
Phishing Attacks and Multifactor Authentication

Stop the Password Reset Insanity

How much time does your IT department spend changing a user’s network and/or email account passwords because they clicked on a phishing link that they should not have? How many users do you have who do this repeatedly? Have you trained your users to identify, report, and ignore these phishing attempts?

Why make the only procedure to resolve this resetting the password when it just keeps happening again and again? Stop the insanity and look at a new way of solving this problem.

“The definition of insanity is doing the same thing over and over again and expecting different results.”

How Spearphishing Works

Your company webpage has just been redesigned to provide an enriched marketing experience. It looks great and everyone on your leadership team is excited about the new page. One of the pages, “About Our Team”, lists every member of the executive management team with a short bio. You have just provided the bad guys with a short list of high-value targets within your company.

With this list of users in hand and by utilizing the most standard email address format (everyone uses first initial of the first name + last name), a couple of smart public DNS queries, and a telnet to port 25 of your email server, I can determine your mail server and version, including Microsoft Office 365. Then I can set up a fake webmail account login page and send a well-crafted email asking them to log in to my fake email system so I can steal their password.

Once your user completes this action, I have not just compromised their account, I have compromised an influential person in the company. I now have access to the corporate account of someone who can make decisions and spend money, for example, authorize an invoice to be paid or request a wire transfer. Payday for me, headaches dealing with law enforcement, lawyers, cyber insurance companies, and forensics experts for you.

What Happens Next

Once you discover the intrusion, I’ve been reported to IT, the user’s account password has been changed, the lawyers are doing insurance reviews, and accounting is double checking the books, but I am still out there. While everyone is thinking, crisis averted, I am waiting for the next opportunity.

Now, I sit back and wait a week or two before another attempt. During this time, a business crisis arises, distracting the executives, and I send another email asking you to log in. Nine times out of ten, I get back in. Executives are busy between internal, partner and customer meetings, traveling, reviewing performance numbers, and so on. They are always busy and want things to go smoothly so they can accomplish tasks quickly. Because of this, your executives rarely look twice at the email asking for the password again – just so they can get that PDF report they think they are getting.

So, they are compromised. Again. You change their password. Again. Insanity.

While you are saying to yourself, “This would never happen at my company”, let me share this story with you. I recently worked a case where the President of the company was successfully spearphished three times in two weeks. Each time, the password was reset, and everyone moved on to other things. In another case, a breached IT administrator account was used to spearphish the CFO. As if that is not bad enough, the CFO had already been successfully spearphished two months prior.

How do I end this cycle?

The easy answer is to require multi-factor authentication (MFA). The harder question is, “How do I implement MFA without being chased with pitchforks and firebrands?” Or worse yet, isolated in an office in the basement with your career stalled out.

So, how do you implement MFA while minimizing the impact on your users?

Scenario 1:

IT develops an MFA implementation plan. They then meet with the executives to outline the program’s pros and cons, with the strategy of scaring them into agreeing to implement MFA. They use statistics from Gartner, include quotes from Verizon’s Annual Data Breach Investigation Report, and try to sell the implementation plan. Remember, these are the same executives who are busy moving from one fire drill to another while being spearphished daily. This strategy almost never goes well.

Scenario 2:

IT develops an MFA implementation plan. Instead of only using statistics from Gartner and quotes from Verizon’s Annual Data Breach Investigation Report, they use actual internal data to effect change from within. Prior to presenting this data, they have already completed an MFA pilot with their email administrators and then rolled it out to the entire IT department. Here’s the payoff: report the measured results of the rollout to the IT Steering Committee, CFO, or COO; the point is, get an executive to start thinking about MFA, hearing the results, and digesting the successes. Then, get that individual to try it.

Peer pressure can also be beneficial in this scenario. “One-Upmanship” within a highly political boardroom can be a good thing. Having someone inside the decision-making group proudly boasting how fourteen unauthorized attempts to log in to their account were thwarted by MFA can provide the incentive you need. No one wants to be the weak link or in last place.
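The internal numbers Scenario 2 relies on (how often the same account keeps getting reset, and how many sign-in attempts MFA has already turned away) have to come from your own audit logs. The script below is an added example, not SecurIT360’s code; it assumes a constructed pipe-delimited audit log format and reports both figures per user.

```python
"""Added example (not from the original post): compute the two internal
metrics the post recommends showing executives, from audit log lines.
The log format (timestamp|event|user|detail) is constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp|event|user|detail
SAMPLE_LOG = """\
2019-03-01T09:12:00|password_reset|ceo|reason=phishing
2019-03-09T14:03:00|password_reset|ceo|reason=phishing
2019-03-15T08:45:00|password_reset|ceo|reason=phishing
2019-03-02T10:00:00|password_reset|jsmith|reason=forgot
2019-04-20T03:14:00|signin|cfo|mfa_denied
2019-04-20T03:15:00|signin|cfo|mfa_denied
2019-04-21T11:00:00|signin|cfo|success
2019-04-22T02:40:00|signin|ceo|mfa_denied
"""


def parse_events(text):
    """Parse log text into (timestamp, event, user, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), event, user, detail))
    return events


def repeat_reset_users(events, window_days=30, threshold=2):
    """Users whose password was reset `threshold` or more times inside any
    `window_days` window: the 'reset insanity' the post describes.
    Returns {user: highest reset count seen in one window}."""
    by_user = defaultdict(list)
    for ts, event, user, _ in events:
        if event == "password_reset":
            by_user[user].append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            # sliding window: resets from this one up to window_days later
            end = start + timedelta(days=window_days)
            n = sum(1 for t in stamps[i:] if t <= end)
            if n >= threshold:
                flagged[user] = max(flagged.get(user, 0), n)
    return flagged


def mfa_denied_counts(events):
    """Per-user count of sign-ins that reached the MFA step and were denied,
    i.e. attempts where a password alone no longer produced access."""
    counts = defaultdict(int)
    for _, event, user, detail in events:
        if event == "signin" and detail == "mfa_denied":
            counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("repeat resets (30 days):", repeat_reset_users(evs))
    print("MFA-denied attempts:", mfa_denied_counts(evs))
```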

The Benefits of MFA

Now that you have implemented MFA, you are able to stop the insanity of repeatedly resetting passwords, re-imaging computers, spending hours on telephone calls with lawyers, insurance companies, and forensics companies. You can expect fewer security headaches, more time to complete your projects, and your executive team to appreciate how secure your network has become with multi-factor authentication.

SecurIT360 is an independent, vendor-agnostic Cybersecurity consulting firm.
If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.


Cloud Computing and Security

Cloud Computing

In its broadest sense, Cloud Computing can be defined as the practice of using a network of remote servers hosted by a provider on the Internet (“the Cloud”) to store, manage and process data. In the current enterprise landscape, organizations (called tenants) are steadily migrating technologies and services into the Cloud, looking for a competitive advantage that will set the business apart from the rest of the pack. These advantages of Cloud computing include a reduction in start-up costs, lower capital expenditures, utilization of on-demand IT services, and the dynamic allocation of computing resources and capacity. Along with these and other benefits comes the ever-present security effort of protecting the data that is stored and processed in the Cloud.
Even though companies are moving these technologies and services to a third-party entity (the provider), the responsibility for ensuring the integrity and confidentiality of the data still resides with the tenant. It does not change the fact that preventative and detective controls must be in place and corrective activities defined. The move only changes how information security is governed. In this article, we will look at some of the challenges surrounding Cloud Security.

Types and Uses of Cloud Computing

Before we jump into the myriad topics that make up Cloud computing security, let’s look at the types of Cloud computing and their uses. Most Cloud computing services fall into three categories: infrastructure as a service (IaaS), platform as a service (PaaS) or software as a service (SaaS).

Infrastructure-as-a-Service (IaaS)

The most basic category of Cloud computing services is Infrastructure-as-a-Service, termed IaaS. With IaaS, an organization is renting IT infrastructure: servers, virtual machines, storage, and networks.

Platform-as-a-Service (PaaS)

This category of Cloud computing provides a platform and environment for developers to develop, test and deliver software applications.

Software-as-a-Service (SaaS)

This category provides applications and software solutions on demand over the internet, accessible to the user, usually via a web browser.

Cloud Security

When moving services and data to the Cloud, an organization needs to understand that security and compliance are a shared responsibility between the tenant and the provider. This is referred to as the shared responsibility model. Depending on the Cloud service being utilized, the tenant’s security responsibility may include patching the operating systems as well as the applications (as it does with IaaS). But as the Cloud service changes, so does the responsibility. Example: when a tenant subscribes to an IaaS offering, they are responsible for the OS, application and data security. If the tenant moves to a PaaS offering, they are no longer responsible for the OS maintenance and the patching of that OS. Figure 1-1 graphically depicts the boundaries and ownership of security responsibilities. Regardless of the services utilized, the tenant is always responsible for their data security.
An oft-used phrase when discussing cloud security is “the tenant is responsible for security IN the cloud and the provider is responsible for security OF the cloud.” As you can see in Figure 1-1 the security of the data is ultimately the responsibility of the tenant.

Figure 1-1 Security Responsibility in the Cloud

Moving to the Cloud?

Is your organization looking to move to the Cloud? Are you evaluating providers to find out what service will work best for your requirements? If so, there are a few questions/issues that should be clarified to make an informed decision before committing to a move.

  • What controls does the Cloud provider already have in place and can attest to?
  • Will the provider be willing to submit to external audits and security certifications?
  • Where will your data be located? Regulatory requirements might dictate where the provider must process and store data.
  • What oversight does the provider have over the hiring of administrators who will be operating in their Cloud environment? You may require the provider to follow your hiring criteria.
  • What is done to ensure the segregation of your data if the provider is servicing your data in a multi-tenant environment? Find out what controls or protocols are used to segregate your data and verify that these controls are being enforced. “Trust but verify.”
  • What is the process for reclaiming your data in the event of a separation or acquisition? What happens if the provider gets acquired by a different third party? Make sure that your data will be in a format that can be exported and usable.
  • Will the provider be able to completely restore your data or service in the event of a disaster? How long will it take to restore your data?
  • Will they support eDiscovery and the investigative process?

Your Data/Your Responsibility

Don’t fall into an “out of sight, out of mind” mode about your data when you move to Cloud services. It’s your data and the security of that data is, and always will be your responsibility regardless of where it is stored or processed.

Breaches can cause serious damage to your reputation and significant expense for your company.  Cyber Liability insurance is not enough.  In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.


References:

ENISA – Cloud Computing Risk Assessment
https://www.enisa.europa.eu/publications/cloud-computing-risk-assessment

Cloud Security Alliance – Security Guidance for cloud computing
https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/security-guidance-v4-FINAL.pdf


Budgeting for Cyber Security for 2019

Cyber-Security Budgeting is a Layered Approach

Cyber-Security is arguably the hottest market right now. Organizations are more willing than ever to spend money to avoid becoming the next headline. When planning, it is easy to focus on available products that vendors are spending millions of dollars to push at us every day. Products are required, but it is the process around them that keeps you secure. Best practices in security follow a layered approach, and budgeting is no different. Where should you focus your efforts?

The Basic Layers:  Reduce Known Risks

These are not sexy, but neither is changing your oil and rotating your tires (Diet and exercise? Pick your poison). Before you look at some of the newer, enticing security solutions, it is important to make sure the basics are covered. What we know: attacks and breaches are increasing every year. We have seen an 8x increase in incidents in the past twelve months. So, our basic list has grown from last year. You may ask: why don’t you just follow the CIS top 20? We agree that all of those 20 items are very important, but after working with over 250 organizations, we know that approval of budget items, gaps in expertise, and culture typically make it hard for an organization to follow the CIS controls in order. If you can, that is great, but we offer the following list of items to consider in order of importance and ease of execution:

  1. Email & Web security – Spam & Antivirus solutions
  2. Enable MultiFactor Authentication for all remote access – don’t forget O365 and other cloud services – or don’t allow it
  3. IDS/IPS; internet monitoring/filtering – hard to believe, but we still find some organizations with outdated firewalls and no IDS capability
  4. Security patching for all hardware/software
  5. Endpoint protections – Antivirus/Malware solutions
  6. Review all accounts, especially privileged accounts and do not allow privileged accounts for regular use
  7. Check for consistent password and access controls across all of your platforms
  8. Encrypt portable devices
  9. Approve Basic Policies to establish guidelines
  10. Provide security training for users and IT staff
  11. Constantly inventory devices on your network
  12. Review firewall, remote access/VPN, and wireless solutions regularly
  13. Comprehensive network documentation
  14. A proactive monitoring/logging/alerting solution should be in place
  15. Basic Incident Response capabilities
  16. Secure file transfer capability
  17. Basic Security Metrics and Reporting – Regular measurements are a must to eliminate a false sense of security
  18. Evaluate your ability to perform these basic functions adequately – do we need managed services? 

Add Advanced Layers to Cover Blind Spots

Once you have the basics in place, formal measurement and planning is prudent to prioritize capital expenses.  If you do not have the in-house expertise available, you may need to rely on outside assistance.  Some items to consider:

  1. Objective measurement: Risk Assessment, Security Audit, Vulnerability and penetration testing
  2. Increase visibility with SIEM (Security Information & Event Management) – either in-house or as a service
  3. Complement SIEM with MDR (Managed Detection & Response)
  4. Formal Program & Policy development following ISO 27001, NIST, HITRUST, or other appropriate framework
  5. Risk Management
  6. Vulnerability Management
  7. Mobile device management solution
  8. NAC – internal Network Access Controls
  9. Data Loss Prevention technologies
  10. Identity Access Management
  11. Forensic capabilities
  12. Application whitelisting
  13. Incident Response Table Tops, Red Team, Blue Team, Purple Team Exercises
  14. Information Governance

Studies have shown that a good security posture will reduce the operational costs and the cost of a security breach.

A Note for your CFO:  You may want to remind your finance committee that breaches can cause serious reputational damage and be very expensive.  Cyber Liability insurance is not enough.  In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.

Note:  SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm.  We do not sell or broker hardware or software.


Why not just follow the CIS top 20?

Since we mentioned it, we will go ahead and put this list out here too.

Basic CIS Controls

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational CIS Controls

  1. Email and Web Browser Protections
  2. Malware Defenses
  3. Limitation and Control of Network Ports, Protocols and Services
  4. Data Recovery Capabilities
  5. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  6. Boundary Defense
  7. Data Protection
  8. Controlled Access Based on the Need to Know
  9. Wireless Access Control
  10. Account Monitoring and Control

Organizational CIS Controls

  1. Implement a Security Awareness and Training Program
  2. Application Software Security
  3. Incident Response and Management
  4. Penetration Tests and Red Team Exercises

The 7 Key Principles guiding the latest version of the CIS Controls:

When designing the latest version of the CIS Controls, our community relied on 7 key principles to guide the development process:

  1. Improve the consistency and simplify the wording of each sub-control
  2. Implement “one ask” per sub-control
  3. Bring more focus on authentication, encryption, and application whitelisting
  4. Account for improvements in security technology and emerging security problems
  5. Better align with other frameworks (such as the NIST CSF)
  6. Support the development of related products (e.g. measurements/metrics, implementation guides)
  7. Identify types of CIS controls (basic, foundational, and organizational)

Our top 5 findings from IT security audits

What are the top things we have learned from performing 200+ security audits?

1.  The “major issues” do not change

Good security is good security, and you can think of the major security issues as giant “targets” within your organization: targets the bad guys hope will come into their line of fire, and which they are regularly shooting at. You can easily spot and name these targets: user awareness, access control, backups/recoverability, etc. These are the primary topics that most compliance requirements are based on. Identifying these large targets and putting in the appropriate safeguards to make them smaller are the goals of a good security program.

2.  Security is a moving target

Even though the “major issues” (the targets) do not change, do not confuse this with thinking that these targets are stationary.  Once the targets have been identified, key performance indicators should be established so that the targets can be measured and constant improvement can be realized.  As these “targets” move around, they have the tendency to grow over time. If your security program does not have a component of measurement and constant improvement, your “small targets” can quickly become large enough for the bad guys to see.  Just because you did well yesterday, doesn’t mean you will do well tomorrow unless you are able to keep pace with those moving targets.

3.  Most people like the “idea” of being secure

It holds true that almost everyone likes the “idea” of being secure. Far fewer actually want to take the steps to become “secure”, usually due to one or more myths:

  • Cost – they believe they require an expensive “widget” to achieve their security goals
  • Effort – the time/manpower simply does not exist (and cannot be prioritized)
  • Impact – the changes proposed will affect the user population too greatly
  • Denial – that will never happen to us OR we are already secure

At the end of the day, security comes down to making risk-based decisions.  If these risk-based decisions are accurately recorded and measured, the decision of mitigating these risks should be an easy one:

What are the potential consequences if I do NOT do this?

4.  That’s not “security” related

Usually, at some point during an audit interview (usually multiple times) when discussing a topic (almost any topic), some detail is revealed that elicits the response “that’s not security related” from the client or user.  We find that people often have a hard time relating everyday events to security issues. They understand that if there is a “hacker” or a “virus” it is a security issue, but may not view things like service interruptions or high resource utilization as “security” related.

5. Gadgets and gizmos will not make you secure

One of the mantras that we regularly preach to our clients is that security is all about the “process” not the “product.”  We do this because of the large number of people who believe that “If I buy the latest HyperWall from DarkPlus with the VisorNet addon, I will automagically be secure!”  No matter how much we would like for our gadgets to be plug-and-play, if there is not some form of human interaction on the back end, the tool will become stale and less useful over time (or it may not have ever worked, to begin with). You should always try to measure the state of your security products/programs and strive to improve them over time in order to be effective.

We hope that these five keys will help you better evaluate your security.  If you would like to learn more about how you can protect your corporate data, please click here to contact us.  SecurIT360 provides audits, scans, and analysis of various systems and businesses across multiple industries including legal, financial, utilities, and healthcare.  Let us help you determine where you should spend your time and money protecting your information.


Everything you wanted to know about Ransomware…but were afraid to ask

What is Ransomware?

Ransomware is a type of malicious software that prevents users from accessing their computer system or files until a sum of money (ransom) is paid. In the malware landscape, ransomware has earned itself a well-deserved nasty reputation.

There are two types of ransomware identified in this branch of the malware family tree: 1) locker ransomware and 2) crypto ransomware.

Locker ransomware effectively locks Windows access preventing the user from accessing their desktop or files. Typically designed to prevent access to one’s computer interface, Locker ransomware mostly leaves the underlying system and files unaltered.  A message would be displayed on the screen with instructions on how to regain access to the files. Winlocker is an example of this type of ransomware.

Crypto ransomware was designed to prevent access to specific, valuable data by encrypting the files using strong, public-key encryption. After performing the encryption, the bad actor would demand payment in exchange for a key that could be used to decrypt the files. Examples of this type of ransomware include Cryptolocker and CryptoWall among others.

Ransomware History

Modern crypto ransomware variants didn’t really come into the forefront of cybersecurity until around 2005. However, would you believe the first of this type was seen in 1989? The AIDS Trojan was identified in 1989 in England, making it the first of its kind. Also known as PC Cyborg Trojan it was propagated by mail…that’s right, no ‘e’. The creator of the virus, Dr. Joseph Popp snail-mailed some 20K diskettes through physical postage to victims under the guise of supplying AIDS research information.

The malware would replace the AUTOEXEC.BAT file when the diskette was inserted into the user’s disk drive. The altered BAT file would track the number of times the computer was rebooted. When the boot count reached 90, a splash screen informed the user of their situation: “Unless you pay me $$ you will not get your files back”. The virus worked by encrypting filenames. Relatively primitive in design, it nonetheless rendered the files unusable. It didn’t take long for security researchers to reverse engineer the code and give users the ability to unlock their files.

The AIDS Trojan established the ransomware threat in 1989 but this type of malware wasn’t widely used in cybercrime until many years later. Jump forward to 2005 to see the accelerated acceptance and use of ransomware by criminal enterprises and bad actors.

Evolution of Ransomware

Ransomware in today’s threat landscape is affecting users worldwide. Different variants have evolved over the years. Driven by criminal enterprises who have seen the opportunity for financial gain, this family of malware has seen a dramatic increase in use over the last 15 years. Other direct revenue-generating risks in the digital age include misleading apps and fake anti-virus.

Misleading Applications

Some of the early manifestations of revenue generating malware were called “misleading applications” and “fake anti-virus”. The first wave of these types of malware was identified around 2005.

Misleading applications intentionally misrepresent the security status of a user’s system. Fake anti-virus programs attempt to convince the user to purchase software to remove non-existent malware or security risks from the computer. Pop-up Ads would be presented to users while browsing, usually from sites which had been compromised. The ads posed as spyware removal tools, system performance optimizers or anti-virus solutions.

The ads would exaggerate the condition of the system or the impact of a discovered “threat”. The offer was to fix these issues for a small license fee. As a rule, there were no actual threats or issues and even if the user paid the extortion fee nothing was changed on their system.

These were not ransomware by the strict definition, but nonetheless they exploited a user’s lack of security awareness and fear. SpywareClear, ImproveSpeedPC, SpySherriff, and RegistryCare are early examples of this type of malware.

Locker and Crypto Ransomware

Around 2008 the attack methodology shifted from fake anti-virus to a more troublesome form of revenue generating malware. Enter the Locker Ransomware family of malware. Now, cybercriminals disabled access and control of a user’s computer, effectively holding the system hostage until payment is made.

Not only did the cybercriminals increase the impact to the user’s system with lockerware they also increased the dollar amounts they were demanding. Additionally, as the use of locker ransomware gained popularity (its use peaked around 2011 and 2012) it shifted from just reporting non-existent issues or errors to actually taking control of access to the computer.

2013 brought the next step in the malware evolution: crypto ransomware. This was the year that the first variant of CryptoLocker was identified, and with it came a new mechanic in the ransomware modus operandi: asymmetric encryption.

As was discussed earlier, locker ransomware changed access controls and prevented a user from accessing the data. This meant that the data was still on the system in a readable format but a user could not access it through the OS.  Crypto ransomware differed in that it actually rendered the data unreadable by using encryption techniques. The user still had logical access to the data files but could not read them.

CryptoLocker was a hugely successful but short-lived variant in this malware family. The original CryptoLocker botnet that controlled it was shut down in the middle of 2014. However, it was reported that hackers successfully extorted nearly $3 million USD before being shut down.

The old saying “imitation is the sincerest form of flattery” very appropriately describes cybercriminal activity in the crypto ransomware field subsequent to CryptoLocker.  Since its launch, cybercriminals have widely mimicked and copied the CryptoLocker approach. So much so that the Cryptolocker name has become synonymous with ransomware.

Ransomware – What Lies Ahead

Ransomware is a constantly evolving threat. It is difficult to predict the direction ransomware will head in the coming years. The threat landscape is continually changing with cybercriminals always looking for new methods and vectors in which to generate revenue. The ransomware concept has matured to a healthy level so much so that “Ransomware as a Service” is an identifiable vertical in the cybersecurity theater.

The battle against ransomware is a major task that requires everyone’s participation. Engineers and production designers creating new technologies or products will need to embed security into their creation process by considering use cases that could be leveraged for malicious intent. End users will need to stay vigilant and utilize basic security best practices to help protect their data. Security awareness needs to be emphasized to end users to help them avoid clicking on malicious links and making sure their systems and software are appropriately patched.

One of the most important (and underemphasized) mitigation steps that you can take to protect yourself and your data is making backups. At the least, back up the data that is important to you and do it on a regular basis.

Ransomware Solutions

There is no bullet-proof solution when it comes to cybersecurity.   Security is a process, not a product.  Knowledge is a powerful weapon in the fight against cybercriminals. This knowledge can be gained by both individual research and professional consultation. While reading up on ransomware and cybersecurity will increase your awareness of threats and help you better understand how to recognize and avoid future attacks, a consultation with SecurIT360 can provide valuable tools to take your cybersecurity strategy to the next level.

If you would like to learn more about how you can protect your corporate data, please click here to contact us. SecurIT360 provides audits, assessments, and analysis of systems and operations across multiple industries including legal, financial, utilities, and healthcare.  Let us help you determine where you should spend your time and money protecting your information.


A Vulnerability Scan is NOT a Penetration Test (Pentest)

What is the difference between a Penetration Test and a Vulnerability Scan?

Understanding the difference between a penetration test and a vulnerability scan is critical to understanding security posture and managing risk. Vulnerability scans and Penetration tests (pen test for short) are very different from each other in both process and outcome. However, sometimes the terms are incorrectly used interchangeably. In this article, we will explore the differences between the two as well as how they relate to each other.

Starting with the definitions of each, you can see an immediate differentiator: the objective.

The objective of a vulnerability scan is to identify, rank, and report vulnerabilities or potential vulnerabilities that, if exploited, may result in system compromise. The objective of a penetration test is to discover and exploit existing exposures that could allow access to sensitive information or resources. Where the vulnerability scan is looking for open doors the pen test is entering those open doors.

Another major difference between the two is in the process and cost. Penetration testing requires the use of multiple tools and an experienced, certified security professional to conduct and monitor the test. During the engagement, the pen tester will write scripts, change the parameters of the attack, and change settings on the tools being used; it is a very hands-on process.

On the other hand, a vulnerability scan is an automated process that does not require real-time management. It is generally conducted using a single tool and can be scheduled to run without manual intervention or manipulation. It does, however, require specific knowledge of the products and systems being scanned and of the surrounding environment.

Additionally, there is a difference in scope. Depending on the requirement, a pen test targets high-value assets and the systems associated with them, including data assets and business functions. Vulnerability scans are generally enterprise-wide and touch servers, routers, firewalls, switches, and applications.

Even though a pen test is usually targeted or scoped to a single subject, it requires more time to complete. In comparison, vulnerability scans take a short period of time. Depending on the size of the project, a vulnerability scan can finish in hours, compared to a pen test which can take days or even weeks.

There are various reasons for an organization to conduct pen tests and/or vulnerability scans. Satisfying compliance standards, defining a security posture, determining the effectiveness of security controls, and testing an incident response program are among them. Even though they are accomplished using different toolsets and processes, both pen tests and vulnerability scans serve important functions for protecting your environment and reducing risk.

If you would like to learn more about pen and vulnerability testing or discuss in greater detail how this could benefit your business please click here to contact us. You can also click here to subscribe to our blog which covers multiple topics on security threats and assessments. SecurIT360 provides audits, scans, and analysis of various systems and businesses across multiple industries including legal, financial, utilities, and healthcare. Let us help you determine where you should spend your time and money protecting your information.


The Zenis Ransomware Variant Goes the Extra Mile

Overview

Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer or files. A subset of ransomware called crypto ransomware (or crypto virus) has seen a dramatic rise in use over the last few years. Crypto ransomware’s modus operandi involves encrypting popular and common file types on a compromised system and then demanding a ransom from the user for a key that can then be used to decrypt the files.

In Q3 2017, according to Malwarebytes, a company is hit with ransomware every 40 seconds. This was an increase of 3x over Q1. “While attacks against consumers are still more prevalent, this acceleration in attacks against businesses indicates criminals are developing targeted campaigns and setting their sights on bigger scores.”[1]

When a particular type of malware proves to be effective (and profitable), many variants inevitably arise. A recently discovered ransomware variant titled Zenis is one of the new breed. Not only does Zenis encrypt files on a compromised system, it also disables the Windows repair and backup option and deletes shadow volume copies on the system.

Zenis is currently in the wild and the exact distribution method is unknown at this time. Initial analysis suggests compromised Remote Desktop Services could be used.

Ransomware Behavior

After Zenis is installed on a target system, it performs the following steps:

  • Checks that the file name it was executed from is “iis_agent32.exe”
  • Checks that a registry value named “Active” exists under HKEY_CURRENT_USER\SOFTWARE\ZenisService
    • If both conditions are met, it creates a ransom note and proceeds with the steps below
  • Deletes shadow volume copies
  • Disables startup repair
  • Clears event logs
  • Terminates processes:
    • sql
    • taskmgr
    • regedit
    • backup
  • Encrypts files
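The behaviour list above is the kind of chain a defender can look for in process-creation telemetry. The following is an added example, not code from the original post: it classifies constructed Sysmon/EDR-style events against the listed steps. The file name and registry value are taken from the post; the command-line patterns for the destructive steps are the usual Windows utilities for those actions and are my assumption, since the post does not name the commands Zenis uses.

```python
"""Classify process-creation events against the Zenis behaviour chain."""
import re

# Behaviour -> regex over the lower-cased command line. The utilities named
# here are an assumption (standard Windows tools for each action).
BEHAVIOUR_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"),
    "startup_repair_disabled": re.compile(
        r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    "event_log_cleared": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b"),
    "process_termination": re.compile(r"taskkill(\.exe)?.*/im\s+(sql|taskmgr|regedit|backup)"),
}
ZENIS_IMAGE = "iis_agent32.exe"  # file name Zenis checks for (from the post)
ZENIS_REG_VALUE = r"hkey_current_user\software\zenisservice\active"  # from the post
DESTRUCTIVE = {"shadow_copy_deletion", "startup_repair_disabled", "event_log_cleared"}


def classify(event):
    """Return the set of Zenis-style behaviours one event matches (may be empty)."""
    hits = set()
    cmd = event.get("command_line", "").lower()
    for name, pattern in BEHAVIOUR_PATTERNS.items():
        if pattern.search(cmd):
            hits.add(name)
    if event.get("image", "").lower().endswith(ZENIS_IMAGE):
        hits.add("zenis_image_name")
    if event.get("registry_target", "").lower() == ZENIS_REG_VALUE:
        hits.add("zenis_registry_marker")
    return hits


def score_host(events):
    """Aggregate one host's events; alert on the registry marker or 2+ destructive steps."""
    seen = set()
    for event in events:
        seen |= classify(event)
    alert = "zenis_registry_marker" in seen or len(seen & DESTRUCTIVE) >= 2
    return {"behaviours": sorted(seen), "likely_zenis": alert}


# Constructed sample telemetry (not real captures) for one host.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\Temp\iis_agent32.exe", "command_line": r"C:\Windows\Temp\iis_agent32.exe"},
    {"image": r"C:\Windows\Temp\iis_agent32.exe",
     "registry_target": r"HKEY_CURRENT_USER\SOFTWARE\ZenisService\Active"},
    {"image": r"C:\Windows\System32\vssadmin.exe", "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"image": r"C:\Windows\System32\bcdedit.exe", "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil cl System"},
    {"image": r"C:\Windows\System32\taskkill.exe", "command_line": "taskkill /F /IM taskmgr.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))
```

Any single one of these events can be legitimate administration; the value is in correlating several of them on one host within a short window.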

Protect Yourself

Following good computing habits and using security software is important in protecting your systems from ransomware. Some best practices are as follows:

  • Back up your system and store backup data off-site.
  • Do not open attachments if you do not know who sent them.
  • After verifying that an attachment has come from a known source, scan the attachment.
  • Make sure all Windows updates are installed as soon as they are released. Also, make sure you update all programs, especially Java, Flash, and Adobe Reader.
  • Make sure you have some sort of security software installed that uses behavioral detection or whitelist technology.
  • Use strong passwords and do not reuse passwords on multiple sites.


Some additional guidance on hardening your system against ransomware can be found here: https://www.bleepingcomputer.com/news/security/how-to-protect-and-harden-a-computer-against-ransomware/


[1] Barkly, “Ransomware statistics 2017”, https://blog.barkly.com/ransomware-statistics-2017