Will Hacktivists Turn to Ransomware?

The US presidential election is upon us and some political activists are out in the streets, and in convention halls. And some are busy hacking. I am referring to the hacktivists, those who illegally use technology to promote a social or political agenda. The main difference between hacktivists and other cybercriminals is that hacktivist crimes are typically associated with a protest or political motivation.

In the early days of hacktivism, hackers used computer worms to spread messages, such as the 1989 Worms Against Nuclear Killers (WANK) anti-nuclear message that sent system announcements on DEC VMS systems.

In recent years, hacktivists have mostly used website defacement, data disclosure, and Distributed Denial of Service (DDoS) attacks to spread their message. Hacktivists typically do not create the attack technology; they simply adapt it for their use. With versions of Cryptolocker, Cerber, Locky, and Stampado for sale at reasonable prices, hacktivists have all they need to launch their own attacks.

Hacktivist ransomware? Not yet.

The good news is that we have not seen hacktivist ransomware – yet. It is a concern because it will differ greatly from the ransomware we know today. Some hacktivists may not even make a demand.  Encrypting the data will cause the disruption in business they desire.

Now is the time to guard yourself from such attacks. Take an inventory of the data in your organization so you know where it is. Next, back up the data and ensure it can be recovered in time. Lastly, ensure that users know that your organization has a plan in place to respond to ransomware (your backup strategy) and educate them on the process for spotting and reporting ransomware. That last step, prevention, is key to your success.

Three steps to data protection

Many organizations have found out too late that valuable data was on a device that they did not track, and these oversights have resulted in data breaches, or data loss. Both consequences can be avoided when the organization understands what data they have and where it is located.

Craft a backup strategy that keeps the backup copies separate from the production copies so that ransomware will not infect both. The strategy should also allow for restores to be performed quickly enough so that business interruptions are kept to an acceptable minimum. In the industry, we call this the RTO or Recovery Time Objective. You also want to make sure the backups are performed frequently enough to avoid unnecessary data loss.

The final key to protecting your data from ransomware attacks of any kind is to communicate with employees. Ensure that they understand that the organization has a plan in place to deal with ransomware. In this way, employees will not feel that they need to take on the solution themselves by paying the ransom or, in the case of hacktivism, performing the requested action. Employees should also understand how to report ransomware so that the organization can respond to the incident quickly.

If hacktivism follows the route many believe it will, hacktivist ransomware will eventually enter the scene. Protect yourself from all ransomware by putting the right controls in place before the attack.


Adding Ransomware to Security Radars

Ransomware is the quickest way to turn your valuable data into garbage.  Ransomware is a form of malicious software that blocks access to user data such as documents, spreadsheets, pictures, music, or videos, typically by encrypting those files.  At this point, the ransomware will display a demand for payment in order to send the victim the decryption keys to the data.

Businesses and consumers often do not know what they have until it is encrypted.  It is then that they realize their Christmas list, family photos, and personal financials are inaccessible.  It can be much worse for companies.  Imagine the impact when payroll data, product formulas, or inventory records are suddenly unavailable.  Now imagine a doctor who is unable to prescribe medicine or perform an operation because the prescription information or patient records they need are encrypted.  As you can see, the impact of ransomware can be severe.

Despite ransomware’s severe impact, its attack vectors are more mundane.  Ransomware is obtained through a variety of well-known routes including email, websites, online advertising, exploits on system vulnerabilities, and infected files on shared folders or cloud file sharing services.

Email

Emails, particularly phishing emails, frequently entice users to open attachments that contain ransomware or to click links leading to infected websites.  The techniques used here are the same ones used by scammers, hackers, and other malware distributors.  Protection techniques include screening attachments with antivirus tools and utilizing email gateway scanning and filtering tools.  It is also important to educate employees or family members on how to recognize suspicious emails.

Infected websites and online advertising

Ransomware is also distributed from infected websites and through online ads.  Extortionists seed websites with malicious code and then wait for unsuspecting Internet users to visit a compromised site and get infected with their ransomware.  The likelihood of infection from such sites can be greatly reduced by utilizing a web filter, scanning web sites for malware or by browsing the web in a virtual machine.

Extortionists also create ads on social media or in search engines that download the malware.  Ads might pretend to be a flash player update, help or chat ads, or fake antivirus.  These ads are collectively known as malvertising.  The best way to protect against ransomware distributed through malvertising is by using an ad blocker.  There are many extensions for common browsers or standalone applications that can perform this activity.

Shared folders or cloud file sharing

Ransomware can also be obtained when a computer is connected to a network share that has ransomware on it.  Many ransomware variants are capable of spreading to shares that a computer is connected to, typically through mapped drives.  Ransomware can also infect your machine if you are using a cloud file sharing service that synchronizes files between machines.  If a personal computer is infected and has the cloud file sharing software on it, it can replicate the malware to other computers that are part of the sharing relationship, infecting them all in the process.  Monitor file servers for mass file changes to detect ransomware behavior and scan files that are placed on network shares.  Similarly, equip each computer that utilizes cloud file sharing applications with antivirus software and segment business cloud file stores from personal ones.
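The file-server monitoring recommended above can be implemented as a rate check over the share's audit log: a single user session that writes, renames or deletes far more files per minute than a person working normally is the behaviour to alert on. The script below is an added example, not code from the original article; the audit log line format, the share name, the user names, and the 60-second window and 20-change threshold are constructed assumptions to tune for your own environment.

```python
"""Mass file-change detector for file-server audit logs (added example)."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from os.path import splitext

WINDOW = timedelta(seconds=60)   # look-back window per user (assumed value)
THRESHOLD = 20                   # file changes within WINDOW that raise an alert (assumed)
CHANGE_OPS = {"WRITE", "RENAME", "DELETE"}
SHARE = r"\\fs01\finance"        # constructed share name


def parse_line(line):
    """Parse a constructed audit line: '<ISO timestamp> <user> <op> <path>'."""
    ts, user, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, op, path


def detect_mass_changes(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per user whose change rate crosses the threshold.

    Each alert records the user, when the burst started, how many changes
    had been seen when the threshold was crossed, and the most common file
    extension in the burst: many files acquiring one unfamiliar extension
    is the usual footprint of encryption in progress.
    """
    recent = defaultdict(deque)   # user -> deque of (timestamp, extension)
    alerts, alerted = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, user, op, path = parse_line(line)
        if op not in CHANGE_OPS:          # reads are not evidence of encryption
            continue
        q = recent[user]
        q.append((ts, splitext(path)[1].lower()))
        while q and ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)              # one alert per user, not one per event
            top_ext, top_count = Counter(e for _, e in q).most_common(1)[0]
            alerts.append({"user": user, "start": q[0][0], "changes": len(q),
                           "top_ext": top_ext, "top_ext_count": top_count})
    return alerts


def build_sample_log():
    """Constructed log: alice does ordinary work; bob's session rewrites and renames 25 files in 25 s."""
    base = datetime(2016, 6, 1, 9, 15, 0)
    lines = [
        (base - timedelta(hours=7)).isoformat() + " alice WRITE " + SHARE + r"\q1.xlsx",
        (base - timedelta(minutes=5)).isoformat() + " alice READ " + SHARE + r"\q2.xlsx",
        (base - timedelta(minutes=2)).isoformat() + " alice WRITE " + SHARE + r"\q2.xlsx",
    ]
    for i in range(25):
        t = (base + timedelta(seconds=i)).isoformat()
        name = SHARE + "\\doc%02d.docx" % i
        lines.append(t + " bob WRITE " + name)
        lines.append(t + " bob RENAME " + name + ".locked")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_changes(build_sample_log()):
        print(alert)
```

The alert fires on the twentieth change inside the window, well before the session has finished, which is the point at which disconnecting the offending host from the share limits the damage. Run it against a real audit export by replacing `build_sample_log()` with the file's lines in the same four-field layout.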

System vulnerabilities

Vulnerabilities in operating systems, applications and browser plugins are well documented once they have been discovered.  Attackers create exploit kits to target these vulnerabilities and then other malicious actors utilize these exploit kits to deliver malware to your machine.  The most common exploits are those related to operating systems such as Windows, applications such as Adobe Acrobat, or browser plugins such as Java, Flash, or Silverlight.  The best way to protect against the exploitation of such vulnerabilities is to keep systems, applications, and plugins updated to the latest version.  Vendors frequently release new versions or patches to software that fix the vulnerabilities that have been discovered.  Applying these updates can prevent those vulnerabilities from being exploited.

Exceptions

There will always be exceptions in a security system.  No system will protect you one hundred percent of the time and that is why it is important to have contingency plans.  When ransomware gets past your defenses, and it will at some point, be sure you have up-to-date backups of critical files so that you can remove the malware and encrypted files and then restore clean versions of the files back to computers.  Backup solutions should be distinct from production systems.  For example, a hard drive connected to a computer or a network attached storage device are both accessible from an infected machine so they are likely to be infected too.  However, tape backups or online backup services are distinct from production storage and can be relied upon to restore clean copies of data if the restore points predate the infection date.
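The two backup requirements this article sets out, restoring quickly enough to meet the Recovery Time Objective with backups taken often enough to limit data loss (the earlier piece on data protection), and restoring only from copies that are separate from production and predate the infection (this section), can be checked mechanically against a backup catalogue. The following Python is an added example and not the article's own tooling; the catalogue entries, media names, restore-time estimates and the rule that USB drives, NAS and mapped shares count as reachable from an infected machine are constructed assumptions drawn from the article's examples.

```python
"""Restore-point selection and recovery-objective checks (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RestorePoint:
    taken_at: datetime
    medium: str            # constructed labels: "tape", "online", "usb_hdd", "nas", "mapped_share"
    restore_minutes: int   # estimated time to restore this copy


# Media that share a filesystem or mapped path with production are treated as
# reachable by ransomware on an infected machine (assumption based on the article).
PRODUCTION_REACHABLE = {"usb_hdd", "nas", "mapped_share"}


def choose_restore_point(points, infection_time, rto):
    """Newest point that predates the infection, lives on media separate from
    production, and can be restored within the RTO. None if nothing qualifies."""
    candidates = [p for p in points
                  if p.taken_at < infection_time
                  and p.medium not in PRODUCTION_REACHABLE
                  and timedelta(minutes=p.restore_minutes) <= rto]
    return max(candidates, key=lambda p: p.taken_at, default=None)


def data_loss_window(point, infection_time):
    """Work lost if this point is restored: time between the copy and the infection."""
    return infection_time - point.taken_at


def backup_gaps_exceeding(points, rpo):
    """Gaps between consecutive backups longer than the acceptable data-loss window (RPO)."""
    times = sorted(p.taken_at for p in points)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > rpo]


def build_sample_catalogue():
    """Constructed catalogue: nightly tape with one missed night, a midday online copy, a NAS copy."""
    return [
        RestorePoint(datetime(2016, 6, 1, 2, 0), "tape", 180),
        RestorePoint(datetime(2016, 6, 2, 12, 0), "online", 240),  # too slow for a 3 h RTO
        RestorePoint(datetime(2016, 6, 3, 2, 0), "tape", 180),
        RestorePoint(datetime(2016, 6, 3, 8, 0), "nas", 30),       # reachable from production
        RestorePoint(datetime(2016, 6, 3, 9, 0), "tape", 180),     # taken after the infection
    ]


if __name__ == "__main__":
    infected_at = datetime(2016, 6, 3, 8, 30)
    chosen = choose_restore_point(build_sample_catalogue(), infected_at, rto=timedelta(hours=3))
    print("restore from:", chosen)
    print("data lost:", data_loss_window(chosen, infected_at))
    print("gaps over 24 h:", backup_gaps_exceeding(build_sample_catalogue(), timedelta(hours=24)))
```

Note that the NAS copy taken at 08:00 is the newest and fastest, and is exactly the one the selection refuses: it is reachable from the infected machine, so it cannot be trusted. Tightening the RTO to two hours returns `None`, which is the signal that the backup design, not the restore procedure, needs to change.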


Big Data ROI – How to use what you already have

We may not be using more of our brains but we can probably use more of our data. Did you know that organizations typically use only 1 percent of the data they collect? Why is this and how can we change it? Do organizations need more motivation, utility, expertise, tools, or just better data retention policies?

The problem of motivation

Motivation is the driving force behind activity, but businesses, and the people who run them, are often juggling many priorities. Big data may simply not be at the top of their list. It is easy to put off analyzing organizational data because it seems easy to keep it around. After all, storage media continue to grow in capacity and are available at lower cost. However, there are additional costs, especially those associated with the loss of data in a breach, that organizations often do not factor in when considering the cost of storing data that may or may not be utilized in the future.

At the same time, some organizations struggle with motivation because they are always waiting to collect a bit more data before analyzing it. Statistical analysis is typically more reliable as data sets grow. However, machine learning can be used to fill in some of the gaps once an analytical program has been sufficiently trained. Still, no matter what method is used, a minimum amount of data will be needed for a relatively accurate analysis, and some companies are afraid of acting on potentially incorrect data. The downside is that they are also waiting to capitalize on the benefits of the data they hold.

Motivation needs to come from the top down if you want the use of data to be both successful and consistent. Organizational leaders must decide what they want to achieve from their data and then empower those best suited to analyze it with the task of putting it all together to obtain meaningful and valuable results.

Finding the utility

Lack of data ROI could also be due to a lack of value or utility. Some organizations collect data just because it is there or because it was provided, but they have no need for it and it produces no value for them. In this case, the best course of action is to make an informed decision as to whether the data is valuable. If it is not, the organization should delete the data so that it does not have to expend resources managing and protecting it.

Achieving expertise

Analyzing big data, configuring machine learning algorithms, evaluating outcomes, and implementing the underlying analytical systems for big data requires a high level of expertise in a variety of disciplines. Some organizations do not have the expertise or they are in the process of developing that expertise.

Those that are new to analyzing big data might seek the help of a trusted partner to get them up to speed or they may outsource the role entirely. However, given the value of organizational data and the risk of exposure, outsourcing should be treated with a due diligence assessment of the outsourced company’s capabilities and reinforced with a strong contract.

Building better models and tools

Those who are using big data probably see room for improvement, especially in the models they are using to interpret the data and, in lesser cases, the software and infrastructure they utilize. Cloud computing can offer great advantages in expanding to meet big data needs and in providing the raw computing power to analyze large data sets. Other companies are deploying private or hybrid clouds so that they can offer more customized analytics to decision makers.

Performing better housecleaning

Lastly, some only use 1 percent of their data because they simply do not have a policy and procedure for removing useless data. A large component of this is the data retention policy which spells out how long different types of data will be stored by the company and when that data will be destroyed. Additionally, some data that fits certain criteria may be removed immediately. This might include spam or other junk emails, draft files, temporary files, Internet history, cookies, or encryption keys. Removing this data makes it easier to manage the remaining data and it can prevent malicious outsiders from obtaining data that could be used to launch attacks or otherwise harm the company or its customers.

Humans only use a small portion of our minds and we use an even smaller portion of the data we collect. The good news is that there are viable strategies companies can employ to begin utilizing more of that data. So what is holding you back?


Top security initiatives for 2016

2016 is going to be a big year for security. News of data breaches and the major technological innovations of 2015 will put more pressure on companies to implement effective organizational security. I believe 2016 will see major initiatives in these seven areas:

  1. Securing the supply chain

2015 demonstrated the need for organizations to ensure that their weakest security link does not lie with one of their suppliers. Some of the security breaches that occurred were the result of suppliers or partner companies that were handling or had access to company information.

The supply chain relies on sharing of information in order for it to function effectively and 2016 will see an increase in initiatives to implement a standard or minimum set of security controls throughout the process and wherever sensitive data is shared with suppliers or other partner companies.

  2. Leverage more data analytics for security

Big data has been growing more and more each year. It has been leveraged greatly in determining shopping habits, customer needs, process improvement and many other areas but I believe 2016 will see a growth in the use of big data in security. Big data can be used to predict likely targets, identify attack patterns, detect network or data anomalies that indicate abnormal activity such as a data breach, validate data sources to better screen out garbage data or identify areas where security controls are performing well. This is all very valuable in protecting organizational assets. It is also valuable to governments trying to protect their citizens and companies against attacks from foreign nations and companies.

  3. Internet of Things security

The Internet of Things (IoT) is expected to explode next year. As more and more devices come online, companies will develop new strategies and technologies to protect the devices and the data produced from those devices. I expect the innovation in IoT and IoT security will also trickle over to other areas of security, helping to improve security overall.

  4. More companies will hire a security executive such as a CSO

The Chief Security Officer (CSO) will be a more common member of the “C-suite” in the next year as companies realize that top level support is required and an independent executive division is needed to ensure transparency and functionality between technical, operational, financial, legal and other critical business areas.

CSOs will be expected to implement security best practices and work with compliance officers or teams to ensure adherence to relevant regulations. They will also be responsible for aligning businesses and security goals so that security initiatives are more effective.

  5. Find ways to hire and retain valuable infosec talent

2016 will see an increase in hiring of other infosec professionals, as well. CSOs will need a team to achieve their objectives and they will not be able to fill that need entirely from existing resources. Such resources may include risk management professionals, security analysts, penetration testers, security engineers and architects, security managers and other security professionals.

  6. Extend security to the mobile device

Employees today are not just mobile, they are mobile with multiple devices. Employees may have a laptop, tablet, and smartphone each connected to the corporate network. Companies will be implementing more controls to extend organizational security to the mobile device. This will include mobile device management systems but also more transparent security such as data driven security, identity management systems that integrate across mobile and traditional platforms and cloud systems that offer services to mobile and traditional systems alike.

  7. Encryption is the new “minimum” security

The regulations have spoken and encryption is practically the new minimum standard for security. 2016 will see an increase in the use of encryption for key systems such as email, network communications, web traffic including traffic that was previously not deemed sensitive, end user computers and mobile devices and servers. Those systems that are already using encryption will most likely get an upgrade to the type of encryption used or to the way they manage keys so that they are in line with best practices.

Do you see any other security initiatives coming forward in 2016? Please share your thoughts with us on Twitter @evanderburg and copy @DellPowerMore.


No compromise with the hybrid cloud

The following question may be familiar to many who have considered cloud services; it has been both the start and the end of many cloud discussions.

What is most important to you, cloud security and service customization or flexibility and cost?

Those who picked security and service customization adopted a private cloud model and those who picked flexibility and cost chose a public cloud model. Those that couldn’t choose continued using traditional IT to solve today’s problems and they had a tough time of it.

The good news is that you don’t have to make that choice anymore. Security, service customization, flexibility, and cost objectives can each be met through a merger of public and private cloud approaches in the hybrid cloud. To understand how this works, let’s briefly explore both prior models and then compare them to the hybrid cloud.

Security in public and private clouds

Organizations have more control over data and services when using a private cloud. This control allows cloud services to be tailored to the company’s security strategy, including the security controls and procedures necessary to meet compliance requirements. Along with greater control comes increased visibility into the system for easier management and incident response. For example, computer forensic or investigative work can be streamlined because no third party limits access to the data or logs, and the organization can collect evidence directly, resulting in a clearer chain of custody. Public clouds offer less visibility and control, making it harder to enforce security requirements, perform investigations, collaborate on incident response, and notify customers quickly about data breaches. They have received the most criticism for their ability to securely protect data, especially in regulated businesses that must meet compliance requirements.

Private clouds may be shared among business units but they are not shared between unknown entities as is common in public cloud offerings. This reduces the chance that a successful exploit of a neighboring cloud system will impact organizational systems. However, public clouds are by nature targets because they are visible, well-known repositories of data. Attackers may not know what data resides in a public cloud or whether it is worth their effort to attack but public clouds hold so much data that they make a tempting target for attackers. By placing data in a public cloud, consumers are no longer a target of opportunity, they are a target of intent.

Flexibility

Public clouds offer the best flexibility since they can be expanded or adopted almost at will. Cloud consumers purchase just the services they desire. When they want more storage or additional processing power, they simply increase their cloud plan. Similarly, when they no longer need resources, they can release them back to the cloud.

Private clouds differ greatly in their flexibility. Organizations often purchase the servers, storage, and networking equipment along with the necessary software to set up a private cloud and they must pay IT personnel to maintain it. They also need to make purchases as the environment grows. Unfortunately, if demand for the private cloud shrinks, the investment is already made and the organization must find a different use for the equipment or suffer a poor return on investment when the equipment stands idle or when IT staff are not fully utilized. Hosted options are available for private clouds, but the organization must still have staff who are capable of managing the private cloud.

Public and private cloud cost models

Cost models differ greatly between cloud offerings. Public cloud pricing is based on service level and utilization. This tends to work well for companies that want to keep service costs aligned to usage. Private clouds often require direct capital expenditure, as mentioned above, or at least additional staff to manage, create and expand them.

Putting it together with the hybrid cloud

The hybrid cloud combines elements of the private and public cloud models. Private cloud elements provide the portal to services, but public cloud elements can be used to extend the private cloud as needed. This makes the hybrid cloud flexible. Standardized elements that do not need the enhanced security of the private segment can be moved to the public segment, allowing for growth without as significant an investment in capital equipment.

Data flows between public and private segments of the hybrid cloud can be fine-tuned to adhere to organizational security, privacy and compliance rules. For example, sensitive or confidential data, such as trade secrets, financials, and customer information could reside on the private element of the cloud while more operational data and public data are pushed to the public segment as needed. Alternatively, data could be allowed to be pushed to the public segment of the hybrid cloud but would only be able to reside there for a limited time and the data would be encrypted automatically.

I’m happy to say that you don’t have to choose between security and service customization or flexibility and cost. You can get it all in the hybrid cloud. For those who have rejected public or private cloud models, I encourage you to seriously consider the hybrid cloud. Tomorrow’s challenges will come in all shapes and sizes, many of which existing IT cannot handle. Move to a platform engineered for the future and reshape your business with the hybrid cloud.


Cloudsizing: Finding the right fit for your cloud

The maturation of the cloud is fascinating as it continues to adapt, providing more opportunities for companies and consumers to leverage the vast computing and storage power of computers around the world. Whether those resources are housed in a corporate data center or dedicated hosting facility as part of private cloud services or through third party public cloud offerings, the cloud is most likely part of your everyday life and it is one of the biggest technology growth areas, offering companies ways to save money and become more adaptable to change.

There are many options for cloud consumers, those utilizing or wishing to utilize cloud services. A large differentiator between cloud types lies in the ownership and operation of the cloud infrastructure, and three main types of clouds (private, public, and hybrid) are used to support differing business needs.

Private cloud

Private clouds allow business units to utilize cloud services without needing direct capital investment. The organization makes the investment in the underlying technology resources and support personnel to maintain the equipment and offers cloud resources to business units as a service.

Private cloud resources are not shared with other companies, resulting in predictable performance and optimized workloads. Neither are they restricted by the requirements of other clients. This allows for private cloud services to be customized so that they are tailored for the organization’s needs.

There are disadvantages to utilizing a private cloud. The main disadvantage is the large capital investment required on the part of the organization to implement and expand a private cloud. This makes it less flexible than public cloud offerings and more difficult for organizations to test the waters by deploying pilot or prototype systems or to offer services. Rather, prototypes and pilots must make a business case that results in realistic expectations of long-term revenue to cover capital expenses. However, an organization can set up a private cloud using outside hosted resources. The difference here between a private cloud that is hosted and a public cloud is that the private cloud resources are dedicated to you, not shared among multiple companies.

Public cloud

Public clouds, on the other hand, are what most end users think of when the word “cloud” is mentioned, because these clouds are owned and operated by an outside entity and services are provided on a subscription basis, or sometimes for free. Cloud consumers can purchase only the services they need and can easily increase or decrease their cloud resources by simply purchasing more or less. Public cloud services can also be made available very quickly to consumers because the infrastructure is already there. This is important for companies that need to respond rapidly to demand. In some cases, public cloud services can be provisioned in hours or minutes, compared to days or weeks of procurement time for private clouds.

Many public cloud services are designed for a specific use case that may or may not fit your own organizational use case. Public cloud providers do this in order to better manage their solution and reduce complexity of upgrades and maintenance. Public cloud services can be customized but this tends to increase the cost of the service and reduce service portability or the ability of the cloud consumer to migrate from one cloud provider to another.

Since public clouds are operated by a third party, consumers of the cloud do not have the same level of visibility into the underlying technology, processes, and procedures that go into providing those services. This makes it more difficult to ensure that services in the cloud meet organizational compliance requirements. This is especially crucial when a data breach occurs and the organization must investigate and notify its customers. Public cloud contracts may not specify notification and compliance requirements, leading to issues such as lack of timely notification of a data breach, inability to identify the breach scope or other required data, and fines and sanctions against the cloud consumer.

Hybrid cloud

Both of these cloud models are powerful methods for providing organizational technology services but not all companies neatly fit into one of these two categories. This has led to the rise of the hybrid cloud. The hybrid cloud extends the private cloud to the public cloud. This adds the flexibility private clouds lack but still allows the organization to manage the data, processes and controls in the way they do with a purely private cloud.

In a hybrid cloud, customizations can be integrated on the private segment while standardized, out-of-the-box, portions of a solution are located on the public segment. This allows the organization to tailor the solution to their needs without limiting their ability to move the standardized elements to another cloud vendor or to spread the workload and service availability risk among multiple cloud vendors.

One significant benefit of the hybrid cloud is the ability to utilize existing infrastructure and to migrate portions of a service to public segments over time. This reduces the disruption a large change would have on system availability and utilization which can increase productivity. The front-end of a system can stay the same for users while back-end components are moved around the hybrid cloud.

The piece that makes this all work is a hybrid cloud service and associated management tools such as Dell Cloud Manager.  These tools centralize the administration of the hybrid cloud and interface with the public and private segments to enforce defined rule sets and establish communication and functionality between the components.

Wrapping it up

The hybrid cloud offers many of the advantages of both public and private clouds. This is not to say that the hybrid cloud is the best solution for all cloud scenarios as many services may still find that a private or public solution meets their needs. The biggest news and key element of the hybrid cloud is its fit for the myriad solutions that have yet to make their way to the cloud due to one objection or another or for those that had to settle for one type that did not truly meet their needs. With hybrid in the mix, cloud services can be more ubiquitously deployed and utilized, resulting in increased agility, closer alignment to operational objectives, and a better match of technology expenses to revenues.


The missing leg – integrity in the CIA triad

Information security is often described using the CIA Triad. The CIA stands for Confidentiality, Integrity, and Availability and these are the three elements of data that information security tries to protect. If we look at the CIA triad from the attacker’s viewpoint, they would seek to compromise confidentiality by stealing data, integrity by manipulating data and availability by deleting data or taking down the systems that host the data.

By far, most attacks have focused on disrupting confidentiality or availability, so defense mechanisms and training have also been focused there. The number of data breaches has skyrocketed and there is a flourishing market for stolen data, including personal health information, credit card numbers, social security numbers, advertising lists, and proprietary technology. We also see many attacks on availability through Denial of Service.

Integrity attacks are much less commonplace, but they still represent a threat. Organizations must protect more than just confidentiality to be secure (see Overly and Howell’s Myth #3).

So what does an attack on integrity look like? Let’s look at three examples:

  1. Enticing an opponent to make a bad decision

There is a software development saying that goes, “Garbage in, garbage out,” meaning if you let junk data into your program, it will produce junk for output. Similarly, junk data used in decision making will result in bad decisions. Integrity attacks of this sort aim to sabotage competitors or opponents by poisoning information stores that their competitors use to make critical decisions.

  2. Exploiting temporary data inconsistencies

Attackers modify the time on a Network Time Protocol server so that door access control systems think it is the middle of the day instead of the middle of the night. Consequently, the doors unlock or require only a pin instead of multi-factor authentication.

In another example, thieves momentarily inflate the balance of accounts before performing a wire transfer or stock ticker symbols are changed in a trading company database resulting in many incorrect stock transactions and inflated or deflated stock valuation by the market.

  3. Online Vandalism

Hacktivists or cyber activists often employ online vandalism to spread their message and others vandalize sites for fun or to hurt brand image. For example, the FBI issued a warning in April that ISIL was mass-defacing WordPress websites using known vulnerabilities.

The good news is that many of the technical controls organizations already have in place to protect the confidentiality and availability of data can also be used to protect its integrity since attackers must exploit similar vulnerabilities or access the same systems on which they perform other attacks. However, procedures and training may need to be updated so that employees are aware of such threats and how to recognize them. Furthermore, the data that goes into critical decisions should be validated through alternate sources. Consider the following:

  • Require application security assessments to address integrity as well as confidentiality and availability.
  • Conduct a risk analysis of the loss of data integrity for key information systems and use these risk calculations to ensure that controls adequately address risk levels.
  • Update security awareness training to include sections on data integrity, validation and incident reporting.
  • Ensure that security policies and procedures address integrity as well as confidentiality and availability.
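The NTP example in the second scenario above and the closing advice to validate decision inputs through alternate sources meet in a single control: a time-dependent security decision (here, the door policy that relaxes to a PIN during business hours) should not trust one clock source, should reject sources that disagree, and should fail closed when the time cannot be trusted. The Python below is an added example, not code from the article or from any access-control product; the source names, the five-second agreement tolerance, the ten-minute maximum step and the business-hours window are constructed assumptions.

```python
"""Cross-source time validation before a time-dependent access decision (added example)."""
from datetime import datetime, timedelta

MAX_SPREAD = timedelta(seconds=5)    # tolerated disagreement between sources (assumed)
MAX_STEP = timedelta(minutes=10)     # largest accepted jump against the last trusted time (assumed)


def cross_check_time(readings, last_trusted, elapsed, max_spread=MAX_SPREAD, max_step=MAX_STEP):
    """Decide whether the current time can be trusted.

    readings     : {source_name: datetime} from independent sources
    last_trusted : the last time value this system accepted
    elapsed      : time since then, measured by the local monotonic clock
    Returns a dict with ok, the consensus time, a reason, and any outlier sources.
    """
    if len(readings) < 3:
        return {"ok": False, "time": None, "reason": "fewer than three independent sources", "outliers": []}
    ordered = sorted(readings.items(), key=lambda kv: kv[1])
    consensus = ordered[len(ordered) // 2][1]        # middle value; no averaging of datetimes
    outliers = [src for src, t in readings.items() if abs(t - consensus) > max_spread]
    if outliers:                                    # a tampered or broken source stands out
        return {"ok": False, "time": consensus, "reason": "sources disagree", "outliers": outliers}
    expected = last_trusted + elapsed
    if abs(consensus - expected) > max_step:        # every source jumped together: still suspicious
        return {"ok": False, "time": consensus, "reason": "time step larger than allowed", "outliers": []}
    return {"ok": True, "time": consensus, "reason": "", "outliers": []}


def required_factor(check, day_start=8, day_end=18):
    """Door policy: PIN alone during business hours on trusted time; otherwise full MFA.
    Untrusted time fails closed to MFA rather than to the more permissive daytime rule."""
    if not check["ok"]:
        return "mfa"
    return "pin" if day_start <= check["time"].hour < day_end else "mfa"


def demo_scenarios():
    """Constructed readings: honest night, one source pushed to midday, and all sources jumped."""
    night = datetime(2016, 6, 1, 2, 0, 0)
    last_trusted, elapsed = night - timedelta(minutes=5), timedelta(minutes=5)
    honest = {"ntp-a": night, "ntp-b": night + timedelta(seconds=1), "gps": night - timedelta(seconds=1)}
    one_tampered = dict(honest, **{"ntp-a": night.replace(hour=14)})
    all_jumped = {src: night.replace(hour=14) for src in honest}
    return {
        "honest": cross_check_time(honest, last_trusted, elapsed),
        "one_tampered": cross_check_time(one_tampered, last_trusted, elapsed),
        "all_jumped": cross_check_time(all_jumped, last_trusted, elapsed),
    }


if __name__ == "__main__":
    for name, check in demo_scenarios().items():
        print(name, check["ok"], check["reason"], check["outliers"], "->", required_factor(check))
```

The step check matters as much as the disagreement check: if all configured sources point at the same upstream server, tampering with that server moves every reading together and only the comparison against the locally measured elapsed time catches it. The same pattern applies to any input that drives an automated decision: compare independent sources, and treat disagreement as a reason to fall back to the stricter path.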
