Categories
Uncategorized

Cloud Computing and Security

Cloud Computing

In its broadest term, Cloud Computing can be defined as the practice of using a network of remote servers hosted by a provider on the Internet (“the Cloud”) to store, manage and process data. In the current enterprise landscape, organizations (called tenants) are steadily migrating technologies to and services into the Cloud looking for a competitive advantage that will enable the business to set themselves apart from the rest of the pack. These advantages of Cloud computing include a reduction in start-up costs, lower capital expenditures, utilization of on-demand IT services, and the dynamic allocation of computing resources and capacities. Along with these and other benefits comes the ubiquitous security effort of protecting the data that is stored and processed in the Cloud.
Even though companies are moving these technologies and services to a third-party entity (the provider) the responsibility for ensuring the integrity and confidentiality of the data still resides with the tenant. It does not change the fact that preventative and detective controls must be in place and corrective activities defined. The move only changes how information security is governed. In this article, we will look at some of the challenges surrounding Cloud Security.

Types and Uses of Cloud Computing

Before we jump into the myriad of topics that make up Cloud computing security let’s look at the types of Cloud computing and their uses. Most Cloud computing services fall into three categories: infrastructure as a service (IaaS), platform as a service (PaaS) or software as a service (SaaS).

Infrastructure-as-a-Service (IaaS)

The most basic category of Cloud computing services is Infrastructure-as-a-Service, termed as IaaS. With IaaS, an organization is renting IT infrastructure; servers, virtual machines, storage, and networks.

Platform-as-a-Service (PaaS)

This category of Cloud computing provides a platform and environment for developers to develop, test and deliver software applications.

Software-as-a-Service (SaaS)

This category provides applications and software solutions on demand over the internet, accessible to the user, usually via a web browser.

Cloud Security

When moving services and data to the Cloud, an organization needs to understand that security and compliance are a shared responsibility between the tenant and the provider. This is referred to as a shared responsibility model. Depending on the Cloud service that is being utilized, the security responsibility of the tenant includes patching operating systems as well as the applications (IaaS). But as the Cloud service changes, so does the responsibility. Example: when a tenant subscribes to an IaaS offering they are responsible for the OS, application and data security. If the tenant moves to a PaaS offering they are no longer responsible for the OS maintenance and the patching of that OS. Figure 1-1 graphically depicts the boundaries and ownership of security responsibilities. Regardless of the services utilized, the tenant is always responsible for their data security.
An oft-used phrase when discussing cloud security is “the tenant is responsible for security IN the cloud and the provider is responsible for security OF the cloud.” As you can see in Figure 1-1 the security of the data is ultimately the responsibility of the tenant.

Figure 1-1 Security Responsibility in the Cloud

Moving to the Cloud?

Is your organization looking to moving to the Cloud? Are you evaluating providers to find out what service will work best for your requirements? If so, there are a few questions/issues that should be clarified to make an informed decision before committing to a move.

·       What controls does the Cloud provider already have in place and can attest to?

·       Will the provider be willing to submit to external audits and security certifications?

·       Where will your data be located? Regulatory requirements might dictate where the provider must process and store data.

·       What oversight does the provider have over the hiring of administrators who will be operating in their Cloud environment? You may require the provider to follow your hiring criteria.

·       What is done to ensure the segregation of your data if the provider is servicing your data in a multi-tenant environment? Find out what controls or protocols are used to segregate your data and verify that these controls are being enforced. “Trust but verify”

·       What is the process for reclaiming your data in the event of a separation or acquisition? What happens if the provider gets acquired by a different third party?  Make sure that your data will be in a format that can be exported and usable.

·       Will the provider be able to completely restore your data or service in the event of a disaster? How long will it take to restore your data?

·       Will they support eDiscovery and the investigative process?

Your Data/Your Responsibility

Don’t fall into an “out of sight, out of mind” mode about your data when you move to Cloud services. It’s your data and the security of that data is, and always will be your responsibility regardless of where it is stored or processed.

Breaches can cause serious damage to your reputation and significant expense for your company.  Cyber Liability insurance is not enough.  In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.

SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm.  
If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.

References:

ENISA – Cloud Computing Risk Assessment
https://www.enisa.europa.eu/publications/cloud-computing-risk-assessment

Cloud Security Alliance – Security Guidance for cloud computing
https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/security-guidance-v4-FINAL.pdf

Categories
Computer & Network Security

Everything you wanted to know about Ransomware…but were afraid to ask

What is Ransomware?

Ransomware is a type of malicious software that prevents users from accessing their computer system or files until a sum of money (ransom) is paid. In the malware landscape, ransomware has earned itself a well-deserved nasty reputation.

There are two types of ransomware identified in this branch of the malware family tree; 1) locker ransomware and 2) crypto ransomware

Locker ransomware effectively locks Windows access preventing the user from accessing their desktop or files. Typically designed to prevent access to one’s computer interface, Locker ransomware mostly leaves the underlying system and files unaltered.  A message would be displayed on the screen with instructions on how to regain access to the files. Winlocker is an example of this type of ransomware.

Crypto ransomware was designed to prevent access to specific, valuable data by encrypting the files using strong, public-key encryption. After performing the encryption, the bad actor would demand payment in exchange for a key that could be used to decrypt the files. Examples of this type of ransomware include Cryptolocker and CryptoWall among others.

Ransomware History

Modern crypto ransomware variants didn’t really come into the forefront of cybersecurity until around 2005. However, would you believe the first of this type was seen in 1989? The AIDS Trojan was identified in 1989 in England, making it the first of its kind. Also known as PC Cyborg Trojan it was propagated by mail…that’s right, no ‘e’. The creator of the virus, Dr. Joseph Popp snail-mailed some 20K diskettes through physical postage to victims under the guise of supplying AIDS research information.

The malware would replace the AUTEXEC.BAT file when the diskette was inserted into the user’s disk drive. The altered BAT file would track the number of times the computer was rebooted.  When the boot count reached 90 a splash screen informed the user of their situation; “Unless you pay me $$ you will not get your files back”. The virus worked by encrypting filenames. Relatively primitive in design it nonetheless rendered the files unusable. It didn’t take long for security researchers to reverse engineer the code and give users the ability to unlock their files.

The AIDS Trojan established the ransomware threat in 1989 but this type of malware wasn’t widely used in cybercrime until many years later. Jump forward to 2005 to see the accelerated acceptance and use of ransomware by criminal enterprises and bad actors.

Evolution of Ransomware
Ransomware in today’s threat landscape is affecting users worldwide. Different variants have evolved over the years. Driven by criminal enterprises who have seen the opportunity for financial gain, this family of malware has seen a dramatic increase in use over the last 15 years. Other direct revenues generating risks in the digital age include misleading apps and fake anti-virus.

Misleading Applications

Some of the early manifestations of revenue generating malware were called “misleading applications” and “fake anti-virus”. The first wave of these types of malware was identified around 2005.

Misleading applications intentionally misrepresent the security status of a user’s system. Fake anti-virus programs attempt to convince the user to purchase software to remove non-existent malware or security risks from the computer. Pop-up Ads would be presented to users while browsing, usually from sites which had been compromised. The ads posed as spyware removal tools, system performance optimizers or anti-virus solutions.

The ads would exaggerate the condition of the system or the impact of a discovered “threat”. The offer was to fix these issues for a small license fee. As a rule, there were no actual threats or issues and even if the user paid the extortion fee nothing was changed on their system.

These were not ransomware by the strict definition but nonetheless, they exploited a user’s lack of security awareness and fear.SpywareClear, ImproveSpeedPC, SpySherriff, and RegistryCare are early examples of this type of malware.

Locker and Crypto Ransomware

Around 2008 the attack methodology shifted from fake anti-virus to a more troublesome form of revenue generating malware. Enter the Locker Ransomware family of malware. Now, cybercriminals disabled access and control of a user’s computer, effectively holding the system hostage until payment is made.

Not only did the cybercriminals increase the impact to the user’s system with lockerware they also increased the dollar amounts they were demanding. Additionally, as the use of locker ransomware gained popularity (its use peaked around 2011 and 2012) it shifted from just reporting non-existent issues or errors to actually taking control of access to the computer.

2013 brought the next step in the malware evolution; crypto ransomware. This was the year that the first variant of CryptoLocker was identified and with it a came a new mechanic to the ransomware modus operandi; asymmetric encryption.

As was discussed earlier, locker ransomware changed access controls and prevented a user from accessing the data. This meant that the data was still on the system in a readable format but a user could not access it through the OS.  Crypto ransomware differed in that it actually rendered the data unreadable by using encryption techniques. The user still had logical access to the data files but could not read them.

CryptoLocker was a hugely successful but short-lived variant in this malware family. The original CryptoLocker botnet that controlled it was shut down in the middle of 2014. However, it was reported that hackers successfully extorted nearly $3 million USD before being shut down.

The old saying “imitation is the sincerest form of flattery” very appropriately describes cybercriminal activity in the crypto ransomware field subsequent to CryptoLocker.  Since its launch, cybercriminals have widely mimicked and copied the CryptoLocker approach. So much so that the Cryptolocker name has become synonymous with ransomware.

Ransomware – What Lies Ahead

Ransomware is a constantly evolving threat. It is difficult to predict the direction ransomware will head in the coming years. The threat landscape is continually changing with cybercriminals always looking for new methods and vectors in which to generate revenue. The ransomware concept has matured to a healthy level so much so that “Ransomware as a Service” is an identifiable vertical in the cybersecurity theater.

The battle against ransomware is a major task that requires everyone’s participation. Engineers and production designers creating new technologies or products will need to embed security into their creation process by considering use cases that could be leveraged for malicious intent. End users will need to stay vigilant and utilize basic security best practices to help protect their data. Security awareness needs to be emphasized to end users to help them avoid clicking on malicious links and making sure their systems and software are appropriately patched.

One of the most important (and underemphasized) mitigation strategies that you can do to protect yourself and your data is making backups. At the least, backup the data that is important to you and do it on a regular basis.

Ransomware Solutions

There is no bullet-proof solution when it comes to cybersecurity.   Security is a process, not a product.  Knowledge is a powerful weapon in the fight against cybercriminals. This knowledge can be gained by both individual research and professional consultation. While reading up on ransomware and cybersecurity will increase your awareness of threats and help you better understand how to recognize and avoid future attacks, a consultation with SecurIT360 can provide valuable tools to take your cybersecurity strategy to the next level.

If you would like to learn more about how you can protect your corporate data, please click here to contact us. SecurIT360 provides audits, assessments, and analysis of systems and operations across multiple industries including legal, financial, utilities, and healthcare.  Let us help you determine where you should spend your time and money protecting your information.

Categories
Research|Computer & Network Security>Vulnerabilities

A Vulnerability Scan is NOT a Penetration Test (Pentest)

What is the difference between a Penetration Test and a Vulnerability Scan?

Understanding the difference between a penetration test and a vulnerability scan is critical to understanding security posture and managing risk. Vulnerability scans and Penetration tests (pen test for short) are very different from each other in both process and outcome. However, sometimes the terms are incorrectly used interchangeably. In this article, we will explore the differences between the two as well as how they relate to each other.

Starting with the definitions of each you can see an immediate differentiator, the objective.

The objective of a vulnerability scan is to identify, rank, and report vulnerabilities or potential vulnerabilities that, if exploited, may result in system compromise. The objective of a penetration test is to discover and exploit existing exposures that could allow access to sensitive information or resources. Where the vulnerability scan is looking for open doors the pen test is entering those open doors.

Another major difference between the two is in the process and cost. Penetration testing requires the use of multiple tools and an experienced, certified security professional to conduct and monitor the test. During her/his engagement, the pen tester will generate scripts, change parameters of the attack and change settings on the tools being used. A very hands-on process.

On the other hand, a vulnerability scan is an automated process that does not require real-time management. The scan is automated and generally conducted using a single tool. Vulnerability scans can be scheduled to run automatically without manual intervention or manipulation. It does, however, require specific knowledge of the products/systems and the environment being scanned.

Additionally, there is a difference in scope. Depending on the requirement, a pen test will target high-value assets and the associated targets. This includes data assets and business functions. Vulnerability scans are generally enterprise-wide and touch servers, routers, firewalls, switches, and applications.

Even though a pen test is usually targeted/scoped for a single subject it requires more time to complete. In comparison, vulnerability scans take a short period of time. Depending on the size of the project a vulnerability scan can finish in hours compared to a pen test which can take days or even weeks.

There are various reasons for an organization to conduct pen tests and/or vulnerability tests. Satisfying compliance standards, defining a security posture, determining the effectiveness of security controls or testing an incident response program are among these reasons. Even though they are accomplished using different toolsets and processes, both pen tests and vulnerability scans serve important functions for protecting your environment and reducing risk.

If you would like to learn more about pen and vulnerability testing or discuss in greater detail how this could benefit your business please click here to contact us. You can also click here to subscribe to our blog which covers multiple topics on security threats and assessments. SecurIT360 provides audits, scans, and analysis of various systems and businesses across multiple industries including legal, financial, utilities, and healthcare. Let us help you determine where you should spend your time and money protecting your information.

Categories
Computer & Network Security>Malware

The Zenis Ransomware Variant Goes the Extra Mile

Overview

Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer or files.  A subset of ransomware called crypto ransomware (or crypto virus) has seen a dramatic rise in use over the last few years.  Crypto ransomware’s modus operandi involves encrypting popular and common file types on a compromised system and then demanding a ransom from the user for a key that can then be used to decrypt the files.

In Q3 2017, according to Malwarebytes, a company is hit with ransomware every 40 seconds.  This was an increase of 3x over Q1.  “While attacks against consumers are still more prevalent, this acceleration in attacks against businesses indicates criminals are developing targeted campaigns and setting their sights on bigger scores”[1]

When a particular type of malware proves to be effective (and profitable) many variants inevitably arise.  A recently discovered ransomware-type variant titled Zenis is one of the new breed.  Not only does Zenis encrypts files on a compromised system, it also disables the Windows repair and backup option and deletes shadow volume copies on the system.

Zenis is currently in the wild and the exact distribution method is unknown at this time.  Initial analysis suggests compromised Remote Desktop Services could be used.

Ransomware Behavior

After Zenis is installed on a target system it executes the following processes:

  • Runs a check to verify that it’s executed file name is “iis_agent32.exe”
  • Runs a check to verify an “Active” registry value exists named KEY_CURRENT_USERSOFTWAREZenisService.
    • If these two conditions are met then it proceeds to create a ransom note and proceeds with its next steps
  • Deletion of shadow volume copies
  • Disable startup repair
  • Clear event logs
  • Termination of Processes
    • sql
    • taskmgr
    • regedit
    • backup
  • Encrypts Files

 Protect Yourself

Following good computing habits and utilization of security software is important in protecting your systems from ransomware.  Some best practices are as follows:

  • Backup your system and store backup data off-site
  • Do not open attachments if you do not know who sent them.
  • After verifying that an attachment has come from a known source, scan the attachment
  • Make sure all Windows updates are installed as soon as they are released.  Also, make sure you update all programs, especially Java, Flash, and Adobe Reader.
  • Make sure you use have some sort of security software installed that uses behavioral detections or white list technology.
  • Use strong passwords and do not reuse passwords on multiple sites.

 

Some additional guidance you can reference to hardening your system against ransomware can be found here:  https://www.bleepingcomputer.com/news/security/how-to-protect-and-harden-a-computer-against-ransomware/ .

 

[1] Barkly https://blog.barkly.com/ransomware-statistics-2017