Exchange Server Zero-Day Attack Sign of More to Come

Another sophisticated and widespread cyber attack just made the news last week. This attack, dubbed ProxyLogon, strings together four zero-day vulnerabilities in Microsoft Exchange Server that allow attackers to take over servers, compromise email and implant a web shell that gives them the ability to execute code on the servers from anywhere without authentication. Microsoft immediately released emergency patches for the identified vulnerabilities, tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

These attacks, initially attributed to the China-backed group Hafnium, were first noticed in early January and reported to Microsoft on March 2. It has since been determined that multiple advanced persistent threat groups have also been using this same exploit since about the same time of the Microsoft patch release (March 2), and that hundreds of thousands of servers around the world have already been attacked.

News of the attack caused immediate panic on multiple levels of government and industry. The CISA recommended immediately patching these issues or unplugging Exchange servers until they are patched. They also recommended that all possibly affected organizations should immediately take steps to determine if their systems have already been compromised. The word everyone is using here is “immediate.”

This Exchange Server attack surely does remind me of the way the devastating supply chain attacks we are still dealing with. Here we have highly enabled, state backed hacking groups systematically identifying cyber-vulnerabilities of every type, developing a group of exploits designed to take advantage of these vulnerabilities, identifying lots of fat targets to hit and then striking all of those targets at once. That is evidently the same thing that is happening with the Exchange Server attacks. And curiously, both these attacks and the supply chain attacks exploited flaws that had been present in the code for ten years or more. What’s more, if these Exchange Server attacks follow the same program, we can expect follow up exploits to be waiting in the eaves to further exploit the vulnerabilities and the panic they fomented.

What this tells me is that we are presently in the first stages of a global cyberwar whether we recognize it or not. So far, we are just taking the hit and scrambling around playing catch up while we try to figure out how to effectively address the problem. However, the enemy does not seem to be giving us time to sort things out. What would you like to bet that another, similarly devastating attack will hit us in no more than six months from now? I would put a nice chunk of change on that bet!

Another thing that these attacks show me is that we have gotten distributed network security wrong from the very beginning. The basic code that still lies at the very core of the Internet was never designed with security in mind and is basically flawed. We adopted it anyway and by the time security problems started to manifest themselves, it was too late; the paradigm was set. Going back and revamping it will prove to be impossible. You might as well try to get Americans to drive on the left side of the road, say “ahoy” instead of “hello” when answering the telephone and to use Metric measurements rather than Standard.

So how are we going to keep our riches and information safe from the Cyber Scourge? I certainly don’t have an answer that has any chance of actually being implemented. However, I would venture to guess that whatever solutions appear in the near future, they will probably be Draconian! Time for everyone to plan on expending a bigger chunk of their resources on cyber-security.

Financial Institutions Should Start to Embrace the Zero Trust Security Model

Another consequence of the supply chain attacks of 2020 is the big push to adopt the Zero Trust security model. This security model isn’t really a new set of security controls per se; it is more a way of implementing and coordinating existing control types. Another apt name for the Zero Trust security model would be the “Paranoids’ Delight” security model. Zero Trust assumes that internal and external attackers are there, that security breaches are inevitable, and that system compromises have probably already occurred.

The National Security Agency (NSA) defines Zero Trust as “a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. … . Zero Trust embeds comprehensive security monitoring; granular, dynamic, and risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus specifically on protecting critical assets (data) in real-time within a dynamic threat environment. This data-centric security model allows the concept of least privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources.”

Implementing Zero Trust into your security program is no easy task. It takes time, it takes resources and it takes a willingness on the part of company personnel to adopt and participate in a stricter security regimen. It means that gaining access to critical resources will be more difficult, and it means that access to nonbusiness-related resources on business networks will be curtailed. Getting buy-in for these processes will be an uphill battle at best.

The very first step in the process is knowing your entire network, including trusted partner/service provider/vendor connections and privileges. You need to be able to identify the criticality of all your network assets, how data flows, what trusts what, who has access to what resources and more. A good way to start collecting such information is by conducting a detailed Business Impact Analysis (BIA) if one is not already in placer.

Once you understand these processes, you can start defining “tuples.” A tuple is the combination of a user, device, and any other security-related contextual information to be used in making an access decision. For information in a tuple to be reliable, you must ensure explicit authentication of both the user and device. Once tuples have been constructed, you need to implement a Zero Trust decision engine. This engine examines the tuple in the access request and compares it to a pre-established security policy for the data or resources being requested. It then makes a risk-informed decision on whether to allow access and sends a log entry of that access request and decision to be part of future suspicious activity analytics. You need to do this for every access request to each sensitive resource.

This is an intimidating goal, and I’m sure that most of you don’t know how to proceed. Besides doing a thorough BIA, I also recommend starting by validating and coordinating your present information security program. Ensure that you have complete inventories of all network assets, that you have fully implemented access control, change control, configuration management, security maintenance, incident response and security monitoring practices in place.

The next step is to ensure that all of these processes work as a whole and are coordinated. People and departments need to communicate freely and without reservation. There is no room in an advanced information security program for squabbling and “rice bowl” mentality. Zero Trust will not work unless the entire organization pulls together as one.

Organizations Should Harden their Networks Against Supply Chain Attacks

Many people are a little shaky on just what a supply chain attack is. A supply chain attack occurs when a trusted vendor or service provider with access to your network is compromised by an attacker, who then uses this exposure to attack your network. This can be either through service providers that have direct access to your network, or through compromised third-party software applications that you use on your network. These kinds of vulnerabilities have been plaguing networks for years, but we’ve never seen the level and complexity of supply chain attacks we experienced last fall. And the problem is far from over; NIST expects these attacks are only likely to grow due to insufficient protection of software development and distribution channels, combined with the fact that other cyberattack paths are becoming more difficult to exploit.

So, what can you do now to get ready for more supply chain attacks? The first thing is to ensure that you have a strong vendor management program in place. You should perform due diligence when choosing and implementing service providers and software providers / applications. Review their history to see if there any past security incidents with their services or applications, review their information security program and ensure that they have strong controls in place, review results of vulnerability assessments, code reviews and penetration tests to see if problems were detected and what was done to remediate those problems, and perform these checks on a regular basis; not just once.

When dealing with software providers, look into their code development, sharing and storage practices if possible. Are they checking the integrity of their code by scanning for malware before each build is released? Do they use multifactor authentication to sign on to machines that have access to their codebase? Is access to coding projects based on least privilege / need-to-know, or does the whole development team have access? If a vendor’s code development process is strong, they should have no problem sharing this information with you. It’s important to remember that when you hire a service provider or use a developer’s code on your network, you are essentially making them an integral part of your business, just like one of your regular employees. If your private information is compromised because of a vendor security failure, the ultimate responsibility for that information compromise is on your shoulders, not theirs.

You should also ensure that you and your vendors have strong security monitoring and incident response programs in place. Logging on your network should be verbose, and enabled on all devices and programs that are capable of it. In addition, those logs need to be aggregated, parsed and examined by qualified human analysts. And if a compromise of the supply chain occurs, you should have incident response plans in place so you can react quickly and correctly. Practice the plan and be sure to incorporate lessons-learned so that improvement is constant. Doing all of these things is not the whole answer, but will give your organization a good start in dealing with supply chain security problem.

Fight Email Spoofing with DMARC

Ransomware reached an all-time high in 2020, and ransomware usually begins with phishing or spoofing emails. In fact, more than 90% of all cyber-attacks worldwide begin with a bogus email message of one type or another. One of the most common types of bogus email messages you will encounter is the spoofed email message. Spoofing emails contain a forged sender address that makes them appear to be from a colleague or legitimate business. Naturally, people are more liable to trust such a spoofed email message than even a clever alternate phishing email scam. Luckily there is a good way to fight spoofed emails at your organization and it’s called DMARC.

Domain-based message authentication, reporting and conformance (DMARC) is an email protocol that was designed to protect email domains from email spoofing. It was created by PayPal together with Google, Microsoft and Yahoo and was first published in 2012. DMARC extends two existing email authentication mechanisms: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). It allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain, how to check the “From” field presented to end users, how the receiver should deal with failures and a reporting mechanism for actions performed under those policies.

Once the DMARC DNS entry is published, any receiving email server can authenticate the incoming email based on the instructions published by the domain owner within the DNS entry. If the email passes the authentication, it will be delivered and can be trusted. If the email fails the check, depending on the instructions held within the DMARC record the email could be delivered, quarantined or rejected. For example, one email forwarding service delivers the mail, but as “From: no-reply@<forwarding service>”.

However, even using DMARC your organization can still get spoofed. Businesses often relax their security settings to accommodate partners and third parties whose email security may not be as good as their own. It’s important to configure SPF, DKIM and DMARC with the strictest settings your organization can tolerate. It is also important to monitor and review the DMARC reports that are produced by the protocol. This allows you to see what the deliverability rate is for outbound emails, and also allows you to verify who is sending email messages using your organizations name. This can not only help you prevent spoofed emails from reaching your personnel, it helps boost your business reputation when communicating with customers and business partners.

Virtual CISOs & Small Utilities Often a Good Fit

Cybercrime has reached a new level and can certainly now be categorized as an epidemic; maybe not the same kind of epidemic as COVID-19, but sharing many of the same characteristics. Like a plague, cybercrime spreads from victim to victim, gaining traction as it goes. And also like a plague, it requires draconian efforts and plenty of resources to thwart. This can be a particular burden on smaller organizations such as utility co-ops with small IT departments and limited budgets. In this kind of threat environment, such companies need to maximize the effectiveness of every dollar they spend.

So how do you ensure that you are getting the biggest bang possible for cybersecurity buck? Well, the first thing is to have a sound cybersecurity strategy in place, one that fits your organization’s needs specifically. And for that task, you need a person with the skills of a good Chief Information Security Officer, more commonly known as a CISO. The first job of a CISO is to gain an understanding of your business environment, goals, strategies and resources. From there the CISO can work with you to construct or improve your cybersecurity program and strategy. Other tasks that CISOs regularly undertake include threat monitoring and analysis, risk and security assessment planning, risk remediation planning and incident response program oversight just to name a few.

However, CISOs are much in demand and rate high salaries. In addition, for years now, there has simply not been enough qualified CISOs out there to meet the demand. This puts smaller organizations in a real bind. If they spend the money to salary a full time CISO they are using up an inordinate amount of their security budget, thereby negating much of the benefit to be gained by the CISO’s services. Happily, the computer age has gifted us with an answer to this dilemma: the virtual CISO.

Don’t be fooled. Virtual CISOs are not a software packages or AIs. They are actual CISOs that provide services to several organizations instead of just one. They often conduct meetings and conferences with your personnel remotely, which saves the lost work time and expense entailed with traveling for in-person meetings. In addition, reputable virtual CISOs have real-world experience that has been derived by serving many differing organizations. This gives them both perspective over the current information security problem as a whole, and the specific knowledge needed to recommend various technical and operational controls that will fit your organization like a glove.

Formula for Calculating Cyber Risk

As I have been writing about lately, we are experiencing a new level of cyber-attack sophistication and effectiveness. 2020 has seen not only very effective ransomware attacks, but also equally effective supply chain and DNS vulnerability attacks. Regulators and security personnel were shocked and somewhat at a loss on how to combat these threats other than by strengthening information security program and controls requirements. They are pressing down hard, and financial institutions such as wealth management firms are at the spear tip of their efforts.

To understand the cyber-risk that faces them, financial institutions need conduct risk assessments. Risk assessments can be limited in scope or can include the entire organization, but they all include many common steps and determinations. I still adhere to the processes outlined in NIST 800-30 2002. These include threat analysis, vulnerability assessment, probability of occurrence analysis, impact determination and controls analysis. Combining these factors allows you to assign a risk exposure rating. The formula is: risk = (threat x vulnerability x probability of occurrence x impact)/controls in place. But how do you actually apply this formula to the results of the various steps of the risk assessment?

One way, of course, is to just calculate it by feel. What I mean by that is looking at the threats, vulnerabilities, probabilities of occurrence and likelihood of impact information you have come up with, and balancing that against the controls that are already in place at the organization. Then, either unilaterally or in discussion among the group, you determine if the residual risk you are facing is high, medium or low. This is really the way most organizations determine their risk levels.

NIST has a few tools to help you with determining some of these steps. For probability of occurrence (likelihood determination), they advise considering three governing factors:

  • Threat-source motivation and capability.
  • Nature of the vulnerability.
  • Existence and effectiveness of current controls.

They also have a likelihood table to help you decide:

Likelihood Level Likelihood Definition
High The threat-source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Medium The threat-source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low The threat-source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.


For impact, they have produced another table that helps you rate the magnitude of impact:

Magnitude of Impact Impact Definition
High Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
Medium Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.
Low Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources or (2) may noticeably affect an organization’s mission, reputation, or interest.


Then, for the actual risk determination step, they have produced a risk level matrix and risk scale:

Threat Likelihood Impact
Low (10) Medium (50) High (100) Low (10) Medium (50) High (100) Low (10) Medium (50) High (100)
High (1.0) Low

10 x 1 = 10


50 x 1.0 = 50


100 x 1.0 = 100

Medium (0.5) Low

10 x 0.5 = 5


50 x 0.5 = 25


100 x 0.5 = 50

Low (0.1) Low

10 x 0.1 = 1


50 x 0.1 = 5


100 x 0.1 = 10


The risk scale for this matrix is: High (>50 to 100); Medium (>10to 50); Low (1 to 10).

The risk level scale table is:

Risk Level Risk Description and Necessary Actions
High If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Medium If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low If an observation is described as low risk, the system’s DAA must determine whether corrective actions are still required or decide to accept the risk.


Although NIST 800-30 2002 has been retired, I still find their risk assessment methodology useful. The tables and matrix shown above help me in making my risk determinations without resorting entirely to feelings. Perhaps they will be useful to you as well when you are faced with the thorny problem of assigning cyber-risk levels. They will at least give you some justification for making the decisions that you do.

We All Need to Prepare for More Supply Chain Attacks

The SolarWinds supply chain hack has really thrown organizations and businesses of all sorts for a loop! The scale, complexity, duration and effectiveness of the attack was awesome, and it is not over yet. On top of that, other supply chain attacks may even now be underway with all of us none the wiser. The problem lies in protecting ourselves from such attacks in the future. This, however, is a thorny problem.

Supply chain applications are designed for things like easy interoperability, connectivity and ease of use, just like the original code for what became the Internet was designed; functionality and user friendliness are the primary considerations in such applications. With these kinds of functions build into the chain, security problems are inevitable. People in the industry have known this for some time and have forwarded warnings about the vulnerabilities in the supply chain. NIST began to develop their cyber supply chain risk management (C-SCRM) program in 2008. They released a draft of NISTIR 8276: Key Practices in Cyber Supply Chain Risk Management in February of 2020.

This risk management paradigm was developed with input from across a number of organizations and disciplines, and was open for comment from early February to early March last year. This effort (in draft) produced eight practices that include:

  1. Integrate C-SCRM across the organization.
  2. Establish a formal program.
  3. Know and manage your critical suppliers.
  4. Understand your supply chain.
  5. Closely collaborate with your key suppliers.
  6. Include key suppliers in your resilience and improvement activities.
  7. Assess and monitor throughout supplier relationship.
  8. Plan for a full life cycle.

This seems like sound advice for the risk management part of the problem, although it will have to be tested in implementation. But what can you do now to help prepare yourself for supply chain attacks? One thing you can do is deconstruct a supply chain attack, see how it works and plan controls and procedures for thwarting the attack. In military terms, this would be called disrupting the kill chain.

There are several versions of cyber kill chain phases out there, but they all have much in common. The basic steps in a supply chain attack could include:

  1. Reconnaissance – Mapping your organization from personnel and business functions to examining your network, the protocols you use and the security measures you have in place.
  2. Intrusion – Leveraging flaws found during reconnaissance, using social engineering techniques or employing zero-days to gain access to the network.
  3. Exploitation – Exploiting vulnerabilities you found during the reconnaissance phase to implant malware or perform other tasks.
  4. Lateral Movement – Exploiting weaknesses in administrator password practices or system onboarding configuration practices to move to different systems across the network.
  5. Privilege Escalation – exploiting weaknesses in privileged access control, configuration control, etc. to elevate your privileges on the system.
  6. Finding the Gold – Accessing various systems to locate valuable information.
  7. Exfiltration of Data – Copying and removing all that juicy data from the system.

Of these steps in the kill chain, a couple stand out to me as the easiest for most organizations to control: lateral movement across the network and privilege escalation. For years we at MSI have been harping on the dangers of taking shortcuts when administering systems on the network. Attackers are often able to move laterally across a network because a group of systems all use a common administrative password. As big a pain as it can be, each system on a network should have a unique administrative password just like each user on the network should have unique access credentials.

Another problem that allows lateral movement is system administrators using the same password for simple network access and for administrative access. If an attacker can compromise a user system and crack the password hashes, there is a good chance that they can identify and use one of these passwords to gain admin-level access on the network’

Finally, privileged access to the system is the key attackers need to fully compromise the system and exfiltrate data. There cannot be too many precautions you can take when it comes to allocating and monitoring privileged access to the system! You should employ heuristics to identify odd behavior or odd time of system access for privileged users. Addition of a new privileged user to the system should generate alerts. All privileged access and use of the system should be logged and monitored. If you are really serious about protecting your system, you may want to implement dual controls for certain privileged user functions. These are just a few of the controls that could be implemented. My advice is to do a risk assessment, determine where your vulnerabilities may lie and design and implement controls that disrupt the cyber kill chain in a way that work for you.

Credit Unions Should Ensure Their ATMs are Well-Secured

Some credit unions own their ATM machines, others lease them or have a service in place. But however credit unions handle ATMs at their locations, they should ensure that proper physical and logical security controls are in place, and that security maintenance is regularly performed on the machines and their back end systems. It is unfortunately true that ATM machine vulnerabilities are still being exploited to empty machines of cash or to corrupt their back end operating systems and servers with malware, which could lead to possible compromise of private member data. Threat sources for these compromises include both external attackers and insiders such as credit union employees or employees of third-party ATM service providers.

Not only is member trust at issue if there is an ATM security breach, the credit union has to consider their responsibilities under Regulation E of the Electronic Fund Transfer Act. According to this act, risks to electronic fund transfers (including ATM transfers) should be included in the risk awareness program, and both physical and logical security controls should be in place to address these risks. In addition, policies addressing these risks should be included in the credit union’s written information security program and approved by the Board of Directors.

Some of the control needs that should be addressed include:

  • Dual controls for ATM access and maintenance, as well as dual controls for card stock and printer refills access.
  • Security maintenance including updates and patches for ATMs and back end servers, applications, firmware and operating systems.
  • Removal of default, easily guessed or dated passwords on ATM systems. Passwords should be changed often, and multi-factor authentication techniques should be implemented if at all possible.
  • All the normal network security measures such as user access and account management, email security, internet access, change management, configuration control, malware protection and detection, logging and monitoring, etc.
  • Fraud monitoring and protection.
  • Control for electronic communications devices such as:
    • Access time-outs and logon attempt limits.
    • Anti-skimming software and hardware.
    • Monitoring for physical tampering.
    • Payment card security controls
  • Consider implementing the highest level of endpoint security on ATM machines to prevent connection of devices or uploading of malware onto the machines.
  • Ensure that autorun and boot features have been disabled on ATMs,

In addition to these controls, credit unions should have periodic security audits or risk assessments performed on ATMs and the policies and procedures surrounding them performed by qualified third-party information security firms. Another set of eyes and a different perspective are always beneficial to any information security program.

Cyber Threats to Utilities Intensifying Rapidly

The rapid pace of change and confusion caused by the COVID 19 epidemic seems to have super charged the cybercriminals that continue to plague us. 2020 has seen a tremendous rise in the number and sophistication of ransomware attacks across the board. Also, the number and sophistication of phishing attacks, notably targeting Office 365 users, have also increased of late. In addition, the recent very successful supply chain attacks that affected high-value SolarWinds users were incredibly well conceived, coordinated and executed. These attacks required great cyber skill, meticulous planning and manual interaction and monitoring by the attackers. They should be of particular interest to utilities, since utilities may face the same level of sophistication if attacked by nation-state level cybercriminals.

Since cybercriminals have upped their game significantly, it behooves utilities to up their game as well. They need to make it very difficult for cybercriminals to get a foothold on their systems in the first place, and if those efforts fail, they need to be able to detect, react and recover from attacks quickly and surely.

However, utilities are in a particularly bad position to implement adequate operational and technical security controls to properly secure these systems. For one thing, industrial controls systems and components used by utilities are long lived and generally were not designed with network security controls in mind. They are hard to retrofit, and so must be replaced with modern equipment or be secured with operational controls rather that technical controls. One fix means money and time for new equipment, the other fix means money and time for increased personnel.

Another problem is that, one way or another, many utilities can be attacked from remote locations over the Internet. To be efficient, centralization of control systems has increased, and inevitably it seems, industrial control networks are linked up at some point with administrative networks and the Internet. So, if your back-room network and the personnel who use it aren’t perfectly vigilant, they can be used as a vector for attackers to access the industrial control system. Also, industrial control devices can often be administered directly over web-based applications. This makes another vector for clever attackers to take advantage of.

In my opinion, the answer to fixing the utilities security problem does not lie solely or even primarily in technological fixes. I think the most effective way to resist modern cyberattack is through implementing operational controls and ensuring there are enough well-trained personnel to implement them. For example, all possible routes of access to industrial control systems need to be fully mapped and updated constantly. Any access from the administrative network or the Internet to industrial controls systems needs to be strictly white-listed and monitored. Administrative-level access controls should be fully implemented, and networks should be configured so as to make lateral movement across the network or elevation of privileges extremely difficult to accomplish. Dual controls should be implemented where appropriate, and utilities should consider using all three possible types of identification for particularly sensitive access to the system (i.e. remote administration and control of systems, adding and removing users).

Embrace the latest in information security guidance, what we like to call “best practices” level security. It’s difficult, frustrating and expensive, but nothing compared to what could happen in the event a sophisticated, coordinated and wide-spread attack on our utilities occurred.

Financial Institutions Should Ensure that Ransomware Attack is Included in Incident Response Plans

The ransomware problem just seems to be getting worse and worse. A recent study showed that ransomware increased from 39% to 51% just from Q2 to Q3 this year. This was record growth, and put ransomware attacks as one of the top threat vectors out there. But we have noticed that many organizations, including financial institutions such as wealth management firms and credit unions, have yet to include ransomware attack as a specific threat vector in their incident response plans. Because of this, we recommend that financial institutions should conduct a specific ransomware risk assessment to determine how this threat could impact them, and to examine the probable effectiveness of the security controls they currently have in place in ameliorating it.

When conducting such risk assessments, the organization should start with threats and threat vectors. For ransomware, the primary threat vectors according to CIS include:

  • Malicious attachments or links sent in email messages.
  • Network intrusion through poorly security ports and services, notably Remote Desktop Protocol (RDP) and Server Message Block (SMB).
  • Dropped by other malware infections such as an initial TrickBot infection leading to Ryuk ransomware attack.
  • Wormable and other forms of ransomware that exploit network vulnerabilities such as WannaCry.
  • Employing compromised managed service providers to push ransomware to multiple entities.

In addition, attackers have been employing legitimate pen test and network administration tools as a part of their attacks. These tools can be used to help minimize detection and maximize the impact of attacks. Use of these tools as attack mechanisms is increasing the scope of attacks possible to cyber criminals. Just this week there was a report of a massive fraud operation using emulators that allowed attackers to steal millions of dollars from online banking accounts. Emulators are tools used by legitimate developers and researchers to test how apps run on mobile devices. Using these, criminals were able to spoof many thousands of accounts in a very short time, leading to massive illicit profits.

The next step in the risk assessment process is to examine your business processes and security controls to see where vulnerabilities that could be exploited by attackers to promulgate ransomware may lie. In other words, the organization should list the threat vectors (such as those listed above), and determine for each where the organization’s own systems may be vulnerable and what can be done about it if they are. Once that list is complete, the organization can decide if and how they are going to implement these needed controls.

One of the controls that is sure to arise from this process is proper incident response planning. Incorporating the results of your risk assessment can greatly enhance the organization’s ability to effectively detect and respond to ransomware attacks. Knowledge of how ransomware is going to come at you and the proper way to react to it is invaluable! And, as with any good incident response program, ransomware attacks should be included in incident response practice exercises. Lessons learned from these exercises will help to prevent chaos in the event of an actual ransomware attack against your organization.