The rapid pace of change and confusion caused by the COVID 19 epidemic seems to have super charged the cybercriminals that continue to plague us. 2020 has seen a tremendous rise in the number and sophistication of ransomware attacks across the board. Also, the number and sophistication of phishing attacks, notably targeting Office 365 users, have also increased of late. In addition, the recent very successful supply chain attacks that affected high-value SolarWinds users were incredibly well conceived, coordinated and executed. These attacks required great cyber skill, meticulous planning and manual interaction and monitoring by the attackers. They should be of particular interest to utilities, since utilities may face the same level of sophistication if attacked by nation-state level cybercriminals.

Since cybercriminals have upped their game significantly, it behooves utilities to up their game as well. They need to make it very difficult for cybercriminals to get a foothold on their systems in the first place, and if those efforts fail, they need to be able to detect, react and recover from attacks quickly and surely.

However, utilities are in a particularly bad position to implement adequate operational and technical security controls to properly secure these systems. For one thing, industrial controls systems and components used by utilities are long lived and generally were not designed with network security controls in mind. They are hard to retrofit, and so must be replaced with modern equipment or be secured with operational controls rather that technical controls. One fix means money and time for new equipment, the other fix means money and time for increased personnel.

Another problem is that, one way or another, many utilities can be attacked from remote locations over the Internet. To be efficient, centralization of control systems has increased, and inevitably it seems, industrial control networks are linked up at some point with administrative networks and the Internet. So, if your back-room network and the personnel who use it aren’t perfectly vigilant, they can be used as a vector for attackers to access the industrial control system. Also, industrial control devices can often be administered directly over web-based applications. This makes another vector for clever attackers to take advantage of.

In my opinion, the answer to fixing the utilities security problem does not lie solely or even primarily in technological fixes. I think the most effective way to resist modern cyberattack is through implementing operational controls and ensuring there are enough well-trained personnel to implement them. For example, all possible routes of access to industrial control systems need to be fully mapped and updated constantly. Any access from the administrative network or the Internet to industrial controls systems needs to be strictly white-listed and monitored. Administrative-level access controls should be fully implemented, and networks should be configured so as to make lateral movement across the network or elevation of privileges extremely difficult to accomplish. Dual controls should be implemented where appropriate, and utilities should consider using all three possible types of identification for particularly sensitive access to the system (i.e. remote administration and control of systems, adding and removing users).

Embrace the latest in information security guidance, what we like to call “best practices” level security. It’s difficult, frustrating and expensive, but nothing compared to what could happen in the event a sophisticated, coordinated and wide-spread attack on our utilities occurred.

The ransomware problem just seems to be getting worse and worse. A recent study showed that ransomware increased from 39% to 51% just from Q2 to Q3 this year. This was record growth, and put ransomware attacks as one of the top threat vectors out there. But we have noticed that many organizations, including financial institutions such as wealth management firms and credit unions, have yet to include ransomware attack as a specific threat vector in their incident response plans. Because of this, we recommend that financial institutions should conduct a specific ransomware risk assessment to determine how this threat could impact them, and to examine the probable effectiveness of the security controls they currently have in place in ameliorating it.

When conducting such risk assessments, the organization should start with threats and threat vectors. For ransomware, the primary threat vectors according to CIS include:

• Malicious attachments or links sent in email messages.
• Network intrusion through poorly security ports and services, notably Remote Desktop Protocol (RDP) and Server Message Block (SMB).
• Dropped by other malware infections such as an initial TrickBot infection leading to Ryuk ransomware attack.
• Wormable and other forms of ransomware that exploit network vulnerabilities such as WannaCry.
• Employing compromised managed service providers to push ransomware to multiple entities.

In addition, attackers have been employing legitimate pen test and network administration tools as a part of their attacks. These tools can be used to help minimize detection and maximize the impact of attacks. Use of these tools as attack mechanisms is increasing the scope of attacks possible to cyber criminals. Just this week there was a report of a massive fraud operation using emulators that allowed attackers to steal millions of dollars from online banking accounts. Emulators are tools used by legitimate developers and researchers to test how apps run on mobile devices. Using these, criminals were able to spoof many thousands of accounts in a very short time, leading to massive illicit profits.

The next step in the risk assessment process is to examine your business processes and security controls to see where vulnerabilities that could be exploited by attackers to promulgate ransomware may lie. In other words, the organization should list the threat vectors (such as those listed above), and determine for each where the organization’s own systems may be vulnerable and what can be done about it if they are. Once that list is complete, the organization can decide if and how they are going to implement these needed controls.

One of the controls that is sure to arise from this process is proper incident response planning. Incorporating the results of your risk assessment can greatly enhance the organization’s ability to effectively detect and respond to ransomware attacks. Knowledge of how ransomware is going to come at you and the proper way to react to it is invaluable! And, as with any good incident response program, ransomware attacks should be included in incident response practice exercises. Lessons learned from these exercises will help to prevent chaos in the event of an actual ransomware attack against your organization.

It’s the end of the year again (already!), and as usual, there are lots of scams out there having to do with the holidays and tax time. Cybercriminals use such scams every year because they work. People are busy trying to shop and get ready for the holidays, and often become a little frazzled and careless. Prepping for tax time often just adds to these burdens. A perfect time to pull a scam! Here are a couple that were in the news this week.

This one was in Security News, and this is the gist: “Experts Urge Users to Ignore Facebook Christmas Bonus Scam. Identity theft experts are warning Facebook users to be on the lookout for a “Christmas bonus” scam which appears to be endorsed by their friends on the social network. Variations on these scams appear to have been circulating on Facebook since at least 2015. Most recently, users are being targeted by messages claiming to offer them a “Christmas bonus” or “Christmas benefit,” according to the non-profit Identity Theft Resource Center (ITRC). …Although there are variations on this theme, the bottom line is that the scammers want either victims’ personal information or their money, or both. They will usually ask for personal details in order to process the ‘bonus.’ They may also ask for a small ‘transfer fee’ in order to wire the winnings into the victim’s bank account”. Social media: always a ripe venue for scamming.

This is another one that was in Security News about a fraudulent IRS form. Here is a sample: “New IRS Form Fraud Campaign Targets G Suite Users. A new scam using an IRS form as its mechanism has been found targeting users of Google’s G Suite, with as many as 50,000 executives and “important” employees affected so far. The campaign, discovered and reported by researchers at Abnormal Security, claims to contain an IRS W-8BEN form in PDF format. The attached form asks for far more personal information than required on the actual W-8BEN, which is the form needed to maintain a nonresident tax-exemption status. While there is no malware payload attached to the email, providing all the requested information would give the attacker’s a treasure trove of personal info that could be used for identity theft and other fraud.”

Watch out for these and other scams like them. Never trust that simply because a website or document looks legitimate it really is. Smoke, mirrors and misdirection updated for the age of cybercrime!

I have written a number of blogs lately about the dangers of ransomware to all industries including the financial industry. Ransomware is proving to be the most dangerous and prevalent form of cyber attack today. Realizing this, the Bankers Electronic Crimes Task Force, State Banking Regulators and the United States Secret Service has developed and Ransomware Self-Assessment Tool to be employed by credit unions and other financial institutions to provide them with an overview of their preparedness towards identifying, protecting, detecting, responding and recovering from ransomware attacks. Many financial institutions already have, or soon will be, asked to complete this tool.

As many of you may recognize, “identify”, “protect”, “detect”, “respond” and “recover” make up the five functions of the Framework Core of the NIST Cybersecurity Framework. This is a good clue that credit unions would be wise to base their information security program on this framework if they wish to be proactively compliant with regulatory scrutiny and current “best practices” standards. In my blog post of December 3, I discussed the importance of embracing the Cybersecurity Framework if you want to resist ransomware attacks to the extent possible.

But the Self-Assessment Tool is not limited to questions about your adherence to this framework. In fact, the very first question in the tool asks if Center for Internet Security (CIS) controls are used to mitigate common cybersecurity attacks at your institution. Unless you have actually mapped your information security controls against CIS Top 20 you may not be able to answer this question. The current version of these controls is 7.1 and the control categories included are:

1. Inventory and control of hardware assets
2. Inventory and control of software assets
3. Continuous vulnerability management
4. Controlled use of administrative privileges
5. Secure configuration for hardware and software on mobile devices, laptops, workstations and servers
6. Maintenance, monitoring and analysis of audit logs
7. Email and web browser protection
8. Malware defenses
9. Limitation and control of network ports, protocols and services
10. Data recovery capabilities
11. Secure communication for network devices, such as firewalls, routers and switches
12. Boundary defense
13. Data protection
14. Controlled access based on need to know
15. Wireless access control
16. Account monitoring and control
17. Implement a security awareness and training program
18. Application software security
19. Incident response and management
20. Penetration tests and red team exercises

Mapping your controls against the Top 20 is not only useful in responding to the Self-Assessment questionnaire, but is another good way of comparing your information security program to best practices recommendations.

However, the Self-Assessment tool does not stop there. To complete the tool, you will have to have to be able to pinpoint the location of your critical data and who manages it, identify third party vendors who have remote access to your network, identify how all your administrative and user-level access controls are implemented and much more.

If your credit union needs to prepare for responding to this tool, I highly recommend starting out by mapping your information security program to the NIST Cybersecurity Framework and the CIS Top 20 controls. Doing such will pay benefits far beyond completing the tool itself.

Over the last months I have written several blogs concerning the burgeoning problem of ransomware attacks. Ransomware has been evolving rapidly of late and is liable to explode. According to Kapersky’s predictions for cybercrime in 2021, “cybercrime is set to evolve, with extortion practices becoming more widespread, ransomware gangs consolidating and advanced exploits being used to target victims.” When you add to this such problems as rising business email compromise problems and the difficulties of information security in the age of Covid, you can picture a pretty bleak outlook for data breaches and ransomware attacks next year.

Unfortunately, compromised business email information, weak remote working security practices and advanced vulnerability exploits can all be employed by organized gangs of cybercriminals to perpetrate ransomware; a type of attack that can present businesses with no-win solutions. If you pay the ransom, what is to keep the cybercriminals from revealing your stolen information publicly anyway, or coming back to you again with additional demands for money? If you pay, you can also possibly be in violation of U.S. laws and regulations. If you don’t pay, your private client information could be exposed publicly, possibly exposing you to regulatory sanctions and legal actions.

Of course, the best protection possible is to harden your business and personnel against successful social engineering attacks and cyber exploits. The problem is, no matter how good your information security program, you still may be compromised. To protect your business responsibly in this environment, you need to embrace all aspects of a good information security program: identify, protect, detect, respond and recover. These activities make up the framework core of the NIST Cybersecurity Framework (Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (nist.gov).

Identify basically refers to knowing your business. It includes asset management (i.e. software and hardware inventories), examining the business environment, identifying risk, coming up with a risk management and governance strategy and examining supply chain and third-party risk. If you don’t know your business deeply and exactly, you have little chance of protecting it properly.

Protect refers to all those programs you put in place to prevent cybercriminals from compromising your systems and information in the first place. These functions include access controls, data security measures (i.e. protection for data at rest and in transit), information protection processes and procedures (i.e. configuration and change management control, security policies and procedures, etc.), protective technologies (i.e. email security systems, SIEM, etc.), security maintenance (i.e. patching and updating), and the ever-important security awareness and training.

This leads into the “detect” part of the framework. As we have pointed out in past blogs, all the security systems in the world won’t keep you safe if you don’t actually monitor them and leverage their output to detect anomalies when they occur. And to perform this function properly, you need to involve humans. The human mind remains the most effective detection tool there is.

The last two parts of the framework core are “respond” and “recover”. These basically refer to your incident response and business continuity/disaster recovery programs. As was stated earlier, no matter how good your program is, there is always the possibility of compromise. That is why responding quickly and effectively is so important. This entails both planning and practice. As does business continuity/disaster recovery. Proper planning and realistic testing programs are essential.

Cybercriminals are looking forward to their best year ever in 2021. Do what you can to thwart their ambitions. A good, well rounded information security program is the best you can do in this respect. We recommend embracing the paradigms included in the NIST Cybersecurity Framework in this effort for their clarity, effectiveness and relative ease of implementation.

No matter what industry you are in, you need to practice emergency procedures to build proficiency and identify glitches in your planning. For example, we all went though fire drills back in grade school, or if you’ve been on a cruise ship, you have received lifeboat drills. These kinds of exercises have proven their worth time and again over the years. For wealth management firms, one such program that needs practice exercises is the incident response program. And tabletop incident response exercises are an effective way to conduct these practices.

We at MSI have had years of experience in developing and conducting tabletop incident response exercises for organizations in a number of industries. In the financial industry, the most prevalent and dangerous attack type currently is ransomware. Ransomware attacks can lead to data breaches, lawsuits, regulatory involvement, loss of reputation and financial loss. Let MSI assist your firm in tabletop exercises designed to test your response preparations and to make adjustments and improvements in your response.

First, we will work with your firm to design a real-world ransomware attack scenario that is relevant to your particular organization. From there we will construct the scenario and set a time with your firm to conduct the exercise. MSI will provide two personnel for the exercise: the exercise moderator and the exercise observer/recorder. It should be noted here that these exercises can be conducted in either the real or virtual world. During these days of pandemic emergency this can be an important consideration.

Once the tabletop begins, the moderator will unfold the details of the exercise one by one, just as they’d come to notice if a real incident were occurring. Your incident response team will then follow your incident response plan, communicate with each other and relate just how they would address each issue as it unfolds. As the exercise continues, the moderator will continue to introduce complexities built into the ransomware exercise scenario. Once the exercise concludes, MSI will help your team conduct a “lessons learned” discussion that points out what worked well during the exercise and what didn’t seem to work well and needs improvement. Finally, your firm will receive a report from MSI recapping the exercise and including suggestions for improving your response techniques and mechanisms.

In our experience, incident response tabletop exercises have never failed to expose flaws in the incident response plan. These exercises also lead to spirited discussion and innovative thinking among the team members. Remember, the key to minimizing the negative effects of any cyber-attack, including ransomware attack, is quick and accurate response.

If your wealth management firm suffers a ransomware attack, should the firm pay the ransom or not? This seems like a straight-forward question, but in reality, is anything but. A number of factors have to be taken into account, including what kind of ransomware attack you have suffered, the possible financial costs associated with the attack and the attack aftermath, the possible reputational damage and attendant loss of clients, and also legal and regulatory consequences that may arise from the attack.

Let’s start by looking at the two main types of ransomware attacks your firm might encounter. In the “traditional” ransomware attack, cyber-criminals break into your network and encrypt your important data so that you cannot access it without the key they used. They then demand a ransom payment for this key. This is an attack on only one of the three pillars of information security: availability. If your firm doesn’t have safely stored backups, you must pay or suffer likely permanent loss of your data. If your firm has safely stored backups, all you have to do is restore your system from these backups. The decision to pay or not in this case seems simple for a wealth management firms: if you pay you get your data back quickly. If you don’t pay, you still get your data back, but not so quickly. It may take days to go through the restoration process. If you think your clients will stand for this downtime, you don’t pay. If you don’t think the business interruption will be tolerated, then maybe it is better to pay and take the financial loss.

The other type of ransomware attacks we’re seeing today are not so simple. If your important data is not properly encrypted, the attackers may not only re-encrypt your data, they may also copy it and threaten to release it publicly if they are not paid. This is a much thornier problem because it also affects another pillar of information security: confidentiality. Financial institutions are heavily regulated and are required to adequately protect the confidentiality of their client’s financial and personal private information. If the firm pays the ransom, they may get the key to unencrypt their data and a promise not to post this data publicly. But what level of trust can you put in the word of criminals?! What is to prevent them from publicly releasing the data anyway, or keeping the data and demanding further payments in the future? This complicates the decision to pay or not considerably. If the firm doesn’t pay the ransom, they are in for public scandal that might cause present clients to go elsewhere and prospective clients to choose a different firm. They may also be subject to regulatory sanction if their information security program is judged to be inadequate. In addition, the firm may be sued by affected clients which can lead to even more scandal and reputational loss.

But wait, there is more! Paying the ransomware is actually illegal is some instances. Under the International Emergency Economic Powers Act or the Trading with the Enemy Act, U.S. persons are generally prohibited from engaging in transactions with individuals or entities that are on OFAC’s Specially Designated Nationals and Blocked Persons List or with persons from embargoed regions and countries (see the Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments at https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf for more information). And how is the firm to know if the blackmailers they are dealing with are among those on the proscribed list? I would hate to have to be the one to make the decision to pay ransomware or not in these cases. To quote an old cliché, these decision makers are caught between a rock and hard place!

There is no simple, easy or right decision to make if your firm is caught up in this second type of ransomware attack. The real answer is to not be in such a position in the first place. Financial firms should ensure that their information security program is compliant with regulatory and best practices standards at all times. You should ensure that your data is properly encrypted and backed up, patch and update your systems religiously, test and monitor your systems and ensure that your partners and services providers are doing the same. To quote another old cliché: an ounce of prevention is worth a pound of cure!

Credential stuffing is a truly thorny security problem that exploits weaknesses in both human nature and Internet access controls. A credential stuffing attack is using user name/password combinations stolen from one website to try to gain access to other websites. It exploits the tendency of all of us to use the same passwords for multiple websites. Although this is a human weakness, it is also perfectly understandable; it is tedious and difficult to remember many complex passwords. It is also difficult to reliably protect password lists that are in any way accessible over the Internet. I see many articles about password management tools or cryptographic techniques that have been compromised while preparing the MSI Infosec Précis. Even MFA is not invulnerable. Attackers have come up with a number of different MFA bypass attacks lately, and more are certain to follow. Couple all this with the fact that there already are literally billions of user name/password pairs available for sale out there that have already been compromised, and you can see why credential stuffing is such a danger to the security of our private information. It is used constantly by attackers to gain the network foothold they need to launch further attacks such as Ransomware.

How are you supposed to protect yourself and your business from password stuffing attacks? The best solution is for everyone to use strong, unique passwords for each different online account they have. Good luck with that! Even the best of us get lazy or stupid once in a while. Or you can (and probably should) employ strong password managers and MFA. These are good techniques that are largely successful. But as I stated above, even these techniques are not sacrosanct. So, if you can’t stop credential stuffing attacks, you had better be able to detect them quickly and react appropriately.

One way to detect these attacks is through monitoring and analysis. As Scott Matteson, the man who coined the term “credential stuffing,” recommended in a 2019 interview: “Monitor your business metrics for signs that you may already be experiencing credential stuffing or other automation attacks, including poor or declining login success rates, high password reset rates, or low traffic-to-success conversion rates.” Plus: “Analyze the hourly pattern of traffic to your login and other attackable URLs for traffic spikes or volume outside of normal human operating hours for your markets: Real users sleep, automated attacks do not.”

In addition, there are tools and services available that can help you detect password stuffing attacks. As the MSI CEO, Brent Huston, discussed in his blog posted on November 11, MicroSolved’s data leakage detection engine ClawBack™ is one such tool that is useful in detecting stolen credentials that show up on pastebin sites or that have been leaked inadvertently through a variety of ways.

However, detection is not enough. You also need to be able to react quickly and surely when a leak has been detected. This means incorporating credential stuffing into your incident response (IR) plan. The incident response team as a whole should discuss response methods, incorporate them in the written IR plan and include them in their periodic IR training sessions. The combination of awareness of the credential stuffing problem, implementation of rational protection and detection mechanisms and documented response measures are a combination that can help your organization protect itself to best effect.