
Our top 5 findings from IT security audits

What are the top things we have learned from performing 200+ security audits?

1.  The “major issues” do not change

Good security is good security, and you can think of the major security issues as giant “targets” within your organization: targets the bad guys are regularly shooting at and hoping will drift into their line of fire. You can easily spot and name these targets: user awareness, access control, backups/recoverability, etc.  These are the primary topics that most compliance requirements are built on. Identifying these large targets and putting in the appropriate safeguards to make them smaller are the goals of a good security program.

2.  Security is a moving target

Even though the “major issues” (the targets) do not change, do not confuse this with thinking that the targets are stationary.  Once they have been identified, key performance indicators should be established so that they can be measured and continuous improvement can be realized.  As these targets move around, they tend to grow over time. If your security program has no component of measurement and continuous improvement, your “small targets” can quickly become large enough for the bad guys to see.  Just because you did well yesterday doesn’t mean you will do well tomorrow unless you keep pace with the moving targets.

3.  Most people like the “idea” of being secure

It holds true that almost everyone likes the “idea” of being secure.   Far fewer actually want to take the steps to become secure, usually because of one or more myths:

  • Cost – they believe they require an expensive “widget” to achieve their security goals
  • Effort – the time/manpower simply does not exist (and cannot be prioritized)
  • Impact – the changes proposed will affect the user population too greatly
  • Denial – that will never happen to us OR we are already secure

At the end of the day, security comes down to making risk-based decisions.  If these decisions are accurately recorded and measured, deciding whether to mitigate a given risk should be easy; it comes down to one question:

What are the potential consequences if I do NOT do this?

4.  That’s not “security” related

At some point during an audit interview (usually several times), while discussing almost any topic, some detail comes up that elicits the response “that’s not security related” from the client or user.  We find that people often have a hard time relating everyday events to security issues. They understand that a “hacker” or a “virus” is a security issue, but may not view things like service interruptions or high resource utilization as security related, even though availability is one of the three pillars of security and unexplained resource consumption is often the first visible symptom of a compromise.

5. Gadgets and gizmos will not make you secure

One of the mantras we regularly preach to our clients is that security is all about the “process,” not the “product.”  We do this because of the large number of people who believe that “if I buy the latest HyperWall from DarkPlus with the VisorNet addon, I will automagically be secure!”  No matter how much we would like our gadgets to be plug-and-play, without some form of human interaction on the back end the tool will become stale and less useful over time (or it may never have worked to begin with). Measure the state of your security products and programs and strive to improve them over time; that is what makes them effective.

We hope that these five keys will help you better evaluate your security.  If you would like to learn more about how you can protect your corporate data, please click here to contact us.  SecurIT360 provides audits, scans, and analysis of various systems and businesses across multiple industries including legal, financial, utilities, and healthcare.  Let us help you determine where you should spend your time and money protecting your information.


Everything you wanted to know about Ransomware…but were afraid to ask

What is Ransomware?

Ransomware is a type of malicious software that prevents users from accessing their computer system or files until a sum of money (ransom) is paid. In the malware landscape, ransomware has earned itself a well-deserved nasty reputation.

Two types of ransomware are identified in this branch of the malware family tree: 1) locker ransomware and 2) crypto ransomware.

Locker ransomware locks the user out of the operating system (typically Windows), preventing access to the desktop or files. Designed to block the computer’s interface rather than to alter the data, locker ransomware mostly leaves the underlying system and files untouched; a message is displayed on the screen with instructions on how to pay to regain access. Because the files themselves are intact, this type can often be cleaned up by booting from separate rescue media. Winlocker is an example of this type of ransomware.

Crypto ransomware is designed to prevent access to specific, valuable data by encrypting the files, with the encryption keys protected by strong public-key cryptography so that only the holder of the matching private key can unlock them. After performing the encryption, the bad actor demands payment in exchange for that key (or a decryption tool that contains it). Examples of this type include CryptoLocker and CryptoWall, among others.

Ransomware History

Modern crypto ransomware variants didn’t really come to the forefront of cybersecurity until around 2005. However, would you believe the first of this type was seen in 1989? The AIDS Trojan, also known as the PC Cyborg Trojan, was identified in 1989 in England, making it the first of its kind. It was propagated by mail…that’s right, no ‘e’. Its creator, Dr. Joseph Popp, snail-mailed some 20,000 diskettes to victims under the guise of supplying AIDS research information.

When the diskette was inserted, the malware replaced the AUTOEXEC.BAT file. The altered batch file tracked the number of times the computer was rebooted, and when the boot count reached 90 a splash screen informed the user of their situation: “Unless you pay me $$ you will not get your files back”. The virus worked by encrypting filenames. Relatively primitive in design (a symmetric scheme, with the key carried inside the program itself), it nonetheless rendered the files unusable. It didn’t take long for security researchers to reverse engineer the code and give users the ability to unlock their files.

The AIDS Trojan established the ransomware threat in 1989 but this type of malware wasn’t widely used in cybercrime until many years later. Jump forward to 2005 to see the accelerated acceptance and use of ransomware by criminal enterprises and bad actors.

Evolution of Ransomware
Ransomware in today’s threat landscape affects users worldwide. Different variants have evolved over the years. Driven by criminal enterprises that have seen the opportunity for financial gain, this family of malware has seen a dramatic increase in use over the last 15 years. Other direct revenue-generating threats in the digital age include misleading apps and fake anti-virus.

Misleading Applications

Some of the early manifestations of revenue generating malware were called “misleading applications” and “fake anti-virus”. The first wave of these types of malware was identified around 2005.

Misleading applications intentionally misrepresent the security status of a user’s system. Fake anti-virus programs attempt to convince the user to purchase software to remove non-existent malware or security risks from the computer. Pop-up ads were presented to users while browsing, usually from sites that had been compromised. The ads posed as spyware removal tools, system performance optimizers or anti-virus solutions.

The ads exaggerated the condition of the system or the impact of a discovered “threat” and offered to fix these issues for a small license fee. As a rule there were no actual threats or issues, and even if the user paid the fee nothing was changed on their system.

These were not ransomware by the strict definition, but they nonetheless exploited a user’s lack of security awareness and fear. SpywareClear, ImproveSpeedPC, SpySherriff, and RegistryCare are early examples of this type of malware.

Locker and Crypto Ransomware

Around 2008 the attack methodology shifted from fake anti-virus to a more troublesome form of revenue-generating malware: the locker ransomware family. Now cybercriminals disabled access to and control of a user’s computer, effectively holding the system hostage until payment was made.

Not only did cybercriminals increase the impact on the user’s system with locker ransomware, they also increased the dollar amounts they demanded. As locker ransomware gained popularity (its use peaked around 2011 and 2012), the approach shifted from merely reporting non-existent issues or errors to actually taking control of access to the computer.

2013 brought the next step in the evolution: crypto ransomware. This was the year the first variant of CryptoLocker was identified, and with it came a new mechanism in the ransomware modus operandi: asymmetric encryption. The key pair is generated on the criminals’ server and only the public key is sent to the infected machine, so nothing left on the victim’s system can reverse the encryption.

As discussed earlier, locker ransomware changed access controls and prevented a user from reaching the data. The data was still on the system in readable form; the user simply could not get to it through the OS.  Crypto ransomware differed in that it actually rendered the data unreadable using encryption. The user still had logical access to the files but could not read them, and bypassing the OS would not bring them back.
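The mechanism the two paragraphs above describe, shown as an added example in Go that is not part of the original article and is not code from CryptoLocker or any other family: envelope (hybrid) encryption, where each file gets a fresh random AES-256-GCM key and that key is wrapped with RSA-OAEP under a public key. The `SealedFile` layout, the function names and the sample document are all assumptions for illustration; the code works only on an in-memory byte slice and never touches the filesystem. What it demonstrates is why the victim’s machine holds nothing that can undo the encryption: only the public key is ever present there.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedFile stands in for what crypto ransomware writes back in place of the
// original file: the contents encrypted under a random per-file key, plus that
// key wrapped under the attacker's RSA public key. The layout is an assumption
// for illustration; real families use their own formats.
type SealedFile struct {
	WrappedKey []byte // per-file AES-256 key, RSA-OAEP encrypted to the public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // file contents plus the GCM authentication tag
}

// Seal encrypts one file's contents with a fresh symmetric key and wraps that
// key with the public key. Only the public key is ever present on the victim side.
func Seal(attackerPub *rsa.PublicKey, plaintext []byte) (*SealedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// The plaintext key is discarded; from here on the only copy is inside WrappedKey.
	for i := range fileKey {
		fileKey[i] = 0
	}
	return &SealedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Unseal is the "decryptor" the victim is asked to pay for: it needs the RSA
// private key, which the victim's machine never had.
func Unseal(priv *rsa.PrivateKey, sf *SealedFile) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sf.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sf.Nonce, sf.Ciphertext, nil)
}

// Demo runs the exchange end to end on a constructed document and reports
// (a) whether the holder of the private key recovers the file and
// (b) whether an unrelated key pair, standing in for anyone who is not the
// attacker, fails to.
func Demo() (ownerRecovers bool, strangerFails bool, err error) {
	attacker, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// Constructed sample input; not a real victim file.
	original := []byte("Q3 board minutes - CONFIDENTIAL\n...")

	sealed, err := Seal(&attacker.PublicKey, original)
	if err != nil {
		return false, false, err
	}
	got, err := Unseal(attacker, sealed)
	ownerRecovers = err == nil && bytes.Equal(got, original)

	_, err = Unseal(stranger, sealed)
	strangerFails = err != nil
	return ownerRecovers, strangerFails, nil
}

func main() {
	ok, fails, err := Demo()
	fmt.Println("private-key holder recovers file:", ok, "| other key pair fails:", fails, "| err:", err)
}
```

Running it prints `true` for the private-key holder and `true` for the stranger failing. The practitioner takeaway is the asymmetry: after `Seal` returns, the per-file key exists only inside `WrappedKey`, and unwrapping it requires the private half of a pair that was generated elsewhere, so neither memory forensics on the infected host nor bypassing the OS recovers the data. The authenticated GCM mode is also why a damaged or partially repaired ciphertext fails outright instead of yielding partial plaintext. The only routes that do not involve paying are a backup made before the encryption ran and stopping the process before it finishes.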

CryptoLocker was hugely successful but short-lived. The botnet that distributed it (Gameover ZeuS) was taken down in mid-2014, but by then its operators were reported to have extorted nearly $3 million USD.

The old saying “imitation is the sincerest form of flattery” aptly describes cybercriminal activity in the crypto ransomware field after CryptoLocker.  Since its launch, cybercriminals have widely mimicked and copied the CryptoLocker approach, so much so that the CryptoLocker name has become synonymous with ransomware.

Ransomware – What Lies Ahead

Ransomware is a constantly evolving threat, and it is difficult to predict where it will head in the coming years. The threat landscape is continually changing, with cybercriminals always looking for new methods and vectors to generate revenue. The ransomware concept has matured to the point that “Ransomware as a Service” is an identifiable vertical in the cybercrime economy.

The battle against ransomware is a major task that requires everyone’s participation. Engineers and product designers creating new technologies need to build security into their process by considering how their creations could be leveraged for malicious intent. End users need to stay vigilant and apply basic security best practices to protect their data. Security awareness needs to be emphasized so that users avoid clicking on malicious links and keep their systems and software patched.

One of the most important (and underemphasized) things you can do to protect your data is to make backups. At the least, back up the data that is important to you and do it on a regular basis. Keep at least one copy offline or otherwise out of reach of the machines it protects (ransomware that can reach a mounted backup drive or a synced share will encrypt it too), and periodically test that you can actually restore from it.

Ransomware Solutions

There is no bullet-proof solution when it comes to cybersecurity.   Security is a process, not a product.  Knowledge is a powerful weapon in the fight against cybercriminals. This knowledge can be gained by both individual research and professional consultation. While reading up on ransomware and cybersecurity will increase your awareness of threats and help you better understand how to recognize and avoid future attacks, a consultation with SecurIT360 can provide valuable tools to take your cybersecurity strategy to the next level.

If you would like to learn more about how you can protect your corporate data, please click here to contact us. SecurIT360 provides audits, assessments, and analysis of systems and operations across multiple industries including legal, financial, utilities, and healthcare.  Let us help you determine where you should spend your time and money protecting your information.


A Vulnerability Scan is NOT a Penetration Test (Pentest)

What is the difference between a Penetration Test and a Vulnerability Scan?

Understanding the difference between a penetration test and a vulnerability scan is critical to understanding your security posture and managing risk. Vulnerability scans and penetration tests (pen tests for short) differ in both process and outcome, yet the terms are sometimes used interchangeably. In this article we explore the differences between the two and how they relate to each other.

Starting with the definitions of each you can see an immediate differentiator, the objective.

The objective of a vulnerability scan is to identify, rank, and report vulnerabilities or potential vulnerabilities that, if exploited, could result in system compromise. The objective of a penetration test is to discover and exploit existing exposures that could allow access to sensitive information or resources. Where the vulnerability scan is looking for open doors, the pen test is walking through them. The distinction matters because a scanner usually infers a vulnerability from a version banner or a signature match, so its report includes false positives and misses weaknesses that only become exploitable when chained together; the pen test confirms what is actually exploitable and what an attacker could reach from there.

Another major difference is in process and cost. Penetration testing requires multiple tools and an experienced, certified security professional to conduct and monitor the test. During the engagement the pen tester will write scripts, change the parameters of an attack and adjust the settings of the tools in use. It is a very hands-on process.

A vulnerability scan, on the other hand, is an automated process that does not require real-time management. It is generally conducted with a single tool and can be scheduled to run without manual intervention. It does, however, require specific knowledge of the products/systems and the environment being scanned, both to configure the scan and to interpret its results.

There is also a difference in scope. Depending on the requirement, a pen test targets high-value assets and their associated systems, including data assets and business functions. Vulnerability scans are generally enterprise-wide and touch servers, routers, firewalls, switches, and applications.

Even though a pen test is usually scoped to a single subject, it takes more time to complete. Depending on the size of the environment a vulnerability scan can finish in hours, whereas a pen test can take days or even weeks.

There are various reasons for an organization to conduct pen tests and/or vulnerability scans: satisfying compliance standards, defining a security posture, determining the effectiveness of security controls or testing an incident response program, among others. Even though they use different toolsets and processes, both serve important functions in protecting your environment and reducing risk.

If you would like to learn more about pen and vulnerability testing or discuss in greater detail how this could benefit your business please click here to contact us. You can also click here to subscribe to our blog which covers multiple topics on security threats and assessments. SecurIT360 provides audits, scans, and analysis of various systems and businesses across multiple industries including legal, financial, utilities, and healthcare. Let us help you determine where you should spend your time and money protecting your information.