On Friday of last week, Europol reported that a worldwide attack using a piece of ransomware known as “WannaCry” hit more than 150 countries and infected at least 200,000 victims. Europol Director Rob Wainwright said that “the global reach [of the attack] is unprecedented.” The attack appears to be hitting businesses and large organizations in the healthcare, financial and infrastructure sectors, which hold highly sensitive information ripe for being held hostage.
Ransomware is malicious software with two purposes. The first is to encrypt the contents of a machine’s hard drive, preventing the user from accessing the data without a unique decryption key. The second, in WannaCry’s case, is to act as a worm and spread to as many machines as possible. With a large footprint of infected machines, the attacker holds the data for ransom, promising to provide the key to decrypt it once the ransom is paid in Bitcoin (a digital currency whose pseudonymous addresses make payments hard, though not impossible, to trace).
WannaCry spreads by exploiting a vulnerability in the SMBv1 file-sharing implementation in Windows, affecting unpatched systems from Windows XP through Windows Server 2016; the exploit became public in the recent NSA tool dump, and Microsoft had patched supported versions in March as MS17-010, leaving unpatched and end-of-life systems such as Windows XP exposed. It’s unclear at this time whether the ransomware was developed by the NSA or is simply a consequence of the NSA’s zero-day exploit stockpiling. Microsoft president and chief legal officer Brad Smith responded to the attack stating that it “provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem”. Smith continued, stating that “this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action.”
While IT and security teams have no doubt been working around the clock over the weekend to contain the spread and manage the fallout, organizations should take the following actions immediately:
- Back up important and sensitive data immediately, and keep the backups offline or otherwise unreachable from ordinary workstations, in case you are infected soon.
- Apply the latest Microsoft security patches, MS17-010 in particular, and disable SMBv1 wherever it is not required.
- Update all anti-virus signatures and run immediate scans.
- Scan all inbound and outbound email for malicious attachments.
- Send a company-wide awareness email warning employees about the attack and telling them to be cautious of scams and malicious email.
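The worm-style spread described above (one infected host probing its neighbours over SMB on TCP/445) leaves a distinctive fan-out pattern in firewall or NetFlow logs. The following Python script, added here as an example and not taken from the original post or from any CyberSheath tooling, flags internal hosts that contact more than a threshold of distinct peers on port 445 inside a short window. The log format, addresses and thresholds are constructed for illustration.

```python
"""Flag internal hosts that fan out SMB (TCP/445) connections to many peers.

Added example: a minimal detector for the lateral-movement pattern of a
network worm (one host probing many neighbours on port 445). The log format,
hosts and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall/NetFlow-style lines: 10.0.0.5 fans out to six peers in
# about ten seconds; 10.0.0.9 shows normal file-server traffic; 10.0.0.12 is
# not SMB at all and must be ignored.
SAMPLE_LOG = """\
2017-05-12T10:00:01 src=10.0.0.5 dst=10.0.1.7 dport=445 proto=tcp
2017-05-12T10:00:02 src=10.0.0.5 dst=10.0.1.8 dport=445 proto=tcp
2017-05-12T10:00:02 src=10.0.0.9 dst=10.0.1.20 dport=445 proto=tcp
2017-05-12T10:00:04 src=10.0.0.5 dst=10.0.1.9 dport=445 proto=tcp
2017-05-12T10:00:05 src=10.0.0.5 dst=10.0.1.7 dport=445 proto=tcp
2017-05-12T10:00:06 src=10.0.0.5 dst=10.0.1.10 dport=445 proto=tcp
2017-05-12T10:00:09 src=10.0.0.5 dst=10.0.1.11 dport=445 proto=tcp
2017-05-12T10:00:12 src=10.0.0.5 dst=10.0.1.12 dport=445 proto=tcp
2017-05-12T10:00:30 src=10.0.0.9 dst=10.0.1.20 dport=445 proto=tcp
2017-05-12T10:01:00 src=10.0.0.9 dst=10.0.1.21 dport=445 proto=tcp
2017-05-12T10:05:00 src=10.0.0.9 dst=10.0.1.22 dport=445 proto=tcp
2017-05-12T10:05:01 src=10.0.0.12 dst=10.0.1.7 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_events(text):
    """Yield (timestamp, src, dst) for TCP/445 lines; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dport") != "445":
            continue
        yield datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("dst")


def find_smb_fanout(text, max_peers=5, window_seconds=60):
    """Return {src: peak_distinct_peers} for sources that contact more than
    `max_peers` distinct hosts on 445 inside any `window_seconds` window.

    Events are assumed to be in time order. Repeated connections to the same
    peer count once: an infected host is loud because it keeps hitting *new*
    peers, whereas a user re-opening a share is not.
    """
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for ts, src, dst in parse_events(text):
        events[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, hits in events.items():
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits the window
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peers = {dst for _, dst in hits[start:end + 1]}
            if len(peers) > max_peers:
                alerts[src] = max(len(peers), alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    for host, peers in find_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {host}: {peers} distinct SMB peers within one minute")
```

Run it against exported firewall logs after normalising them to the `src=… dst=… dport=…` form shown. Tune `max_peers` and `window_seconds` to your environment, and whitelist backup servers and vulnerability scanners explicitly rather than raising the threshold to accommodate them, since those are exactly the hosts a worm likes to land on.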
Moving forward, organizations should take a proactive rather than reactive approach to ransomware. In August of last year, CyberSheath security engineers wrote about the rise of ransomware and how using sandboxing in daily operations, combined with least privilege, can sharply limit what malware is able to do once it runs. Adding to defense in depth, a privileged account management solution can keep ransomware from spreading to critical servers by securing the privileged accounts it would need, and in combination with isolating critical servers behind a secure jump host such as CyberArk’s PSM, it is a highly effective way to contain malicious threats.
Let the security professionals at CyberSheath help you become proactive, not reactive. You can learn more about our approach by viewing our Privileged Access Management service area or clicking the button below to download our detailed Privileged Access Management datasheet.
Recently, a congressional investigation by the U.S. House of Representatives’ Committee on Oversight and Government Reform reported that the two major data breaches suffered by the U.S. Office of Personnel Management (OPM) in 2014 and 2015 were preventable and were in fact made worse by lax security practices and ineffective management. OPM manages aspects of federal employment, such as background investigations, for most government agencies. The attacks compromised sensitive data belonging to more than 22 million people.
Though the parties on the committee diverge over who is to blame and how much progress OPM has made since it was first alerted to the threat through inspector general reports in 2005, the facts are undeniable: had OPM implemented basic, required security controls and deployed modern security tools in a timely fashion once alerted, it could have significantly mitigated, delayed, or prevented the damage inflicted by the intruders. The specifics of how and when the intruders gained access to OPM’s network are not entirely clear, but the report noted several preventive actions that OPM leadership failed to take. For example, OPM did not adopt two-factor authentication for remote logons until early 2015, though it had long been required of federal agencies; had it done so sooner, it would have cut off the intruder’s continued access to the network (Krebs). Other recommendations included longer tenure for chief information officers, reduced use of Social Security numbers, and better monitoring and security tooling. OPM has since made some progress over the past year, implementing multi-factor authentication, hiring new cybersecurity advisors, and revamping its information technology infrastructure to one that is both modern and standardized.
How can you help prevent attacks like these in your own organization? Here are some basic data breach prevention tips:
- Establish end-user security awareness through regular training so that all users can recognize odd behavior that could be the result of an intrusion. Establish policies on privacy and data security and distribute them to all employees. Train employees to lock their machines when leaving their workstations, not to click links from unknown senders, and to maintain good cyber hygiene.
- Implement and maintain security tools that provide visibility into and management of organizational risk. Governance, Risk and Compliance (GRC) platforms such as RSA Archer and TraceSecurity TraceCSO simplify and automate IT and security risk management. Such tools also give your organization visibility into other areas by bringing integrated security capabilities, such as vulnerability scan results and compliance remediation, together with metrics and other visual information in one central dashboard.
- Implement and maintain effective monitoring and privileged account management programs. CyberArk offers a variety of products designed to help protect your business in this area.
- CyberArk lets organizations record and monitor user activity during privileged sessions, helping security teams both deter and detect unauthorized use of privileged accounts. Real-time session monitoring lets security teams detect suspicious activity as soon as it occurs and remotely terminate the session to limit the damage. Searchable audit logs and session recordings are stored in a tamper-resistant vault so that privileged users cannot edit or delete their own history, and so that the records remain available after the fact to establish the scope and severity of an incident.
- Apply patch management across all systems on your network. Don’t rely on Windows Update alone, because any software can introduce new vulnerabilities. Run firewalls and anti-virus/anti-spyware software on every system, and push out configuration updates to all machines as needed to remove vulnerabilities introduced by misconfiguration and unnecessary default services.
- Back up your data securely. A remote backup service lets your organization back up data over the network without worrying about physical drives being lost or stolen. Mandate encryption of all data in transit, and allow only encrypted data to be copied onto portable media. Avoid public Wi-Fi networks, which make it easier for a third party to intercept sensitive data.
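The tamper-resistant storage of session records mentioned in the list above rests on a simple idea that is worth seeing in code: chain each record to the hash of the one before it, so that editing or deleting any entry invalidates every entry after it. The following Python sketch is an added example, not CyberArk’s code and not from the original post; the record fields, the genesis value and the hash construction are assumptions made for illustration.

```python
"""Tamper-evident audit log for privileged session records.

Added example (not CyberArk's code). Each entry stores the hash of the
previous entry, so any edit or in-place deletion breaks the chain from that
point onward. A real system would additionally sign the chain head or anchor
it in write-once storage; that part is deliberately out of scope here.
"""
import hashlib
import json

# Hash "before" the first record; an assumption for this example.
GENESIS = "0" * 64


def _digest(prev_hash, record):
    # Canonical JSON so an identical record always hashes identically
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_record(chain, record):
    """Append a session record (a dict) to `chain` and return the new entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev_hash, "hash": _digest(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Walk the chain from GENESIS; return (ok, index_of_first_bad_entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["record"]):
            return False, i
        prev_hash = entry["hash"]
    return True, None


def build_sample_chain():
    """Constructed privileged-session records for illustration."""
    chain = []
    for rec in [
        {"user": "dba01", "target": "db-prod-01", "action": "session_start",
         "ts": "2016-09-07T14:02:11Z"},
        {"user": "dba01", "target": "db-prod-01", "action": "cmd",
         "cmd": "SELECT COUNT(*) FROM personnel", "ts": "2016-09-07T14:03:40Z"},
        {"user": "dba01", "target": "db-prod-01", "action": "session_end",
         "ts": "2016-09-07T14:10:02Z"},
    ]:
        append_record(chain, rec)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    chain[1]["record"]["cmd"] = "SELECT 1"   # a privileged user "cleans up" history
    print("after edit:", verify_chain(chain))
```

Note the limit of the technique: the chain detects edits and deletions in the middle, but silently dropping the most recent entries leaves a chain that still verifies. That is why the current chain head has to be recorded somewhere the privileged user cannot reach, such as a signed checkpoint or an append-only store, which is the job the vault performs in a product.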
If your organization has recently been impacted by a data breach, or you are concerned that one or more of the practices above is not being enforced properly, CyberSheath has expert staff who can assess your organization’s security and determine the threat posed by any vulnerabilities you have, in order to prevent future attacks and data breaches. We provide services that help clients build and maintain successful security programs through privacy assessment, security advising, and professional consulting across a variety of tools, including RSA Archer GRC and CyberArk.
In a recent Motherboard article, the FBI warned of massive government data breaches by a group that has had access to US Government files for years. APT6 has “compromised and stolen sensitive information from various government and commercial networks since at least 2011”. While the article does not make clear which government agencies are involved, the FBI has released an alert listing several domains associated with command and control (C2) of customized malicious software; any activity involving these domains “detected on a network should be considered an indication of a compromise requiring mitigation and contact with law enforcement”.
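Turning the FBI’s C2 domain list into a detection means checking DNS and proxy logs for the indicators and their subdomains without tripping on look-alike names. The Python below is an added example, not part of the FBI alert or the original post; the indicator domains and log lines are constructed placeholders (the alert’s real domains are not reproduced here) and the resolver log format is an assumption.

```python
"""Match DNS resolver log entries against a list of C2 domain indicators.

Added example. The indicator set and log lines are constructed placeholders,
not the domains from the FBI alert. Matching rules: an indicator covers itself
and every subdomain, names are compared case-insensitively with any trailing
dot removed, and plain substring matches are rejected so that a look-alike
such as notc2-example.net does not fire on the indicator c2-example.net.
"""

# Constructed placeholder indicators; replace with the published list.
IOC_DOMAINS = {"c2-example.net", "update.evil-example.org"}


def normalize(name):
    """Lower-case a hostname and strip whitespace and the trailing root dot."""
    return name.strip().rstrip(".").lower()


def matches_ioc(hostname, iocs=IOC_DOMAINS):
    """Return the indicator that covers `hostname`, or None."""
    host = normalize(hostname)
    for ioc in iocs:
        ioc_n = normalize(ioc)
        # Exact match, or a label boundary followed by the indicator
        if host == ioc_n or host.endswith("." + ioc_n):
            return ioc_n
    return None


# Constructed resolver log lines: "<timestamp> <client> query <name>"
SAMPLE_DNS_LOG = """\
2016-04-06T09:12:01Z 10.1.2.3 query www.example.com
2016-04-06T09:12:05Z 10.1.2.3 query files.c2-example.net
2016-04-06T09:12:09Z 10.1.2.44 query notc2-example.net
2016-04-06T09:13:30Z 10.1.2.9 query UPDATE.Evil-Example.ORG.
2016-04-06T09:14:00Z 10.1.2.9 query evil-example.org
"""


def scan_dns_log(text, iocs=IOC_DOMAINS):
    """Return a list of (timestamp, client, queried_name, matched_ioc) hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # malformed or non-query line
        ts, client, _, name = parts
        ioc = matches_ioc(name, iocs)
        if ioc:
            hits.append((ts, client, normalize(name), ioc))
    return hits


if __name__ == "__main__":
    for ts, client, name, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} resolved {name} (indicator: {ioc})")
```

Two design points matter in practice. The parent of an indicator is not itself an indicator (a query for `evil-example.org` does not match `update.evil-example.org`), because the published list names exactly the hosts the FBI saw used for C2. And the client address in each hit, not just the domain, is what incident response needs next, since the alert’s advice is to treat any such activity as a compromise of that host.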
It is important to note that there have been no official notifications from US Government agencies other than the FBI warning, but the story raises a good point about giving government agencies back-door access to encrypted data. If these same agencies cannot keep their own data secure, why should they be trusted with access to everyone else’s encrypted data? Huge breaches of government networks are nothing new, and the thought of handing the government a special key to encrypted systems is frightening.
The article comes at a time when the US government is demanding access to encrypted data and the fight over whether that access should be granted through government-mandated backdoors is under way. Under the bill proposed by Senators Dianne Feinstein (D-California) and Richard Burr (R-North Carolina), covered entities receiving a court order for information or data would have to provide it in an intelligible format, or provide the technical assistance needed to obtain it in an intelligible format. This means that a device manufacturer, software vendor, electronic communication service, and so on, must give the requestor (the federal government) data that is clear and human-readable. Encrypted data is unintelligible by design, so under this bill manufacturers would have to build in special backdoor access for the government. In addition, any “unbreakable encryption”, or the sale of services that include it, would effectively be outlawed. While the chance of this bill going anywhere is very low, it creates an awkward situation: how can the government expect to hold special backdoor access to private data when it cannot secure its own?
Regardless of your stance on the issue, your data needs protecting. CyberSheath can assist you and your organization in securing your data. Start with an assessment today to identify your weaknesses and gaps.
Bring your own device (BYOD) is the use of an employee’s personal mobile device, e.g., smartphone, tablet and/or laptop, to access a company’s data or network. Once a trend, BYOD has gained wide acceptance across businesses succeeding in today’s markets. Findings from Tech Pro Research in early 2015 indicated that “74 percent of organizations [are] either already using or planning to allow employees to bring their own devices to work.” What is the main motivator for this movement? A study conducted by IBM found the main advantages of BYOD to be increased employee productivity and satisfaction along with overall financial savings for the business. The benefits of BYOD are great, but what do they mean for an overworked IT department already combating constant attacks on its network?
Ultimately, allowing employees to use personal devices to access proprietary company information exposes the business to cybersecurity risk. A non-company-owned device being lost or stolen, lacking anti-virus software, or handling unencrypted data all leave an organization’s data vulnerable and can lead to a breach resulting in significant financial loss. As 2016 gets underway, the protection of organization-controlled data becomes even more relevant. With the growth of BYOD in 2015, the question is no longer how an organization can avoid adopting it, but how it can mitigate the associated risks. To address some of these concerns, CyberSheath has outlined three common industry best practices for beginning to secure your data in a BYOD environment.
3 Tips to Secure Data in a BYOD Environment
1: BYOD Policy
For starters, employees must have permission to use their personally owned devices for business purposes, and a good place to begin is a strong BYOD policy. The policy must clearly define the organization’s expectations of employees who use personal devices to conduct company business. Requirements such as anti-virus software on non-company devices, two-step authentication, and keeping proprietary information in secure content lockers are guiding principles that raise an organization’s security. Industry educational institutions such as the SANS Institute encourage policy development, describing policies as the “practical steps necessary for defending systems and networks.” Policies also enable organizations to hold employees accountable for their actions.
2: Encryption
While policies provide guidance and permission to employees, policies in and of themselves do not secure data. Encryption is one of many ways to secure data on a personally owned device. In 2015 the Office of Personnel Management (OPM) learned the importance of encryption the hard way, when hearings held by the House Committee on Oversight and Government Reform revealed that “the data stolen in the massive OPM breach was not protected by practices like data masking, redaction, and encryption.” Encryption is an accepted best practice for meeting compliance regulations that require the protection of data and, as Rep. Elijah Cummings, D-Md., said in hindsight at the OPM hearing, “should become the norm.”
3: Training
The third tip for the BYOD environment is training. While a good policy combined with strong encryption can protect the data, training brings it all together for employees. Training employees on the policy and on how and when to use encryption and secure content lockers goes a long way in the fight against data breaches. Training also reinforces acceptance of the BYOD policy, and employees can no longer say “I didn’t know how” to secure their data, mobile device, email or documents. The suggestions above can be implemented relatively easily, and properly training employees on the policy and the technology that supports it is far more cost-effective than dealing with a data breach caused by an uninformed employee.
How CyberSheath Can Help Your Organization Mitigate the Risk of the BYOD Environment
To start, as part of our Staffing and Residency service offering, CyberSheath can provide the experts necessary, whether you are transitioning to or re-evaluating your current BYOD environment, to create the policies and procedures critical to securing your digital assets.
In the latest cybersecurity breach, the Defense Contract Management Agency (DCMA), responsible for administering contracts on behalf of the Department of Defense (DoD), has taken several of its servers offline in response to a potential cybersecurity incident. According to KrebsOnSecurity, a Cyber Protection strike team from the DoD is now working closely with the DCMA to raise its security posture following the incident.
“So far, no DCMA, DoD or Defense Industrial Base data nor any personal identification information has been breached (…) DCMA’s website has been intentionally taken offline while the team investigates the activity,” the spokesperson says. “All other network operations have proceeded as normal (…)”
David Wray, DCMA Spokesman
The two-week-long “Corrective Action” message found on the home page of the DCMA.
According to an unidentified source in the DCMA, the agency has been having “major system issues, including a number of internal systems.” This incident adds to the string of cyber attacks on US Government systems: the U.S. Central Command’s Twitter and YouTube accounts, the United States Postal Service data breach, the National Oceanic and Atmospheric Administration website compromise, and the White House’s unclassified network breach.
What was the Attack Vector?
DCMA employees use telework resources to review federal contracts between external companies and the DoD. At CyberSheath, we have seen a number of successful cyber attacks exploit such third-party relationships and integrations to gain access to a partner’s trusted internal network. That pattern also follows the trend of recent attacks against the US Government. This is only speculation, however, as we do not have enough information to determine who breached DCMA or how.
What was the Motivation?
It is highly likely that the attackers targeted DCMA to obtain intelligence on the entities that hold specific DoD contracts, so that they can target those entities and breach more sensitive networks. Alternatively, the group responsible may be trying to release confidential information to the public to embarrass the US Government. In either case, this attack may set the stage for a larger incident in the coming weeks.
Security assessments can be of transformational value for your organization, or they can be shelfware; which you end up with is a matter of leadership and strategy. Here is just one example of how an assessment can be transformational.
Several years ago I came into an organization with five separate security silos, all reporting independently of one another with almost no unifying set of objectives or control framework. One thing all five groups had in common was the belief that “the business just doesn’t get it,” “it” being security. When the five “families” got together the debate was fierce, the discussions academic, and action towards improvement nonexistent. If only we had more money, more tools, more people, more, more, more… then and only then could we be effective. I’m simplifying the story a bit to fit into a blog post, but not by much.
Having the advantage of being new to the organization, I recognized that part of the problem with the state of security was security itself. If you listened to the groups the sky was falling, but they had no data to support their assertions. They had no way to demonstrate, with facts and figures, that the company was taking on more risk than was reasonable.
We needed a quantifiable way to give the business actionable data and let it come to the right conclusions about investments in security. So with my enormous team of one, which eventually grew to three (including me), we set out to educate the business on the risks it was taking and to make the company more secure. It’s not an exaggeration to say that the effort to transform security at a global Fortune 500 company began with three people and an assessment.
We knew we needed a way to measure security, and to do that we had to select a control framework that could withstand scrutiny and provide an actionable baseline against which we would measure improvement year over year. The two candidates were NIST and ISO, and there were passionate arguments for and against each. In my opinion this is an area that can be overthought: you can always change your mind later, and the most important thing is taking action now. In fact we did exactly that, selecting ISO and later reverting to NIST.
Contrary to what many people might think, the next step was not to start the assessment. For the assessment to be effective, the business would have to understand how and why it mattered to their business, and making them ISO or NIST experts was not in the cards. We had to select the parts of ISO and NIST that were relevant to the business from a regulatory compliance perspective. The business understands compliance, be it HR (employment law), workplace safety (OSHA), finance (SOX) or any other function that supports the business. Security, however, had never taken the time to map its work back to regulatory requirements in language the business could understand.
So we set out to do that mapping, long before we started engaging vendors to do an assessment. In my next post I’ll share some of the challenges of doing the mapping and how we ended up selecting a vendor.