THE IT SECURITY PROFESSIONAL |
Barlowtek
The It security Pro
Helping Organizations Understand IT Security
&
Best Practices
Growth of Ransomware Attacks: Strategies for Preventing & Isolating Them in Your Organization5/24/2021 As the days continue to drag on with the most resent high-profile ransomware attack here in the US (Colonial Pipeline that started on May 6th 2021), the east coast and the south are feeling the brunt of the effects of this recent attack the most. This is not a new thing; ransomware has been around for a few years now and organizations of all sizes should be prepared for its potential effects on their business. We have seen attacks against municipalities infrastructure and also governmental services as well. Ransomware is indiscriminate in who or what they attack, and let’s be clear here, these are individuals that are out to extort money from whomever and wherever they can. It is that plain and simple. This was a targeted attack on a system that was vulnerable. Preparation for Attack One of the key aspects that is coming to light after the initial shock of it is that the infrastructure that supports the US economy is the largest target on the face of the planet for these types of attacks. Whether it is the lack of a Patch Management Process, or simply using outdated and unsupported equipment, the attackers have done their research in preparation for the attack. Additionally, it was also revealed that they were able to exfiltrate a large amount of data prior to the attack taking place. Is this preparation for more to come? Paying the Ransom or Not? As most IT Security Pros know, the company or organization will have to determine what is in their best interests to do. Is it to pay the ransom and get on with your business, or is it better to work to find the culprits who are behind it, or even to simply replace the systems that have been locked? This is the biggest decision that must be made, and it can’t be made in a vacuum, it must be made in public. But this has consequences for either decision or the potential impacts those may have on the organization. Social Stigma The issue that seems to come up is what sort of publicity is going to be generated by the ransomware attack? The Colonial Pipeline attack has proven that this key infrastructure is vulnerable and that security measures must be taken in order to address them. It’s a terrible thing to have the world know that you have lack security measures in place and that your organization has been using outdated processes and equipment on a vital piece of infrastructure. What has come out in the last day (May 12th, 2021) is that Colonial Pipeline has told the world that they were not going to pay the ransom that was demanded of them. But as it turns out, they actually did, to the tune of over $5 million dollars. And when they got the key to unlock their systems, it didn’t work. Talk about having egg on your face! How will Colonial Pipeline explain what happened? Increasing Threats As organizations continue to keep quite on how much they are actually paying for the ransoms of their own information, attackers are ever increasing the amounts that they are asking for. As of the writing of this article, CNA Financial has recently disclosed that they have paid up to $40 Million dollars in order to obtain access to their information. (A link the article is provided below). This shows that depending on the organization that is targeted, it could end up being a huge payday for the criminals involved in the extortion. Stemming the tide of Infection One of the key components of ransomware is that it will usually migrate from system to system depending on the type and complexity of the infection apparatus that is being utilized. The following may be considered as ways of helping to stem the tide of infection and preventing more systems from being compromised:
The End User Delma When it comes to security of the network, the key factor in all of the outbreaks of ransomware has been the end user doing or downloading something that they know they should not. This education process comes in the form of Security Awareness training and how often it is performed. People are creatures of habit and curiosity, and so they will perform tasks without really thinking of the consequences that it may cause them. Here are a few of the ways that a potential ransomware attack can compromise your network:
Solutions
These are current solutions or ways in which to mitigate or lesson the potential impact of a ransomware attack:
Even with all the actions that have been provided here, organizations are still going to be compromised and will be held ransom for the data that they can’t access. This is also an ever-evolving area of IT Security and the IT Security Pro will need to know what it takes to help prevent an outbreak to their systems. No matter what strategy is employed by the organization, there will be a way to defeat it or work around it. The easiest way as pointed out above, is to focus on the end user and their potential actions when provided a compromised system of file. User education will allow the IT Security Pro to know where a potential attack may be coming from and what form it may be coming in. Educating the end user will help to secure up the frontline in the threat of a potential ransomware attack or may end up preventing one. Reference: www.theverge.com/2021/5/20/22446388/cna-insurance-ransomware-attack-40-million-dollar-ransom
0 Comments
As the investigation continues into the breach of the computer system for the Bruce T. Haddock Water Treatment Plant in Oldsmar, Florida on February 5th. What is becoming clearer is that this hack was due to several different failures in security that led to the site to be compromised by attackers. While the damage was little, it could have been a lot worse. Security Failures While this investigation into the breach of security is still ongoing at the time of this blog post, the common theme is that the facility was using older equipment with lax security protocols. These issues were compounded by the other and helped to provide a path for an attacker to take advantage of these vulnerabilities. Additionally, remote management software could connect to these systems without being blocked. Here is the list on known security failures as of this post:
While each of these failures are not the only reason for the compromise, all of them in conjunction with one another led to what could have been a serious issue if it were not for someone watching the system and taking corrective action to return the systems to normal. Attacker Accomplished The FBI was called in to investigate the compromise and found that the levels of sodium hydroxide in the water treatment had been raised from 100 parts per million to 11,100 parts per million for only a few minutes. This chemical is used to clear clogged drains and could have caused potential deaths if ingested by members of the public. Corrective Action Addressing the failures that have been identified by this attach should be remediated so that a similar type of attack does not occur. But this threat has showed what IT Security Pros already know, our infrastructure is not keeping up to date with evolving technologies. This creates vulnerabilities where it should be more secure. Municipalities are notorious for not updating or upgrading systems or software due to not having the funds to replace or update them. While taking corrective measures now will address these issues, this is a systemic issue that will only be solved when municipalities, and jurisdictions start taking security seriously and not putting off the much-needed upgrades and enhancements that are required to stay up to date. Microsoft for one puts out notices to the public to let them know that there is going to be an end-of-life date for its systems and applications. Why didn’t the municipality head those warnings and transition to supported hardware and software applications? Remaining Threat Due to the attention that this event is getting, it seems that these corrective actions will be taken as the city tries to deal with the fall out of it. But the underlying fact remains that all public utilities face, a crumbling infrastructure and the management systems that are needed to keep them up and running. This is a high visibility event, and the attention will be on the city to see how they handle these issues in the future. These remaining threats are going to continue to plague our technologically evolving infrastructure as well. As mentioned in infrastructure-security-securing-the-grid-of-the-future.html there are growing threats to the use of new technologies as well as securing the already well established infrastructure by upgrading the network hardware, software, and IT Security posture. Security for Infrastructure
Here are some of my recommendations for dealing with these same issues, whether you are a small business, or a large municipality, here are some commonsense guidance that you can follow: 1.Only use supported hardware/software This means to use only those systems and applications that are fully supported by the manufacturer and that if they are not, you replace them ASAP. This is one of the most common mistakes organizations make, waiting to upgrade later. Do not put it off, when it’s the end of life for a system or application, replace it. 2.Have a patch management program With the hardware and the OS not receiving updates on a regular basis, these systems continue to increase in the amount of risk and potential vulnerabilities that they pose to the organization. Have an established patch management program and update software and hardware systems as soon as the patches come out. This helps to limit vulnerabilities while also ensuring that potential risks are mitigated in a timely manner. 3.Establish Strong Security Policies/ Standards The need to establish strong policies and standards can’t be understated here. The use of the following types of characters should be used:
With all of these measures, access account passwords would be more complex and more difficult to potential cracks by an attacker. While no password is 100% secure, there are steps that administrators can take to improve the security of these accounts. 4.Restrict VPN Access to Key Systems This can be accomplished by preventing incoming connection requests from being responded to, or by securing systems behind a firewall or in a DMZ with restricted IP access points. While there may be ways in which these steps can be overcome, those steps are made more difficult than by not having them in place. This should be especially true to those systems such as a water purification plant or even an electric distribution center. Summary While nobody was killed during this attack and someone was quickly able to respond to changes within the purification process, it could have been much worse. Like a lot of other assets that are government owned and operated, our infrastructure is prime for being targeted by those that want to do our country or our cities harm. No matter what is found when the actual source of the attack is eventually discovered, this should be a wake-up call for all governmental organizations and jurisdictions that they can be compromised and that they need to be up to date with their security posture, just like in the private sector. The worst thing about this attack on the purification plant is that all these security issues should have been addressed a long time ago. Even if just upgrading and patching their systems could have helped deter a potential attack. Some of the simplest things make the biggest difference when it comes to these sorts of events. We can only hope that they employ a well-respected IT Security Pro to help them address these issues in the most effective and expedient manner possible. Reference Site abcnews.go.com/US/outdated-computer-system-exploited-florida-water-treatment-plant/story?id=75805550 |
IT Security ProSecuring the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure. Categories
All
Archives
January 2023
|