Top Ten Ways Companies Can Reduce Cyber Risk

cost-of-cyber-attacks-to-business-mq593szq6dt3vzuawhu5qtm2upt66jfkqpxzl18l8sMid-sized businesses are defined from about $50 million to $800 million in revenue. A 2017 report published by Keeper Security and the Ponemon Institute found more than 50% of small and medium business had been breached in the past 12 months, but only 14% of them rated their ability to defend against cyber-threats as “highly effective” (Keeper / Ponemon, 2017). According to the 2017 Verizon Data Breach Investigations Report, 75% of the breaches were caused by outsiders with 51% involving organized criminal groups and the remaining involved internal actors. Not surprising, malware installed via malicious email attachments was present in 50% of the breaches involving hacking(Verizon, 2017). Here are ten steps (applicable to any size business) you can take to shield your mid-sized business from cyber-attacks:

10) Train Staff Often:

Most cyber-attacks take the form of phishing and spear phishing which is hackers targeting individuals rather than computer systems – typically with the help of good social engineering (IT Governance Blog, 2017). Therefore, employees need to be educated to roll back what they share on social media and to opt out of data harvesting when they can. Training needs to be ongoing because the threat landscape and technology change so fast. For example, ransomware was not a serious attack vector 6 years ago, but it is front and center today. Additionally, crypto-currency mining networks is an exploit vector that is arguably less than 2 years old and growing rapidly. Lastly, training more often improves the company security culture and that is directly related to keeping a good business reputation and core customer base. Here are a few more training necessities:

1. Follow cyber security best practices and conduct audits on a regular basis – based on your selected one or two frameworks (Cobit 5, ISO 2700, etc)

2. Use games contest and prizes to teach cyber safety – leadership must do this as well.

3. Notify and educate staff of any current cyber-attacks – have a newsletter.

4. Teach them how to handle and protect sensitive data – do lunch and learns.

9) Secure Wireless Networks:

Wireless networks can be easily exploited by cyber attackers, unknowing guests, and even angry customers. Your network is not like a coffee shop community room but rather it’s like a bank vault with many segmented areas – map the segments and know their rank order value. To harden your wireless network, avoid WEP (Wired Equivalent Privacy) encryption (which can be cracked in minutes) and use only WPA2, which uses AES-based encryption and provides better security than WPA.

Fig 1. (WPA2 Selection Screen Clip).

wpa_top

If you have a Wi-Fi network, be sure access to the router is secured by a password and hidden so that it does not broadcast the network name. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Also, remember to password-protect access to the router. Additionally, for protection against brute-force attacks, protect your network with a complex passphrase containing at least 25 characters and including a mix of letters, upper and lower case and numerals and symbols. Use a firewall and encryption to safeguard your internet connection.

8) Physically Secure Your Environment:

Focusing on web tools and monitoring is needed, but it’s also important to remember there are physical concerns about securing your network as well. To a threat actor overcoming all of your security measures may be as easy as walking up to your router and pressing the reset button. Make sure that your key pieces of in-office infrastructure are secure, and that you’re monitoring them with video, sensors or other physical security controls. Make sure to be creative and thorough about how you define a physical security connection point including: doors, public lobbies, windows, air vents, turnstiles, roofs, printer room, network closet, and USB ports on machines, etc. Lastly, employees should keep their devices near them at all times.

7) Double Down on Firewalls:

While most routers have a firewall built in that can protect your internal network against outside attacks, you should know that it may not be automatically activated. It’s generally called something like SPI (stateful packet inspection) or NAT (network address translation). Either way, turn it on (Chelsea Segal, Cox Blue, 09/16/18).

It’s also important to ensure that your own software isn’t sending information out over the network or the internet without your permission. For that, you’ll want to install firewall software on your PC as well. PC Magazine’s top pick is Check Point ZoneAlarm Pro, but the default firewall that comes with Windows 8 and 10 is also a good start.

6) Evaluate Your Operational Resilience and Cyber-Security Practices Quarterly: 

A good start is the US-CERT’s Cyber Resilience Review (CRR), which helps organizations assess enterprise programs and practices across 10 domains including risk management, incident management, service continuity, and more (SBA, 2018). They can also use the CSET (Cyber Security Evaluation Tool), which is a free customizable multi-framework DHS created general cyber security assessment.

5) Review Control Access / IAM and Audit Access Regularly:

Administrative access to your systems should only be granted on a need-to-know basis – least privilege principle. The correct job roles should be in the correct windows access groups. Keep sensitive data – such as payroll – out of the hands of anyone who doesn’t need it to do their job, marketing for example. Remove unused, stale, or unnecessary IAM users/credentials. Also, consider decommissioning old systems for risk reduction and cost savings – with the appropriate project analysis done. Use a secure strong password especially for single sign on interfaces – two factor authentication. Organizations should audit their IAM user activity to see which users haven’t logged into AWS for at least 90 days and revoke their permissions. Monitor user activity in all cloud services (including IAM user activity) to identify abnormal activity indicative of threats arising from a compromised account, or malicious/negligent internal employee – when corroborated with event logs and related intelligence.

4) Back up and Secure Your Systems and Data but Don’t Over Retain:

Ransomware, or viruses used by hackers to encrypt an organization’s computer files and detain them until a ransom is paid, has emerged as a serious and growing threat to businesses worldwide, according to the FBI (FBI CISO Report 2018). Whether data is stored in the cloud, on-premises, or in a hybrid data center, businesses should back up all files to hard drives stored in a safe place outside the reach of cyberthieves. These are some key data backup subpoints.

1. Limit access to sensitive data to only a few authorized employees.

2. Encrypt all your sensitive data – do not over-classify.

3. Backup your data periodically and store it in an offsite location.

4. Protect all devices with access to your data – third party vendor implications.

5. If you accept credit cards transactions, secure each point of sale.

3) Create a Guidebook for Mobile Security:

While mobile devices allow for work anywhere, anytime, they create significant security challenges. The FCC suggests requiring users to password-protect their devices, encrypt data, and install security apps to prevent criminals from stealing information while the phone is on public networks (FCC, Feb 2018). Plus, set reporting procedures for lost or stolen mobile devices. Draft a BYOD policy that separates personal vs. corporate data and covers the below points.

1. Ensure your equipment has the latest security software and run anti-virus/malware scans regularly. If you don’t have good anti-virus software installed, buy and install it.

2. Install all software updates as soon as they are available, including all web browsers.

3. Have the latest operating systems on your devices with access to regular updates.

4. Make sure your internet connect is protected with firewall security.

5. Make sure your Wi-Fi network is encrypted, hidden, and password protected.

2) Use Encrypted Websites for E-commerce Via Strong Third-Party Risk Management Policies:

Only buy from encrypted websites by looking for https on every page. Don’t’ be teased in by super low prices or the like, it may be a drive by download set-up. Ensure that the owner of the website is reputable and is who they say they are. This kind of gets at third party and supply chain risk management, which should be based on some applicable security framework for your industry, etc.

1) Avoid When Possible and Rigorously Evaluate Freeware:

There are a lot of free options for software including anti-virus (AVG), graphic design (GIMP), marketing and sales applications, some of which are quite reliable. However, many are not reliable and pose risk because they often come with malvertising, utility ad ons that slow things down, or direct malware. All of this complicates cyber risk and blurs sight lines into the infrastructure stack. Cyber security isn’t a good place to cut costs so pay for a good antivirus and firewall tool-set. If you are going to use a robust free graphic design tool like GIMP make sure it is documented, always updated, and that it is run in a limited area.

Bonus) Have a Sound Way To Prioritize Patching.

Establish a process to risk-rate vulnerabilities based on: ease of exploit and potential impact of the vulnerability (reference the CVE scores), if other working defenses are in place, and lastly by grouping the assets they may impact.

Reach out to me here for questions.

British Airways Data Breach Likely The First GDPR Rollback Test.

On 08/21/18 British Airways (BA) suffered the start of a data breach which ended on or about 09/05/18. A UPS (uninterruptible power supply) failure and subsequent power surge was partly how the breach was exacerbated. It was also indicated that a third party (vendor) was involved in some way which complicates liability and brings supply chain security more into scope.

The breach allowed cyber criminals to steal personal and financial information from about 380,000 customers who booked directly with the airline in the preceding two weeks (Ivana Kottasová, CNN, 09/07/18). When a passenger makes a booking through the BA website, they must submit their name, e-mail address, address, and credit or debit card details including: the number, expiration date, date, and the security code or “Card Verification Value” (CVV) — all of this was compromised.

BA Breach
Photo: Steve Parsons/PA.

Yet most interestingly, this is one of the first major data breaches since GDPR came into effect in May this year, Walters said (Samuel Gibbs, the Guardian, 09/07/18). “It appears that the company notified the Information Commissioner’s Office and customers within the GDPR’s mandatory 72 hours but the breach will now be investigated and the company could be penalized if it did not take all the necessary measures to protect customer data” (Samuel Gibbs, the Guardian, 09/07/18).

The GDPR rules now in force could see a great increase in the penalties slapped on firms for past data breaches, with fines levied at a maximum of 4% of global revenues. For British Airways’ this amounts to about $630 million dollars based on last years revenue (Gwyn Topham, the Guardian, 09/06/18).

Yet many observers see fines this hefty as counterproductive and the catalyst to push business outside of the EU. Moreover, many international law firms and economists have doubts about the applicability of the GDRP outside of the EU, citing state sovereignty, and free enterprise protection in the United States, etc. The courts will likely further define the context of GRPRs applicability and may roll its reach back some. It is way to early to know what GDPR means in practicality but pushback is coming from well funded, well organized, well researched powerful law and business interest groups. GDPR is dangerously overbroad and ambiguous as echoed in this law firm newsletter (Wendy Butler Curtis and Jeffrey McKenn, Orrick, Herrington & Sutcliffe LLP, 09/09/18). We welcome the debate for a better more modern GDPR.

Thousands of MikroTik Routers Hacked to Spy On Network Traffic

router-hacking.pngAt present more than 7,500 Mikrotik routers have been compromised with malware when attackers configured the devices to forward network traffic to a handful of IP addresses under their control (Shaun Nichols, The Register, 09/04/18). According to Chinese cyber research firm 360 Netlab the attackers obtained access to the devices by exploiting CVE (Common Vulnerabilities and Exposures) 2018-14847. Ironically this vulnerability had a patch available since April 2018.

This vulnerability is associated with Any Directory File Read (CVE-2018-14847) in MikroTik routers which was found as exploitable by the CIA Vault 7 hacking tool identified as Chimay Red, along with another MikroTik’s Webfig remote code execution vulnerability.

Since 08/24/18 the 360 Netlab honeypot network had picked up on more than 5 million devices with an open TCP/8291 port worldwide, of which 1.2 million are MikroTik devices. Out of those, about 31 percent, or 370,000, are vulnerable to the flaw (Tara Seals, Threatpost, 09/04/18).

The infection does not appear to be targeting any country, as the hacked devices reside across five different continents with Russia, Iran, Brazil, and India being the most commonly impacted. The top 10 countries with compromised MickroTik routers are (Ms. Smith, CSO Online, 09/04/18).

  1. 1,628 in Russia
  2. 637 in Iran
  3. 615 in Brazil
  4. 594 in India
  5. 544 in Ukraine
  6. 375 in Bangladesh
  7. 364 in Indonesia
  8. 218 in Ecuador
  9. 191 in the US
  10. 189 in Argentina

The researchers noted that the malware is also resilient to reboots, leaving a firmware update as the only permanent solution to the problem (Shaun Nichols, The Register, 09/04/18). “In order for the attacker to gain control even after device reboot (IP change), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker’s URL,” Netlab writes.

Also, the attackers seek to infect victims with the browser-based Coinhive cryptomining script (Fig. 1). They achieve this by redirecting the HTTP proxy settings to an error page they created, where they placed the mining script. “By doing this, the attacker hopes to perform web mining for all the proxy traffic on the users’ devices,” 360 Netlab researchers indicated.

Hive

However, the attackers made a mistake when they set up proxy access control lists that block all external web resources, including those required for the mining operation (Fig. 1).

360 Netlab says it does not know what the ultimate goal of the attacker will be. Their analysis shows that the attacker is particularly interested in ports 20, 21, 25, 110, and 144, which are for FTP-data, FTP, SMTP, POP3, and IMAP traffic. An unusual interest is in traffic from SNMP (Simple Network Management Protocol) ports 161 and 162, which researchers cannot explain at the moment (Shaun Nichols, The Register, 09/04/18).

“This deserves some questions, why the attacker is paying attention to the network management protocol regular users barely use? Are they trying to monitor and capture some special users’ network SNPM community strings?” 360 Netlab asks.

Bleeping computers research recommends that MikroTik users install the latest firmware version on the device. Based on the information provided by 360 Netlab users can check if HTTP proxy, Socks4 proxy, and network traffic capture features are active and exploited by a malicious actor (Ionut Ilascu, Bleeping Computer, 09/04/18).

Reach out to my company Abstract Forward Consulting if you have questions.

In Cybersecurity There Are Two Kinds Of People: Those With Certs And Those Who Are Creative.

In cybersecurity there are two kinds of people, those with certifications and those who have proved they don’t need them. Just like degrees, certifications are only as good as the person holding them. If a person has a CISSP, a CISA, or another related certification, but does no more that attend the minimum continuing education to keep their certs in good standing, they will have little relevant security competence. Additionally, these certifications can not be compared to a CPA where the math and rules are clear and do not change at the speed of technology.

A person can show real world cybersecurity competency by building and defending websites and applications, by attending many top cybersecurity conferences and leaving some, by accurately following and blogging about threat actors (Brian Krebs), and by frequently speaking at security conferences – but more importantly their content needs to be validated by other thought leaders.

 

This is not at all to say that degrees and certifications have no value, but it is to say they are hyped up and not for everyone, especially those like Steve Jobs, Bill Gates, Larry Ellison, Mark Zuckerberg, and about 95% (est) of real hackers and technology security makers. These people are too focused on the synergies of the technology and threats “in the now” that they do not focus on memorizing things for tests that will likely become obsolete in 2-4 years anyway.

The problem with standardized tests is that they teach conformity in a limited non-real-world context based on limited information with no accurate knowledge of the future. A standardized test cannot teach or confirm creativity, quality character, incident response savvy, backwards engineering, your ability to actually build and defend an application, your ability to lead and inspire people in the right direction, stress management, and most importantly that you understand the threat actor profile and landscape and can adapt on your feet.

Many people who study for a security certification realize it’s a memorization and buzz word test. Yes, it will prove you are not a “complete moron” in security, but it will prove no more, and it has nothing to do with creativity. Yet the best security protections must be creative because the enemy is. Hackers use creativity and new technology models to break into systems in ways not thought of before. Yet before they break into these systems they have to learn and backwards engineer them. They do this with a type of intelligence and experience-based creativity that is too high for any standardized test to confirm.

If you survey all the major data breaches and hacks to find out what caused them and what could have prevented them, it is never because an organization “needed more people with standardized security certifications”. Rather, it is usually due to: lack of creativity, corporate silos, office bureaucracy, turfs wars (think why the FBI and CIA missed 9/11) poor communication, not enough real world red teaming, failure to patch, poor internet hygiene education, failure to measure and prioritize risk, and incompetent security leaders who only hire their friends or people who conform to their biases.

If you really want to learn and stay updated about cybersecurity, grab your laptop or tablet and blog real time at the Cybersecurity Summit in MN 10/22/18 to 10/24/18 – register here. Blogging is important because it makes you write down what you are learning, and your followers will force you to talk more about what your posting, so you will learn more by defended or changing it. You must be an active learner by creating and supporting the web technology behind your web-site – 100%.

Also, when attending these events don’t be like most people and hang only with your “established click”. Meet new people and be open to diverse viewpoints even ones that are hard to swallow – you grow more from that. Leave your assumptions at the door. Do not boast about the fact that you have an advanced degree or certification to someone else. You never know what the other person is capable of or has achieved. Remember most hackers and the best technology people are unorthodox.

Here is a run down of the amazing Cybersecurity Summit speakers.

  • Bruce Schneier, who will be signing copies of his forthcoming book “Click Here To Kill Everybody”
  • Chris Roberts, one of the world’s foremost experts on counter threat intelligence
  • Tony Sager, who leads the development of the CIS Critical Security Controls for the Center for Internet Security
  • Peter Brecl, Director of Managed Security Services at CenturyLink
  • Scott Borg, Director and Chief Economist at the U.S. Cyber Consequences Unit
  • Brian L. Levine, who recently engaged in the first criminal trial of a Chinese entity for trade secret theft that cost a U.S. company more than $1 billion
  • Tim Crothers, who built and leads the Cyber Fusion Center at Target

And many others!

To learn more and register for the event, go to www.cybersecuritysummit.org Register now now because prices will increase after Aug. 30. Came say hi to me at the event and reach out to my company Abstract Forward Consulting if you have questions.

Abstract Forward Podcast #1: Data Classification With Jim Danburg.

data_classification_2.jpgIn this episode, renowned governance, risk and compliance critical infrastructure security and resiliency expert Jim Danburg joins us for a candid and thought-provoking conversation on data classification, including a funny story doing a project for a CISO (chief information security officer).  More specifically, we discuss the four types of data classification vs. only three, data over-classification, data mis-classification, governance risk and compliance, data security, role based access control (RBAC), need to know policy, litigation discovery risk, the declining cost of data storage: disk vs. solid state, outsourcing data and PCI risk, mapping dependencies, the relationship between executives and data policy compliance, insider threat, bring your own device (BYOD) containerization: corporate vs. personal data with privacy implications, the secure destruction of data and hardware – and what it takes to improve all this!

Contact Abstract Forward Consulting here.

Disclaimer: This podcast does not represent the views of former or current employers and / or clients. This podcast will make every reasonable effort to verify facts and inferences therefrom. However, this podcast is intended to entertain and significantly inform its audience based on subjective reason based opinions. Non-public information will not be disclosed. Information obtained in this podcast may be materially out of date at or after the time of the podcast. This podcast is not legal, accounting, audit, health, technical, or financial advice. © Abstract Forward Consulting, LLC.

Five Things Small to Medium Businesses Can Do To Mitigate Cyber Risk

Small to medium businesses should evaluate their operational resilience and cyber-security practices quarterly. A good start is the US-CERT’s Cyber Resilience Review (CRR), which helps organizations assess enterprise programs and practices across 10 domains including risk management, incident management, service continuity, and more (SBA, 2018).

b7.contentThey can also use the CSET (Cyber Security Evaluation Tool), which is a free customizable multi-framework DHS created general cyber security assessment. A 2017 report published by Keeper Security and the Ponemon Institute found more than 50% of small and medium business had been breached in the past 12 months, but only 14% of them rated their ability to defend against cyber-threats as “highly effective” (Keeper / Ponemon, 2017). Here are five steps you can take to shield your small business from cyber-attacks:

1) Train Staff Often

Most cyber-attacks take the form of phishing and spear phishing which is hackers targeting individuals rather than computer systems – typically with the help of good social engineering (IT Governance Blog, 2017). Therefore, employees need to be educated to roll back what they share on social media and to opt out of data harvesting when they can. Training needs to be ongoing today because the threat landscape and technology change so fast. For example, ransomware was not a serious attack vector 6 years ago, but it is front and center today. Additionally, crypto-currency mining networks is an exploit vector that is arguably less than 2 years old and growing rapidly. Lastly, training more often improves the company security culture and that’s directly related to keeping their business reputation and core customer base. Here are a few more training necessities:

  1. Follow cyber security best practices and conduct audits on a regular basis – based on your selected one or two frameworks (Cobit 5, ISO 2700, etc)
  2. Use games contest and prizes to teach cyber safety – leadership must do this as well.
  3. Notify and educate staff of any current cyber-attacks – have a newsletter.
  4. Teach them how to handle and protect sensitive data – do lunch and learns.

2) Secure Wireless Networks

Wireless networks can be easily exploited by cyber attackers, unknowing guests, and even angry customers. Your network is not like a coffee shop community room but rather it’s like a bank vault with many segmented areas – map the segments and know their rank order value. To harden your wireless network, avoid WEP (Wired Equivalent Privacy) encryption (which can be cracked in minutes) and use only WPA2, which uses AES-based encryption and provides better security than WPA.

Fig 1. (WPA2 Selection Screen Clip).

wpa_top

If you have a Wi-Fi network, be sure access to the router is secured by a password and hidden so that it does not broadcast the network name. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Also, remember to password-protect access to the router. Additionally, for protection against brute-force attacks, protect your network with a complex passphrase containing at least 25 characters and including a mix of letters, upper and lower case and numerals and symbols. Use a firewall and encryption to safeguard your internet connection.

3) Control Access / IAM and Audit Access Often

Administrative access to your systems should only be granted on a need-to-know basis – least privilege principle. The correct job roles should be in the correct windows access groups. Keep sensitive data – such as payroll – out of the hands of anyone who doesn’t need it to do their job, marketing for example. Remove unused, stale, or unnecessary IAM users/credentials. Also, consider decommissioning old systems for risk reduction and cost savings – with the appropriate project analysis done. Use a secure strong password especially for single sign on interfaces – two factor authentication. Organizations should audit their IAM user activity to see which users haven’t logged into AWS for at least 90 days and revoke their permissions. Monitor user activity in all cloud services (including IAM user activity) to identify abnormal activity indicative of threats arising from a compromised account, or malicious/negligent internal employee – when corroborated with event logs and related intelligence.

4) Back up and Secure Your Systems and Data but Don’t Over Retain

Ransomware, or viruses used by hackers to encrypt an organization’s computer files and detain them until a ransom is paid, has emerged as a serious and growing threat to businesses worldwide, according to the FBI (FBI CISO Report 2018). Whether data is stored in the cloud, on-premises, or in a hybrid data center, businesses should back up all files to hard drives stored in a safe place outside the reach of cyberthieves. These are some key data backup subpoints.

  1. Limit access to sensitive data to only a few authorized employees.
  2. Encrypt all your sensitive data – do not over-classify.
  3. Backup your data periodically and store it in an offsite location.
  4. Protect all devices with access to your data – third party vendor implications.
  5. If you accept credit cards transactions, secure each point of sale.

5) Create a Guidebook for Mobile Security

While mobile devices allow for work anywhere, anytime, they create significant security challenges. The FCC suggests requiring users to password-protect their devices, encrypt data, and install security apps to prevent criminals from stealing information while the phone is on public networks (FCC, Feb 2018). Plus, set reporting procedures for lost or stolen mobile devices. Draft a BYOD policy that separates personal vs. corporate data and covers the below points.

  1. Ensure your equipment has the latest security software and run anti-virus/malware scans. regularly. If you don’t have anti-virus software installed, buy, and install it.
  2. Install all software updates as soon as they are available, including all web browsers.
  3. Have the latest operating systems on your devices with access to regular updates.
  4. Make sure your internet connect is protected with firewall security.
  5. Make sure your Wi-Fi network is encrypted, hidden, as well as password protected.

For more information reach out to Abstract Forward Consulting here.

6 Pronged Approach to Data Exfiltration Detection

The best way to detect precursors to data exfiltration is to employ a six-prong detection approach applied to all risk areas as practicable. Figure 1. shows the six-pronged detection approach.

Figure 1. Six-Pronged Data Exfiltration Precursor Detection Approach [1] [2].

1) Signature Based.

Characteristics: 1) Uses known pattern matching to signify attack; 2) Former zero days, known exploits, etc.

Advantages: 1) Widely available; 2) Most antivirus is based heavily on this; 3) Fairly fast; 4) Easy to implement; 5) Easy to update.

Disadvantages: 1) Cannot detect attacks for which it has no signature – Zero days; 2) Insider threat.

2) Host Based.

Characteristics: 1) Runs on a single host; 2) Can analyze audit-trails, logs, the integrity of files and directories, etc.

Advantages: 1) More accurate than NIDS; 2) Less volume of traffic so less overhead.

Disadvantages: 1) Deployment is expensive; 2) No plan for if the host gets compromised – Real risk for organizations with more than 10 thousand employees.

3) Human Based [2].

Characteristics: 1) Has the unique experience set deriving intuition; 2) Has five senses.

Advantages: 1) Has the ability to learn multiple tools and connect the dots; 2) Can set team direction and inspire people; 3) Can think creatively; 4) Can think with the voice of the customer or recipient of a phishing e-mail.

Disadvantages: 1) Bias and ego; 2) Cannot calculate large numbers fast.

4) Anomaly Based.

Characteristics: 1) Uses statistical model or machine learning engine to characterize normal usage behaviors; 2) Requires big data and other software tools; 3) Recognizes departures from normal as potential intrusions.

Advantages: 1) Can detect attempts to exploit new and unforeseen vulnerabilities; 2) Can recognize authorized usage that falls outside the normal pattern.

Disadvantages: 1) Generally slower, more resource intensive compared to signature-based tools; 2) Greater complexity, difficult to configure; 3) Higher percentages of false alerts.

5) Network Based.

Characteristics: 1) NIDS (network intrusion detection system) examine raw packets in the network passively and triggers alerts.

Advantages 1) Easy deployment; 2) Unobtrusive; 3) Difficult to evade if done at the low level of network operation.

Disadvantages: 1) Fail Open; 2) Different hosts process packets differently; 3) NIDS needs to create traffic seen at the end host; 4) Need to have the complete network topology and complete host behavior; 5) Highly unlikely.

6) Externally Based.

Characteristics: 1) Studies show there are 258 externally measurable characteristics about network infrastructure (without any inside info).

Advantages: 1) Beaching marking – identifying mismanagement symptoms such as poorly configured DNS or BGN networks; 2) Beaching marking – identifying malicious activity which mostly includes SPAM, phishing, and port scanning; 3) One study found it to be highly reliable in predicting breaches (90% true positives in a closed limited test) [3].

Disadvantages: 1) Its low hanging fruit – easy weaknesses to spot; 2) Good I.T. audits and red teaming is similar.

[1] Dash, Debabrata. “Introduction to Network Security”. PowerPoint presentation. 2017.
[2] Photo of public figure Bruce Schneier by Per Ervland. https://www.schneier.com/ 2018.
[3] Liu, Yang; Sarabi, Armin; Zhang, Jing; Naghizadeh, Parinaz; Karir, Manish; Bailey, Michael; and Liu, Mingyan. “Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents” 2015. Pg. 1.

Decryption Options For 3 Ransomware Types

ransomware-main.pngRansomware is on the rise and is going after more victims with little to no defenses, small to medium-small sized businesses and even quiet non-profits. Here are a few tools with a valid track record of stopping and removing 3 common types of ransomware.
1) LockCrypt is a ransomware discovered in June 2017 but is still active in various mutations. It spreads by brute forcing Remote Desktop Protocol credentials – a key port (3389) that should be obviously locked. A prominent example of this exploit occurred in December 2017 when an employee opened an email which was maliciously sent from another co-worker’s account. This was merely an attempt to trick the person to click on the malicious attachment which was appended to the letter. Once it was opened, the ransomware download began after which 48 out of 500 servers of North Carolina County were compromised with LockCrypt (Ugnius Kiguolis, Spyware.com, 12/11/17).

As per Bitdefender, this ransomware family has several sub-variants with the following specific extensions, the first (.1btc) is decryptable with this free Bitdefender tool and the others may be decryptable with the free Trend Micro Malwarebytes Ransomware File Decryptor tool (check for updates).

  1. .1btc (decryptable and included in this version of the tool)
  2. .lock (decryptable, not included in our tool)
  3. .2018 (decryptable, not included in our tool)
  4. .bi_d (not decryptable)
  5. .mich (decryptable, not included in our tool)

2) The five-year-old ransomware Trojan-Ransom.Win32.Rakhni has received a facelift recently which now allows it to decide whether or not to install its traditional ransomware or to drop a cryptominer.

The malware is delivered through spam campaigns where the email comes with a PDF attached which the receiver is prompted to save and then enable editing. When the victim attempts to open the document he or she is presented with an executable that portrays itself as an Adobe Reader plugin and it asks the person to allow it to make changes to their computer (Doug Olenick, SC Magazine, 07/06/18).

According the Kaspersky labs, the current injection chain on this newer exploit is largely the same as before. However, the malware moves along a rather complex path before it decides which form it will take. During the process it will check to make sure the device is not a virtual machine, it will check for and disarm an AV software and also Widows Defender and finally erase most of the footprints made during the malware installation.

The executable, which is written in Delphi and has its strings encrypted, then presents a message box that states the PDF could not be opened, basically to keep the victim from thinking anything negative is about to happen (Doug Olenick, SC Magazine, 07/06/18).

It first checks that the device has one of the substrings:

  1. \TEMP
  2. \TMP
  3. \STARTUP
  4. \CONTENT.IE
  5. Registry check

It then checks to see if the registry contains checks that in the registry there is no value HKCU\Software\Adobe\DAVersion and if it finds this is so it creates HKCU\Software\Adobe\DAVersion = True (Doug Olenick, SC Magazine, 07/06/18). As of Feb 2018 Kaspersky Labs has a free decryption tool (since updated) to get rid of most variations of this infection.

3) Thousands of LabCorp’s servers were impacted by the SamSam ransomware attack on 07/13/18, a CSO online report confirmed (Steve Ragan, 07/19/18). Early information indicates that the company contained the spread of the infection and neutralized the attack within 50 minutes – great. However, before the attack was fully contained, 7,000 systems and 1,900 servers were negatively impacted; 350 were production servers (Steve Ragan, CSO Online, 07/19/18. This is a growing trend in the healthcare sector that reached 15% in 2016 (Fig1. Greg Slabodkin, Health Data Management, 04/11/18).

Fig. 1.
Ransomeware Health.pngAs per Jessica Davis of HealthcareITnews, “SamSam is the virus that shut down the Allscripts platform for about a week in January 2017 and is known to use brute force RDP (remote desktop protocol) attacks to breach a system and spread. The variant is also responsible for taking down Hancock Health, Adams Memorial and the government systems of Atlanta — among a host of others” (HealthcareITNews.com, 07/20/18).

The ransom note it displays is quite interesting, giving the option of randomly-selected file encryption (if you don’t pay the full amount). They’ll also unlock one file for free as a token of trust that they will give your files back after payment (Christopher Boyd, Malwarebytes Labs, 05/01/18).

Fig 2.
samsam-ransomware-infected-file-sensorstechforum-com-sorry-for-files-html-virus
The virus has been updated a couple of times. Currently, it appends one of the following file extensions (Julie Splinters, spyware.com, 06/23/18):

  1. .weapologize;
  2. .AreYouLoveMyRansFile;
  3. .breeding123;
  4. .country82000;
  5. .disposed2017;
  6. .fucku;
  7. .happenencedfiles;
  8. .helpmeencedfiles;
  9. .howcanihelpusir;
  10. .iaufkakfhsaraf;
  11. .mention9823;
  12. .myransext2017;
  13. .noproblemwedecfiles;
  14. .notfoundrans;
  15. .prosperous666;
  16. .powerfulldecryp;
  17. .supported2017;
  18. .suppose666;
  19. .VforVendetta
  20. .Whereisyourfiles;
  21. .wowreadfordecryp;
  22. .wowwhereismyfiles;
  23. .loveransisgood.

Different variants of the virus might drop different versions of ransom notes. However, at the moment victims might receive one of these ransom notes in:

  1. 0009-SORRY-FOR-FILES.html,
  2. IF_WANT_FILES_BACK_PLS_READ.html,
  3. 000-PLEASE-READ-WE-HELP.html,
  4. 000-No-PROBLEM-WE-DEC-FILES.html,
  5. READ-FOR-DECCCC-FILESSS.html,
  6. HELP_DECRYPT_YOUR_FILES.HTML,
  7. 001-HELP_FOR_DECRYPT_FILE.html,
  8. 006-READ-FOR-HELLPP.html,
  9. PLEASE_READ_FOR_DECRYPT_FILES_[Number].html,
  10. PLEASE-README -AFFECTED-FILES.html.

SamSam is the newest and most powerful of the three types of ransomeware mentioned above. There is no known decryption tool or fix for data that you don’t already have your data backed up. Yet it is known to uses tools such as Mimikatz to steal valid user credentials and common IT management tools to move malware to new hosts. Attackers and their malware are increasingly reliant on Mimikatz and similar tools, such as PsExec — associated with everything from PoS malware to webshells — to spread through the network and do damage (Dark Reading, 06/20/18, Ajit Sancheti). Stay tuned here for updates regarding a stable decryption tool for SamSam.

Two Equifax Leaders Charged with Insider Trading Amid Data Breach Mess

equifax (1).jpgA former software developer for Equifax, Sudhakar Reddy Bonthu, faces insider trading charges related to the company’s massive data breach last year, according to the SEC and federal prosecutors. Allegedly, in August 2017, Bonthu was asked to participate in Project Sparta, which Bonthu’s bosses described as a major project for one of the company’s clients who suffered a major breach that exposed details of over 100 million users.

Unknown to Bonthu at the time, that client was Equifax itself, which a month prior discovered that it was hacked and an intruder stole details for over 145.5 million US and international users. Bonthu was tasked with creating “an online user interface into which users could input information to determine whether they had been impacted by the breach.” According to court documents, he was told that “the project was a high priority for the unnamed company and had a short deadline because the client intended to ‘go live’ on September 6, 2017, with the breach remediation applications designed by Equifax.”

To create the website, which later turned out to be equifaxsecurity2017.com, Bonthu was given test data and was included in mailing lists exchanging information about the still-secret breach. SEC investigators say that Bonthu concluded on his own that the secret client in Project Sparta was in fact Equifax itself.

In an attempt to obstruct his trail he used his wife’s trading account, wherefrom he purchased eighty-six out-of-the-money put option contracts for shares of Equifax common stock with an expiration date of September 15, 2017, and a strike price of $130 per share. Bonthu made this purchase despite the fact that Equifax’s policies expressly prohibit any trading in derivative securities, including put and call options.

By purchasing out-of-the-money put options, Bonthu could make money only if the market price of Equifax stock were to drop below the put option strike price before the contract expired approximately two weeks later, on September 15. If the market price did not so drop, the put options would expire and his investment would be worthless.

On September 8, the price of Equifax common stock closed at $123.23, a drop of $19.49 (nearly 14%) per share from the prior day’s closing price of $142.72. […] As a result of the precipitous drop in Equifax’s share price, Bonthu turned his initial investment of $2,166.11 into $77,333.79 in only six days. In sum, Bonthu’s ill-gotten gains from his trading in Equifax options totaled $75,167.68, a return of more than 3,500% on his initial investment.

3028.03.15equifaxchart.JPG

The SEC says Bonthu had never previously traded in Equifax options. Equifax fired Bonthu in March 2018 after he allegedly refused to cooperate on an internal investigation on charges that he violated the company’s insider trading policy. Bonthu has agreed today to a permanent injunction and to return ill-gotten gains plus interest. If the settlement is approved by a judge, this will terminate SEC civil charges.

The equifaxsecurity2017.com website, on which Bonthu worked, has been deemed one of the most poorly put together breach notification sites in recent years, with several issues affecting it.

He is the second Equifax employee charged with insider trading after Equifax’s breach last year. Earlier this March the SEC charged former CIO of Equifax U.S. Information Solutions Jun Ying. Equifax says it tipped off the Department of Justice and the SEC to Ying’s alleged insider trading.

Although Ying wasn’t directly told that Equifax had been breached, he was assigned to assist Equifax’s Global Consumer Solutions unit with what was billed as “a business opportunity for an unnamed client,” code-named Project Sparta, according to court documents. The project was designated as “urgent,” and everyone participating, including Ying and his team, were instructed to cancel their Friday evening plans and respond to all requests.

At 5:27 p.m. that day, Ying texted a co-worker that the breach they were working on “sounds bad” and noted: “We may be the one breached. . .. Starting to put 2 and 2 together,” according to the SEC complaint. Later that evening, Ying learned that Equifax’s CSO, chief legal officer and vice president of cybersecurity had all canceled their travel plans, it adds.

The following Monday, around 10 a.m., “Ying used a search engine to find information on the internet concerning the September 2015 cybersecurity breach of Experian, another one of the three major credit bureaus, and the impact that breach had on Experian’s stock price,” according to the complaint. “The search terms used by Ying were: (1) ‘Experian breach’; (2) ‘Experian stock price 9/15/2015’; and (3) ‘Experian breach 2015.’

“This defendant took advantage of his position as Equifax’s USIS chief information officer and allegedly sold over $950,000 worth of stock to profit before the company announced a data breach that impacted over 145 million Americans,” says U.S. Attorney Byung J. “BJay” Pak. “Our office takes the abuse of trust inherent in insider trading very seriously and will prosecute those who seek to profit in this manner. By selling when he did, Ying avoided losses in excess of $117,000.”

Earlier this month, Equifax revised its estimate of the breach’s impact to 147.9 million U.S. consumers. About 15 million U.K. consumers – of which about 860,000 are at risk of identity theft – and 8,000 Canadian consumers also saw their personal information get breached (see Equifax Breach Victims: UK Count Goes Up).

I identified Equifax’s control gaps and conflict of interest in a post shortly after the breach in 2017. I suspected then as I do now that more people will be charged related to conflict of interest with LifeLock identity theft protection.

Information sourced from Tara Siegel Bernard for the New York Times, Allison Prang for the Wall Street Journal, and the associated press. Curated and edited by Jeremy Swenson of Abstract Forward Consulting.

Chinese Hackers Stole About 614GB of Data from Unnamed U.S. Navy Contractor

A series of cyber attacks backed by Chinese government hackers earlier this year infiltrated the computers of a U.S. Navy contractor, allowing a large amount of highly-sensitive data on undersea warfare to reportedly be stolen. Likely by A People’s Liberation Army unit, known as Unit 61398, which is filled with skilled Chinese hackers who pilfered corporate trade secrets to benefit Chinese state-owned industry. The breaches, which took place in January and February 2018, including secret plans to develop a supersonic anti-ship missile for use on US submarines by 2020, according to American officials.

Fig. 1. U.S. Navy Submarine.
Navy Image

This data was of a highly sensitive nature despite it being housed on the contractor’s unclassified network – putting it here was mistake and exacerbated vulnerabilities. A contractor who works for the Naval Undersea Warfare Center in Newport, R.I. — a research and development center for submarines and underwater weaponry — was the target of the hackers, the Post reported. While the unnamed officials did not identify the contractor, they told the newspaper that a total of 614 gigabytes of material was taken. Included in that data was information about a secret project known as Sea Dragon, in addition to signals and sensor data and the Navy submarine development unit’s electronic warfare library. The Washington Post said it agreed to withhold some details of what was stolen at the request of the U.S. Navy over fears it could compromise national security.

A Navy spokesperson told Fox News in a statement the service branch will not comment on specific incidents, but cyber threats are “serious matters” officials are working to “continuously” bolster awareness of. There are measures in place that require companies to notify the government when a cyber incident has occurred that has actual or potential adverse effects on their networks that contain controlled unclassified information,” Cmdr. Bill Speaks said. “It would be inappropriate to discuss further details at this time.”

Fig 2. China’s first domestically manufactured aircraft carrier returns to port in Dalian after sea trials on 05/18/2018.

chinese-aircraft-carrier
Military experts fear that China has developed capabilities that could complicate the Navy’s ability to defend US allies in Asia in the event of a conflict with China. The Chinese are investing in a range of platforms, including quieter submarines armed with increasingly sophisticated weapons and new sensors, Admiral Philip Davidson said during his April nomination hearing to lead US Indo-Pacific Command. And what they cannot develop on their own, they steal – often through cyberspace, he said. “One of the main concerns that we have,” he told the Senate Armed Services Committee, “is cyber and penetration of the dot-com networks, exploiting technology from our defense contractors, in some instances.”

Chinese government hackers have previously targeted information on the U.S. military, including designs for the F-35 joint strike fighter which they copied. Last year, South Korean firms involved in the deployment of the U.S. Army’s Terminal High-Altitude Area Defense, or THAAD, missile defense system, the Wall Street Journal reported at the time. No matter how fast the government moves to shore up its cyber defenses, and those of the defense industrial base, the cyber attackers move faster.

Compiled from Jennifer Griffin at Fox News, The Post, The Wall Street Journal, Independent News, and Huff Post. Edited and curated by Jeremy Swenson of Abstract Forward Consulting.