
Ransomware! – It’s here to stay…

“My firm WILL be affected by ransomware.” If you intone that rather gloomy mantra to yourself every morning before you go to work, you might end up being prepared to deal with the situation when it happens.

Ransomware is a type of malware that most often encrypts the contents of a hard drive and then rather helpfully offers you an email address or phone number to contact for removal instructions. And did I mention they’re going to ask for payment for the key to your now locked-up hard drive? They’ll ask for payment. And when the email with the funny cat pictures is spread around your office and more systems are affected, they’ll ask for money to unlock those too. Can the FBI help you at this point? No, because the kidnapper (of your data) is some kid working out of a grimy apartment overseas, and law enforcement doesn’t have the resources to mount an international manhunt over the few hundred dollars being extorted from you.

If you bite the proverbial bullet and pay the ransom, is the situation over, simply remembered as a painful lesson learned? Maybe…

An increasing number of ransomware variants will leave Trojans on your system: a back door through which the original perpetrator can come and go as he or she pleases. Some ransomware, after being unlocked, has reportedly lain dormant for a few months and then reactivated itself. Even worse, some ransomware operators have actually been caught and jailed, and the phone number you call with credit card or Bitcoin in hand will just ring forever.

With estimated losses of over US$18 million and over 1000 cases of a single ransomware variant (CryptoWall) reported to the FBI’s Internet Crime Complaint Center in June of 2015 alone, ransomware is definitely a clear and present danger to any and all firms.

Diligence and mitigation – mitigation and diligence. These are the two concepts that might just prevent a catastrophic ransomware event in your firm. It’s up to both your employees and your IT Staff to take these to heart, though, as it takes both groups to successfully prevent an infection AND to deal with one correctly when it happens.

Precautions your IT Staff can take:

  • Patch and Update software: Your firm should have a Threat and Vulnerability Management policy that mandates regular scanning, investigation of vendor-specific security alerts, and appropriate patching guidelines and targets.
  • Effective Security Suites: Your IT staff should be deploying a combination of anti-malware software and software firewalls to each and every system in your firm. Definitions should be updated constantly and scans should be a regular and recurring event.
  • Backups: The importance of accurate backups cannot be overstated! And this doesn’t necessarily mean a “you have a mapped Z: drive in Windows, copy anything important to it” type of backup either, because there have been many, many instances of ransomware encrypting those drives as well. Why? Those drives and folders are just another target folder the infected system can see. What’s really bad is when the mapped drive isn’t the user’s personal folder but the actual root layer of the drive. That’s when EVERYONE’s backups get encrypted. So make sure your firm has invested in an official backup framework, with software agents that will regularly make secure copies of important data.
  • Log analysis: A good Security Information and Event Management (SIEM) system, or a similar tool that analyzes log data, can help prevent the spread of an infection if the IT Staff is alerted early to log entries that indicate an infection.
  • Hardened Email Systems: Does your firm use a hardened email system? Are spam filters current and in place? Do you scan incoming email for questionable attachments and quarantine them appropriately?
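The Log analysis point above talks about alerting early on log data that indicates an infection. Here is an added example of such a rule in Python; it is not from the original post. It reads constructed file-server audit lines in an assumed format and flags a user whose burst of writes or renames inside a short window mostly lands on one new file extension, a pattern typical of bulk encryption.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-line format (constructed, not from the post):
#   <ISO-8601 timestamp> user=<name> op=<READ|WRITE|RENAME> path=<file path>
LINE_RE = re.compile(r"^(\S+) user=(\S+) op=(\S+) path=(.+)$")

def parse(line):
    """Return (timestamp, user, op, path), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, op, path = m.groups()
    return datetime.fromisoformat(ts), user, op, path

def detect_mass_modification(lines, window_s=60, threshold=20):
    """Alert once per user whose WRITE/RENAME count reaches `threshold` inside a
    sliding `window_s`-second window, noting the extension most of them share."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, extension)
    alerts, alerted = [], set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                      # skip unparseable lines
        ts, user, op, path = rec
        if op not in ("WRITE", "RENAME"):
            continue                      # reads do not change file contents
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        q = recent[user]
        q.append((ts, ext))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()                   # drop events older than the window
        if len(q) >= threshold and user not in alerted:
            top_ext, top_n = Counter(e for _, e in q).most_common(1)[0]
            alerts.append({"user": user, "at": ts.isoformat(), "ops": len(q),
                           "top_ext": top_ext, "top_ext_share": top_n / len(q)})
            alerted.add(user)
    return alerts

def constructed_log():
    """Constructed sample: alice edits a few files over 15 minutes (benign);
    bob's session renames 30 files to one new extension within 15 seconds."""
    base = datetime(2015, 6, 10, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=3 * i)).isoformat()} user=alice "
             f"op=WRITE path=/shared/report{i}.docx" for i in range(5)]
    lines += [f"{(base + timedelta(seconds=i // 2)).isoformat()} user=bob "
              f"op=RENAME path=/shared/invoice{i}.pdf.locked" for i in range(30)]
    return sorted(lines)                  # audit logs arrive in time order
```

The threshold, window and log format are placeholders; tune them against a baseline of normal activity on your own file servers so that legitimate bulk operations (a nightly job, a large copy) do not page anyone.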

Precautions your Users can take:

  • Training: Do you have Acceptable Use policies for email, external flash media, and appropriate training for the users? Have they been taught not to open strange emails and do they know how to recognize and not click on questionable email links? Do they know what to do if they find a USB drive on the ground labeled “Company Salary Spreadsheet?” These are all part of a comprehensive policy and training framework your company should have in place.
  • Reporting: Employees should be able to recognize the warning signs of a malware infection and know immediately how to (and that they should) contact IT staff. Also, regular IT security training programs are not a luxury anymore. They’re not something that only “the big guys” can afford to have. Every firm should have a policy of requiring some form of IT security training for its entire staff at least on an annual basis.

And finally,

What to do with an infected system:

  • Contact the IT Staff: if an employee believes they have fallen victim to or are falling victim to ransomware, the IT Staff should be contacted immediately. The sooner they’re aware of an issue, the more likely it is that some form of damage mitigation or limitation can be performed.
  • Disconnect from WiFi or unplug from the network immediately: This is extremely important! If a system has been identified as infected, disconnect from the network as soon as possible. Some ransomware-type malware “calls home” for encryption instructions. This is by no means foolproof, and users who are savvy enough to recognize a ransomware event in action are few and far between, but it could make a difference.
  • Realize when you’re “in over your head”: Dealing with ransomware is not an easy task. If your IT Staff appears to be floundering a bit, or unsure of what steps to take, or if ransomware is a regular recurrence at your firm, contact a third party that specializes in network and computer security.

IT Security is a process, not an event. Good security policies and practices, regular scanning and investigation, and a watchful eye will go a long way toward keeping your firm secure. As the world becomes more connected every day, diligent firms should be making more of an effort to recognize the importance of IT Security in the workplace. An investment of time, attention, effort, and funding will always pay off.


How Does Ashley Madison Threaten Your Organization?

Extortion is not usually a topic that employers have on their radar regarding their employees. Most employers know they need to protect themselves against viruses and “hackers”, but they often don’t think about the social engineering tactics that attackers may use to target employees. When users put their private information on “secure” websites, they may assume this information is safe. But, as the old adage goes, “assume anything you put online can be made public”, and it is likely that all of the users of the Ashley Madison website failed to consider the implications.

For more details about the Ashley Madison hack there are a number of sources that can be reviewed. Brian Krebs has two posts on the subject that are worth reviewing for more detailed information: “Was the Database Leaked?” and “Extortionists Target Ashley Madison Users”.

Why should this apply to me?

Considering the services offered, and the number of records released, it is likely that most people will have a connection to someone who could be affected. Given this line of thought, it is also plausible that attackers could exploit this and target users who are on the list of records released. Employers are not likely to be directly concerned about whether their employees are on this list; however, what if their users are put into a situation where they are blackmailed, and may do something they would not otherwise think of doing, such as clicking on an illicit link or downloading a malicious file? Alternately, an attacker could use information from the Ashley Madison list to entice users to click on a link in a phishing email. Employers need to be cognizant of this, and consider some controls which can be put in place to mitigate this threat.

We regularly see organizations where a user falls victim to phishing emails, and those numbers will only increase when this specific, targeted threat vector presents itself. This is a real threat, and it is a risk to organizations, as some users are going to be concerned about this and may act more foolishly than normal in order to conceal their misdeeds.

What should we do?

User Awareness Training – Ensure users can identify a phishing email. Make users especially aware of attacks related to the Ashley Madison hack.

Spam Filtering – It may be worth discussing the merits of blocking, or raising the spam score of, any emails containing words related to Ashley Madison.

Follow Basic Security and Compliance Practices – Review security practices including Authentication, Access Controls, and Patch Management. Additionally, ensure there are mechanisms for recognizing anomalous behavior within the network.

It’s impossible to prevent users from being targeted, but organizations can use that knowledge to better prepare. If their users will be targeted, then training employees is key. Remember: instead of trying to prevent a ‘hack,’ expect one, and be prepared to detect it, slow down or stop the attack, and recover quickly.