5 Top Tips to Secure Your Business from Cyber Attacks

Security is a topic that can fill many volumes, so treat the list below as a quick-fire snapshot summary. Nothing will substitute for doing the hard work necessary to put together a comprehensive security policy and the operational procedures to underpin it.

  1. Have a security strategy with executive level backing

It is a fundamental requirement for executives to define what the valuable assets are, and hence what needs to be secured above everything else. The strategy will then underpin the protection of these assets via policies, procedures and governance.

  2. Design your systems with security at the core

Security has traditionally been tagged on to business systems as an afterthought. As security threats are pervasive, so must security mitigation be. Hence security design needs to be incorporated into all elements of a business: clients, networks, services, applications and people. Some basic design techniques are listed below.

  • Segment your network into logical, system-based zones so you can segregate critical systems and apply network security controls to them.
  • Protect your Internet edge but also internal (east-west) traffic, and cover the most used attack vectors (email, web).
  • Pay special attention to wireless connectivity – use strong authentication based on individual credentials or personal certificates, strong encryption (AES) and proper guest/BYOD access.
  • Plan home and remote user access carefully – they should have the same security controls as users on the office network.
  • Have a central point for system monitoring (SIEM) that is integrated with your environment and provides a single place holding all relevant logs and events for your systems.
  • Design for secure management of, and physical access to, your IT assets.

  3. Protect your endpoints/servers

Once endpoints are compromised they can be used to propagate threats throughout the business. It is therefore critical to protect endpoints constantly and to isolate them quickly if they become compromised. Endpoint protection tips include:

  • Create and maintain a policy for patching and updates – keep up to date with patches and security updates
  • Create and maintain a hardware and software inventory – know what you have in your network
  • Limit user rights to make changes to endpoints
  • Access to sensitive information should be done in a secure manner, with data encrypted in transit and at rest.
  • Use endpoint protection mechanisms (anti-virus, anti-spyware, software firewalls) which support centralized management and can be integrated with your network security controls and monitoring tools
  • Regularly back up important data in a safe manner (encrypt and secure data at rest and in motion) – this mitigates the effects of ransomware attacks

  4. Train your personnel

Security is only as good as its weakest link, which is often the people working in the business.

Users should be made aware of the importance of the security measures in place, what threats are out there and the triggers that should raise their suspicion – simple things like:

  • unsolicited emails with strange hidden links – think before you click
  • file attachments with generic but plausible-sounding names

Users should be given social engineering training and be made aware of the techniques used. The training and education of personnel should be an ongoing process, not a one-time thing.

  5. Test, test and test!

The only way to really know your security level is to regularly test it!

Security tests should cover all parts of your environment and should be performed on procedures/processes, network equipment, endpoint systems and personnel. The range of tests should include:

  • Formal security audits that look at procedures and whether they are being followed/enforced
  • Automated vulnerability assessments – usually performed every 2-3 months and done internally
  • Penetration tests – external annual security tests that usually give the most accurate picture of the company’s security posture and the effectiveness of all security measures deployed
  • Social engineering tests on personnel – attempts to get employees to disclose sensitive information to non-authorized people, either by phone or in person, or to gain physical access to company-restricted areas

Speak to one of our Experts?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.

Ransomware Medical Devices – MEDJACK

Ransomed medical devices: It’s happening

The following blog is an extract from Cisco’s recent Mid-Year Cyber Security Report. It highlights how cyber attackers have identified and are exploiting a niche area of healthcare technologies which carries higher levels of risk and ransomware vulnerability. Lessons can be learnt from such attacks, as the methods deployed by cyber attackers could easily be applied in other industries.

To operate effectively in today’s increasingly interconnected world, many businesses must integrate their IT and operational technology. Coinciding with this trend, known security weaknesses in devices and systems that were previously isolated from each other now present a greater risk to businesses. By using proven tactics like phishing emails to compromise users, cyber attackers can penetrate a network, establish a foothold in a device with an outdated operating system, and from there move laterally within the network to steal information and lay the groundwork for a ransomware campaign.

The recent WannaCry ransomware attack illustrated how the increasing connectedness of healthcare systems and weak security practices can put both organizations and patients at risk. While it was not the first ransomware attack that appeared to target the healthcare sector, the campaign is notable in that it affected Windows-based radiology devices at some hospitals.

Threat researchers with TrapX Security warn that the targeting of medical devices with ransomware and other malware is only going to expand. They refer to this attack vector as MEDJACK, or “medical device hijack.”

The potential impact is obvious when you consider that the average small to midsize hospital with five or six operational units has about 12,000 to 15,000 devices. Of those devices, about 10 to 12 percent are IP-connected, according to TrapX.

Like many other IoT devices today, medical devices were not, and are not, designed or built with security in mind. They are often running old and unpatched systems and are rarely monitored by hospital IT staff. Even when security teams are aware of vulnerabilities, they may not be able to act because only the vendor has access to those products. In other cases, security teams must put patching on hold because the business simply cannot afford to take critical equipment offline.

Oncology System Exploit

Many cyber criminals want to compromise medical devices, which TrapX researchers say have become a key pivot point for attackers to move laterally within hospital networks. Adversaries also know they are likely to see big returns from ransomware campaigns that hold life-saving medical devices for ransom. More nefarious actors could also, potentially, take control of these devices—including implantable devices—and do harm to patients.

In a recent exploitation of an oncology system with known Windows XP vulnerabilities, the attackers had infected three machines (one of which was used to control a powerful laser) and turned one into a botnet master that spread malware across the hospital network (see Figure 37).

Another recent incident involved an MRI system compromised via a Windows XP exploit. The attackers found patient data on the system, but soon realized there was an opportunity to move laterally to gain control of the hospital’s PACS systems. (These systems are used to centralize and archive patient records and other critical information.) Forensic research into the attack showed the adversaries had been able to operate in the hospital’s network for more than 10 months.

MRI System Exploit

Windows XP is a primary underlying system for operational technology in healthcare, energy, manufacturing, and other verticals. Adversaries know the operating system is an Achilles’ heel because it is no longer actively supported by Microsoft, and it is extremely difficult and costly for businesses to update mission-critical devices that run XP. That’s what makes these devices an especially enticing target for attackers who use ransomware: They know that businesses would rather pay the ransom than face having the machine offline—or, worse, taken down completely.


Ways to tackle the threat

TrapX researchers suggest that organizations take the following steps to reduce the likelihood, and impact, of a ransomware attack that targets medical devices and other critical operational systems:

  • Understand what and how many medical assets in your environment are IP-connected
  • Refresh contracts with suppliers, and make sure that they are meeting promises outlined in those contracts to update or replace software, devices, and systems
  • Discuss this problem at the senior management and board levels to get their attention and commitment to the process
  • Deploy technology tools that provide visibility into the network and automate threat detection and remediation

Cyber Report – Detection time reducing to 4 hrs

Once malware breaches a business, it goes about whatever activity it has been programmed to undertake, be that command and control (CnC), file encryption or just general reconnaissance and infection of other devices and networks. The longer the malware remains undetected, the more potential damage it can do.

Since its inception, the Cisco Security Report has tracked the time to detection of malware. Time to detection, or TTD, is the window of time between a compromise and the detection of a threat. The industry average for 20 known malware families was a staggering 100 days and, while it has fallen this year, it still means that for those 20 known malware types cyber attackers have on average a vast amount of time to probe and create maximum damage. Cisco research, based on telemetry from its globally deployed devices, has steadily seen its own detection time reduce to 3.5 hours as of April 2017.

Increases in the median TTD indicate times when cyber attackers introduce new threats. Decreases show periods where defenders are identifying known threats quickly. Since the summer of 2016, the ongoing tug-of-war between attackers and defenders has been less dramatic, with the latter taking back ground quickly after each attempt by adversaries to gain—and maintain—the upper hand.

Developments in the cyber threat landscape, especially within the past six months, show that cyber criminals are under even more pressure to evolve their threats to evade detection and devise new techniques.

The figure below shows the median TTD for the top 20 malware families by percentage of detections that researchers observed from November 2016 to April 2017. Many of the families that Cisco products are detecting within their median TTD of 3.5 hours are industrialized threats that move fast and are widespread. Old and prevalent threats are also typically detected below the median TTD.

Many malware families can still take a long time for defenders to identify even though they are known to the security community. That’s because the attackers behind these threats use various obfuscation techniques to keep their malware active and profitable. Some of these malware families, including Fareit (a remote access Trojan or “RAT”), Kryptik (a RAT), Nemucod (a downloader Trojan) and Ramnit (a banking Trojan), use specific strategies to stay ahead of defenders.

Their methods are effective: as the figure above shows, all these families were outside the Cisco median TTD window of 3.5 hours, Kryptik significantly so. Even Nemucod, the most frequently detected among the top families shown, takes longer to identify because it evolves so rapidly.
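To make the metric concrete, here is an added example (not code from Cisco or from the original post) that computes TTD per malware family from constructed telemetry records and compares each family's median against the 3.5-hour figure quoted above. The record format, the timestamps and the "Commodity-A" family are constructed; only the family names Nemucod, Kryptik and Fareit come from the text, and the hours attached to them here are illustrative, not the report's measurements.

```python
"""Added example (not from the Cisco report or the original post): time to
detection (TTD) per malware family from constructed records, compared against
the report's quoted 3.5-hour median. All timestamps are made up."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed records: family, time of compromise, time the threat was detected.
SAMPLE_RECORDS = """
Nemucod,2017-03-01T08:00:00,2017-03-01T10:30:00
Nemucod,2017-03-02T09:15:00,2017-03-02T15:45:00
Nemucod,2017-03-05T12:00:00,2017-03-05T18:00:00
Kryptik,2017-03-03T01:00:00,2017-03-04T19:00:00
Kryptik,2017-03-06T06:00:00,2017-03-07T12:00:00
Fareit,2017-03-04T10:00:00,2017-03-04T22:00:00
Commodity-A,2017-03-04T11:00:00,2017-03-04T12:00:00
Commodity-A,2017-03-07T11:00:00,2017-03-07T13:30:00
"""

REPORT_MEDIAN_HOURS = 3.5  # median TTD quoted in the text above


def parse_records(text):
    """Parse 'family,compromised,detected' lines into (family, ttd_hours) tuples.

    A detection timestamp earlier than its compromise timestamp is a data error
    (clock skew or a mislabelled event), so it is rejected rather than silently
    producing a negative TTD that would drag the median down."""
    out = []
    for line in text.strip().splitlines():
        family, compromised, detected = line.split(",")
        t0 = datetime.fromisoformat(compromised)
        t1 = datetime.fromisoformat(detected)
        if t1 < t0:
            raise ValueError(f"detection precedes compromise in record: {line}")
        out.append((family, (t1 - t0).total_seconds() / 3600))
    return out


def median_ttd_by_family(records):
    """Median TTD in hours for each family."""
    by_family = defaultdict(list)
    for family, hours in records:
        by_family[family].append(hours)
    return {family: median(hours) for family, hours in by_family.items()}


def overall_median(records):
    """Median TTD in hours across all records (the single figure the report quotes)."""
    return median([hours for _, hours in records])


def outside_window(family_medians, threshold=REPORT_MEDIAN_HOURS):
    """Families whose median TTD exceeds the threshold, sorted by name."""
    return sorted(f for f, m in family_medians.items() if m > threshold)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    fams = median_ttd_by_family(recs)
    print(f"overall median TTD: {overall_median(recs):.2f} h")
    for family, hours in sorted(fams.items()):
        print(f"  {family:12s} {hours:6.2f} h")
    print("outside the window:", outside_window(fams))
```

Tracking the overall median over successive periods is what produces the tug-of-war curve described earlier: a batch of new records with long TTDs (a new family defenders have not yet learned to spot) pushes the median up, and once signatures and behavioural rules catch up the median falls again.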

In many instances, businesses are using outdated modes of protection against these threats and will typically fall in the industry average, which is measured in days, not hours. Many businesses are still dependent on anti-virus software and firewall rules as their principal means of protection.

Given the evolved nature of threats and their ability to easily evade traditional methods of detection, the traditional approach is akin to using a colander to catch water.

A more sophisticated approach to cyber threat defences involving a combination of adaptive, integrated detection techniques with automated protection is necessary for business today.

Ransomware Defence Checklist

Do you know anyone who has suffered a Ransomware attack? Most likely the answer is yes. That is because Ransomware is the fastest growing and most profitable cyber crime today, grossing over $1bn last year. Many businesses still do not have a plan to mitigate such a common cyber attack.

On the other hand, following a best practices approach to protect and mitigate a cyber attack is a question of adopting a security culture within your business. Either you do or you don’t. If you don’t the likelihood is that this growing breed of cyber attack will come knocking on your door some day soon and you will be powerless to prevent it.

I have spoken to many business owners who have been victims of Ransomware or know someone who has; some have learnt from this experience and are now much better prepared if it happens again. Without wanting to sound too dire, the consequences of not recovering are unimaginable.

The best practices guideline below can be used as a checklist to focus on where you are in your Ransomware threat preparation and what still needs to be done.

Is Your Small Business Ready For a Data Breach?

“Best practices” are intended to be a good thing — the gold standard we should all strive for. But they can be a source of frustration for smaller businesses. Reading about your industry’s best practices can be a lot like a roll call of the things that you have yet to do.

One reason for that frustration is that a lot of people see best practices from an “all or nothing” framework. They decide that, since they can’t afford the whole nine yards, they just won’t worry about it. But that’s a short-term view, especially when it comes to something like your company’s online integrity. That integrity faces a number of challenges, ranging from data breaches and regulatory requirements to customer demands and branding consistency across channels.

“Digital integrity” might not make you sit on the edge of your seat with excitement. Nor will “digital policy” make it into the top three spots of dinner conversation topics. But both should be on your radar screen now because it is easier to put a bit of work into it today than to try to figure things out in panic mode after there’s been a breach. So here are some things that you should consider.

What is digital integrity?

“Digital integrity” refers to the ways in which you manage your company’s digital presence: what it is, where you keep it, who can access and manage it, etc.

Why is digital integrity so important?

Your online presence is the face you present to the world. The information needs to be accurate. The branding needs to be consistent. It needs to be in line with your business strategies. And it needs to protect the customers who place their trust in you. That’s especially true when it comes to data breaches.

Having digital integrity in the context of data breach means that you are protecting your prospect and customer data from a number of bad actors trying to steal it. In 2015 alone, almost 3.1 billion records containing personal information were compromised. And if you think you’re too small to be a target, you’re wrong. Small businesses are the target of 43% of all cyber attacks. Most criminals understand that small businesses don’t have the resources to enact security on the same level as a large enterprise. Unprepared businesses are the proverbial low-hanging fruit.

There’s another statistic about small businesses that’s even scarier: 60% of small businesses that suffer a breach shut the doors within six months. Small businesses just don’t have the liquidity to absorb the overwhelming costs associated with mitigating a data breach.

Whose job is it?

While enterprises may have entire departments dedicated to their data security, in small organizations the responsibility tends to fall on the person who first realizes the enormity of the risks and is motivated enough to take action. Eventually, however, a thorough digital policy will need to include marketing, information technology, loss prevention, human resources, and sales, with one individual having the official responsibility for getting the policy written and implemented. Your organization can develop its policy without outside support, but only if you have the expertise in house.

So is there an “essentials” version of the best practices?

Obviously, the more thorough your policies are, the safer you, your partners, and your customers will be. But you have to start somewhere. If you’ve been taking your chances and hoping for the best, the first thing you need to do is examine your risks in detail. To continue with our data breach example, here are some things you should consider:

Do you accept online payments and/or in-store credit card purchases?

There are strict standards for how payment information is procured, processed, and stored. These standards are a collaborative effort between credit card brands and the PCI-DSS (Payment Card Industry Data Security Standards) Council. The Council has some great resources specifically designed for small businesses.

Where do you operate?

While the PCI Council sets global standards, standards aren’t the same as laws. And when you operate across national borders, that adds several additional layers of complexity. You could be compliant with one nation’s laws while being in violation of the laws of several other countries.

And that’s just for processing payments. Each country also has its own laws for things like accessibility, ownership, encryption, notification, cookies, etc. Professional legal advice may be necessary to help you navigate these treacherous waters.

How secure are you today?

Knowing where you are today gives you the baseline for what still needs to be done. That includes asking questions like:

  • What security protocols are in place to prevent data breaches?
  • How many attacks have those protocols prevented? What kind of attacks were they?
  • How are breaches detected?
  • How are they stopped, and how long does it typically take?

What will you do when there’s a breach?

The severity and damage can vary, but some kind of breach is inevitable. When that happens, you won’t have time to figure out what to do. You need an action plan that can be implemented immediately, covering everything from how you stop an attack to how you notify customers whose information may have been compromised.

What’s next?

A digital policy that winds up as a random PDF file on your intranet or shared drive doesn’t accomplish anything. A true digital policy is actionable and sustainable. That means asking yourself questions like:

  • Which jobs or job functions are affected by this policy?
  • What changes need to be made so that the people in those jobs can apply the policies in their day-to-day business processes?
  • How will you communicate the new policies, and where will they be kept?
  • Who will monitor compliance, and how will that be done?
  • How will you maintain the policy’s relevance by staying in touch with new laws, trends, breaches, etc.?

It also means taking the answers to these questions and making them actionable for the organization by educating and mentoring those who must adopt the policies.

Let me emphasize that I’m not describing an ideal approach to digital integrity. On the contrary, what I’ve described is a very basic, nuts-and-bolts approach, because data breaches are just a single example among a long list of online issues that you ought to consider. However, you have to start somewhere. These are some of the most critical issues that every business, no matter how small, needs to think about. Hopefully, this will be a resource to help you get started in your planning for a data breach.

This article was authored by Kristina Podnar and is reprinted with kind permission.

Do your Cyber Defences know a good doc from a bad one?

Cisco’s recent Mid-Year Cybersecurity Report concludes that it is necessary to raise the security warning flag even higher. Cisco security experts are becoming increasingly concerned about the accelerating pace of change and sophistication in the global cyber threat landscape.

While cyber defenders are generally improving their ability to detect threats, prevent attacks and recover from them more quickly, their efforts are being thwarted by the escalating impact of breaches and the pace and scale of technology change. The rapid growth of mobile and cloud computing has served to dramatically increase the attack surface available to cyber criminals.

We have extracted data below that focuses on commonly observed malware.

[Figure 3: Most commonly observed malware (top malicious blocks), November 2016 – May 2017]

The graphic represents the most commonly observed malware during the period covered by Cisco’s report.

The list features a range of some of the most reliable and cost-effective methods for compromising large populations of users and infecting computers and systems.

The graphic clearly indicates the diverse range of attack methods which businesses now need to protect against.

Traditional protection methods, including anti-virus and traditional firewalls, are no match for many of these attack methods, which can be seen to be concealed in ‘normal’ traffic.

All the above appear regularly on lists of most commonly observed malware. The consistency in the list suggests that the Internet has matured to the point where cyber criminals know, with certain confidence, which web attack methods will be most effective at compromising users at scale and with relative ease.

The information may well confirm what you already know: cyber security threats are now unparalleled in scale. Effective protection demands a comprehensive policy backed up by the necessary controls to detect, prevent and remediate the various phases of an attack.
