What’s HOT What’s NOT: Cyber Security 2018

What are the main cyber security trends and focus areas for IT Managers and Chief Security Officers so far in 2018?

One thing we know for sure is that cyber security won’t be taking a lower profile as IT embeds itself at the core of organisations becoming a true business enabler.
IT is at the core of organisations and if there is a glitch then the business impact is profound. It is therefore beneficial to be able to focus limited resources and efforts on the priorities that will really make the biggest difference.
So the question is what will be HOT and what will NOT in 2018. The list below, while not being exhaustive, gives a focus on what you should be prioritising.

HOT

  • GDPR
  • Ransomware
  • Cloud

NOT

  • Anti-Virus
  • VPNs

HOT: GDPR

25th May 2018 is the date the GDPR will come into force. The regulation will affect literally every organisation that holds personal data. With the increasing regulatory powers for investigation and enforcement, firms not complying with the regulation could face severe penalties.
GDPR must, therefore, be high on the list of business priorities and a comprehensive approach to GDPR compliance will necessitate a comprehensive review of policy, process and technology.
In a recent article we discovered that 52% of medium sized business have NOT made changes/prepared for GDPR!

NOT: Anti-Virus

In the face of the new breed of sophisticated, adaptable forms of cyber attacks, traditional Anti-Virus is becoming redundant. The approach of traditional Anti-Virus, which is based on signatures, relies on threats having been detected and updates being propagated to clients before an attack occurs.
Organisations need multiple layers of protection to stand any chance of detecting and blocking new threats, some of which can dynamically probe and adapt to the host environment.
Anti-Virus is still essential, especially if it also monitors for abnormal behaviour. However, if it is your primary line of defence, expect the worst: as Robert Mueller says, you will be attacked, and depending solely on Anti-Virus increases the likelihood of it happening sooner and more frequently.

HOT: Ransomware

2017 saw the spread of global ransomware variants Wannacry and Nyetya. Wannacry made significant parts of the NHS powerless while Nyetya caused major losses for businesses. Fedex counted losses in excess of $300m and at one stage had to resort to WhatsApp for internal communications due to compromised email systems.
The ransomware ‘business model’ has stepped up a notch with it being made available to buy as a service. The avatar of the attacker has suddenly changed from a stereotypical hoody wearing geek to just about anyone who can pay with some Bitcoin.
Ransomware has been the most profitable form of cyber attack to date, and franchising it has cemented its pole position as the number one threat in 2018.

NOT: VPNs

Statistics indicate that nearly 50% of workforces are mobile, meaning they access their organisation’s IT applications from locations remote from the organisation’s offices. The ubiquitous VPN has been the secure way of connecting.
With the various flavours and increasing range of users requiring connections, VPNs are becoming a greater management overhead and an increasing security risk, especially if the controls are not kept up to date with the threats.
A need for a more sophisticated and granular method of providing remote access is emerging where users are connected only to what they require, when they require it and furthermore their security posture is established even before they are allowed any connectivity.

HOT: Cloud

Organisations having realised the benefits of cloud adoption have embraced it while mitigating the risks as best they can. The benefits of the cloud in many instances include lower operational costs, agility, increased resilience and scalability.
Cloud adoption is also well suited to the growth of a mobile workforce who need anytime anywhere access to their applications. Securing the cloud data and user access is however an area of cloud implementation that is emerging as a focus area that businesses have not paid sufficient attention to.
Technologies such as secure DNS and the secure Internet gateway are solutions that are highly likely to gain a lot of traction as organisations audit and protect cloud connectivity from a range of emerging cyber threats.

There will inevitably be questions about security topics such as BlockChain, IoT and Phishing, just to name a few. Let us know how your list would be different.

Trial Cisco Umbrella for 14 Days, completely free and no obligations!

If you have read the last few updates you should now have a deeper understanding of Cloud Security, that’s great! But what can YOU do about it? 

We are offering a 14 day trial of Cisco Umbrella, the industry’s first Secure Internet Gateway in the cloud.

Cisco Umbrella provides the first line of defence against threats on the internet. Because Umbrella is delivered from the cloud, it is the easiest way to protect all of your users in minutes.

It takes no time to install and you don’t have to provide any payment details (or even have a phone call).

So what’s to lose? 

Want a Quick Win? Secure your DNS

 

Ransomware is currently the number one form of cyber attack due to its profitability and simplicity in execution. It is now evolving as a business model where any ‘Joe Bloggs’ can buy ransomware code for a monthly fee – ransomware as a service. Ransomware thrives partly because of bitcoin and the associated anonymity of attackers who get paid via an untraceable cryptocurrency transaction. The stages of a typical ransomware attack include:

  • Stage 1 – Infection: ransomware always starts with a malware infection of a host, via phishing attacks or a website hosting malware
  • Stage 2 – Command and control setup stage: this handles the key exchange process to encrypt the files on the infected host
  • Stage 3 – Extortion stage: payment of the ransom and then ‘hopefully’ getting the key to decrypt the encrypted files

 

Ransomware is constantly evolving and not being breached yet is no guarantee that it won’t happen in the future.

 

Many organisations are using hope and anonymity as a risk mitigation strategy against ransomware – assuming they are small and have not been attacked yet. The fact is that the supply chain is now an increasing focus of malware attacks as a means of accessing valuable data through the back door of larger enterprises.

 

 

Anti-Ransomware Best Practices

 

As with every effective security approach, you need a policy and a risk assessment of the threats, so this is a given before we get into the type of approach and solutions that need to be in place. Please see some of our previous blogs or check out the NCSC website for some invaluable resources.

 

Phishing can be very sophisticated making it hard to tell if a link is bad or not. Effective protection cannot rely solely on end users, it must be engineered into the system with the right protection mechanisms correctly configured.

 

To start off with, you need good anti-spam, anti-phishing and web controls to control the Internet traffic; this could be incorporated into a good endpoint protection solution. Use an email and malware analysis gateway to inspect executables for malware. The gateway should be configured to block files if there is any doubt about their authenticity. It is better to stop/delay web downloads so that they can be inspected and properly classified than to run the risk of infection.

 

78% of attacks exploit phishing so it is a good thing to correlate known exploits to the vulnerabilities in your organisation and prioritise patching based on known exploits.

Use network analysis and visibility tools to analyse traffic on the network so you can see what is changing and be alerted to abnormal behaviour.

 

If you do get infected, have effective Backup and DR policies and processes, and ensure that the recovery procedure has been tested and works.

 

DNS Security is the Quick Win

 

92% of cyber attacks make use of DNS at some stage or another through the execution of the attack. DNS is therefore the greatest opportunity to secure your network while having an immediate impact.

 

What if your systems know that a website URL a client is trying to access via DNS resolution is a bad site, hosting malware? You could just block it and prevent any interaction with the malware in the first place. This form of protection can be immediate with no impact on client or application performance.

 

A web based infection is usually a 2 step process –  which redirects your web browser to another domain created using an exploit kit which finds a vulnerability in say Flash or Silverlight. The malware will then do a command and control (CnC) call back using DNS resolution to get an encryption key. Until the CnC connection happens there is no damage created.

 

Analysis has shown that most ransomware does a DNS call back, and ransomware payment notification also uses DNS. The ability to block a malware connection via DNS security at one or another step of the malware execution process can therefore prove to be the most effective way to implement malware protection.

 

An effective DNS security protection control can have the ability to identify the endpoints attempting the malware connection and therefore feed into the clean-up and mitigation plan.

 

An important service in addition to the above is the ability to query domains and file hashes from a central intelligence platform that has up-to-the-minute data on the bad domains, so that your security incident response team has the ability to conduct intelligent investigations independently of any infections. For instance, if you keep doing a DNS query for a site in Russia and you don’t have any business relationship in Russia, that’s something that you should query.

 

Another challenge is the decentralised nature of organisations due to remote working and the increasing importance of branch offices. Mobile devices such as laptops are the primary devices where user changes could compromise security. Around 80% of remote workers disable their VPNs when they browse the web. A DNS based security mechanism can help to maintain the security posture, as these remote workers are still able to make use of this form of protection even when they disable their VPNs. DNS security can protect any device including IoT, guest devices and roaming clients.

 

Correct implementation of DNS security could make it the first line of defence even before a connection is established by checking the DNS request and blocking bad sites. This will help the IT teams by freeing them up from a large number of alerts that would be generated if the malware had been downloaded.

DNS Security – The Forgotten Lynchpin

 

So it’s all happening in the cloud. Wholesale adoption of cloud services is now a business imperative as the opportunities and benefits of SaaS become ever clearer.

Here are some numbers though that tell us not only what’s happening but also some concerns that we need to have at the forefront of our minds.

  • 82% of mobile workers admit they always turn off their VPN
  • 15% of command and control threats evade web security
  • 60% of attackers penetrate an organisation in minutes and steal data in hours
  • 100 days is the average detection time for an attack
  • 100% of networks interact with malware sites
  • 92% of attacks make use of DNS

Clearly, there is a wide range of threats that organisations need to address in crafting and implementing an effective approach to cyber security. One area that has received, and is still receiving, very little attention is DNS.

DNS is the most ubiquitous protocol on the Internet and is deployed in literally every connection that takes place whether surfing a website, watching youtube videos or accessing corporate cloud applications. This ubiquitous use of DNS means that it is also involved in some very undesirable connections to sites like malware sites, known bad sites, command and control centres etc. Other attacks have involved data exfiltration in packets disguised as DNS.

The fact that DNS is involved in around 92% of web attacks strongly suggests that it is an area that is worthy of further efforts in the fight against cyber attacks. DNS is one of those protocols that just works in the background like a utility, and as long as resolution is working no one pays attention to it. DNS is a lynchpin: if it doesn’t work then most applications will stop working and the IT services will grind to a halt. It is vital therefore that DNS gets more prominence and is monitored and secured to ensure continued running of services.

 

Tackling DNS Security 

DNS should be elevated from a connectivity item to a network security component vital to the operation of the organisation’s IT. DNS monitoring and the implementation of an active security policy that cannot be circumvented by staff can have untold security benefits. Such an approach could be used to block malware and phishing attacks in real time as opposed to after the event. Also, the use of DNS to resolve requests for known malware sites could prevent attacks before they happen. The DNS controls could hold a regularly updated list of known malware sites and block devices from accessing these sites. Active monitoring could also provide valuable information about whose machine has been compromised and where they are connecting from.

DNS monitoring can also provide a baseline of what normal behaviour looks like for your organisation. Anomalous behaviour is, therefore, easier to detect and act on. A number of hacks of high-profile sites, such as Tesla, could have been prevented if the DNS records had been monitored and these organisations had then been able to detect and block changes to their DNS records.

Visibility of who is connecting to what site is also a great benefit of DNS monitoring. The explosive growth of IoT devices poses significant threats if they are not properly secured. DNS security could play a vital role by enforcing policy e.g. if the CCTV network should be blocked from Internet access, DNS security controls could prevent these devices being used as a backdoor that could be used for malware propagation or data exfiltration.

Failing to monitor and control DNS is a lost opportunity not only to secure your organisation’s network but also to gain visibility into who is doing what.
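
The checks described in the two DNS sections above (a blocklist lookup at resolution time, a list of the endpoints that attempted a blocked lookup, a baseline of normal lookups, and the CCTV no-Internet policy) are shown here as an added Python example; it is not part of the original post and is not any vendor's product code. The log format, domain names, address ranges and the two-label base-domain shortcut are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed data: a real deployment would refresh these from threat
# intelligence and from the organisation's own policy and history.
BLOCKLIST = {"malware-cnc.example", "exploit-kit.example"}
NO_INTERNET = {"cctv": ipaddress.ip_network("10.20.0.0/24")}
INTERNAL_SUFFIXES = {"corp.example"}
BASELINE = {"corp.example", "partner.example"}  # base domains seen before

# Constructed resolver log: "<timestamp> <client IP> <queried name> <type>"
SAMPLE_LOG = """\
2018-03-01T09:00:01Z 10.1.0.15 intranet.corp.example A
2018-03-01T09:00:05Z 10.1.0.15 www.partner.example A
2018-03-01T09:01:10Z 10.1.0.22 landing.exploit-kit.example A
2018-03-01T09:01:12Z 10.1.0.22 KEYS.Malware-CnC.example. A
2018-03-01T09:02:30Z 10.20.0.7 update.camera-vendor.example A
2018-03-01T09:03:00Z 10.1.0.15 never-seen-before.example A
malformed line
"""


def normalise(name):
    """Lower-case the name and drop the trailing root dot before matching."""
    return name.strip().rstrip(".").lower()


def suffix_match(name, suffixes):
    """Return the entry that equals `name` or is a parent domain of it.

    Matching is done on whole labels, so 'notmalware-cnc.example' does not
    match 'malware-cnc.example'.
    """
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in suffixes:
            return candidate
    return None


def parse_line(line):
    """Parse one log line; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, name, rtype = parts
    try:
        client_ip = ipaddress.ip_address(client)
    except ValueError:
        return None
    return ts, client_ip, normalise(name), rtype


def decide(client_ip, name):
    """Resolver-side decision: ('block' | 'allow', reason)."""
    hit = suffix_match(name, BLOCKLIST)
    if hit:
        return "block", "blocklist:" + hit
    for segment, net in NO_INTERNET.items():
        if client_ip in net and not suffix_match(name, INTERNAL_SUFFIXES):
            return "block", "policy:" + segment
    return "allow", ""


def base_domain(name):
    # Simplification: last two labels. Production code needs the Public
    # Suffix List to handle names such as 'example.co.uk' correctly.
    return ".".join(name.split(".")[-2:])


def analyse(log_text):
    """Group findings by endpoint so they can feed clean-up and review."""
    report = {
        "infected": defaultdict(list),    # client -> blocked malware lookups
        "policy": defaultdict(list),      # client -> segment policy breaches
        "new_domains": defaultdict(set),  # base domain -> clients (off-baseline)
        "skipped": 0,                     # malformed lines, counted not dropped silently
    }
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            report["skipped"] += 1
            continue
        ts, client_ip, name, _rtype = record
        _action, reason = decide(client_ip, name)
        if reason.startswith("blocklist:"):
            report["infected"][str(client_ip)].append((ts, name))
        elif reason.startswith("policy:"):
            report["policy"][str(client_ip)].append((ts, name))
        elif base_domain(name) not in BASELINE:
            report["new_domains"][base_domain(name)].add(str(client_ip))
    return report


if __name__ == "__main__":
    for section, findings in analyse(SAMPLE_LOG).items():
        print(section, dict(findings) if section != "skipped" else findings)
```
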

10 Steps to Cyber Security – Parts 6-10

The cyber security threat landscape is constantly changing with the ever growing number and scale of attacks. The consequent measures necessary to combat the threats need to be robust, comprehensive and agile. Simply put, it is about developing an effective approach and constantly testing and refining it. The sections below cover the second 5 sections of some 10 essential recommended steps that should be taken to achieve an effective level of cybersecurity and are based on guidance from NCSC.

Incident Management

A security incident is inevitable for all organisations. An effective system of incident management policies and processes will reduce any likely impact, enable speedier recovery and improve business resilience. Without an effective management system in place, some of the possible risks of an attack include;

  • Greater business impact of an attack through failure to realise the attack early enough and consequent slowness to respond resulting in more significant and ongoing impact
  • Potential for continuous or repeated disruption due to failure to find the root cause
  • Failure to conform with legal and regulatory standards which could result in financial penalties

It is important to manage the risk by taking some of the following steps;

  • Establish an incident management capability using in-house or specialist external service provider, create a plan and test its effectiveness.
  • Define reporting requirements
  • Define roles and arrange specialist training to ensure the correct skill base
  • Establish and regularly test a data recovery strategy including offsite recovery
  • Collect and analyse post incident evidence for root cause analysis, lessons learned and evidence for crime and/or compliance reporting

Malware Prevention

Malware is the most common form of security compromise and it is a fact that all organisations interact with known malware sites. The risk of malware can include; email with malicious content or links to malicious sites, web browsing to sites containing malicious content, introduction of malware through uncontrolled devices such as USB media or smartphones.

Inadequate controls for protection against malware could result in business disruption and/or loss of access to critical data.
Malware risks can be managed effectively using some of the following techniques;

  • Create and implement effective malware policies
  • Control import and export of data and incorporate malware scanning
  • Use blacklisting to block access to known malicious sites
  • Establish a defence in depth approach which includes security controls for endpoints, anti-virus, content filtering to detect malicious code, disable browser plugins and auto run features, ensure baseline security configurations are in place
  • Users should be educated regularly to understand the risk of malware, their role in preventing it and the procedure for incident reporting

Systems Monitoring

Systems monitoring provides the ability to determine how systems are being used and whether they have been attacked or compromised. No or poor monitoring prevents organisations from detecting attacks against infrastructure or services, slows reaction to an attack, resulting in increased severity of the attack, and can cause non-compliance with legal or regulatory requirements.
Systems monitoring risks can be prevented by taking the following steps;

  • Develop and implement a monitoring strategy based on the business risk assessment
  • Ensure that all systems are monitored; this should include the ability to detect known attacks as well as having heuristic capabilities
  • Monitor network traffic to identify unusual traffic or large uncharacteristic data transfers
  • Monitor user activity for unauthorised use of systems
  • Fine tune monitoring systems to collect relevant events and alerts
  • Deploy a centralised logging solution with collection and analysis capability, and automated anomaly and high priority alerts
  • Align policies and processes to manage and respond to incidents detected by monitoring systems

Removable Media

Removable media such as USB memory devices are often involved in introduction of malware or removal of sensitive data. A comprehensive cyber security strategy must implement controls such as those listed below to effectively manage the risk posed.

  • Devise and implement a policy to govern the use of removable media. A standard for information exchanged on corporate systems should use appropriate and protected measures
  • If essential, the use of removable media should be limited only to designated devices
  • Automatically scan removable media for malware before any data transfer
  • Issue removable media formally to users and prohibit use of personal media sticks
  • Encrypt information at rest on removable media
  • Manage reuse and disposal of media to ensure data is effectively deleted or media destroyed and data retrieval prevented

Remote Working

Remote working for staff or remote support from suppliers is an effective and popular trend but can expose organisations to risk. Mobile working will necessitate the transfer of data across the Internet, sometimes to public spaces. These risks could lead to; loss or theft of data if mobile devices get stolen, compromise of credentials or data if screens are overlooked in public places, loss of user credentials if stored on a device, remote tampering through insertion of malware or monitoring of activity
Some of the recommended controls are listed below;

  • Create a robust policy to address the risk, this should include identifying who is authorised, what kind of information they can access, increased monitoring for remote connections
  • User training to include; awareness of the risks, securely storing and managing credentials, incident reporting
  • Develop and apply a secure baseline for remote devices
  • Encrypt data at rest and data in transit for remote/mobile devices

10 Steps to Cyber Security – Parts 1-5

The cyber security threat landscape is constantly changing with the ever growing number and scale of attacks. The consequent measures necessary to combat the threats need to be robust, comprehensive and agile. Simply put, it is about developing an effective approach and constantly testing and refining it. The sections below cover the first 5 sections of some 10 essential recommended steps that should be taken to achieve an effective level of cybersecurity and are based on guidance from NCSC. The second part will be featured in a future blog post.

 

Executive Risk Management

Because of the vital role that technology plays in most organisations today, information and its supporting systems need to be properly categorised in the business risk profile. The impact of information and systems compromise could be more critical than many other types of business risks and result in reputational and financial damage.

It is important for the risks to be defined and communicated from executive level thus conveying the importance of information and systems.

Further essential steps that the Board should take include;

  • Establish a governance framework
  • Identify risks and approach to risk management
  • Apply standards and best practices
  • Educate users and maintain awareness
  • Constantly review policies

 

Education and Awareness

Training and awareness can help to establish a security conscious culture in the organisation. This could help to reduce the number of people clicking links in phishing emails or writing down passwords on post-it notes. Lack of awareness could result in; users connecting personal removable media that is compromised, users being subjects of phishing attacks, users seeing security as prohibitive and therefore trying to circumvent it. User ignorance to handling sensitive information may result in legal and regulatory sanction as will failure to report certain breaches.

Effective management of the user awareness risk includes some of the following;

  • Create a user security policy as part of the overall corporate policy
  • Include cyber security in the staff induction – making them aware of their personal responsibilities to comply with the security policy
  • Security risk awareness – maintain awareness of ongoing security risks and guidance
  • Formal training and assessment – staff in security roles should embark on ongoing formal training and certification to keep up to date with the challenges they face
  • Incident reporting culture – enable staff to voice their concerns and report poor security practices

 

Secure Configuration

Systems that are not securely configured will be vulnerable to attack. A baseline secure configuration of all systems is essential to reduce risk of attacks and the potential for compromise. A lack of secure configurations and updated patching carries risks such as; unauthorised system changes occurring, exploitation of software bugs in unpatched systems and exploitation of insecure systems.

To avoid poor system configuration it is necessary for effective security controls to be put in place such as the following;

  • Use supported software
  • Develop and implement policies to update and patch systems
  • Maintain hardware and software inventory
  • Maintain operating systems and software
  • Conduct regular vulnerability scans and act on results in a timely manner
  • Establish configuration and control management
  • Implement white listing and positively identify software that can be executed
  • Limit privileged user accounts and user’s ability to change configurations

 

Network Security

Network connections could expose your systems and technologies to attack. A set of policies, architectural strategy and technical controls will help to reduce the chances of a successful attack which could include exploitation of systems, compromise of information in transit, propagation of malware, damage or illegal posting to corporate systems.

To effectively manage network security it is important to follow best practices and industry standard design principles at least.

All inbound and outbound traffic should be controlled, monitored and logged. This could be done with an advanced or next generation firewall, intrusion prevention techniques and anti-malware at the perimeter – in addition to endpoint anti-malware

Internal network protection is often ignored especially in the case of small networks. They should however include the following techniques

  • Segregate networks into groups based on functions and security roles
  • Secure wireless networks – only secure authorised devices should be allowed access to corporate networks
  • Secure administration – ensure administrative access is secure and defaults are changed
  • Monitor the network – monitor all traffic with intrusion prevention systems so that indications of attacks can be blocked and alerted on immediately
  • Testing and assurance – conduct regular penetration testing and simulate cyber attack exercises to ensure controls work

 

Managing User Privileges

Controlling user privileges to the correct level is important to ensure they have what they need to work effectively. Users with unnecessary rights are generally a major risk and should be avoided. If these accounts are compromised it could have a severe impact on your cyber security. Some of the potential harm that could be caused by such a compromise includes; users could accidentally or deliberately misuse their privileges and cause unauthorised information access.

Attackers could also exploit these privileges to gain administrative level access and even negate security controls to increase the scope of their attack.

Some sensible steps that should be taken to manage these risks include;

  • Effective account management – manage the lifecycle of accounts from start to finish when staff leave, including temporary accounts
  • User authentication and access control – issue and enforce an effective password policy and incorporate two factor authentication for secure systems
  • Limit privileges – give users the minimum rights that they need
  • Limit the use of privilege accounts – limit the access to privileged rights and ensure administrators use normal accounts for standard business use
  • Monitor and logging – monitor user activity and log all events to an audit and accounting system for future analysis
  • Education – educate users of their responsibilities to adhere to corporate security policies

Cyber Security Awareness Month

For the EU, the U.S., and many countries around the world, October is Cyber Security Awareness Month, a time to broaden awareness and expand the conversation on staying safe and secure online. This time of year presents an opportunity to reflect on the state of cybersecurity.

 

The Era of Exponential Connectivity

We live in an ultra-connected digital world where people, processes, data, and things are connected in ever more imaginative ways. The digital age has spawned an era where 30 million new devices are connected to the Internet every week. IoT devices create almost 300 times the data that people create and that number will increase exponentially as we connect more devices. Mobility, cloud computing, smart devices, and our ability to connect globally in real time are so pervasive today that we already take them for granted.

Recent Cisco research forecasts that there will be at least 50 billion connected devices by 2020. By 2018, 78 percent of all computing will be done in the cloud. By 2025, 1 million new devices are projected to be connected to the Internet every hour. Global mobile data traffic will reach 11 exabytes (EB) per month by year’s end, and 49 EB per month by 2021. To put that in perspective: 1 EB is equivalent to 1 billion gigabytes; 5 EB equals all the words ever spoken by human beings.

Who could have anticipated this level of connectivity and growth even a decade ago?

 

Preparing for Tomorrow

So how can we prepare today for tomorrow’s threats? To be successful in the age of digital disruption, we need to commit to cybersecurity as a critical, enabling foundation. To capture the benefits of this digital age, cybersecurity must be sewn tightly into the fabric of every business and its processes. It has to be a mindset that permeates governments, businesses, education, and our lives.

According to the National Association of Corporate Directors’ Handbook on Cyber-Risk Oversight, “some estimates predict that between $9 and $21 trillion of global economic value creation could be at risk if companies and governments are unable to successfully combat cyber threats.”

Cyber and financial controls need to be on par; businesses must ensure the protection of their customers’ as well as their own information.

With the imminent enforcement of GDPR across the EU and having global reach, businesses’ obligations now exceed protection against a breach. They extend to disclosing the risks companies face from cyberattacks and revealing more readily and quickly when a breach occurs.

Businesses need to approach cybersecurity as a strategic business imperative, not a defensive necessity. Cybersecurity needs to be a cornerstone of our digital strategy and the business strategy.

 

Skills Gap is a Big Challenge

Looking to the future one of the greatest hindrances to executing a comprehensive security strategy is a growing skills gap. With more than 1 million global cybersecurity jobs unfulfilled there is an urgent need for diverse thinking, diverse candidates, and a diverse workforce to fill these roles.

While globally women hold about half of the nontechnical positions, they account for only 25 percent of computing-related jobs, and 11 percent of the information security workforce. We can’t possibly meet the needs of the Digital Age if only one in four STEM professionals are women, and less than half of them are focusing on security.

Building a culture of cybersecurity is critical for any organization as is creating advocates in functions beyond the security team. Industry and government can help by partnering with learning institutions to raise awareness and promote available opportunities to train IT and security professionals, as well as the general public. Educators must continuously develop creative new training approaches that will prepare the next-generation workforce for the cybersecurity needs of the future.

 

The Future is Still Bright, Despite These Challenges

Every individual with an online presence must get involved. Stay informed, apply the appropriate security controls, share what’s working and work on what needs to improve. Help one-another to be cyber resilient and raise our collective security posture. Safe web, email, and social media habits, patching and updating systems, and better password management are actions we can all take today.

October is a time to lean in and engage. Learn new techniques and share your insights with your colleagues, family, friends, and us. The European Cyber Security Month, as well as other cybersecurity advocacy programs around the globe offer tremendous resources.

 

Speak to one of our Experts?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.

Nyetya Global Ransomware – actual costs

You may recall our recent blog post below which was posted in June.

A new ransomware virus variously named Nyetya, Petrwrap and GoldenEye has been spreading globally over the last 24 hours.


This virus is distinct from WannaCry and other initially suspected variants. It has some unique new features which make it harder to detect and defend against, clearly showing that today’s malware landscape is evolving apace. This rapidly changing threat landscape has a number of contributing factors, including leaked tools from government agencies, more advanced security controls that require more advanced malware (the cat and mouse game), or simply attackers who are more determined and more capable.

This and other recent virus attacks serve to reinforce the need for a defence-in-depth approach to security, with comprehensive controls at all levels of an organization’s IT infrastructure.

Some figures have been released about the actual financial damage caused by the virus.

It cost the TNT division of parcel delivery company FedEx over $300m; losses are continuing and the company has not yet fully restored its systems. At one stage they had to resort to WhatsApp for internal communication because email systems were not usable.

Shipping company Maersk has also announced damage around the $300m mark.

Reckitt Benckiser, the company behind household brand names such as Dettol and Durex, has also taken a massive hit, announcing potential attributable losses at a minimum of $140m. This figure is due to be updated when they announce results in October.

More details about these costs and impact on the businesses can be found in the BBC article below.

View the article

With such eye-watering figures from just a few selected companies who have been transparent enough to share the information, you really wonder about the full scale of damage that this and other cyber attacks have caused.


Ransomware 101 – How To Combat It

Ransomware has grown to become the most popular cyber attack method on the Internet today, growing at a rate that will see it become a $1 trillion industry within a few years.

It is imperative that every business develop and execute a comprehensive ransomware defense strategy to ensure the survival of their business. An invaluable tool to help with this plan is provided by Cisco in the form of a flipbook aimed at combating ransomware.

The flipbook includes:

  • An overview of Ransomware
  • Infection methods
  • How to prevent infections
  • Detecting and containing infections
  • Learning lessons after an attack
  • Elements of a multi-layered defense

We know you will find this resource highly valuable and well worth investing a little of your time.

Click to view the Flipbook

 


5 Top Tips to Secure Your Business from Cyber Attacks

Security is a topic that can cover many volumes, so treat the list below as just a quick-fire snapshot summary. Nothing will substitute for doing the hard work necessary to put together a comprehensive security policy and the operational procedures to underpin it.

  1. Have a security strategy with executive level backing

It is a fundamental requirement for executives to define what the valuable assets are, and hence what needs to be secured above everything else. The strategy will then underpin the protection of these assets via policies, procedures and governance.

  2. Design your systems with security at the core

Security has traditionally been tagged on to business systems as an afterthought. As security threats are pervasive, so must security mitigation be. Hence security design needs to be incorporated into all elements of a business: clients, networks, services, applications and people. Some basic design techniques are listed below.

  • Segment your network into logical, system-based zones so you can segregate critical systems and apply network security controls to them.
  • Protect your Internet edge but also internal (east-west) traffic, and cover the most used vectors of attack (email, web).
  • Pay special attention to wireless connectivity – use strong authentication based on individual credentials or personal certificates, strong encryption (AES) and proper guest/BYOD access.
  • Plan home and remote user access carefully – these users should have the same security controls as users on the office network.
  • Have a central point for system monitoring (SIEM) that is integrated within your environment and provides a single point that holds all relevant logs and events for your systems.
  • Design for secure management and physical access to your IT assets.

  3. Protect your endpoints/servers

Once endpoints are compromised they can be used to propagate threats throughout the business. It is therefore critical to constantly protect endpoints and isolate them quickly if they become compromised. Endpoint protection tips include:

  • Create and maintain a policy for patching and updates – keep up to date with patches and security updates
  • Create and maintain a hardware and software repository – know what you have in your network
  • Limit user rights to make changes to endpoints
  • Access to sensitive information should be done in a secure manner, with data encrypted in transit and at rest.
  • Use endpoint protection mechanisms (Anti-Virus, Anti-Spyware, Software Firewalls) which support centralized management and can be integrated with your network security controls and monitoring tools
  • Regularly back up important data in a safe manner (encrypt and secure data at rest and in motion) – this mitigates the effects of ransomware attacks

  4. Train your personnel

Security is only as good as its weakest link, which is often the people working in the business.

Users should be made aware of the importance of security measures in place, what threats are out there and triggers that should raise their suspicion – simple things like:

  • unsolicited emails with strange hidden links – aka think before you click
  • file attachments with generic but plausible-sounding names

Users should be given Social Engineering training and be aware of the techniques used. The training and education of personnel should be an ongoing process, not a one-time thing.

  5. Test, test and test!

The only way to really know your security level is to regularly test it!

Security tests should cover all parts of your environment and should be performed on procedures/processes, network equipment, endpoint systems and personnel. The range of tests should include:

  • Formal security audits that look at procedures and whether they are being followed/enforced
  • Automated vulnerability assessments – usually performed every 2-3 months and done internally
  • Penetration tests – external annual security tests that usually give the most accurate information about the company’s security posture and the effectiveness of all security measures deployed
  • Social engineering tests on personnel – attempts to get employees to disclose sensitive information to non-authorized people, either via phone or in person, or to get physical access to company restricted areas


Ransomware Medical Devices – MEDJACK

Ransomed medical devices: It’s happening

The following blog is an extract from Cisco’s recent Mid Year Cyber Security Report. It highlights how cyber attackers have identified and are exploiting a niche area of healthcare technologies which carry higher levels of risk and ransomware vulnerability. Lessons can be learnt from such an attack as the methods deployed by cyber attackers could certainly be easily applied in other industries.

To operate effectively in today’s increasingly interconnected world, many businesses must integrate their IT and operational technology. Coinciding with this trend, known security weaknesses in devices and systems that were previously isolated from each other now present a greater risk to businesses. By using proven tactics like phishing emails to compromise users, cyber attackers can penetrate a network, establish a foothold in a device with an outdated operating system, and from there move laterally within the network to steal information and lay the groundwork for a ransomware campaign.

The recent WannaCry ransomware attack illustrated how the increasing connectedness of healthcare systems and weak security practices can put both organizations and patients at risk. While it was not the first ransomware attack that appeared to target the healthcare sector, the campaign is notable in that it affected Windows-based radiology devices at some hospitals.

Threat researchers with TrapX Security warn that the targeting of medical devices with ransomware and other malware is only going to expand. It refers to this attack vector as MEDJACK, or “medical device hijack.”

The potential impact is obvious when you consider that the average small to midsize hospital with five or six operational units has about 12,000 to 15,000 devices. Of those devices, about 10 to 12 percent are IP-connected, according to TrapX.

Like many other IoT devices today, medical devices were not, and are not, designed or built with security in mind. They are often running old and unpatched systems and are rarely monitored by hospital IT staff. Even when security teams are aware of vulnerabilities, they may not be able to act because only the vendor has access to those products. In other cases, security teams must put patching on hold because the business simply cannot afford to take critical equipment offline.

Oncology System Exploit

Many cyber criminals want to compromise medical devices, which TrapX researchers say have become a key pivot point for attackers to move laterally within hospital networks. Adversaries also know they are likely to see big returns from ransomware campaigns that hold life-saving medical devices for ransom. More nefarious actors could also, potentially, take control of these devices—including implantable devices—and do harm to patients.

In a recent exploitation of an oncology system with known Windows XP vulnerabilities, the attackers had infected three machines (one of which was used to control a powerful laser) and turned one into a botnet master that spread malware across the hospital network (see Figure 37).

Another recent incident involved a compromised MRI system via a Windows XP exploit. The attackers found patient data on the system, but soon realized there was an opportunity to move laterally to gain control of the hospital’s PACS systems. (These systems are used to centralize and archive patient records and other critical information.) Forensics research of the attack showed the adversaries had been able to operate in the hospital’s network for more than 10 months.

MRI System Exploit

Windows XP is a primary underlying system for operational technology in healthcare, energy, manufacturing, and other verticals. Adversaries know the operating system is an Achilles’ heel because it is no longer actively supported by Microsoft, and it is extremely difficult and costly for businesses to update mission-critical devices that run XP. That’s what makes these devices an especially enticing target for attackers who use ransomware: They know that businesses would rather pay the ransom than face having the machine offline—or, worse, taken down completely.

 

Ways to tackle the threat

TrapX researchers suggest that organizations take the following steps to reduce the likelihood, and impact, of a ransomware attack that targets medical devices and other critical operational systems:

  • Understand what and how many medical assets in your environment are IP-connected
  • Refresh contracts with suppliers, and make sure that they are meeting promises outlined in those contracts to update or replace software, devices, and systems
  • Discuss this problem at the senior management and board levels to get their attention and commitment to the process
  • Deploy technology tools that provide visibility into the network and automate threat detection and remediation
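
A starting point for the first step, as an added example that is not part of the Cisco report or TrapX's guidance: a small audit of an asset inventory export that counts IP-connected devices and flags those running Windows XP outside a segmented zone. The CSV columns, zone names and sample rows are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed sample inventory export; column names and rows are assumptions.
SAMPLE_INVENTORY = """\
asset_id,type,os,ip,zone
MRI-01,MRI scanner,Windows XP,10.20.1.15,clinical-isolated
ONC-02,Oncology workstation,Windows XP,10.10.4.22,general
PUMP-07,Infusion pump,Embedded RTOS,,none
PACS-01,PACS server,Windows Server 2016,10.10.4.30,general
XRAY-03,Radiology console,Windows 7,10.20.1.18,clinical-isolated
MON-11,Patient monitor,Windows XP,not-an-ip,general
"""

# Operating systems treated as out of vendor support (extend for your estate).
UNSUPPORTED_OS = {"windows xp"}
# Zones considered segmented away from the general network (assumed naming).
ISOLATED_ZONES = {"clinical-isolated"}


def audit_inventory(csv_text):
    """Return counts plus lists of risky asset IDs from an inventory CSV."""
    report = {"total": 0, "ip_connected": 0, "unsupported": [], "exposed": [], "invalid": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report["total"] += 1
        ip = (row.get("ip") or "").strip()
        if ip:
            try:
                ipaddress.ip_address(ip)
                report["ip_connected"] += 1
            except ValueError:
                # Bad data hides devices from the count: surface it for follow-up.
                report["invalid"].append(row["asset_id"])
        if row["os"].strip().lower() in UNSUPPORTED_OS:
            report["unsupported"].append(row["asset_id"])
            # Any recorded address (even a malformed one) outside an isolated
            # zone is treated as reachable, so the asset is flagged as exposed.
            if ip and row["zone"].strip() not in ISOLATED_ZONES:
                report["exposed"].append(row["asset_id"])
    return report


def ip_connected_share(report):
    """Percentage of inventoried assets with a valid IP address."""
    return 100.0 * report["ip_connected"] / report["total"] if report["total"] else 0.0


if __name__ == "__main__":
    print(audit_inventory(SAMPLE_INVENTORY))
```

The `exposed` list is the one to take to the supplier and board conversations in the later steps: unsupported systems that sit on the general network.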
