Ransomware Recovery: How to meet realistic Recovery Time Objectives (RTOs)

When it comes to ransomware attacks, those who lose valuable data and have no viable backup tend to pay the ransom, while those with backups simply restore their data. However, neither group walks away unscathed because they both suffer downtime.

Downtime is the period when systems are unavailable for use, and it can cost small and midsize businesses thousands of dollars or worse—it could put them out of business. An Imperva survey of RSA 2017 attendees found that downtime costs companies more than $5,000 in 56% of cases and more than $20,000 in 27% of cases. Depending on the size of your company, this could be the cost of doing business, or it could be a catastrophe.

Establishing  Recovery Time Objectives (RTOs)
Companies should take the time to identify the maximum amount of downtime that is acceptable under various disaster scenarios. It’s a good idea to get started on this right away because this information will help determine what type of backup systems you need to have in place.

For example, business leaders may decide, after analyzing the data, that email should be restored within 10 minutes, domain services within 30 minutes, customer facing websites within 30 minutes and the Enterprise Resource Planning (ERP) system within 45 minutes. These values constitute applications’ Recovery Time Objectives (RTOs). Business leaders may also decide that email can be down for a maximum of one hour, domain services for two hours, customer facing websites for four hours and the ERP system eight hours before losses due to the downtime are intolerable. Each of these values constitutes a Maximum Tolerable Period of Disruption (MTPOD).

In most circumstances, systems would need to be restored in accordance with the RTOs and, in extraordinary circumstances, systems would be restored within the MTPOD.

Based on the RTO and MTPOD, IT and other groups put redundancy, business continuity, and backup and recovery strategies in place to meet these objectives. This may involve a hybrid recovery strategy with cloud and on-site backups. Companies might also decide to use cloud replication with virtualization to resume services at another site if the primary site fails. Backup and recovery systems are crucial in bringing systems online after disasters like ransomware strike.

Actual vs. estimates
I have found that initial estimates for recovery objectives are often in need of revision following the first incident. Trend Micro estimates that the average ransomware recovery takes 33 hours. This is far higher than most organizational estimates prior to a ransomware infection. That’s likely because organizations don’t always factor in the initial steps of incident response when determining their RTOs. In the example above, recovery controls alone might be able to meet the domain services MTPOD of two hours, but it takes first responders 30 minutes to validate the incident and identify the extent of the incident scope, which results in the organization exceeding the MTPOD by 30 minutes.

In other cases, organizations have been surprised by the scope of ransomware infections. Trend Micro found that 47% of ransomware spreads to 20 or more people. Furthermore, ransomware is efficient at targeting sources of information in organizations. Without this critical information, large groups of employees are unable to do their jobs.

It’s also important to remember that recovery plans need to be kept up to date. Organizations relying on outdated plans may have unclear expectations as to when steps in the plan will be complete and as a result, they will be unable to meet recovery objectives.

Action items
Establish RTO and MTPOD for systems based on their availability need. Next, put controls in place to meet these recovery metrics. If you have not experienced ransomware before, consult with those who have to determine if controls are adequate. Backup and recovery controls are the most crucial elements and must be designed appropriately. That means ensuring that recovery is available to the required locations at appropriate speeds to meet objectives.

Recovery metrics should be reevaluated annually to ensure that changes in business availability needs are reflected in the established metrics. Controls should go through a similar process of evaluation against recovery metrics to ensure that controls can adequately meet recovery metrics for potential threats.

For more news and information on the battle against ransomware, visit the FightRansomware.com homepage today.

Share Button

The privacy discussion – How ISPs, search engines, and social media services collect your information

The repeal of the FCC Internet privacy rules has spurred on much discussion on privacy online and how companies collect and use that information.  I have fielded many questions on what this means for consumers and their privacy when going online, using search engines, and social media.  Some have wondered how Internet Service Providers (ISPs) differ from search engines and social media in how they collect consumer data.

The difference between how ISPs and social networks or search providers collect and use data comes down to the how easy it is for consumers to switch from one provider to another, the ability to opt out, and the ability to circumvent data collection.

Switching services

The primary difference is in how easy it is for consumers to switch providers.  Search engines are the easiest.  Simply navigate to another search engine, such as DuckDuckGo which does not track its users, and issue the same search.  Yes, the results may vary, and you may be less satisfied with the results, but the process is simple.  It takes very little time, and the impact is not great.  However, search providers offer more than just searching.  Email, cloud services, stock tracking, shopping and other services may also be tied into your search account, so for consumers to fully move away from the platform, they must also adopt new providers for each of these services.

It is a little more difficult with social networks because not all users are on all social networks and social networks cater to certain types of social sharing.  If a user decides they do not like how one social network uses their data, so they decide to leave, they may be unable to communicate with some people who are not on the next social platform of choice, or they may miss out on updates from some of their contacts.

Now let’s look at ISPs.  To change ISPs, a user must contact the ISP, which might involve breaking a contract and paying fees.  They must then pay for new service from a different ISP and wait until that provider can connect their service.  This might result in a period where the user cannot connect online.  There are some cases where there is only one ISP in the user’s region, so they have no choice but to work with that ISP no matter what their privacy policy is.

It is clear that it is more difficult for consumers to change their ISP or their social network than it is for them to change their search engine.  However, it is not clear whether it is more impactful for consumers to change their ISP than their social network.  It may also be more difficult for consumers to switch their search provider if they intend on fully disconnecting from that provider because this involves changing email, shopping, and other services as well.

Opting out

There is also a difference between ISPs and social or search providers in the ability for users to opt out.  Prior to the privacy rules that were recently repealed, ISPs opted in each user but allowed them the ability to opt out.  This is something that Facebook and Google do not do.  If you want to use Facebook and Google, you will be tracked and your data used.

Circumventing data collection

I believe the largest difference between the ISP and the social network or search providers and their collection of data is that ISP data collection can be circumvented with the use of a VPN.  ISP data collection takes place because they are an intermediary to the communication channel.   This gives them a broad view of the myriad tasks a household performs online which can be valuable in building a profile of a household.  However, the entire process can be circumvented by utilizing a VPN.  When users are on a VPN, the ISP only sees connections originating from the household (IP address) and going to the VPN service.  They do not see the traffic that goes over the connection since it is encrypted.  However, the services at the other end still do see the traffic since the traffic is designated for them.  In order to use a social network, a user must log in, and requests must be sent to the social network.  Requests cannot be sent to an intermediary to perform on their behalf.   The only alternative would be for users to set up fake or random accounts that are used for perusing social networks and then discarded but the use case of such a system would be limited due to the requirement of sending friend requests, and it would violate many social network’s terms of use.

This article is sponsored by JURINNOV, a TCDI company specializing in cybersecurity and computer forensic consulting services.

Share Button

Cybersecurity career landscape and industry trends

I recently did an interview with Karen Marcus for Careers in Cybersecurity on education, career development, and career success.  The transcript is provided below and is divided into a section for those just starting out in cybersecurity, those mid-career and those late into their career.  Enjoy the read and please let me know your thoughts in your comments.

For someone just starting out in cybersecurity:

What degrees should they pursue? Any advice for landing that first job?

There are a variety of degrees from associates to Ph.D. that concentrate on security in some way such as Information Assurance, Cybersecurity, or Information Security.  Some may also decide to pursue a similar degree such as IT or Computer Forensics with an emphasis on information security.  However, if you do not have a degree in one of those fields, don’t despair.  Cybersecurity touches on many aspects of the organization, and your individual discipline and experience can give you insight into that part of cybersecurity.  For example, those in HR would relate to employee training, onboarding and termination procedures, employee screening and background checks, and employee compliance requirements while a person from an accounting background could understand the SOC/SSAE accreditation process, ROI, the financial impact of implementing new systems.  If you fall into this category, consider training to educate you on compliance, security controls, and risks so that you can adapt your own business understanding to cybersecurity.

What three things should they focus on in their first job to support advancement later on?

This is a hard one as each job will be different and there may be different methods used for advancement.  However, generally, a person in cybersecurity should demonstrate that they are a continual learner by striving to stay ahead of the technology curve and never stop reading.  Second, focus on your communication skills.  Communication skills are essential at any level, but they are increasingly valuable the farther up the ladder you move.  Lastly, be adaptable.  Cybersecurity is an ever-changing industry, and you will need to be able to change with it.

What pitfalls should they watch out for?

Don’t peg your life to some arbitrary set of career objectives.  Your career is as unique as you are and you should be the one to determine where you want to go.  Next, be successful from start to finish.   Success is not something that is achieved finally at the end of a career by seeing if you met some life goal or accomplishment.  Rather, it is being satisfied with the position you have, the value you bring to your company, and the impact you have on those around you.  Satisfaction is not complacency.  Goals are excellent, and you should set exciting stretch goals for yourself, but understand that each goal would not be accomplished if not for the successes of the moment.  Recognize those successes and take the time to cherish and celebrate them.

 

Middle Career (those who have been working in cybersecurity for a few years but haven’t progressed to a senior or executive level):

Do you recommend pursuing a Master’s degree?

A Master’s degree is an excellent choice for those who have established themselves in the industry and want to move forward.  I do not recommend it for those who have not yet entered the industry yet as it will price them out of entry-level jobs by being overqualified and yet they will be underqualified for other jobs.  A Master’s degree can be an excellent way to augment a degree that was not in cybersecurity such as those with a CIS, Computer Science, or Business degree.  Those are likely the people who will see the most value from a Master’s degree.  Some employers will want a Master’s degree in order to progress up the ladder and so this may be a requirement.

What skill gaps may a person in this position need to fill? How can they get appropriate training and/or mentoring to address them?

A mentoring relationship is an excellent suggestion, but I wouldn’t wait till you are in you middle career to do it.  I found a mentor shortly after starting in the industry and have mentored those who haven’t even entered the industry yet.  There is hardly ever a time when the experience of someone who has gone before you cannot be put to good use.

Your employer may have training options for you on specific skills.  The type of training should be based on your own learning style.  Some can learn easily from reading books, while others learn best from webinars or from online training.  Still, others require instructor-led training.  Each has its advantages and disadvantages regarding ease and cost.

Each person needs to take responsibility for his or her own training and keep learning each day.  This includes reading articles and other materials regularly to keep abreast of changes in the industry.  Consider following a cybersecurity expert on Twitter and read what he or she posts.  You can also subscribe to RSS feeds from cybersecurity sections of major publications or for cybersecurity blogs.  You would be surprised at how much you can learn just by reading a little bit each day.

Are there other obstacles that may have nothing to do with the person (e.g. company politics or being in a particular sector)? If so, how can they be overcome?

Company culture can be a catalyst or an inhibitor for success.  Ensure that you are well suited for the company culture.  Many have found themselves in a culture that is counter to their own, and their career progression was difficult like swimming against the current.  Let the culture current take you where you want to go rather than fighting it.  You will have a much more satisfying life if you do.

Late Career (those who have been working in cybersecurity for many years and have seen substantial success, perhaps progressing to executive and C-suite levels):

What is the next level for professionals in this position, and what can they do to get there?

Executives are the big fish in a company, and the way to move up is to find a larger pond or to grow their own pond.  That often means finding a larger company or one that is growing at a faster pace.  However, the real focus should be on what your goal is.  You may be perfectly satisfied with your current position.  If you make enough money and enjoy the position, there may not be a need to increase stress by changing jobs, learning a new routine, establishing new relationships, and proving yourself all over again.  Consider the cost of changing new jobs when evaluating the potential benefits.

What advice do you have for diversifying skills or fine-tuning specialties?

There comes a time in everyone’s life when they realize that change has finally made part of their skill set irrelevant.  In the cases, it is important to recognize this and not fight it.  Next, seek out complimentary skills that build on the knowledge and experience you have already and then seek those out.  Add breadth to your skill set by extending outward in your retraining rather than seeking out greatly differentiated skill sets.  Retraining with this method will make it much easier for you to adopt those skills and to thrive.

Is there a common post-retirement path or pattern?

I am a strong proponent of mentoring others.  I think the process should begin long before retirement and extend into retirement.  Mentoring gives the mentor a connection back to a previous generation and into the workforce after they have left it and it is a great benefit to those they mentor.  Seek out no more than three people to mentor and establish a real relationship with them, asking them questions about their goals and strategies and sharing your understanding and the things you have learned along the way.

Retirees can also participate in professional groups.  Those who spent a lifetime learning likely won’t want to stop, and this can be an excellent way to keep up with what is happening in the industry.

Share Button

Spora ransomware could become a major player

Spora is a relatively new ransomware, but there are signs which indicate that it could become a major player in the underground ransomware market, according to various reports.

There are currently hundreds of ransomware variants being used by cybercriminals, but only a handful are backed by major criminal syndicates that have the funding to write robust malicious code and the infrastructure to support global extortion efforts. These groups are behind some of the biggest names in ransomware like Locky, CryptoLocker and TeslaCrypt. Spora is not there yet, but it’s certainly on its way.

A strong build
The first thing that sets Spora apart from a large number of homegrown ransomware variants is its encryption capabilities. Spora utilizes offline encryption to avoid detection and is capable of performing the encryption using a unique key set without communicating with a command and control server. This is not a brand new technique. It’s been used successfully in the past by both Cerber and Locky. Spora differs in that it encrypts each file with a distinct key, then file keys are encrypted with an AES key unique to the victim.

Second, Spora has a very well designed website with a professional look and feel. It has an easy to use interface consisting of a clean dashboard with colorful icons, tool tips and a live support chat that delivers quick responses to inquiries, according to security researchers.

One very interesting feature of Spora is that it offers victims a menu of options for retrieving some or all of their files as well as protection services. They allow users to decrypt two files free as an act of good faith and to demonstrate their ability to decrypt the data. Other options include decrypting several files for $30, removing the ransomware for $20, protecting against further infections of Spora for $50, and a full restore for $120. However, it should be noted that these prices may change. Spora uses identifying information provided by victims when they connect to the payment website to dynamically generate prices. The cybercriminal behind Spore likely charge more for businesses or for those in different regions. Even with its dynamic prices, Spora is priced much lower than other ransomware, a strategy that was likely designed to build up their reputation.

Spora’s weaknesses
Despite these strengths, Spora has some significant weaknesses. The ransomware does not yet have a way to bypass the UAC, a feature in Microsoft Windows that prevents programs from running with escalated privileges. A UAC warning message appears when Spora executes and victims must allow the program to run. Spora also launches a command prompt to delete volume shadow copies and the command prompt is displayed on the screen for the victim to see.

At the moment, Spora is limited to Russian-speaking countries. The attackers behind this ransomware appear to be organized and professional so it is likely that the next version of Spora will address its current deficiencies and target a much larger audience. Prepare yourself by backing up your data and by validating that your backups can be restored.

Continue reading

Share Button

How to create a BYOD policy that keeps your business data secure

Bring your own device (BYOD) policies are commonplace in many organizations today. Employees bring in their personal cell phones, laptops, tablets and other mobile devices and use them to content to corporate networks. Additionally, employees regularly use personal computers and other devices not owned by the organization to work at home or on the road.

Unfortunately, BYOD can be risky for organizations that do not implement adequate security controls.  Personal devices that aren’t properly managed by the company often have inconsistent security controls implemented on them. For example, one device may lock out after three minutes of idle activity and require a complex password, while another may not even require a password to log on. However, both devices may be used to access sensitive or critical business data. For organizations that lack strong and consistent security controls, BYOD can easily turn into a security nightmare. Here’s a quick list of steps you can take to create a BYOD policy that will protect your business data:

  1. Establishing a policy that governs how BYOD devices can connect to and use organizational systems, how they should be backed up, and which security settings should be in place.
  2. Configure devices to connect to network resources over a transparent virtual private network.
  3. Gain greater control over mobile devices with a Mobile Device Management (MDM) solution. MDM solutions allow for more consistent security settings to be applied to devices. For example, applications can be whitelisted or blacklisted, BYOD devices can be geofenced, and jailbroken phones can be banned from connecting to networks or data stores.

BYOD and the ransomware threat
A large percentage of BYOD devices are mobile phones or tablets that are susceptible to some forms of ransomware. Mobile ransomware viruses often masquerade as enticing applications such as POGO Tear, which pretends to be a Pokemon Go application; Android defender, a bogus antivirus app; Charger, a fake battery management app; Lockdroid, a counterfeit Google Android update package; and Lockscreen, a deceptive Android lock screen app. Some mobile devices have been found to have malware pre-installed on them. The owners of those devices did not need to download a fake app. They were infected the moment they powered up the new device.

The good news is that mobile data is often easy to restore if appropriate backups have been taken of the phone or tablet. The bad news is that an infection may not be limited to your device. Worms may propagate through mobile email clients to your contacts. Additionally, some malware may infect a mobile device and then be transmitted to a computer when the device is connected for charging or data exchange.

Protect yourself by keeping your mobile operating systems and apps up to date. Consider a mobile firewall, mobile antivirus solution, and make sure you back up your device. Other BYOD devices such as laptops should be equipped with endpoint protection software, secure and up-to-date operating systems, and they should be backed up regularly.

Continue reading

Share Button

The top 10 ransomware attack vectors

Ransomware is infecting the computers of unsuspecting victims at an astronomical rate. The various methods that cybercriminals use to take over a machine and encrypt its digital files are called the attack vectors, and there are quite a few.

In this article, we’ll explore the top 10 ransomware attack vectors. The first five exploit human weaknesses through social engineering attacks. In other words, they use carefully crafted messages to entice victims into clicking a link, downloading software, opening a file or entering credentials. The second five spread ransomware computer to computer. Humans may be somewhat involved in the process by navigating to a site or using a machine, but they are primarily automated processes. Let’s take a closer look at each attack vector:

1. Phishing
Phishing is a social engineering technique where phony emails are sent to individuals or a large group of recipients. The fake messages—which may appear to come from a company or person the victim knows—are designed to trick people into clicking a malicious link or opening a dangerous attachment, such as the resume ransomware that appeared to be a job candidate’s CV.

2. SMSishing
SMSishing is a technique where text messages are sent to recipients to get them to navigate to a site or enter personal information. Some examples include secondary authentication messages or messages purporting to be from your bank or phone service provider. Ransomware that targets Android and IOS-based mobile devices often use this method to infect users. For example, after infecting your device, Koler ransomware sends a SMSishing message to those in your contacts list in an effort to infect them as well.

3. Vishing
Vishing is a technique where ransomware distributors leave automated voicemails that instruct users to call a number. The phone numbers they call from are often spoofed so that messages appear to come from a legitimate source. When victims call in, they are told that a person is there to help them through a problem they didn’t know they had. Victims follow instructions to install the ransomware on their own machine. Cybercriminals can be very professional and often use a call center or have sound effects in the background to make it seem like they are legitimate. Some forms of vishing are very targeted to an individual or company and in such cases, criminals usually know quite a bit of information about the victim.

4. Social media
Social media posts can be used to entice victims to click a link. Social media can also host images or active content that has ransomware downloaders embedded into it. When friends and followers view the content, vulnerabilities in their browser are exploited and the ransomware downloader is placed on their machine. Some exploits require users to open a downloaded image from the social media site.

5. Instant message
Instant message clients are frequently hacked by cybercriminals and used to send links to people in a user’s contact list. This was one technique used by the distributors of Locky ransomware.

6. Drive-by
The ‘drive-by’ technique places malicious code into images or active content. This content, when processed by a web browser, downloads ransomware onto the victim’s machine.

7. System vulnerabilities
Certain types of ransomware scan blocks of IP addresses for specific system vulnerabilities and then exploit those vulnerabilities to break in and install ransomware onto the machine.

8. Malvertising
Malvertising is a form of drive-by attack that uses ads to deliver the malware. Ads are often purchased on search engines or social media sites to reach a large audience. Adult-only sites are also frequently used to host malvertising scams.

9. Network propagation
Ransomware can spread from computer to computer over a network when ransomware scans for file shares or computers on which it has access privileges. The ransomware then copies itself from computer to computer in order to infect more machines. Ransomware may infect a user’s machine and then propagate to the company file server and infect it as well. From here, it can infect any machines connected to the file server.

10. Propagation through shared services
Online services can also be used to propagate ransomware. Infections on a home machine can be transferred to an office or to other connected machines if the ransomware places itself inside a shared folder.

Be cautious and skeptical of the messages you receive, whether they come from email, instant message, text, voicemail or social media. Ransomware distributors are crafty and one click could be all it takes. Technical controls are also necessary to screen out unwanted content, block ads, and prevent ransomware from spreading. The most important thing is to have adequate backups of your data so that, if you ever are attacked, you can remove the virus and download clean versions of your files from the backup system.

Continue reading

Share Button

Safeguarding against the insider threat

The insider is still one of the most vulnerable elements of cybersecurity and it was the discussion of the recent Modern Workplace webcast on cyber intelligence and the human element.  Insiders are those who are authorized to work on company systems or in company facilities and they include trusted employees and contractors.  Whether it is through human error, social engineering, or intentional action, insiders are the cause of a significant portion of malware infections, data breaches, information theft, and privacy violations.

There are some key strategies you can use to safeguard against the insider threat.  First, technical controls can reduce the burden placed on insiders or minimize the potential damage done by insiders.  However, the insider threat cannot be solved entirely by implementing more technical controls.  No, human behavior is far different from a computer system and cannot be changed with by flipping a switch or changing a bit.  Companies need effective security leadership, security awareness training, and assessments and metrics.

Technical controls

Technical controls need to be implemented in such a way that they make it easy for users to do their job, while still remaining secure.  Systems that become too difficult to use when security controls are applied are the systems that will see less use as employees find workarounds.  For example, a company may implement more stringent password policies and change intervals only to find that users are storing the passwords unencrypted in phones, memo pads, or on the calendar at their desk.

Not implementing technical controls can have the same effect.  A company without adequate spam filtering could see users utilizing personal cloud email accounts for company email to avoid having to sift through mass amounts of spam.

Security leadership

Leaders should set an example for other employees and their subordinates by following secure computing practices.  They can also set an example by choosing where to spend money.  Information security needs to have an adequate budget and spending should be consistent and proactive rather than spike immediately following a security incident.  In the Modern Workplace webcast on cyber intelligence and the human element, Phil Ferraro, Nielsen CISO, said that it is essential for business leaders to understand that cyber risk is business risk.  This is more than an IT problem.

Awareness training

Awareness training is essential for teaching employees how to do their jobs safely.  Almost everyone uses a computer on the job and this means that they are interacting with organizational apps and data.  End users need to understand how to recognize phishing messages, including targeted spear phishing messages, as well as other social engineering schemes such as fake social media accounts, unsafe instant messages and text messages, or deceptive phone calls and voice mails.

People need regular reminders in order for information to stay top of mind.  It is not enough to conduct training once a year.  Training should be augmented with emails that inform users of new techniques and attacks or remind them of what they learned in training.  Posters and signs can also help employees remember their training.

Assessment and metrics

Follow up security awareness training with assessments such as online quizzes or questionnaires.  You may also consider conducting social engineering penetration testing by phishing your own users.  These assessments can help identify those that still make mistakes or do not fully understand the material so that you can focus additional training on those users.

It is also helpful to establish meaningful metrics on security performance.  Report on these metrics in company meetings so that employees know that it is important to the organization.  Use security metrics in employee reviews and reward employees and groups when security goals are met.

Special thanks to Microsoft Office, the sponsor of this article.  As always, all thoughts and opinions are my own.

Share Button