Incident Response & Business Continuity – Planning and Practice Make Perfect

Computer systems and networks are irrevocably woven into the fabric of business practices around the world; we quite literally cannot do without them. What’s more, our lives and our business practices become more dependent on these devices every day. Unfortunately, this makes computer networks the number one criminal playground in the modern world.

Although computer security technology and processes are becoming increasingly effective, cyber-criminals have more than kept pace. Every year the number of computer security compromises is increasing. Cyber-attacks are becoming more sophisticated and can originate from anywhere that has Internet connectivity. It should also be remembered that cyber-criminals only have to be successful in one of their attacks to win, while businesses must successfully defend against every attack, every time to win the game. The upshot of all this is that every business is increasingly liable to experience some kind of cyber-attack. That is the reason why regulators and security professionals have been pushing businesses to increase the scope and effectiveness of their incident response capabilities in recent years.

To help counter modern cyber-incidents effectively, organizations must respond to them quickly and in an accurate, pre-determined manner. IR teams must determine and document specific actions to be taken in the event common information security events occur. Responsibilities for performing these incident response “procedures” should be assigned to specific team members. Once detailed procedures for addressing common security incidents have been completed, the IR team should review them and role play response scenarios on a recurring basis (at least twice annually is recommended). It is an unfortunate truth that incident response is a perishable skill and must be regularly practiced to be effective.

This same advice also applies to business continuity/disaster recovery plans – functionally, they are really the same thing as incident response. Whether your business is facing a flood, a tornado, a cyber-attack or even an employee error, they all have negative effects that can be lessened if you have effective, pre-planned responses in place that everyone involved is familiar with and has practiced regularly. So why not practice IR and BC/DR together? It can minimize the time personnel are away from their regular business duties and maximize the effectiveness of their training.

Business Size Affects Security Flexibility

In the realm of cyber-security, all of the advantages are with the attacker. To be successful, defenders have to guard against and defeat all possible attack types all of the time; attackers only need to find one hole in those defenses to win the game. That is why information security programs need to be dynamic and flexible in order to work properly.

I have worked with all types and sizes of organizations during my years in the information security field including government agencies, regulatory bodies, retail concerns, service providers, financial institutions and medical organizations. No matter what kind of organization I am working with, I have found it to be an immutable truth that the larger and more complex the organization, the more difficult and time consuming it is to make changes and to their information security program. It’s not really anybody’s fault, it’s just the nature of the beast. Bigger organizations have more checks and balances to deal with, more personality clashes to arbitrate, more committees to wrestle with and more ‘rice bowls’ to protect. However, this is no reason to throw up our hands and admit defeat. Now is the time to recognize that we have a problem and try to find ways to work around it.

One idea I wish to propose in this regard is the ‘top-down, bottom-up’ approach to information security. First, the people in top positions in large organizations need to be made fully aware that a real problem exists and how serious it is. They also need to be made aware of the business advantages of a flexible and effective information security program. Most important of all, they need to be willing to visibly show their full support for the program and the changes that are to come. After all, no organizational security initiative can get very far without full buy-in at the Board Room level.

Another part is the ‘bottom up’ part of the process. Some years ago I worked with a software suite that allowed anyone in the organization to easily access and view security policy on the company intranet. Not only could personnel view the policy, they could make suggestions to improve and change it, propose new techniques, recommend ways to streamline the process, etc. Nobody in an organization knows more about business processes and how to protect them than the people that work with them every day. Why not encourage them to make suggestions and report problems? All it takes is a little encouragement and minor reward. In fact, I’ve found that simply recognizing personnel for their security efforts is enough. Praise them in group meetings, put their pictures up on the wall, that sort of thing. Why should the organization hire expensive consultants to tell them the same things that they can learn from their own personnel?

The last part is acting upon the suggestions produced by management encouragement. Once valid suggestions have been made, the initiative needs to flow through the normally recalcitrant and obstructionist mid-levels of the organization to make it back to the top. Can this group be made to set aside their differences and encourage the adoption of rational and workable suggestions for change? If they can, then large organizations can truly improve the flexibility and effectiveness of their information security program, and save money doing it.

Ransomware: Bigger and More Sophisticated than Ever

Ransomware has been around for decades. In 1989 the AIDS Trojan was used to hide directories and encrypt all files on the C drive of infected computers. Users were then asked to “’renew the license” which involved sending $189.00 to a Panama P.O. box. This is an example of “crypto-ransomware.” Then around 10 years ago, other families of crypto-ransomware such as Cryzip, Krotten and Gpcode appeared on the scene.

Crypto-ransomware is particularly dangerous because it encrypts files on computer systems using strong and often unique encryption algorithms. This means that if these files were not properly backed up, users could lose this information forever unless they agreed to pay the price asked by the extortionists. And even if proper backups were extant, users still faced the hassle of rebuilding their machines; a time-consuming task that many would happily pay to avoid.

Another type of ransomware (that has been with us for more than 15 years) uses “blockers” to render computers unusable. Blockers are windows that cover all other windows on your desktop. These blocker windows usually contain a message from the extortionists telling users how and where to send the ransom in order to get their computer screens or browsers unlocked. This type of ransomware was the first to reach “epidemic” proportions back in 2010. Both of these ransomware types were originally used to attack mostly user machines, but now attacks on businesses are increasing rapidly.

Recently, especially within the last 6 to 10 months, things have changed. In April of this year, Kaspersky Lab noted that more than half of all ransomware is now crypto-ransomware; a figure up from barely 10% just a year earlier. In addition, there are new, more insidious types of crypto-ransomware appearing on the scene.

In January of this year the first JavaScript ransomware, “Ransom32” was noted. This ransomware uses the NW.js framework to infect computers, and so can probably be used to attack not only Windows OS, but Linux and Mac OS as well. This type of ransomware is being sold on the dark web as ransomware-as-a-service in exchange for a 25% cut in the ransom profits.

Another recently noted ransomware is called “Cerber.” Cerber encrypts user files using AES encryption, and costs the victim 1.24 bitcoins ($500.00) in ransom. Cerber itself is easy to remove, but encrypted files that have not been backed up will be lost if users fail to pay.

Now, there are even more dangerous ransomware types appearing. ZCryptor acts like a worm and can be spread from machine to machine. It is distributed through spam and email infection vectors, but can also be spread through Macro malware, removable/network drives or fake installers. It encrypts a number of different file types on infected computers using strong AES encryption algorithms, and changes the file extension to “.zcrypt.”

The sophistication and variety of these newer ransomware types shows that cyber criminals are investing plenty of resources on this malware. Users (and businesses) should expect more and more of these types of attacks in the future, and should protect themselves accordingly. Suggestions include:

  • Backup your important files very regularly. You will still lose any files/documents created after the last backup, so adjust your backup frequency accordingly.
  • Ensure that all of your systems and software are current for security maintenance and are configured in a secure manner.
  • Train your personnel about ransomware and how it spreads.
  • Keep your security software up to date and employ pop-up blocker software.
  • Monitor file system activity and extensions.
  • Employ Honeypots (such as MSI HoneyPoint software) on your systems.
  • Employ User Behavior Analytics (UBA) on your network.
  • Employ anti-ransomware products and mechanisms.
  • Ensure your Incident Response and Disaster Recovery plans are up to date and well-practiced.

Supply Chain Security: Another Data Breach Blamed on 3rd Party Vendor

One of the tasks I perform at MicroSolved is working on our Daily Threat Briefing. We use our TigerTrax™ threat intelligence gathering platform to pull in security information from all over the web and social media sphere. And one of the things I notice constantly is data breaches and other security compromises that are caused not by poor security at the affected organizations, but by security failures in their supply chain. This week’s example is the Bizmatics hack that exposed the private health information of patients from institutions such as the Pain Treatment Centers of America and the Interventional Surgery Institute. It is still unclear if the hacker actually collected this information, but it is sure he had access to it. Since this information is protected under HIPAA and HITECH, there could be regulatory and legal consequences from the breach. And, ultimately, the responsibility for protecting this patient health information lies with the medical organizations affected, not Bizmatics. The name of the game here is performing “Due Diligence” when you chose and maintain relationships with a third party service provider or vendor. Did you examine their information security policies and assessment results? Did you check out their financial standing? Did you check their history to see if they have had problems in the past? Did you check with other users of their services to see if they have experienced any difficulties with the provider? Have you been performing such checks not just once, but on a recurring basis? If you have been performing due diligence in these matters, chances are you will fare well legally. If you haven’t, chances are your organization will suffer for it. Despite this, many organizations do not perform proper due diligence. They find it is difficult to get the information needed, and even if the information is available, they find accessing it uses up lots of man hours. This is an area where the new MicroSolved passive assessment platform can help. The platform employs the powerful TigerTrax™ platform to perform automated research, intelligence gathering and correlation from hundreds of sources, both public and private, that describe the effective security posture of organizations. And best of all, it performs these tasks very quickly and without touching the target’s network or systems directly in any way. So if yours is one of the organizations out there that is having trouble performing proper due diligence in choosing and maintaining supply chain relationships, try doing it the easy and effective way. Contact MicroSolved today and see how we can help.

Patch Your Cisco ASA’s ASAP!

Many networks employ Cisco Adaptive Security Appliances (ASA) as firewalls or to set up Virtual Private Networks, etc. Those of you that are among this group should be aware that Cisco published a critical security advisory on February 10 concerning a glitch in their ASA software. It seems that there is a vulnerability in the Internet Key Exchange (IKE) code of Cisco ASA Software that could potentially allow an unauthenticated attacker to gain full control of the system, or to cause a reload of the system.
This vulnerability is due to a buffer overflow condition in the function that processes fragmented IKE payloads. Attackers could exploit the flaw by sending crafted UDP packets to the affected system. It should be noted that this vulnerability is bad enough that it was given a maximum CVSS score of 10.
The ASA software on the following products may be affected by this vulnerability:
• Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco ASA 5500-X Series Next-Generation Firewalls
• Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• Cisco ASA 1000V Cloud Firewall
• Cisco Adaptive Security Virtual Appliance (ASAv)
• Cisco Firepower 9300 ASA Security Module
• Cisco ISA 3000 Industrial Security Appliance
Patches are now available for this flaw. We recommend that vulnerable users of this software apply these patches as soon as possible. For more information see:

First Power Outage Ever Caused by Malware

For the last couple of decades industrial concerns, including public utilities such as power and gas providers, have been incorporating IP networks into their industrial control systems; apparently with very little awareness of the security problems this could cause. One of the reasons for this is that ICS/SCADA systems had always been fairly safe from tampering. They were “dumb” systems that had their own protocols, and were not connected to public networks. System administrators never had to think in terms of hackers and remote attacks. They were more concerned with things like physical break-ins and theft at that time, and hackers were mainly computer-savvy kids that weren’t really out to hurt anyone.

Another reason is that security almost always takes a back seat to greater efficiency and profitability. Couple this with the fact that public utilities were increasingly strapped with budgetary cutbacks, and it’s a no-brainer from their point of view. IP protocols were already in place and off-the-shelf hardware and software applications were relatively cheap.

Embracing expediency in this way is really costing the industry now, though. Public utilities are often guilty of failing to adequately segregate their control networks from their business networks, and even if they do, it is very difficult to fend off a persistent and talented attacker. Malware and social engineering techniques become more clever every day.

Factors such as these have made the security industry increasingly antsy for years. We have been warning that these vulnerabilities exist, and have been expecting a concrete example to crop up – and now it has!

Late last month, hackers caused what is believed to be the world’s first power outage using malware. It occurred in the Ukraine and knocked out regional power for several hours. The malware family used to perpetrate this outage is known as “BlackEnergy” and has been on the radar for some time.

Luckily, this was a relatively minor, short lived incident, and nothing like this has occurred (yet) in the United States. However, the fact that this outage was possible should be a wake-up call for all of us. Hopefully, the industry will pay attention to this incident and redouble their efforts to update, secure and monitor their systems.

It’s Tax Time Again: Watch Out for the Fake IRS Phishing Scams!

It seems like every year there is another phishing scam using the name of the Internal Revenue Service. Well, this year is no exception. This version claims to be a refund notification and contains an attachment for the unwary to click on. Don’t do it! For one thing, you should be aware that the IRS never initiates contact with taxpayers by email, text messages or social media channels to request personal or financial information.
This scam and other, similar scams also are perpetrated by telephone. Callers may say you have a refund due and try and get you to disclose private information to them. They may also call, say you owe them money, and demand immediate payment; they may even threaten to send the police to your home! Don’t panic. The more serious and immediate their demands seem, the more likely they are to be fakes. It will never hurt you to take the time to call the IRS and see if the call, text or email you have received is legitimate. Also, if you do happen to lose money to one of these scams, you can file a complaint with the Treasury Inspector General for Tax Administration.
The IRS website has resources in place to help taxpayers with this problem. This information is not particularly easy to find, but is accessible in a couple of areas of the website. If you click on the “News & Events” tab of the website there is a hyperlink to “Tax Scams”. This will get you started. You can also go to the “Help & Resources” tab. This area has links for reporting suspicious emails and scams, as well as a link to report tax fraud activity. For more information about past scams of this type, there is a page entitled “Phishing and Other Schemes Using the IRS Name.”
The important thing to take away from this is that Phishing and other types of social engineering techniques are becoming more prevalent every day, and are not about to go away. This is because as firewalls, SIEM solutions and other information security mechanism have become more effective, cyber criminals have had to find new ways to worm their way into your networks. So stay wary and avoid being credulous. Never open an attachment or click on a link anywhere without checking it out first. Also, never give unsolicited or suspicious callers any kind of private information. The old adage “Look Before You Leap” has never been more true and appropriate than it is right now!

It’s the Holidays – Make Sure You Keep Monitoring!

It’s the holidays! Everyone is busy shopping, getting ready for parties, meeting folks for a cup of good cheer, and all manner of other fun activities. Yes, it is safe to say that the holidays generally fill people with feelings of warmth and good cheer.

It’s also a great time of year for hackers! The fact that people are busy, distracted and even a little bit tipsy is what fills them with good cheer. What better time to break into a network and get your hands on some private information or to set up a blackmail scheme?

That is why it is most important for you not to neglect your log monitoring and other information security duties during the silly season. Make sure you don’t turn off alerting on your systems, look for activity at odd times of the day, and make sure you are monitoring what leaves the network and where it’s going. If you neglect these tasks now you just might not have any happy holidays at all!

Products Pre-Infected with Malware

I saw in the intelligence and threat briefing the other day that police body cameras pre-infected with the dangerous Conficker worm had been discovered. Once these cameras were connected to a computer, the worm attempted to spread to other machines on the network and to communicate with a command and control system. Great! Lots of juicy, salable information on a police network to be harvested. How about offering to sell informants to the criminals they are informing on? Bet the bad guys would pay plenty! Or, if you become well entrenched in the network, how about starting an intelligence service? You could keep the bad guys well informed about what the police are up to. Bet the bad guys would pay plenty for that too!
This isn’t the first time something like this has happened by any means. Every now and again we hear stories about phones, networking switches, computers, mother boards and lots of other products that come pre-infected with some kind of Malware. Unfortunately, it seems that this is happening more and more often and shows no signs of slowing down.
The big reason behind this trend is that it works. How many of us ever even think that our new toys may not be safe? After all, they are brand new from the factory, and the boxes they are packed in have never been opened before. And it’s not just cyber-equipment that may be infected. Increasingly, just about everything we buy or use has a computer in it, and many of these products are made to run over a network as well.
So, say you buy a new smart TV and it has come complete with some kind of Malware installed. Chances are you have a wireless network in your home, and all the family’s computers, smart phones and other devices hook up to it. Even people that come to visit probably log onto your wireless network. You do home banking, write emails, chat, do all kinds of private things on this network. But, thanks to your new TV, all that is secret no more!
The point is, it’s time we start paying more attention to this attack vector and begin doing something about it. We should ensure that we have mechanisms in place to test new products before we hook them into our systems. We should also put regulations and processes in place to ensure that manufacturers test their products for computer bugs before they are allowed to ship them.

Identity Verification – It’s Time to Bite the Bullet!

Every week in our daily threat and intelligence briefings I read about government and business computer systems that are hacked. And many, many times the stated reason is that a user name and password was revealed, hacked or stolen and the cyber criminals were able to use it to log into the system. But I don’t think this is the real reason at all; the real reason is that we are not properly establishing the identity of whoever is trying to access the system.
I know how inconvenient computer security can be for everyone. I not only see it every day in my profession, I also suffer from it myself as an individual. And the last thing most of us want is to make the task even more inconvenient and frustrating. But the fact is that identifying one’s self to a computer system by simply inputting a user name and password is just not good enough. We must increase the reliability of identity verification systems if we are to have any real hope of preventing illicit access.
To establish the identity of any person there are only three factors that can be employed. You can identify a person by something that they know, by something that they have or by something that they are. Obviously, a user name and password is something that a person knows, and we waste all kinds of time and effort in the futile hope that we can keep this special knowledge secret. I say futile because, as we all know, secrets have a frustrating habit of not lasting very long.
Something we have can be a physical object such as an RSA token or smart card, or it can be a “soft token” such as a digital certificate. An example of using something you have and something you know in tandem is a debit card and PIN. Something we are can be a number of things: fingerprints, retinal patterns, DNA, body features, etc.
Every time you add another “factor” to your user identification scheme, you more than double the amount of real security you are adding to the access control system. That is why, despite the inconvenience, I am a big proponent of using all three types of identification factors at once, especially for privileged or high-risk access. As far as I’m concerned, it’s time to bite the bullet, live with the inconvenience and just get the job done!