Safeguarding against the insider threat

The insider is still one of the most vulnerable elements of cybersecurity and it was the discussion of the recent Modern Workplace webcast on cyber intelligence and the human element.  Insiders are those who are authorized to work on company systems or in company facilities and they include trusted employees and contractors.  Whether it is through human error, social engineering, or intentional action, insiders are the cause of a significant portion of malware infections, data breaches, information theft, and privacy violations.

There are some key strategies you can use to safeguard against the insider threat.  First, technical controls can reduce the burden placed on insiders or minimize the potential damage done by insiders.  However, the insider threat cannot be solved entirely by implementing more technical controls.  No, human behavior is far different from a computer system and cannot be changed with by flipping a switch or changing a bit.  Companies need effective security leadership, security awareness training, and assessments and metrics.

Technical controls

Technical controls need to be implemented in such a way that they make it easy for users to do their job, while still remaining secure.  Systems that become too difficult to use when security controls are applied are the systems that will see less use as employees find workarounds.  For example, a company may implement more stringent password policies and change intervals only to find that users are storing the passwords unencrypted in phones, memo pads, or on the calendar at their desk.

Not implementing technical controls can have the same effect.  A company without adequate spam filtering could see users utilizing personal cloud email accounts for company email to avoid having to sift through mass amounts of spam.

Security leadership

Leaders should set an example for other employees and their subordinates by following secure computing practices.  They can also set an example by choosing where to spend money.  Information security needs to have an adequate budget and spending should be consistent and proactive rather than spike immediately following a security incident.  In the Modern Workplace webcast on cyber intelligence and the human element, Phil Ferraro, Nielsen CISO, said that it is essential for business leaders to understand that cyber risk is business risk.  This is more than an IT problem.

Awareness training

Awareness training is essential for teaching employees how to do their jobs safely.  Almost everyone uses a computer on the job and this means that they are interacting with organizational apps and data.  End users need to understand how to recognize phishing messages, including targeted spear phishing messages, as well as other social engineering schemes such as fake social media accounts, unsafe instant messages and text messages, or deceptive phone calls and voice mails.

People need regular reminders in order for information to stay top of mind.  It is not enough to conduct training once a year.  Training should be augmented with emails that inform users of new techniques and attacks or remind them of what they learned in training.  Posters and signs can also help employees remember their training.

Assessment and metrics

Follow up security awareness training with assessments such as online quizzes or questionnaires.  You may also consider conducting social engineering penetration testing by phishing your own users.  These assessments can help identify those that still make mistakes or do not fully understand the material so that you can focus additional training on those users.

It is also helpful to establish meaningful metrics on security performance.  Report on these metrics in company meetings so that employees know that it is important to the organization.  Use security metrics in employee reviews and reward employees and groups when security goals are met.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Share Button

The Future of DevOps

I recently did an interview with JAX Magazine on DevOps and here is the transcript of the interview.

Some people call DevOps a cultural movement, others consider it a magic bullet. In your view, what is the essence of DevOps?

DevOps is used to increase the efficiency of a business. It is a catalyst for collaboration between the roles of technology developers and IT operations to improve the agility of both IT and development. It is no magic bullet. The same problems such as poor communication, mismatched expectations, lack of cohesiveness and teamwork, and lack of vision that exist in a traditional development and operations setting will be carried over to a DevOps situation.

What are the latest trends in DevOps? Could you describe one important trend that you are particularly interested in?

As with most technology trends, DevOps is relying more heavily on cloud-based solutions. These solutions will shy away from the more simplistic Platform-as-a-Service (PaaS) approach and compartmentalize workflows into distinct containers. The container approach uses the same concept that DevOps employs. Using separate specialized containers that collaborate with each other that can change rapidly for a faster, efficient, and cost-effective solution. At the same time, there is a need to more flexible management on an enterprise scale so these solutions are being integrated with cloud management suites for ease of provisioning, monitoring, auditing, and management.

DevOps is more than a technology trend — some people claim that it is transforming the modern IT landscape. As more and more organizations decide to adopt DevOps, they need guidance and the right tools. In your view, what are the most suitable tools that should be part of a ready-to-use “DevOps kit”?

DevOps needs an infrastructure that can support rapid development and deployment.  I would say the essential toolkit includes a code repository, a project management tool, a change management application, and a ticketing system. Every person in the DevOps team needs to be on the same page. The project management tool helps with this. The code repository helps with code versioning and release management. This way everyone can work on the most recent branch of code submitted. An automated testing environment is also helpful with speeding up development and getting products to market faster. Next, the change management application allows for a controlled implementation of changes and ensures that adequate review of changes has been accomplished. Lastly, a ticketing system tracks end user issues and their resolution. When these items relate back to application issues, new releases can solve the underlying issues.

What is the role of cloud in a DevOps context? What benefits does it bring?

The cloud can be used for both collaboration for the development/operations team and the deployment to the customer. This can be used for rapid deployment of each new iteration. With a cloud, the support can be done anywhere, anytime, which makes it much more efficient than provisioning individual systems. The cloud can also be used to quickly set up test or QA environments and allows for rapid deployment of products or rapid growth.

If containers are revolutionizing IT infrastructure and DevOps is transforming the modern IT landscape, would you say that they go well together?

DevOps can use containers in many of its solutions. Containers can be thought of as single units that collaborate to make a final product. This way the DevOps job of supporting the containers can be singled out to an exact container with each container fulfilling a certain function. In this way, it is much easier to discern which container needs maintenance. This improves efficiency, which is one of the primary goals of DevOps

What are the anti-patterns of DevOps?

Anti-patters remove undesirable assumptions and artifacts from the DevOps culture and belief system. DevOps does not combine the roles of a Developer and Operations into a single job. It instead aims to strive for better collaboration between two roles within the same collaborative team. When developers start doing the job of system administrators or vice versa, anti-patterns bring corrective structure to the team. This ensures that both developers and administrators have the same goal instead of being in opposition to each other while still performing distinct tasks within the team.

Do you have a tip on how we can eliminate obstacles to DevOps adoption?

The first step to DevOps adoption is to get developers to start using an agile development approach rather than a traditional approach. This is essentially a prerequisite for DevOps and many companies have already taken this step. Next, comes coordination and integration of the teams. There needs to be the establishment of new norms, goals, and expectations. Some groups may need to undertake team-building exercises to better work together and there may be some cultural changes as well as development and operations teams may have developed their own unique cultures.

Share Button

How ransomware extortionists hide their tracks

Cybercriminals extorted about one billion dollars from ransomware victims last year, according to the FBI. And nearly all of those perpetrators went unprosecuted because of the innovative methods they use to protect their identities and hide their funds. They go to great lengths to keep authorities from seizing or freezing their money. By and large, their efforts have paid off. Here’s how they do it:

Hidden identities, disposable email
Extortionists protect their identities whenever interacting with victims. This generally occurs when they distribute ransomware, and when they collect ransom payments from victims in exchange for decryption keys.

Extortionists use disposable email accounts and when sending out phishing emails that target victims. These accounts have fake names associated with them and no useful contact information. In some cases, the accounts are owned by another individual—a person whose account was compromised, taken over and used to send malicious emails.

Layered like an onion
Extortionists often protect themselves during the collection phase by using so-called “onion routing” tools like Tor, which use multiple layers of encryption to ensure anonymous networking and communications. Tor is a network of computers that exchange encrypted data among themselves to obscure the source of the data. This prevents researchers and law enforcement from identifying where the decryption keys are stored.

Cryptocurrency enables anonymity
The cybercriminals responsible for disseminating ransomware typically demand payment in some form of cryptocurrency. Bitcoin is the most popular cryptocurrency with Litecoin and Dogecoin coming in second and third place, respectively. Bitcoin currency is stored in a digital wallet and bought and sold over bitcoin exchanges, through peer-to-peer marketplaces, and via person-to-person trades using an intermediary. Bitcoin transactions are logged publically but transactions only reference the wallet IDs of each partner in the transaction, not the names of the individuals themselves. Wallet IDs have no identifying information associated with them other than their number.

Cybercriminals typically keep a wallet ID for a short period of time and may only use it for a few transactions before switching to a new wallet ID. This ensures that specific wallet IDs are not identified as major bitcoin traders. They also use bitcoin laundering services or anonymizers like bitmixer.

Gift cards and money mules
Some forms of ransomware accept vouchers for payment. These include gift cards and CashU, MoneyPak, MoneXy, Paysafecard and UKash vouchers. These may be used to purchase goods that “money mules” then sell over the internet for cash. Money mules are also used to liquidate cards by selling them to individuals at less than face value. Cybercriminals prefer cryptocurrency because it allows them to keep a greater percentage of the profits.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Share Button

Key security strategies for data breach prevention

If we have learned anything over the last few years about data breaches, it is that they are likely to happen.  However, data breach frequency can be reduced and its impact minimized with some key strategies.

Both response and prevention efforts are greatly impacted by organizational culture.  Organizational culture is formed over years as certain values and behaviors are reinforced or discouraged through a series of successes and failures.  Security is seen as important and vital to organizational success in positive security cultures while it is ignored or even discouraged in negative security cultures.

You can reinforce an existing security culture or bolster a lagging one with some of the same strategies.  The first strategy is to make the topic of security a common one.  Discuss risks in meetings and common decision-making situations.  Ensure that managers and knowledge workers are on the same page with risk, knowing how much risk is acceptable and how their decisions affect risk.  Employees also need to understand what it is they are trying to protect, such as customer information, trade secrets, or strategic business information.

Security awareness training can provide the skills and knowledge necessary to prevent data breaches and respond to those that happen.  It is also a crucial component of a security culture.  Security awareness training should be consistent and enacted for employees at all levels of the organization so that they can accurately recognize threats and understand their role in the response effort.  Since a large percentage of attacks target the human element in organizations, this training can equip employees with the skills to avoid such attacks.  Awareness training prepares employees for their role in incident response by teaching them about incident indicators and how to properly report an incident.

Incident response planning is also necessary to ensure that the response is performed correctly and in a timely manner.  An effective response can greatly minimize damages to both the organization and its customers.  Incident response plans should be regularly reviewed and updated, and those involved should participate in drills and exercises so that the response activities come naturally to them.

Leading all these efforts is a Chief Security Officer (CSO) or Chief Information Security Officer (CISO).  This individual should have the authority to interface at the highest levels of the organization to ensure that preparation and protections are placed appropriately throughout the organization.  Responsibility for security lies not only in IT but in the entire organization, from senior management to the factory floor; remote office workers to branch office managers; and from interns to HR.  They will also need a budget to perform these activities.

Choose your CSO or CISO wisely because they will be a driving force behind security initiatives.  They will need to be an effective communicator and leader with good vision and planning skills.  In a recent Modern Workplace webinar on cyber intelligence and data breaches, Vanessa Pegueros, DocuSign CISO, said that the CISO should have breach experience.  Breach situations are often high-stress, but the lessons learned are invaluable for a security leader.

Put the right strategies in place to bring about cultural change, increase awareness, refine and communicate incident response plans.  Then, equip a CSO or CISO with the authority, responsibility, and budget to make it all happen.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Share Button

Resume Ransomware: GoldenEye targets hiring managers, recruiters and HR

People charged with filling career positions at their companies need to be on the lookout for ransomware—especially GoldenEye ransomware.

GoldenEye is a new form ransomware written by the same cybercriminal who gave us the Petya and Mischa ransomware attacks. The author has applied some of the same distribution tactics that Petya and Mischa are known for by masking the ransomware as a job application. GoldenEye attacks typically begin with an email that appears to be from someone interested in a position. The inboxes of human resource personnel and hiring managers are often swamped with emails from potential candidates. As a result, very little time may be spent reviewing each email. Instead, recruiters and HR managers open the attachments and quickly screen resumes or cover letters to determine if the applicant is qualified for the position. GoldenEye takes advantage of this behavior. GoldenEye is currently targeting potential victims in German-speaking countries, but that could change at any moment.

GoldenEye emails include two attachments; a PDF cover letter and an Excel spreadsheet with a file name that includes the phony applicant’s last name, a dash and the word “application” in German. The cover letter looks entirely legitimate. The cover letter has an introductory statement, photograph and then states that the Excel file contains references and results from an aptitude test. The PDF attachment does not include any malicious code but the presence of a well-written cover letter aids in convincing the victim to open the second attachment, an Excel file.

The Excel file contains the ransomware as a macro. The file displays a flower logo that appears to be loading something. Microsoft Office blocks the macro unless macros have been enabled by the victim. Victims are enticed to enable the macros so that the loading screen will disappear to display the resume content. However, once enabled by the victim, the macro will save code into an executable file in the victim’s temp directory and then launch the ransomware. The program encrypts files and displays a ransom message. However, after the initial ransom message is displayed, GoldenEye restarts the machine and encrypts the Master File Table (MFT) and replaces it with a custom boot loader that shows the ransom message upon computer startup.

GoldenEye essentially performs the file encryption activities of Mischa and then restarts to perform the MFG encryption activity of Petya. Both encryption methods have been improved, and decryption methods for Petya and Mischa will not work on GoldenEye.

GoldenEye’s ransom message instructs victims go to a URL on the dark web to obtain their decryption key. Victims will need the decryption code presented in the ransom message to pay the ransom.

Be careful when opening any attachments from an unknown person and ensure you have a backup of critical files so that GoldenEye does not claim a ransom from you.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Share Button

PopcornTime offers victims a choice: Pay the ransom or infect your friends

PopcornTime is a newly-discovered form or ransomware that is still in the development stages but operates off a disturbing principle: Victims who have their files encrypted by PopcornTime can agree to pay the ransom, or they can choose to send the ransomware to friends. If two or more of those friends become infected and pay the ransom, the original victim gets their files decrypted for free.

The process is reminiscent of the movie, “The Ring,” where victims who had watched a film had seven days to make a copy of a killer movie, or they would die.

Researchers on the MalwareHunterTeam discovered PopcornTime, which shouldn’t be confused with another application with the same name that is used for streaming and downloading movie torrents.

PopcornTime is also similar to the chain emails or chain letters of days past, where the recipient is told to forward the communication or bad things will happen. The key difference between PopcornTime and chain emails is that with the latter, there’s usually no teeth behind the threats. Most chain emails and letters are proven to be hoaxes. With PopcornTime, the looming threat to your data is real.

PopcornTime is still in development so the final version could differ from what MalwareHunterTeam discovered.

A third choice that makes better sense
It’s worth mentioning that if your files are properly backed up, PopcornTime can’t make you do anything. You can simply delete all infected files, remove the virus from your computer, and download clean versions of your files from backup. Don’t let the criminals coerce you.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Share Button

Ransomware distributor gets hacked: A look behind the curtain

Two email accounts of a ransomware distributor were recently compromised. The analysis of these accounts gives an interesting “behind the curtain” view of a ransomware distributor. It appears that even malicious hackers use a bit of security advice.

The email account, cryptom27@yandex.com, which was used by the attacker behind the recent San Francisco Municipal Transportation Agency (SFMTA) ransomware incident, had an easily-guessable secret question. That allowed a security researcher to take over the account. The unidentified attacker had a backup email account, cryptom2016@yandex.com, that used the same secret question and was also compromised.

The analysis of these emails was reported by IT security blogger Brian Krebs, and it reveals a lot about ransomware distribution. First, the ransomware distributed by this attacker was not targeting specific organizations but was targeting an industry instead. The attacks focused primarily on U.S. construction and manufacturing firms. However, the attacker did not turn away business from those he had inadvertently exploited while launching the attack. The attacker also used an exploit designed take control of Oracle servers and use them to distribute more ransomware.

The attacker used various threats to coerce victims into paying ransom demands. Victims were told they would never get their data back if they did not pay up. The attacker demanded payment within 48 hours, or the data would be deleted, and in some cases told victims that the ransom demand would increase the longer they spent thinking about it.

The attacker used Mamba (HDDCryptor) ransomware, which encrypts entire hard drives. And after the hard drives are encrypted, the attacker’s victims were presented with a message telling them to send an email to one of the aforementioned email addresses to get payment instructions. The attacker apparently used a third email address, but this one did not use the same secret question, and the researcher could not obtain access to it.

The analysis also shows how profitable ransomware can be. The attacker using these email addresses collected $45,000 from a previous attack on a U.S. manufacturing firm. This money was collected through various attacks over the course of a few months. This information was obtained from the two compromised email accounts. These attacks appear to have been committed by a single individual, but it is possible that multiple individuals were involved.

This case demonstrates the ease with which ransomware attacks can be carried out, as well as their massive earning potential.  It’s important for individuals and companies to protect themselves primarily by ensuring that all important data and systems are backed up and that those backups are stored in a location segmented from production systems.

A wide variety of technical controls can help detect ransomware and prevent its spread. User awareness training can help reduce the effectiveness of ransomware distribution through phishing. However, none of these methods are 100% effective. That is why backups are essential to any defense strategy. Take a lesson from this analysis and protect yourself because this threat is far from over.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Share Button