about Gizmodo’s effort to see if they could get Trump administration officials to click on phishing emails. The article “Here’s How Easy It Is to Get Trump Officials to Click on a Fake Link in Email” can fill you in. Using tactics similar to those that compromised the Democratic National Committee, Gizmodo manufactured a phishing campaign targeting Trump advisors and administration officials, including then FBI Director James Comey, Rudy Giuliani and Newt Gingrich, to see how many recipients they could get to click on a fraudulent link. About half of the links sent were clicked.

Ragan’s column asks, “does it cross a line when a news organization creates a Phishing simulation in order to develop news?” His analysis and consideration is worth checking out here.


No Basic Training for Military Cyber Operators

As we have noted often, the cyber skills gap continues to accelerate across all sectors, including the military. Ars Technica recently reported on a Senate Armed Services Committee hearing during which the Department of Defense discussed broadening its thinking when it comes to quickly onboarding and retaining cyber talent:

One of the possible solutions that the DOD has looked at is bringing people with experience and skills essential to offensive and defensive cyber operations into the service “laterally.” That means giving them ranks (and pay grades) commensurate to their skills and entirely bypassing the normal recruitment and advancement process.


…And What Else?

Naked Security shared details on how to hack a Jeep Cherokee.

Schneier on Security discussed Securing Elections.

BleepingComputer reported on the use of digitally created fingerprints to unlock smartphones.

[(ISC)² Blog]

How Can We Get More Young People Excited About IT?

There are a lot of exciting things happening in the IT field, which means there’s a tremendous amount of growth occurring in a lot of businesses. With that growth comes the need to hire cost-effective talent. This raises the question: How can we get more young people excited about launching careers in IT?

Why IT?
When you ask children what they want to be when they grow up, you’ll hear an array of answers. From firefighter and police officer to professional athlete or doctor, there are a handful of occupations that always seem to draw interest from children.

Kids typically don’t grow up pretending they’re IT pros or dream about fixing computers, coordinating corporate security strategies or deploying advanced new software programs, but maybe that’s our fault as adults. The IT career field is an exciting one, and we’re doing our youth a disservice by failing to get them excited at a young age.

For starters, there’s the positive industry outlook, with both wages and employment opportunities outpacing most other industries.

Then there’s the fact that IT pros can work in just about any environment. There are Fortune 500 positions, as well as opportunities to contract with small businesses. This change of scenery can be refreshing for people who like to move around and see new things.

Making IT attractive to young students
As you can see, there are a lot of positive things happening in the IT industry. The goal has to be for educators, adults, and those already in the field to shine a light on its positive trajectory. Here are a few ideas:

  1. Make the push online. Today’s youth (and tomorrow’s professionals) spend a lot of time online. For companies and organizations that want to reach this segment of the future workforce, there needs to be a greater online push for visibility. Since social media is a hugely popular destination, there’s value to be extracted from sharing engaging content and strategically funneling users to landing pages. There’s also something to be said for tapping into visual social platforms like Snapchat and Periscope to provide some behind-the-scenes content about how exciting a career in IT can really be.
  2. Focus on creativity. Creativity is a big thing when young people search for jobs. They want careers that allow them to use their talents and enjoy the freedom to innovate and create from the start. Unfortunately, very few career fields – especially at entry-level positions – leave room for imagination and vision. However, IT professionals are like artists in many ways, constantly being called on to use certain tools to maximize resources and build new solutions.
  3. Highlight the low cost. For high school students who won’t be having their college paid for by a parent, the rising cost of tuition and the ever-present burden of student loans is enough to scare even the most optimistic child away from pursuing a college degree. Thankfully, you don’t need a four-year degree to be an IT pro. Some specialized training/certificates can get people started in the field.

IT isn’t exciting in the sense that you get to fight fires or hit a 95-mph fastball in front of 40,000 fans, but that doesn’t mean today’s children can’t grow up wanting to pursue a career in this growing field. It’s up to us to shed light on just how stimulating it can be.

Larry Alton, Writer, LarryAlton.com

[ISACA Now Blog]
