THE IT SECURITY PROFESSIONAL | Barlowtek
The IT Security Pro
Helping Organizations Understand IT Security & Best Practices
Growth of Ransomware Attacks: Strategies for Preventing & Isolating Them in Your Organization
5/24/2021

As the days continue to drag on with the most recent high-profile ransomware attack here in the US (Colonial Pipeline, which started on May 6th 2021), the east coast and the south are feeling the brunt of the effects of this attack the most. This is not a new thing; ransomware has been around for a few years now and organizations of all sizes should be prepared for its potential effects on their business. We have seen attacks against municipal infrastructure and against governmental services as well. Ransomware operators are indiscriminate in who or what they attack, and let’s be clear here: these are individuals who are out to extort money from whomever and wherever they can. It is that plain and simple. This was a targeted attack on a system that was vulnerable.

Preparation for Attack
One of the key aspects coming to light after the initial shock is that the infrastructure that supports the US economy is the largest target on the face of the planet for these types of attacks. Whether it is the lack of a Patch Management Process, or simply using outdated and unsupported equipment, the attackers have done their research in preparation for the attack. Additionally, it was also revealed that they were able to exfiltrate a large amount of data prior to the attack taking place. Is this preparation for more to come?

Paying the Ransom or Not?
As most IT Security Pros know, the company or organization will have to determine what is in its best interests. Is it to pay the ransom and get on with your business, or is it better to work to find the culprits behind it, or even simply to replace the systems that have been locked? This is the biggest decision that must be made, and it can’t be made in a vacuum; it must be made in public. Either decision has consequences and potential impacts on the organization.
Social Stigma
The issue that seems to come up is what sort of publicity is going to be generated by the ransomware attack? The Colonial Pipeline attack has proven that this key infrastructure is vulnerable and that security measures must be taken in order to address it. It’s a terrible thing to have the world know that you lacked security measures and that your organization has been using outdated processes and equipment on a vital piece of infrastructure. What has come out in the last day (May 12th, 2021) is that Colonial Pipeline told the world that they were not going to pay the ransom that was demanded of them. But as it turns out, they actually did, to the tune of over $5 million. And when they got the key to unlock their systems, it didn’t work. Talk about having egg on your face! How will Colonial Pipeline explain what happened?

Increasing Threats
As organizations continue to keep quiet on how much they are actually paying in ransoms for their own information, attackers keep increasing the amounts they ask for. As of the writing of this article, CNA Financial has recently disclosed that they paid up to $40 million in order to regain access to their information (a link to the article is provided below). This shows that depending on the organization that is targeted, it could end up being a huge payday for the criminals involved in the extortion.

Stemming the Tide of Infection
One of the key components of ransomware is that it will usually migrate from system to system, depending on the type and complexity of the infection apparatus being utilized. The following may be considered as ways of helping to stem the tide of infection and preventing more systems from being compromised:
The End User Dilemma
When it comes to security of the network, the key factor in all of the outbreaks of ransomware has been the end user doing or downloading something that they know they should not. This education process comes in the form of Security Awareness training and how often it is performed. People are creatures of habit and curiosity, and so they will perform tasks without really thinking of the consequences. Here are a few of the ways that a potential ransomware attack can compromise your network:
Solutions
These are current solutions or ways in which to mitigate or lessen the potential impact of a ransomware attack:
Even with all the actions that have been provided here, organizations are still going to be compromised and will be held ransom for the data that they can’t access. This is also an ever-evolving area of IT Security, and the IT Security Pro will need to know what it takes to help prevent an outbreak on their systems. No matter what strategy is employed by the organization, there will be a way to defeat it or work around it. The easiest way, as pointed out above, is to focus on the end user and their potential actions when presented with a compromised system or file. User education will allow the IT Security Pro to know where a potential attack may be coming from and what form it may take. Educating the end user will help to shore up the frontline against a potential ransomware attack, or may end up preventing one.

Reference: www.theverge.com/2021/5/20/22446388/cna-insurance-ransomware-attack-40-million-dollar-ransom
Holding your data hostage: What you can do to prevent the impact of ransomware on your business
4/19/2018

Preparing for Disaster
When it comes to security issues hitting the news, nothing these days has the impact of a ransomware attack that has locked up a company’s data and demanded a Bitcoin ransom. While there are several schools of thought on this topic, what keeps the IT Security Professional up at night is whether the company or organization will pay the ransom or not. Moreover, what would happen to the business? What steps can we take to protect our data now? While this may seem to be an area best decided at the top levels of the business, there are actions that you can take right now that can at least limit the impact to the company. While nobody wants to be a victim of a ransomware attack, you should at least prepare for it in case it does happen to you.

Decisions, Decisions
Many companies or organizations will just pay the ransom and not let anyone know that they have been attacked or compromised. There are several reasons that a company may choose to do this, but this action only emboldens the attackers to continue their efforts to attack networks. Senior management will have to make the ultimate decision as to what they will do, but hopefully it is the right one for the business.

Why Pay?
When an organization has failed to take what some would call "basic precautions" to reduce its overall risk to this type of threat, the impetus would be to pay the ransom, since it does not know whether it would be able to recover the encrypted data that is being held hostage. It comes down to limiting the impact to the business and preventing any impact to the reputation of the organization. How critical the data being held is also factors into the decision-making process. The industry the organization works in may also affect this process, with hospitals, banks, and public services being the industries where it is most difficult to provide rapid access. Hindering access could mean the difference between a loss of life or, in most cases, a loss of potential business for the company or service provider.

Preventive Action Plan
Protecting your organization from a ransomware attack begins with having a plan in place that addresses what steps you will take to reduce your overall risk to this threat and what steps you will take if you are compromised. Some areas of focus are listed below:

1. Employee Training/Communication
Employees are our frontline troops in this battle against ransomware and they need to be informed. We rely on them to notify us if they start seeing something wrong on the network. Having a training session or communications sent to the employees on a regular basis will keep them informed as to the possible threat.

2. Patch Management
Installing patches and updates on a regular basis is one area that some organizations have difficulty accomplishing. This is an area that can be a huge risk for an organization and one that could do a lot to prevent a compromise. Patches should not only be deployed, they should also be verified as effective. Following up and auditing the process should also happen to ensure that the organization is doing all it can to protect against this threat.

3. Malware Protection
Antivirus applications or systems should be deployed throughout the network, and especially on all endpoints (servers, workstations, mobile devices). These applications should be updated on a regular basis and should be running at all times. Ransomware can strike without leaving a trace, and most antivirus applications use some sort of signature identification process in order to flag the malware.

4. Network Scanning/Monitoring
The use of a network monitoring system should also be looked at as a way to always be on the lookout for the potential threats that are out there, including ransomware. Heuristics (behavioral analysis) is becoming a way that some new services alert the security staff of a company to a compromise. Monitor not just the access or specific actions taking place, but also the activities as a whole.

5. Data Backups
This should be a no-brainer, but unfortunately, it is not. Back up your data and have both your critical and non-critical information secured and available for when you need it. Ransomware should be treated as a disaster and should be included in your man-made disaster threats.

6. Testing Backup Plan
Not only should an organization have a backup plan, but the plan should be tested as well to make sure that it works as intended. Validate the backups and the processes. This will help build confidence in your process and systems.

7. Vulnerability Monitoring
Review and conduct assessments of your organization’s security posture and the processes you have in place to deal with potential threats. Conduct scans against the network, looking not just at the systems but also at the software applications that are running on them.

Documenting a Ransomware Attack
You should document the specific steps that the organization takes when a ransomware attack has been detected and how it responds. All of the processes should be in very clear detail (this may be used in court or for further investigations depending on the type of information that has been compromised). Ransomware can spread, and once an infection has been detected, the goal should be to contain it and limit the spread.

Summary
While ransomware is a huge threat to any organization, it is possible to deal with it and lessen the impact to your business. While there are many decisions to be made in how to deal with your data being held hostage, businesses have recovered and continue to thrive. Do not let the impact of a ransomware attack stop your organization. If you take some of the steps that I mentioned here in this blog, you might be able to keep your data safer than it is today.
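Item 4 of the plan calls for behavioral (heuristic) monitoring, and the documenting section says the goal once an infection is detected is to contain it and limit the spread. The following is an added example, not code from this blog, showing one such heuristic in Python: it scores constructed file-activity events by content entropy and ransom-style renames, and names the host that should be isolated when many distinct files turn suspicious inside a short window. The event layout, the suffix list and the thresholds are assumptions for illustration.

```python
import math
from collections import defaultdict, deque

# Constructed sample data, not a real incident: (timestamp_s, host, op, path, payload or None)
HIGH_ENTROPY = bytes(range(256)) * 4               # stands in for ciphertext output
PLAINTEXT = b"Quarterly figures, draft 3. " * 40    # ordinary document content
RANSOM_EXTS = (".locked", ".encrypted", ".crypt")  # illustrative suffixes, assumed

def shannon_entropy(data):
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_suspicious(event, entropy_floor=7.5):
    """A rename to a ransom-style suffix, or a write whose content looks like ciphertext."""
    _, _, op, path, payload = event
    if op == "rename":
        return path.endswith(RANSOM_EXTS)
    return op == "write" and payload is not None and shannon_entropy(payload) >= entropy_floor

def hosts_to_isolate(events, window_s=60, distinct_files=10):
    """Flag a host once `distinct_files` different paths show suspicious activity inside any
    `window_s` sliding window: one high-entropy write (a zip) is normal, dozens a minute is not."""
    flagged = set()
    recent = defaultdict(deque)  # host -> (timestamp, path) pairs, oldest first
    for ev in sorted(events, key=lambda e: e[0]):
        if not is_suspicious(ev):
            continue
        ts, host, _, path, _ = ev
        q = recent[host]
        q.append((ts, path))
        while ts - q[0][0] > window_s:   # drop entries that fell out of the window
            q.popleft()
        if len({p for _, p in q}) >= distinct_files:
            flagged.add(host)
    return flagged

def sample_events():
    """ws-02 does ordinary work; ws-07 encrypts 12 files on a share in 36 seconds."""
    events = [(0, "ws-02", "write", "/share/report.docx", PLAINTEXT),
              (5, "ws-02", "write", "/share/archive.zip", HIGH_ENTROPY)]
    for i in range(12):
        events.append((100 + 3 * i, "ws-07", "write", f"/share/doc{i}.xlsx", HIGH_ENTROPY))
        events.append((101 + 3 * i, "ws-07", "rename", f"/share/doc{i}.xlsx.locked", None))
    return events
```

Running `hosts_to_isolate(sample_events())` returns `{"ws-07"}`: the single compressed archive on ws-02 stays below the threshold, while the encrypt-and-rename loop on ws-07 is the host to cut off from the share.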
Atlanta ransomware follow-up
04/02/2018

After my initial blog about the SamSam ransomware taking Atlanta hostage, the one thing that keeps coming up is the impact that this one attack will have on other cities in the future. There are several things that stick out to me when I’m reading about the attack.
First Things
This is the first time that a U.S. city has been attacked by ransomware and held hostage. (We have had hospitals’ or private businesses’ files held for ransom before.) This does not bode well for those initiatives that have been introduced in recent years for the adoption of “smart cities” and the integrated architecture that they will require. This leaves a huge question for those in government: what are you going to do about addressing the obviously HUGE issue of securing citywide networks? We are at least lucky in that nobody has died as of yet from this attack (let’s hope that is still the case when this is all resolved).

Secondly
What sort of fines or punishment can this group face if and when they are caught? This is a big issue since this is new territory for ransomware. In addition, businesses and law enforcement have been teaming up to take down the bad guys, but other than making things tougher on the city employees, what crime was committed? I’m not condoning the actions of this group at all, and I think that they need to be caught and brought to justice. Nevertheless, there have so far not been any reports of the exfiltration of any data outside of the city network. Is not permitting access to the data just as much of a crime as deleting it (it’s called obstruction of justice, Hillary) by the use of specially designed malware off the city-owned servers? The data still resides on the city servers; the users just can’t access it.

Third Issue
With the potential for success in this situation for the attackers, is this gonna spawn additional attacks? The answer to this question is an absolute “YES” and I believe that we will see larger targets affected and copycat attempts as well. While I believe that some will be successful, I also believe that some will not, and as the adversary changes how they operate, we will see a continuing lag in the response from IT Security Teams in responding to the threats.
Conclusion
While this is a situation that I would not wish on any of my colleagues, it is a learning experience that all of us need to take note of. Here are some questions to ask yourself:
It’s been well over a week now since the City of Atlanta, Georgia disclosed that it has been under a ransomware attack that has crippled key services. The city is being held hostage until it pays $50,000.00 in Bitcoin to the hackers who infiltrated the network. The attackers are forcing the police, water bureau workers, and maintenance crews to go back to basics and spend hours writing things out on paper.
While the ransomware has shown that there are vulnerabilities in organizations of any size, this is especially troubling when it is against those services that we all depend on. While there is an inconvenience to all because of the attack, ultimately Atlanta will get on with the business of taking care of the citizens of the city.

Municipal Vulnerabilities
While businesses are able to address issues that come their way in a timely manner, municipalities of all sizes run into the issue of needing to do more for less. This is one of the reasons that governmental agencies, organizations, or municipalities are so vulnerable to this type of attack. They spend their resources on helping their citizens, but IT Security is an area that seems to have been left behind on the way to making access more convenient. The issues can be varied depending on who you are talking to, but it will most likely come down to money or grants that will help pay for the needed improvements. While that is not an excuse for failing to protect a public network, it is the one most often identified. If they had taken care of their security needs earlier, they would not be in the position they are in now.

Process Improvements
If there is any particular area that stands out in this attack, it has to be that the vulnerabilities that SamSam took advantage of have been known for a while. The IT Security group responsible for protecting the network failed to apply patches and update systems that had these vulnerabilities. The reason that will no doubt be given is that they were understaffed or did not have the resources to do all the work that needed to be done. This can be addressed by changing some of their processes and focusing on the key areas that a business would focus on.
Aftermath
While this incident is still playing out and the ending still has to be written for the City of Atlanta, other jurisdictions should take note of how they react to this attack. Whether it is the lack of resources or overworked personnel that are blamed for the ransomware attack, regardless, we can do better and we must. This should be a wakeup call for both cities and states on the need to focus on hardening their infrastructure in order to prevent these types of attacks from occurring. Taking preventive steps in advance and addressing vulnerabilities as they are discovered could have gone a long way in protecting the Atlanta city network.
IT Security Pro: Securing the future one byte at a time! Mr. Barlow is here, staying ahead of the curve in Information Security Leadership. Ready to help your company stay safe and secure.