Over the last months I have written several blogs concerning the burgeoning problem of ransomware attacks. Ransomware has been evolving rapidly of late and is liable to explode. According to Kapersky’s predictions for cybercrime in 2021, “cybercrime is set to evolve, with extortion practices becoming more widespread, ransomware gangs consolidating and advanced exploits being used to target victims.” When you add to this such problems as rising business email compromise problems and the difficulties of information security in the age of Covid, you can picture a pretty bleak outlook for data breaches and ransomware attacks next year.

Unfortunately, compromised business email information, weak remote working security practices and advanced vulnerability exploits can all be employed by organized gangs of cybercriminals to perpetrate ransomware; a type of attack that can present businesses with no-win solutions. If you pay the ransom, what is to keep the cybercriminals from revealing your stolen information publicly anyway, or coming back to you again with additional demands for money? If you pay, you can also possibly be in violation of U.S. laws and regulations. If you don’t pay, your private client information could be exposed publicly, possibly exposing you to regulatory sanctions and legal actions.

Of course, the best protection possible is to harden your business and personnel against successful social engineering attacks and cyber exploits. The problem is, no matter how good your information security program, you still may be compromised. To protect your business responsibly in this environment, you need to embrace all aspects of a good information security program: identify, protect, detect, respond and recover. These activities make up the framework core of the NIST Cybersecurity Framework (Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (nist.gov).

Identify basically refers to knowing your business. It includes asset management (i.e. software and hardware inventories), examining the business environment, identifying risk, coming up with a risk management and governance strategy and examining supply chain and third-party risk. If you don’t know your business deeply and exactly, you have little chance of protecting it properly.

Protect refers to all those programs you put in place to prevent cybercriminals from compromising your systems and information in the first place. These functions include access controls, data security measures (i.e. protection for data at rest and in transit), information protection processes and procedures (i.e. configuration and change management control, security policies and procedures, etc.), protective technologies (i.e. email security systems, SIEM, etc.), security maintenance (i.e. patching and updating), and the ever-important security awareness and training.

This leads into the “detect” part of the framework. As we have pointed out in past blogs, all the security systems in the world won’t keep you safe if you don’t actually monitor them and leverage their output to detect anomalies when they occur. And to perform this function properly, you need to involve humans. The human mind remains the most effective detection tool there is.

The last two parts of the framework core are “respond” and “recover”. These basically refer to your incident response and business continuity/disaster recovery programs. As was stated earlier, no matter how good your program is, there is always the possibility of compromise. That is why responding quickly and effectively is so important. This entails both planning and practice. As does business continuity/disaster recovery. Proper planning and realistic testing programs are essential.

Cybercriminals are looking forward to their best year ever in 2021. Do what you can to thwart their ambitions. A good, well rounded information security program is the best you can do in this respect. We recommend embracing the paradigms included in the NIST Cybersecurity Framework in this effort for their clarity, effectiveness and relative ease of implementation.

No matter what industry you are in, you need to practice emergency procedures to build proficiency and identify glitches in your planning. For example, we all went though fire drills back in grade school, or if you’ve been on a cruise ship, you have received lifeboat drills. These kinds of exercises have proven their worth time and again over the years. For wealth management firms, one such program that needs practice exercises is the incident response program. And tabletop incident response exercises are an effective way to conduct these practices.

We at MSI have had years of experience in developing and conducting tabletop incident response exercises for organizations in a number of industries. In the financial industry, the most prevalent and dangerous attack type currently is ransomware. Ransomware attacks can lead to data breaches, lawsuits, regulatory involvement, loss of reputation and financial loss. Let MSI assist your firm in tabletop exercises designed to test your response preparations and to make adjustments and improvements in your response.

First, we will work with your firm to design a real-world ransomware attack scenario that is relevant to your particular organization. From there we will construct the scenario and set a time with your firm to conduct the exercise. MSI will provide two personnel for the exercise: the exercise moderator and the exercise observer/recorder. It should be noted here that these exercises can be conducted in either the real or virtual world. During these days of pandemic emergency this can be an important consideration.

Once the tabletop begins, the moderator will unfold the details of the exercise one by one, just as they’d come to notice if a real incident were occurring. Your incident response team will then follow your incident response plan, communicate with each other and relate just how they would address each issue as it unfolds. As the exercise continues, the moderator will continue to introduce complexities built into the ransomware exercise scenario. Once the exercise concludes, MSI will help your team conduct a “lessons learned” discussion that points out what worked well during the exercise and what didn’t seem to work well and needs improvement. Finally, your firm will receive a report from MSI recapping the exercise and including suggestions for improving your response techniques and mechanisms.

In our experience, incident response tabletop exercises have never failed to expose flaws in the incident response plan. These exercises also lead to spirited discussion and innovative thinking among the team members. Remember, the key to minimizing the negative effects of any cyber-attack, including ransomware attack, is quick and accurate response.

If your wealth management firm suffers a ransomware attack, should the firm pay the ransom or not? This seems like a straight-forward question, but in reality, is anything but. A number of factors have to be taken into account, including what kind of ransomware attack you have suffered, the possible financial costs associated with the attack and the attack aftermath, the possible reputational damage and attendant loss of clients, and also legal and regulatory consequences that may arise from the attack.

Let’s start by looking at the two main types of ransomware attacks your firm might encounter. In the “traditional” ransomware attack, cyber-criminals break into your network and encrypt your important data so that you cannot access it without the key they used. They then demand a ransom payment for this key. This is an attack on only one of the three pillars of information security: availability. If your firm doesn’t have safely stored backups, you must pay or suffer likely permanent loss of your data. If your firm has safely stored backups, all you have to do is restore your system from these backups. The decision to pay or not in this case seems simple for a wealth management firms: if you pay you get your data back quickly. If you don’t pay, you still get your data back, but not so quickly. It may take days to go through the restoration process. If you think your clients will stand for this downtime, you don’t pay. If you don’t think the business interruption will be tolerated, then maybe it is better to pay and take the financial loss.

The other type of ransomware attacks we’re seeing today are not so simple. If your important data is not properly encrypted, the attackers may not only re-encrypt your data, they may also copy it and threaten to release it publicly if they are not paid. This is a much thornier problem because it also affects another pillar of information security: confidentiality. Financial institutions are heavily regulated and are required to adequately protect the confidentiality of their client’s financial and personal private information. If the firm pays the ransom, they may get the key to unencrypt their data and a promise not to post this data publicly. But what level of trust can you put in the word of criminals?! What is to prevent them from publicly releasing the data anyway, or keeping the data and demanding further payments in the future? This complicates the decision to pay or not considerably. If the firm doesn’t pay the ransom, they are in for public scandal that might cause present clients to go elsewhere and prospective clients to choose a different firm. They may also be subject to regulatory sanction if their information security program is judged to be inadequate. In addition, the firm may be sued by affected clients which can lead to even more scandal and reputational loss.

But wait, there is more! Paying the ransomware is actually illegal is some instances. Under the International Emergency Economic Powers Act or the Trading with the Enemy Act, U.S. persons are generally prohibited from engaging in transactions with individuals or entities that are on OFAC’s Specially Designated Nationals and Blocked Persons List or with persons from embargoed regions and countries (see the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf for more information). And how is the firm to know if the blackmailers they are dealing with are among those on the proscribed list? I would hate to have to be the one to make the decision to pay ransomware or not in these cases. To quote an old cliché, these decision makers are caught between a rock and hard place!

There is no simple, easy or right decision to make if your firm is caught up in this second type of ransomware attack. The real answer is to not be in such a position in the first place. Financial firms should ensure that their information security program is compliant with regulatory and best practices standards at all times. You should ensure that your data is properly encrypted and backed up, patch and update your systems religiously, test and monitor your systems and ensure that your partners and services providers are doing the same. To quote another old cliché: an ounce of prevention is worth a pound of cure!

Credential stuffing is a truly thorny security problem that exploits weaknesses in both human nature and Internet access controls. A credential stuffing attack is using user name/password combinations stolen from one website to try to gain access to other websites. It exploits the tendency of all of us to use the same passwords for multiple websites. Although this is a human weakness, it is also perfectly understandable; it is tedious and difficult to remember many complex passwords. It is also difficult to reliably protect password lists that are in any way accessible over the Internet. I see many articles about password management tools or cryptographic techniques that have been compromised while preparing the MSI Infosec Précis. Even MFA is not invulnerable. Attackers have come up with a number of different MFA bypass attacks lately, and more are certain to follow. Couple all this with the fact that there already are literally billions of user name/password pairs available for sale out there that have already been compromised, and you can see why credential stuffing is such a danger to the security of our private information. It is used constantly by attackers to gain the network foothold they need to launch further attacks such as Ransomware.

How are you supposed to protect yourself and your business from password stuffing attacks? The best solution is for everyone to use strong, unique passwords for each different online account they have. Good luck with that! Even the best of us get lazy or stupid once in a while. Or you can (and probably should) employ strong password managers and MFA. These are good techniques that are largely successful. But as I stated above, even these techniques are not sacrosanct. So, if you can’t stop credential stuffing attacks, you had better be able to detect them quickly and react appropriately.

One way to detect these attacks is through monitoring and analysis. As Scott Matteson, the man who coined the term “credential stuffing,” recommended in a 2019 interview: “Monitor your business metrics for signs that you may already be experiencing credential stuffing or other automation attacks, including poor or declining login success rates, high password reset rates, or low traffic-to-success conversion rates.” Plus: “Analyze the hourly pattern of traffic to your login and other attackable URLs for traffic spikes or volume outside of normal human operating hours for your markets: Real users sleep, automated attacks do not.”

In addition, there are tools and services available that can help you detect password stuffing attacks. As the MSI CEO, Brent Huston, discussed in his blog posted on November 11, MicroSolved’s data leakage detection engine ClawBack™ is one such tool that is useful in detecting stolen credentials that show up on pastebin sites or that have been leaked inadvertently through a variety of ways.

However, detection is not enough. You also need to be able to react quickly and surely when a leak has been detected. This means incorporating credential stuffing into your incident response (IR) plan. The incident response team as a whole should discuss response methods, incorporate them in the written IR plan and include them in their periodic IR training sessions. The combination of awareness of the credential stuffing problem, implementation of rational protection and detection mechanisms and documented response measures are a combination that can help your organization protect itself to best effect.

As the complexity of a computer system increases so does the difficulty of securing it against cyber-attack. In fact, difficulty of protection rises at a more than one-to-one ratio with complexity. This is one of the reasons we at MSI so highly tout extensively segmenting complex networks into “enclaves” with individual firewalls and access controls, as well as strict trust rules on how each enclave can communicate with each other and the outside world. Although this process is complex to develop and implement, once in place it greatly simplifies the protection of critical assets such as industrial controls systems and administration networks.

One reason why it behooves utilities to consider cyber-protections at this level is the exponential rise in the availability and use of Internet of Things (IoT) devices. It seems like every kind of device there is now has a computer in it and can be accessed and administered over a network of some kind. And usually this network is the Internet or is routable to the Internet.

Systems at threat include industrial control systems and the enterprise networks that administer them; they employ more remote access devices every day. IoT devices that are connected to enterprise networks can be just about anything. Smart light bulbs, cameras, heat sensors, voice controllers, televisions, robots… the list is daunting and grows constantly.

Exacerbating this problem for most of the last year has been the pandemic emergency. The need for social distancing and remote working has exploded because of it. And as we all know, in an emergency functionality trumps security every time. Concerns have set up remote conferencing and remote administration systems at a record pace. And even if they have performed some form of risk analysis before, during or after implementation, chances are that they may not have been holistic in their threat and risk analysis.

This brings me back to the enclave computing scheme I mentioned above. To set up proper network segmentation, the first things you need to know are what data/devices are on the network, how data flows between these entities and what trust relationships are implemented in their setup. Until you have a grasp on all of these factors, there is no way you can gauge the full range of negative security effects hooking IoT devices to your enterprise network can have.

So, my advice to Utilities and other users of industrial controls systems is this: do a thorough business impact analysis (BIA) of your enterprise network and all of its connections. The BIA will reveal the factors I mentioned above. It reveals what devices and data are there and their relative criticality. It shows you how data moves and what trusts what. This information is the necessary precursor to accurate risk and threat assessment, and can be the beginning of a new level of information security at your enterprise.

Data breaches are happening every day, and presently, they are often accompanied by ransom demands. It used to be that most ransomware simply encrypted a firm’s data and wanted to get paid for the key to decrypt it again. The answer to this kind of attack is pretty simple: make and securely store backups of your data so that you can reload your systems without paying ransom. This works, but some concerns still pay the ransom to avoid downtime while backups are accessed and systems restored. Unfortunately, the bad guys have a worse trick up their sleeves: threatening to publish your data on the Internet if you don’t pay the ransom.

This is a very thorny problem. If you don’t pay, you are going to have private personal and financial data of your clients exposed, which is going to lead to regulatory scrutiny and loss of business. If you do pay, you are out the expense and you have no guarantee that the cybercriminals won’t publish your data anyway.

Besides ensuring that your data doesn’t get compromised in the first place, the only thing that wealth management firms can do to thwart this problem is ensure that their incident response plan is complete and ready to invoke at a moments notice. This takes good communications, especially internally. This is the responsibility of the CISO in most firms.

The first thing the CISO should do once the incident is validated is to notify the incident response team and get them working on containing the incident and researching how it was perpetrated. From there, the CISO should handle communications. All incident-related communications should go through the CISO. The team should communicate their findings with the CISO, and the CISO in turn should communicate pertinent information with the Board of Directors. They are primarily responsible for the information security program at the firm, and decisions on further communications with regulators, law enforcement and clients should come from them. It is also their responsibility to decide how ransomware demands are to be addressed.

To perform all these functions quickly and efficiently, communications methods and responses to incidents should all be pre-planned and included in the incident response plan. It is also important to practice responses to various likely incident scenarios (table-top exercises are generally used for this). These practice sessions help to speed up actual incident responses and expose holes in the plan that could cripple the response if not corrected.