NYSTEC is a nonprofit technology consulting company, advising agencies, organizations, institutions, and businesses since 1996. We’re independent and vendor-neutral—so we have our clients’ best interests at heart.
One thing is certain in 2017: the threat landscape keeps expanding at a rapid rate, and so do the business risks. In my opinion, one of the biggest threats, and the one with the greatest potential impact, is ransomware.
Like all threats, ransomware is gaining momentum in both sophistication and severity of impact. PC Magazine defines ransomware as “Virus software that blackmails users by encrypting their hard drives or locking them out of the computer. It then demands payment to restore it.”
If an organization falls prey to a ransomware attack, it could choose to pay the ransom. However, paying proves to the attackers that ransomware works and funds their next campaign. What’s more, there’s no guarantee that paying will get you a working decryption key or restore access to your encrypted files. The best recovery method is to have recent, tested backups to restore, but many organizations fail here: backups turn out to be incomplete, out of date, or stored where the infected machine could reach and encrypt them too.
The reality is that ransomware is spreading. McAfee reported that between 2014 and 2015, ransomware across sectors nearly tripled in volume—and new variations more than quadrupled. In 2016, total ransomware grew 80%. Simply put, your organization is at risk.
If the threat of ransomware is enough to make you lose sleep, take heart: You can still protect your organization. Ask yourself:
Identifying these challenges will help better define your tactical and strategic security goals.
Below are tips on how to minimize the risks from known ransomware threats and vulnerabilities.
The cybersecurity industry is maturing to address the challenges of ransomware and other threats. The following are strategic initiatives to consider in your long-term security plans.
The threat of ransomware doesn’t have to keep you up at night. Understand the risks, identify your organization’s challenges, and develop a plan that defines both tactical and strategic change. That plan should include investing in the right technologies and building the in-depth knowledge and skill to use those technologies effectively. Do that, and you will position your organization to be better prepared for a constantly changing threat landscape.
Links in this article are provided because they have information that may be useful. NYSTEC does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author and do not necessarily represent the opinions of NYSTEC.
This article is cross-posted on the NYSTEC Info Security Advisor blog.
Customer: I forgot my password.
Website: No problem! Here’s your new password via email — fully visible for your convenience!
Oh, the pain. The pain.
EMAILING PASSWORDS = BAD
EMAILING PLAINTEXT PASSWORDS = VERY BAD
There’s so much wrong here.
First, email is not a secure way to send confidential information: a message is relayed through and stored on servers you don’t control, and your mailbox is itself a frequent target. Emailing a password makes as much sense as posting an image of your new credit card and CVV number on Facebook. How should a password reset work instead? The Open Web Application Security Project (OWASP) guidelines describe it: a random, single-use, time-limited reset link, never the password itself.
Second, getting your password back in plaintext (or cleartext) means the site is storing it in a recoverable form: plaintext, or at best reversibly encrypted with a key the site holds. Not salted and hashed with a slow password hash, which is the only storage method that cannot hand your password back to anyone. If that website is breached, or your email is exposed, your password is out in the open for every attacker to use.
Bonus badness: If a hacker gains access to your plaintext password, and you use the same password for all of your accounts, have fun trying to recover all of those accounts after the hacker changes your password(s) and email address!
If a website sends you a password in plaintext, it’s okay to cringe. The good news is that it may not be completely terrible. If it’s a one-time password (i.e., a temporary password), that’s sort of passable, especially if it is randomly generated, expires quickly, and forces you to choose a new password on first login. (A far better solution would have been a one-time link to click.)
However, if you’re emailed your real password in plaintext, that is completely terrible. Do not store any personal information on that site — credit card numbers, bank accounts, and passwords should be considered off-limits. And never use that password anywhere else.
Passwords are the most valuable bit of information you have. Something that valuable deserves respect. If a website is saving your password in plaintext, then your password — and you — aren’t getting the respect you deserve.
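As an added example (not code from the original post), here is how a site avoids ever having a password to email. Passwords are stored only as salted scrypt hashes, so there is nothing recoverable to send; a forgotten password is handled with a random, single-use, expiring reset token, and the server keeps only a hash of that token, so a leaked database cannot redeem live links. The in-memory stores, the scrypt parameters, and the 15-minute lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# In-memory stores for this example only (a real site uses persistent storage).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"user": str, "expires": float}

# scrypt work factors: an assumption, tune to your own servers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
TOKEN_TTL_SECONDS = 15 * 60   # reset links die after 15 minutes (assumed lifetime)


def hash_password(password, salt=None):
    """Salted, memory-hard hash. The output cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def register(username, password):
    """Store only salt + hash; the plaintext is discarded here."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username, password):
    record = USERS.get(username)
    if record is None:
        hash_password(password)   # do the work anyway so timing doesn't leak usernames
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def token_key(token):
    """Only a hash of the reset token is stored server-side."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username, now=None):
    """Return the raw token to embed in the emailed link, or None for unknown users.
    The caller should send the same 'check your email' response either way."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)    # 256 bits from the OS CSPRNG
    RESET_TOKENS[token_key(token)] = {"user": username,
                                      "expires": now + TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token, new_password, now=None):
    """Single use: the token is removed whether or not it was still valid."""
    now = time.time() if now is None else now
    record = RESET_TOKENS.pop(token_key(token), None)
    if record is None or now > record["expires"]:
        return False
    register(record["user"], new_password)   # fresh salt, fresh hash
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    link_token = issue_reset_token("alice")
    print("emailed link: https://example.com/reset?token=" + link_token)
    print("redeemed:", redeem_reset_token(link_token, "new passphrase"))
    print("new password works:", verify_password("alice", "new passphrase"))
```

Note what the emailed link contains: a token that is worthless after one use or fifteen minutes, and that reveals nothing about the password. The "forgot password" endpoint responds identically for known and unknown usernames so it cannot be used to enumerate accounts.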
To read the original post “Network Forensics 101,” click here.
A cybercriminal has just wiped all traces of an attack from your server. Now you’ll never know the source of the attack or the extent of the damage, right?
Not if you have a network forensic investigator on the trail.
The ability to interpret the data in log and capture files and recognize malicious activity in the data is a special skill that requires in-depth knowledge of network and application protocols. This article provides a short introduction to network-based forensic investigations of suspected criminal activity related to information technology systems.
Criminals attack computer systems for a number of reasons, but primarily for economic gain. Among the most common targets are banking and other personal information stored on PCs and servers that will assist in completing fraudulent financial transactions.
Network forensics—defined as the investigation of network traffic patterns and data captured in transit between computing devices—can provide insight into the source and extent of an attack. It also can supplement investigations focused on information left behind on computer hard drives following an attack.
Identifying attack patterns requires a thorough understanding of common application and network protocols. For example:
The investigator must understand the normal form and behavior of these protocols to discern the anomalies associated with an attack.
Network forensic investigators examine two primary sources: full-packet data capture, and log files from devices such as routers, proxy servers, and web servers. Log files reveal traffic patterns because they record source and destination IP addresses, TCP and UDP ports, Domain Name System (DNS) names, timestamps, and other metadata.
Full-Packet Capture. The advantage of full-packet capture is that the content, and therefore the meaning and value, of the data being transferred can be determined (at least for traffic that is not encrypted end to end). Packet capture is not usually implemented on networks full-time because of the large amount of storage required for even an hour’s worth of data on a typical business network. In addition, there may be privacy concerns (although many businesses today require all employees to sign an acknowledgement that they have no expectation of privacy while on business-owned systems and networks).
Data capture is typically started when suspicious activity has been detected and may still be ongoing. The packet-capture network tap point must be chosen carefully so that it sees traffic flowing among all affected devices, or multiple taps must be implemented.
Log files. Most modern network devices, such as routers, are able to export NetFlow (or equivalent) data to log files on a full-time basis without affecting performance. Web servers, proxy servers, firewalls, Intrusion Detection Systems (IDS), DNS, Dynamic Host Configuration Protocol (DHCP), and Active Directory server log files also contain much useful information about activity on the network. These log files can be analyzed to identify suspicious source and destination pairs (e.g., your server is communicating with a server in Eastern Europe or China), suspicious application activity (e.g., a browser communicating on a port other than port 80, 443, or 8080), and suspicious timing (e.g., a workstation that contacts the same external host at a fixed interval around the clock).
One advantage of using log files is the much smaller file size compared to full-packet capture. Another advantage is that the collection points are already in place in key locations, and it is not difficult to collect and store the output from multiple devices into one master log for analysis. There are many free as well as commercial tools for log aggregation.
There are many free software tools available for network forensics. While a few have a graphical user interface (GUI), most free tools have only a command-line interface, and many run only on Linux.
Especially in the case of full-packet captures, data must be reduced through filtering before detailed analysis is performed: narrow the data to the time window of the incident, the hosts involved, and the protocols of interest, then examine what remains.
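Here is an added example, not from the original post, of the log-file analysis and the reduce-then-analyze workflow described above. It parses constructed NetFlow-style records, applies the reduction step first (keep only flows leaving the organization’s address space), and then runs three checks on what remains: workstations egressing on ports other than the usual web and DNS ones, source/destination pairs that check in at a near-constant interval (a classic command-and-control beacon), and pairs moving an unusual volume of data. The address plan, the port list, the thresholds, and the records themselves are assumptions made for the example; the geographic check the post mentions (a server in Eastern Europe or China) needs a GeoIP database and is left out so the example runs offline.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed NetFlow-style records for this example (no real network):
# "timestamp src dst proto dst_port bytes". External addresses use RFC 5737 test ranges.
SAMPLE_FLOWS = """\
2017-03-01T09:00:00 10.1.5.23 192.0.2.10    tcp 443  5120
2017-03-01T09:00:05 10.1.5.23 10.1.0.10     udp 53   180
2017-03-01T09:00:10 10.1.5.42 203.0.113.77  tcp 4444 300
2017-03-01T09:01:10 10.1.5.42 203.0.113.77  tcp 4444 300
2017-03-01T09:02:10 10.1.5.42 203.0.113.77  tcp 4444 300
2017-03-01T09:03:10 10.1.5.42 203.0.113.77  tcp 4444 300
2017-03-01T09:05:00 10.1.5.23 192.0.2.10    tcp 80   2048
2017-03-01T09:06:00 10.1.9.7  198.51.100.9  tcp 443  734003200
2017-03-01T09:07:00 10.1.5.23 10.1.0.20     tcp 445  90000
"""

# Assumptions about the environment; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
WORKSTATION_NET = ipaddress.ip_network("10.1.5.0/24")
NORMAL_EGRESS_PORTS = {53, 80, 443, 8080}


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts),
                      "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst),
                      "proto": proto, "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def reduce_to_egress(flows):
    """Reduction step: keep only flows leaving the organization's address space."""
    return [f for f in flows if is_internal(f["src"]) and not is_internal(f["dst"])]


def odd_port_egress(flows):
    """Workstations talking out on ports other than the usual web/DNS ones."""
    hits = {(str(f["src"]), str(f["dst"]), f["port"]) for f in flows
            if f["src"] in WORKSTATION_NET and f["port"] not in NORMAL_EGRESS_PORTS}
    return sorted(hits)


def beacons(flows, min_count=4, jitter_s=5):
    """Pairs that connect at a near-constant interval; returns (pair, interval_seconds)."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(str(f["src"]), str(f["dst"]), f["port"])].append(f["ts"])
    hits = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            hits.append((pair, round(sum(gaps) / len(gaps))))
    return hits


def heavy_talkers(flows, threshold_bytes=100 * 1024 * 1024):
    """Source/destination pairs that moved more than threshold_bytes in total."""
    totals = defaultdict(int)
    for f in flows:
        totals[(str(f["src"]), str(f["dst"]))] += f["bytes"]
    return sorted((pair, b) for pair, b in totals.items() if b >= threshold_bytes)


def analyze(text):
    egress = reduce_to_egress(parse_flows(text))
    return {"odd_ports": odd_port_egress(egress),
            "beacons": beacons(egress),
            "heavy": heavy_talkers(egress)}


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_FLOWS).items():
        print(name, findings)
```

On the sample data the reduction step drops the two internal flows, the odd-port check flags the workstation on port 4444, the beacon check flags the same pair checking in every 60 seconds, and the volume check flags the 700 MiB transfer to 198.51.100.9. Each finding names a source/destination pair and a time, which is exactly what is needed to decide where to place a packet-capture tap for the next step.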
There are steps organizations can take before an attack to help network-based forensic investigations be successful. Here are three things you can do: