In the realm of cyber-security, all of the advantages are with the attacker. To be successful, defenders have to guard against and defeat all possible attack types all of the time; attackers only need to find one hole in those defenses to win the game. That is why information security programs need to be dynamic and flexible in order to work properly.

I have worked with all types and sizes of organizations during my years in the information security field including government agencies, regulatory bodies, retail concerns, service providers, financial institutions and medical organizations. No matter what kind of organization I am working with, I have found it to be an immutable truth that the larger and more complex the organization, the more difficult and time consuming it is to make changes and to their information security program. It’s not really anybody’s fault, it’s just the nature of the beast. Bigger organizations have more checks and balances to deal with, more personality clashes to arbitrate, more committees to wrestle with and more ‘rice bowls’ to protect. However, this is no reason to throw up our hands and admit defeat. Now is the time to recognize that we have a problem and try to find ways to work around it.

One idea I wish to propose in this regard is the ‘top-down, bottom-up’ approach to information security. First, the people in top positions in large organizations need to be made fully aware that a real problem exists and how serious it is. They also need to be made aware of the business advantages of a flexible and effective information security program. Most important of all, they need to be willing to visibly show their full support for the program and the changes that are to come. After all, no organizational security initiative can get very far without full buy-in at the Board Room level.

Another part is the ‘bottom up’ part of the process. Some years ago I worked with a software suite that allowed anyone in the organization to easily access and view security policy on the company intranet. Not only could personnel view the policy, they could make suggestions to improve and change it, propose new techniques, recommend ways to streamline the process, etc. Nobody in an organization knows more about business processes and how to protect them than the people that work with them every day. Why not encourage them to make suggestions and report problems? All it takes is a little encouragement and minor reward. In fact, I’ve found that simply recognizing personnel for their security efforts is enough. Praise them in group meetings, put their pictures up on the wall, that sort of thing. Why should the organization hire expensive consultants to tell them the same things that they can learn from their own personnel?

The last part is acting upon the suggestions produced by management encouragement. Once valid suggestions have been made, the initiative needs to flow through the normally recalcitrant and obstructionist mid-levels of the organization to make it back to the top. Can this group be made to set aside their differences and encourage the adoption of rational and workable suggestions for change? If they can, then large organizations can truly improve the flexibility and effectiveness of their information security program, and save money doing it.

Ransomware has been around for decades. In 1989 the AIDS Trojan was used to hide directories and encrypt all files on the C drive of infected computers. Users were then asked to “’renew the license” which involved sending $189.00 to a Panama P.O. box. This is an example of “crypto-ransomware.” Then around 10 years ago, other families of crypto-ransomware such as Cryzip, Krotten and Gpcode appeared on the scene.

Crypto-ransomware is particularly dangerous because it encrypts files on computer systems using strong and often unique encryption algorithms. This means that if these files were not properly backed up, users could lose this information forever unless they agreed to pay the price asked by the extortionists. And even if proper backups were extant, users still faced the hassle of rebuilding their machines; a time-consuming task that many would happily pay to avoid.

Another type of ransomware (that has been with us for more than 15 years) uses “blockers” to render computers unusable. Blockers are windows that cover all other windows on your desktop. These blocker windows usually contain a message from the extortionists telling users how and where to send the ransom in order to get their computer screens or browsers unlocked. This type of ransomware was the first to reach “epidemic” proportions back in 2010. Both of these ransomware types were originally used to attack mostly user machines, but now attacks on businesses are increasing rapidly.

Recently, especially within the last 6 to 10 months, things have changed. In April of this year, Kaspersky Lab noted that more than half of all ransomware is now crypto-ransomware; a figure up from barely 10% just a year earlier. In addition, there are new, more insidious types of crypto-ransomware appearing on the scene.

In January of this year the first JavaScript ransomware, “Ransom32” was noted. This ransomware uses the NW.js framework to infect computers, and so can probably be used to attack not only Windows OS, but Linux and Mac OS as well. This type of ransomware is being sold on the dark web as ransomware-as-a-service in exchange for a 25% cut in the ransom profits.

Another recently noted ransomware is called “Cerber.” Cerber encrypts user files using AES encryption, and costs the victim 1.24 bitcoins ($500.00) in ransom. Cerber itself is easy to remove, but encrypted files that have not been backed up will be lost if users fail to pay.

Now, there are even more dangerous ransomware types appearing. ZCryptor acts like a worm and can be spread from machine to machine. It is distributed through spam and email infection vectors, but can also be spread through Macro malware, removable/network drives or fake installers. It encrypts a number of different file types on infected computers using strong AES encryption algorithms, and changes the file extension to “.zcrypt.”

The sophistication and variety of these newer ransomware types shows that cyber criminals are investing plenty of resources on this malware. Users (and businesses) should expect more and more of these types of attacks in the future, and should protect themselves accordingly. Suggestions include:

• Backup your important files very regularly. You will still lose any files/documents created after the last backup, so adjust your backup frequency accordingly.
• Ensure that all of your systems and software are current for security maintenance and are configured in a secure manner.
• Train your personnel about ransomware and how it spreads.
• Keep your security software up to date and employ pop-up blocker software.
• Monitor file system activity and extensions.
• Employ Honeypots (such as MSI HoneyPoint software) on your systems.
• Employ User Behavior Analytics (UBA) on your network.
• Employ anti-ransomware products and mechanisms.
• Ensure your Incident Response and Disaster Recovery plans are up to date and well-practiced.

One of the tasks I perform at MicroSolved is working on our Daily Threat Briefing. We use our TigerTrax™ threat intelligence gathering platform to pull in security information from all over the web and social media sphere. And one of the things I notice constantly is data breaches and other security compromises that are caused not by poor security at the affected organizations, but by security failures in their supply chain. This week’s example is the Bizmatics hack that exposed the private health information of patients from institutions such as the Pain Treatment Centers of America and the Interventional Surgery Institute. It is still unclear if the hacker actually collected this information, but it is sure he had access to it. Since this information is protected under HIPAA and HITECH, there could be regulatory and legal consequences from the breach. And, ultimately, the responsibility for protecting this patient health information lies with the medical organizations affected, not Bizmatics. The name of the game here is performing “Due Diligence” when you chose and maintain relationships with a third party service provider or vendor. Did you examine their information security policies and assessment results? Did you check out their financial standing? Did you check their history to see if they have had problems in the past? Did you check with other users of their services to see if they have experienced any difficulties with the provider? Have you been performing such checks not just once, but on a recurring basis? If you have been performing due diligence in these matters, chances are you will fare well legally. If you haven’t, chances are your organization will suffer for it. Despite this, many organizations do not perform proper due diligence. They find it is difficult to get the information needed, and even if the information is available, they find accessing it uses up lots of man hours. This is an area where the new MicroSolved passive assessment platform can help. The platform employs the powerful TigerTrax™ platform to perform automated research, intelligence gathering and correlation from hundreds of sources, both public and private, that describe the effective security posture of organizations. And best of all, it performs these tasks very quickly and without touching the target’s network or systems directly in any way. So if yours is one of the organizations out there that is having trouble performing proper due diligence in choosing and maintaining supply chain relationships, try doing it the easy and effective way. Contact MicroSolved today and see how we can help.