THE IT SECURITY PROFESSIONAL | Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
Atlanta ransomware follow-up - 04/02/2018

After my initial blog post about the SamSam ransomware taking Atlanta hostage, the one thing that keeps coming up is the impact that this one attack will have on other cities in the future. Several things stand out to me when I read about the attack.

First Things
This is the first time that a U.S. city has been attacked by ransomware and held hostage. (We have had hospitals' or private businesses' files held for ransom before.) This does not bode well for the initiatives introduced in recent years for the adoption of "smart cities" and the integrated architecture they will require. It leaves a huge question for those in government: what are you going to do about addressing the obviously HUGE issue of securing citywide networks? We are at least lucky that nobody has died as of yet from this attack (let's hope that is still the case when this is all resolved).

Secondly
What sort of fines or punishment can this group face if and when they are caught? This is a big issue, since this is new territory for ransomware. In addition, businesses and law enforcement have been teaming up to take down the bad guys, but other than making things tougher on the city employees, what crime was committed? I'm not condoning the actions of this group at all, and I think that they need to be caught and brought to justice. Nevertheless, so far there have been no reports of the exfiltration of any data outside of the city network. Is blocking access to the data on the city-owned servers by the use of specially designed malware just as much of a crime as deleting it (it's called obstruction of justice, Hillary)? The data still resides on the city servers; the users just can't access it.

Third Issue
With the potential for success in this situation for the attackers, is this going to spawn additional attacks? The answer to this question is an absolute "YES", and I believe that we will see larger targets affected and copycat attempts as well. While I believe that some will be successful, I also believe that some will not, and as the adversary changes how they operate, we will see a continuing lag in the response from IT Security Teams in responding to the threats.

Conclusion
While this is a situation that I would not wish on any of my colleagues, it is a learning experience that all of us need to take note of. Here are some questions to ask yourself:
Managing Threats
The area of Risk Management can be all-consuming and difficult to address because of all the variables that need to be included in the process. The process for addressing risk should be thought out ahead of time and then communicated to everyone with responsibility for the mitigation process. Having these discussions ahead of time keeps everyone on the same sheet of music when it comes to remediating the findings of an audit or some other process that identified potential risks.

Risk Identification
Organizations of various sizes try to identify risks as soon as possible and remediate them effectively in order to reduce the overall threat that the risks pose to the company. While some audits or review processes will quickly pick up potential risks, most businesses will accomplish this task with a vulnerability management application that scans the network assets to determine what risk they pose to the business. Some vulnerabilities pose a greater risk than others because of the severity of the potential impact or the amount of damage they might cause to the organization.

Risk Rating
Rating risks can be very subjective, and it is important to understand that different organizations and service businesses will rate the same vulnerability or risk differently. This is an issue for most organizations, since there is no single standard that they all go by, which causes a lot of confusion and leads to mislabeling of possible risks. A risk rating is needed by any IT Security Team in order to address the highest-risk areas first. As it turns out, there are a couple of ways to rate and score risks.

Qualitative vs. Quantitative
The main advantage of a qualitative impact analysis is that it prioritizes the risks and identifies areas for immediate improvement in addressing the vulnerabilities without requiring extensive financial analysis. The disadvantage of a qualitative analysis is that it does not provide specific quantifiable measurements of the magnitude of the impacts, which makes a cost-benefit analysis of any recommended controls difficult. The major advantage of a quantitative impact analysis is that it provides a measurement of the impact's magnitude, which can be used in the cost-benefit analysis of recommended controls. While determining risk can be a very subjective exercise, it can also lead to ways of helping your business or organization address risks or threats in a systematic manner. With all of the areas that IT Security personnel have to deal with, this process elevates any issues and takes the human factor out of the equation.

Mitigation Strategy
A mitigation plan will need to be developed for each of the identified potential risks to the business or organization. The mitigation strategy will be based on the potential impact of the risk and what would be needed to remediate the risk to the business. Some of the types of mitigation strategies are listed below:

Controls
Controlling risks to an organization is one of the keys to effective IT Security Management. Controls can be implemented in a variety of ways and may take many forms depending on the needs and the amount of risk that needs to be mitigated for the business to be within its comfort zone. The controls may be process changes or physical controls, such as magnetic door locks or secured manufacturing sites. Controls are developed and put into place to help the organization better manage its overall risk exposure. Logical controls and procedural controls are as important as the physical ones, since they affect how the business operates and how certain procedures are completed. One of these controls may be to implement a Change Management Board (CMB) to validate any change that is made to the network, including the addition or deletion of network resources. This one control may help to eliminate the risk to a business of making frequent changes to its network or affecting its customers.

Monitor
An important aspect of Risk Management that sometimes gets lost in the shuffle is the need to monitor the risk and the mitigation strategy used to lower the risk level. While some mitigation strategies will eliminate the risk altogether, others will leave some residual risk that cannot be transferred. These solutions will need to be monitored to make sure they are effective at reducing the risk they were designed for. Failure to monitor the remediation strategy may leave the business open to a greater threat than the risk originally posed. An improperly monitored remediation for a risk can be worse than not having a strategy at all.

Summary
Unidentified risks pose the largest threat to any organization, so it is important to identify them as soon as possible and to manage them effectively. This will help the business to better address further threats or vulnerabilities that may arise from the risk. Most of the data breaches that continue to happen occur because organizations don't address risks effectively. This gap is where the attackers focus their efforts, since it is the easiest area of the business to attack. Failure to have an effective and responsive Patch Management Program is a huge risk for a business; conversely, having an effective Patch Management Program can help to reduce an organization's overall risk exposure. It comes down to the organization's risk appetite and what it is willing or able to accept. In order to remediate a risk, the company will have to do something, and that something will cost money, time, and staff effort. Failure to do anything may be worse, since the organization knows about the risk but fails to take the required actions to mitigate it. It comes down to how the leadership of the organization wants to handle things, and this is the battle that IT Security Professionals have to wage on a daily basis.
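The Risk Rating and Qualitative vs. Quantitative sections above describe two ways to score a risk and note that only the quantitative side supports a cost-benefit analysis of a recommended control, while the Summary ties the final decision to the organization's risk appetite. Here is an added worked example, not code from this blog or from Barlowtek, that puts both ratings together for a few constructed findings: a 5x5 likelihood-times-impact score for the qualitative rating, the standard single-loss and annual-loss expectancy arithmetic (SLE = asset value x exposure factor, ALE = SLE x annualized rate of occurrence) for the quantitative side, and an assumed decision rule that mitigates when a control's annual net benefit is positive, accepts and monitors when it is not but the ALE sits within a stated risk appetite, and otherwise escalates the decision to leadership. The findings, dollar figures, rating bands, and the risk appetite value are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    """One identified risk. All values are constructed sample inputs."""
    name: str
    likelihood: int          # qualitative, 1 (rare) .. 5 (almost certain)
    impact: int              # qualitative, 1 (negligible) .. 5 (severe)
    asset_value: float       # value of the affected asset, in dollars
    exposure_factor: float   # fraction of asset value lost in one incident, 0..1
    aro: float               # annualized rate of occurrence without the control
    control_cost: float      # annual cost of the recommended control, in dollars
    residual_aro: float      # annualized rate of occurrence with the control in place


# ---- qualitative rating: likelihood x impact on a 5x5 matrix ----
def qualitative_score(f: Finding) -> int:
    """1..25 score; rejects values outside the 1..5 scale."""
    for v in (f.likelihood, f.impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be between 1 and 5")
    return f.likelihood * f.impact


def qualitative_rating(score: int) -> str:
    """Map the 1..25 score onto four bands (the band boundaries are an assumed convention)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


# ---- quantitative rating: standard SLE / ALE arithmetic, in dollars ----
def single_loss_expectancy(f: Finding) -> float:
    """SLE = asset value x exposure factor (rounded to cents)."""
    return round(f.asset_value * f.exposure_factor, 2)


def annual_loss_expectancy(f: Finding, aro: Optional[float] = None) -> float:
    """ALE = SLE x annualized rate of occurrence; pass a residual ARO to price the risk with a control in place."""
    rate = f.aro if aro is None else aro
    return round(single_loss_expectancy(f) * rate, 2)


def control_net_benefit(f: Finding) -> float:
    """Annual loss the control avoids minus what the control costs; negative means it does not pay for itself."""
    avoided = annual_loss_expectancy(f) - annual_loss_expectancy(f, f.residual_aro)
    return round(avoided - f.control_cost, 2)


# ---- putting both ratings together ----
def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest qualitative score first; the quantitative ALE breaks ties."""
    return sorted(findings, key=lambda f: (qualitative_score(f), annual_loss_expectancy(f)), reverse=True)


def recommend(f: Finding, risk_appetite: float) -> str:
    """Assumed decision rule, not the blog's: mitigate when the control pays for itself,
    accept (and keep monitoring) when it does not but the ALE is within the stated appetite,
    otherwise escalate the decision to leadership."""
    if control_net_benefit(f) > 0:
        return "mitigate"
    if annual_loss_expectancy(f) <= risk_appetite:
        return "accept and monitor"
    return "escalate"


def risk_register(findings: List[Finding], risk_appetite: float = 5_000.0) -> List[Dict[str, object]]:
    """One row per finding, in priority order."""
    return [
        {
            "finding": f.name,
            "rating": qualitative_rating(qualitative_score(f)),
            "ale": annual_loss_expectancy(f),
            "control_net_benefit": control_net_benefit(f),
            "decision": recommend(f, risk_appetite),
        }
        for f in prioritize(findings)
    ]


# Constructed findings (hypothetical assets and figures, not from any real assessment).
SAMPLE_FINDINGS = [
    Finding("Unpatched internet-facing file server", 5, 5, 500_000, 0.6, 0.5, 20_000, 0.05),
    Finding("Weak password policy on intranet wiki", 3, 2, 50_000, 0.2, 1.0, 12_000, 0.2),
    Finding("No badge reader on equipment store", 2, 2, 20_000, 0.5, 0.1, 8_000, 0.01),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_FINDINGS):
        print(row)
```

Run as a script, the register lists the file server first (Critical, ALE of 150,000 and a control that nets 115,000 a year, so mitigate), then the wiki (Medium, where the 12,000 control costs more than the 8,000 of loss it avoids yet the 10,000 ALE exceeds the 5,000 appetite, so the call is escalated), and last the badge reader (Low, where the control does not pay and the 1,000 ALE sits inside the appetite, so it is accepted and kept under monitoring). The point of the two-layer ordering is that the qualitative score decides what gets attention first without any financial input, while the ALE and control cost are what make the accept-or-mitigate decision defensible.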
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.