How to Protect Your Organization from Ransomware

One thing is certain in 2017: the threat landscape continues to increase at an exponential rate, and so do the business risks. In my opinion, one of the biggest threats—with the greatest level of impact—is ransomware.

Challenges Shared by All

Like all threats, ransomware is gaining momentum in both sophistication and severity of impact. PC Magazine defines ransomware as “Virus software that blackmails users by encrypting their hard drives or locking them out of the computer. It then demands payment to restore it.”

If organizations fall prey to a ransomware attack, they could choose to pay the ransom—however, paying the ransom proves to hackers that ransomware works. What’s more, there’s no guarantee that if you pay the ransom, you’ll get access to your hacked files. The best recovery method is to have recent backups to restore, but many organizations fail here.

The reality is that ransomware is spreading. McAfee reported that between 2014 and 2015, ransomware across sectors nearly tripled in volume—and new variations more than quadrupled. In 2016, total ransomware grew 80%. Simply put, your organization is at risk.

If the threat of ransomware is enough to make you lose sleep, take heart: You can still protect your organization. Ask yourself:

• How prepared are you for a ransomware attack?
• Are you doing all that you can to prepare for a ransomware attack? Do you have the right resources and talent on hand?
• How informed is your executive team, and do you have the right level of commitment and funding in support of your strategic plan?

Identifying these challenges will help better define your tactical and strategic security goals.

Tactical Adjustments: Preventive Defense

Below are tips on how to minimize the risks from known ransomware threats and vulnerabilities.

• Ensure that all of your important systems are properly backed up and that backups are stored in a safe, offline location.
• Implement well-defined security policies, standards, controls, and procedures for compliance and accountability.
• Execute a robust security awareness program to reduce the risk of unsecure behaviors, such as visiting malware-infected websites.
• Ensure that your training plans develop the in-depth skills required to utilize effectively the security tools and investments being made by your company.
• Increase network sub-netting and firewall/Intrusion Prevention System (IPS) to lessen the risk of compromise throughout the enterprise.
• Mature your group policy structure so that privileged accounts have a higher level of control and protection (e.g., multifactor authentication, restricted use, distribution of authority).
• Streamline patch management to remediate known vulnerabilities quickly.
• Put in place thoroughly defined incident response, risk assessment, and audit programs that are fully supported by your staff.
• Include encryption and certificate management, both of which are critical in securing confidential/protected information.
• Mature your reporting of work being done to support asset, risk, and impact assessments (quantitative and qualitative), as well as Business Continuity and Disaster Recovery (BC/DR) plans.

Strategic Adjustments: Proactive defense

The cybersecurity industry is maturing to address the challenges of ransomware and other threats. The following are strategic initiatives to consider in your long-term security plans.

• Grow the sources from which you learn about current threats and how they function, and continue to develop your intelligence networks for information gathering and sharing. (Be sure to use only trusted sites when doing your research.)
• Subscribe to external Open Source Intelligence (OSINT) feeds specific to malware, which may provide insight into the latest techniques used to bypass security defenses. (Note that Ransomware-specific OSINT sites are limited.)
• Mature your use of global threat awareness offerings that automatically update your systems to protect against behaviors associated with “zero-day” threats, which exploit an unknown computer security vulnerability.
• Consider migrating toward cloud-based services for additional advanced security capabilities.
• Establish performance baselines on network, system, application, and end-point devices. This will greatly improve your monitoring abilities to identify unusual or unsecured behaviors.
• Start researching Data Loss Protection (DLP) technologies and the skills required to enhance your control of outbound traffic to ensure security compliance.
• Back up your data. Because restoring the data in a timely manner can often be a challenge (especially if a large volume of data needs to be recovered), leverage virtualization technology to help streamline the recovery process. For example, a Virtual Desktop Infrastructure (VDI) used internally can greatly minimize the time and effort required to restore a compromised system. Be sure to incorporate point-in-time copies of critical data into your BC/DR planning.
• Leverage Security Information and Event Management (SIEM) solutions to centralize critical system logs and customize dashboards so that they quickly display useful information.
• Leverage in-depth forensic assessment and researching skills on how ransomware variances are constructed, how they behave, and what threat vectors or vulnerabilities they target. This will enable you to define custom rules within your security tools (Firewall, IPS/IDS, DLP, AV, AMP, URL Filtering, etc.) to alert you to unauthorized activity or system changes.
• Look for ways to lower the risk of ransomware attacks quickly and cost effectively. For example, quarantine all inbound messages with .ZIP or .RTF attachments and manually review until you have an automated means in place that is proven effective in eliminating these threats or lowering the risk to an acceptable level.

First Steps

The threat of ransomware doesn’t have to keep you up at night. If you understand the risks, identify your organization’s challenges, and develop a plan that defines both tactical and strategic change—one that includes investing in the right technologies and developing the in-depth knowledge and skill on how to leverage those technologies effectively—you will position your organization to be better prepared for the constantly changing threat landscape.

Links in this article are provided because they have information that may be useful. NYSTEC does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author and do not necessarily represent the opinions of NYSTEC.

Share

You're Doing It Wrong: Passwords in Plaintext

This article is cross-posted on the NYSTEC Info Security Advisor blog.

Customer:  I forgot my password.

Website:  No problem! Here’s your new password via email — fully visible for your convenience!

Oh, the pain. The pain.

EMAILING PASSWORDS = BAD

EMAILING PLAINTEXT PASSWORDS = VERY BAD

There’s so much wrong here.

First, email is not a secure way to send confidential information. Emailing a password makes as much sense as posting an image of your new credit card and CVV number on Facebook. How should you be getting that new password instead? Check out the Open Web Application Security Project (OWASP) guidelines.

Second, getting a password sent to you in plaintext (or cleartext) means your password is being stored in plaintext. Not encoded. Visible to anyone. If that website becomes compromised or your email is exposed, your password could be shared with every hacker in the world.

Bonus badness: If a hacker gains access to your plaintext password, and you use the same password for all of your accounts, have fun trying to recover all of those accounts after the hacker changes your password(s) and email address!

If a website sends you a password in plaintext, it’s okay to cringe. The good news is that it may not be completely terrible. If it’s a one-time password (i.e., a temporary password), that’s sort of passable, especially if it comes with an expiration date. (A far better solution would have been getting a one-time link to click.)

However, if you’re emailed your real password in plaintext, that is completely terrible. Do not store any personal information on that site — credit card numbers, bank accounts, and passwords should be considered off-limits. And never use that password anywhere else.

Passwords are the most valuable bit of information you have. Something that valuable deserves respect. If a website is saving your password in plaintext, then your password — and you — aren’t getting the respect you deserve.

The links in this content are provided because they have information that may be useful. NYSTEC does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed therein. The opinions and statements contained in such resources are those of the author and do not necessarily represent the opinions of NYSTEC.

Network Forensics 101

To read the original post “Network Forensics 101,” click here.

A cybercriminal has just wiped all traces of an attack from your server. Now you’ll never know the source of the attack or the extent of the damage, right?

Not if you have a network forensic investigator on the trail.

The ability to interpret the data in log and capture files and recognize malicious activity in the data is a special skill that requires in-depth knowledge of network and application protocols. This article provides a short introduction to network-based forensic investigations of suspected criminal activity related to information technology systems.

A Thorough Understanding

Criminals attack computer systems for a number of reasons, but primarily for economic gain. Among the most common targets are banking and other personal information stored on PCs and servers that will assist in completing fraudulent financial transactions.

Network forensics—defined as the investigation of network traffic patterns and data captured in transit between computing devices—can provide insight into the source and extent of an attack. It also can supplement investigations focused on information left behind on computer hard drives following an attack.

Identifying attack patterns requires a thorough understanding of common application and network protocols. For example:

• Web protocols, such as http and https
• File transfer protocols, such as Server Message Block (SMB) and Network File System (NFS)
• Email protocols, such as Simple Mail Transfer Protocol (SMTP)
• Network protocols, such as Ethernet, WiFi, and Transmission Control Protocol/Internet Protocol (TCP/IP)

The investigator must understand the normal form and behavior of these protocols to discern the anomalies associated with an attack.

Know the Sources

Network forensic investigators examine two primary sources: full-packet data capture, and log files from devices such as routers, proxy servers, and web servers—these files identify traffic patterns by capturing and storing source and destination IP addresses, TCP port, Domain Name Service (DNS) site names, and other information.

Full-Packet Capture. The advantage of full-packet capture is that the content, and therefore the meaning and value, of data being transferred can be determined. Packet capture is not usually implemented on networks full-time because of the large amount of storage required for even an hour’s worth of data on a typical business network. In addition, there may be privacy concerns (although most businesses today require all employees to sign an acknowledgement that they do not have a right to privacy while on business-owned systems and networks).

Data capture is typically implemented when suspicious activity has been detected and may still be ongoing. The packet-capture-network tap point must be chosen carefully so that it can capture traffic flowing among all affected devices, or multiple taps must be implemented.

Log files. Most modern network devices, such as routers, are able to store NetFlow (or equivalent) data into log files on a full-time basis without affecting performance. Web servers, proxy servers, firewalls, Intrusion Detection Systems (IDS), DNS, Dynamic Host Control Protocols (DHCP), and Active Directory server log files also contain much useful information about activity on the network. These log files can be analyzed to identify suspicious source and destination pairs (e.g., your server is communicating with a server in Eastern Europe or China) and suspicious application activity (e.g., a browser communicating on a port other than port 80, 443, or 8080).

One advantage of using log files is the much smaller file size compared to full-packet capture. Another advantage is that the collection points are already in place in key locations, and it is not difficult to collect and store the output from multiple devices into one master log for analysis. There are many free as well as commercial tools for log aggregation.

Know the Tools

There are many free software tools available for network forensics. While a few have a graphical user interface (GUI), most free tools have only a command-line interface, and many run only on Linux.

Especially in the case of full-packet captures, data must be reduced through filtering before detailed analysis is performed.

What You Can Do

There are steps organizations can take before an attack to help network-based forensic investigations be successful. Here are three things you can do:

1. Put a process in place. For network forensic investigators to do their work, there need to be log and capture files for them to examine. Organizations should implement event-logging policies and procedures to capture, aggregate, and store log files.
2. Make a plan. Incident management planning will help to respond to and mitigate the effects of an attack.
3. Acquire the talent. The ability to interpret the data in log and capture files and recognize malicious activity in the data is a special skill that requires in-depth knowledge of network and application protocols. Whether the talent is in-house or external, it’s vital that organizations have access to computer and network forensics investigators who are experienced and accessible.

Share