Daily Archives: May 13, 2019

6 Common Compliance Conundrums to Know About

Cyber security assessment initiatives and frameworks abound in the US government, the most important being the Federal Information Systems Management Act (FISMA), passed in 2002. The law’s broad scope included a mandate to the US National Institute of Standards and Technology (NIST), charging it to create methods and standards to assess and optimize the cybersecurity […]

The post 6 Common Compliance Conundrums to Know About appeared first on The State of Security.

Women and Nonbinary People in Information Security: Stacey Holleran

Last week I spoke with Trica Howard about social engineering attacks and user education. Considering how social engineering and poorly trained users are two of the most significant cybersecurity problems ever, it was a great conversation. This week I spoke with another security communications specialist, tech writer Stacey Holleran. We both write about cybersecurity professionally, […]

The post Women and Nonbinary People in Information Security: Stacey Holleran appeared first on The State of Security.

Privacy Awareness Week 2019 – Are You In The Dark About Your Online Privacy?

If you haven’t given your online privacy much attention lately then things need to change. In our era of weekly data breaches, the ‘I’ve got nothing to hide’ excuse no longer cuts it. In my opinion, ensuring your privacy is protected online is probably more important than protecting your home and car! A sloppy approach to online privacy can have devastating ramifications for your financial health, your career and even your physical wellbeing.

This week is Privacy Awareness Week in Australia – a great reminder to give our online privacy a ‘check-up’ and work out what we can do to ensure the information we share online (and who sees it) is locked down.

What Do We Need to Protect?

When we think about online privacy, we often think about protecting our password and financial data online. But it’s a little more complicated. There are 2 categories of information that we share in our online life that require protection.

  1. Personally Identifying Information (PII) – this includes our name, birthdate, address and Medicare number
  2. Non-Personally Identifying Information – this includes the information about what we do online. It’s a combination of the websites we visit, what we buy online, our online searches and the pages we like on our social media profiles. Our online activity creates a digital folder about ourselves and many companies just love this data so they can send targeted ads your way. Ever wondered why you receive ads about holiday destinations after a few wishful holiday Google searches?

Without adequate online privacy, all the information about our online activities can be collected and analysed by third parties. In fact, data collected (legally) about you by websites can be very lucrative! Companies known as data brokers collect and maintain data on millions of people and charge handsomely for their services!

Why Do I Need To Worry About My Online Privacy?

Just think for a moment about some of the information that is stored about you online…

  • Your PII is stored in the background of probably every online account you have including social media, news and banking
  • Your online banking and superannuation sites contain details of all your accounts and your net worth
  • Your health and taxation records may be accessible online and may contain sensitive information you would prefer not to be shared
  • If you haven’t disabled location services on your phone, your whereabouts can be tracked by clever parties on a daily basis
  • Your pictures and videos

While some of this information is stored without your control, there are steps you can take to tighten up access.

Now, think about your daily online activity…

  • Anything you order online via your web browser can be recorded
  • Anytime you send an email with sensitive information, there is a risk this will also be shared
  • Anytime you pay on the go using a facility like Apple Pay, your purchase will be tracked
  • Anything you search for, the articles you read, the movie tickets you buy and even your weekly online grocery order can be tracked

If this comes as a shock to you then you’re not alone. Many Aussies have been in the dark about what information is available about them online. But, don’t throw the towel in – there are strategies to tighten up your online privacy.

How To Get Your Online Privacy Under Control

There are a few simple steps you can take to lock down your valuable online information. So, make yourself a nice cuppa and let’s get to work:

  1. Manage Your Passwords

Your online passwords are as important as your house keys. In fact, in many cases, it is the only thing stopping cybercriminals from accessing our vital information that we have saved online. So, if you want to tighten up access to your online banking, your social media platforms and your favourite online shopping sites then you need to think carefully about how you manage your passwords.

Passwords need to be complex and unique with at least 8-10 characters and a combination of letters, numbers and symbols. And each of your online accounts should have a separate password which should be changed regularly. Too hard? Consider a Password Manager which creates and manages complex passwords for each of your online accounts – a complete no brainer!! McAfee’s Total Protection software includes a Password Manager which stores, auto-fills and generates unique passwords for all your online accounts. All you need to do is remember one master password! Easy!

And don’t forget, if one of your online accounts is affected by a data breach, then you need to change that password ASAP. If you have a password manager, simply have it generate another password for you.

  2. Use Public Wi-Fi With Caution

If you are serious about your online privacy then you need to use public Wi-Fi sparingly. Unsecured public Wi-Fi is a very risky business. Anything you share could easily find its way into the hands of cybercriminals. So, please avoid sharing any sensitive or personal information while using public Wi-Fi. If you travel regularly or spend the bulk of your time on the road then consider investing in a VPN. A VPN (Virtual Private Network) encrypts your activity which means your login details and other sensitive information is protected. McAfee has a great VPN product called Safe Connect. An excellent insurance policy!

  3. Use 2-Factor Authentication

Adding an additional layer of security to protect yourself when accessing your online accounts is another great way of guarding your online privacy. Turn on two-factor authentication for Google, Dropbox, Facebook and whatever other site offers it. For those new to this option, this means that in addition to your password, you will need to provide another form of identification to ensure you are who you say you are. Most commonly, this is a code sent to your mobile phone or generated by a smart phone app.

  4. Keep Your Software Updated

Software updates and patches are often designed to address a security vulnerability, so ALWAYS install them so the bad guys can’t take advantage of a security hole in your system. If it all becomes too hard, why not automate the updates?

  5. Invest in Security Software for ALL Your Devices

Installing comprehensive security software on all your devices, including laptops, tablets and smartphones, adds another layer of protection to your vital online information. Check out McAfee’s Total Protection software, which will ensure you and your devices are protected against viruses, malware, spyware and ransomware.

  6. Consider a Search Engine that Doesn’t Track Your Every Move Online

If you would prefer that your search engines didn’t collect and store the information you enter then consider an alternative ‘privacy focussed’ search engine. Check out DuckDuckGo that doesn’t profile users or track or sell your information to third parties.

  7. Delete All Cookies

Cookies are another way your online activity can be tracked. While some are harmless and simply used to remember things about you such as your login information and language, others, known as tracking cookies, remain permanently, constantly gathering information about your behaviour and what you click on. So, let’s get rid of them! Head into your web browser’s Privacy settings and clean them out.

So, let’s get our online privacy under control this Privacy Awareness Week. But don’t forget about your kids and elderly relatives too! Proactively managing one’s online privacy needs to be a priority for everyone. Why not start a conversation at the dinner table? Perhaps give the family a privacy-related task each day during Privacy Awareness Week? For example:

Monday – Clean up your passwords or set up a Password Manager

Tuesday – Research a VPN

Wednesday – Set up 2 factor authentication

Thursday – Ensure all your software is up to date and set up auto-updates where possible

Friday – Research privacy focussed search engines and delete all cookies

Over to you mums and dads. Would love to hear how you go.

Alex xx


The post Privacy Awareness Week 2019 – Are You In The Dark About Your Online Privacy? appeared first on McAfee Blogs.

CVE-2019-11815 Remote Code Execution affects Linux Kernel prior to 5.0.8

Security experts have found a race condition vulnerability (CVE-2019-11815) in the Linux kernel prior to 5.0.8 that exposes systems to remote code execution.

Linux systems based on kernel versions prior to 5.0.8 are affected by a race condition vulnerability leading to a use after free that could be exploited by hackers to get remote code execution.

Attackers can trigger the race condition, which resides in the rds_tcp_kill_sock function of the RDS-over-TCP implementation in net/rds/tcp.c, to cause a denial-of-service (DoS) condition and to execute code remotely on vulnerable Linux machines.

The vulnerability could be exploited by sending specially crafted TCP packets to vulnerable Linux systems.

The vulnerability, tracked as CVE-2019-11815, received a CVSS v3.0 base score of 8.1; it could be abused by unauthenticated attackers without user interaction.

However, NIST assigned the vulnerability an exploitability score of 2.2 and an impact score of 5.9 because it is difficult to exploit.

“An issue was discovered in rds_tcp_kill_sock in net/rds/tcp.c in the Linux kernel before 5.0.8. There is a race condition leading to a use-after-free, related to net namespace cleanup.” reads the description provided by Mitre.

The exploitation of the flaw could allow attackers to access resources, modify any files, and deny access to resources.


The Linux kernel development team released a security patch addressing the CVE-2019-11815 flaw at the end of March. The vulnerability was completely fixed with the release of Linux kernel version 5.0.8.

Below are the security advisories published by the major Linux distributions:

Pierluigi Paganini

(SecurityAffairs – CVE-2019-11815, Linux Kernel)

The post CVE-2019-11815 Remote Code Execution affects Linux Kernel prior to 5.0.8 appeared first on Security Affairs.

Expanding Our Cyber Range Portfolio

The Security Innovation CMD+CTRL Cyber Range team has been busy! With the growing acceptance of simulated and gamified environments to better train a variety of skills, our team is delivering more events for our customers and the security community than ever. We’re also receiving a ton of great ideas on new ranges to build, different technologies to focus on, and different ways to educate those new to security while still challenging those with decades of experience.

Chinese National Indicted For Anthem’s 2015 Massive Data Breach

Prosecutors at the U.S. Department of Justice found probable cause to charge 32-year-old Fujie Wang, a Chinese national, as allegedly responsible for the data breach at Anthem, a health insurance firm, four years ago in 2015. The incident resulted in Anthem losing control of at least 78.8 million records. Accused of being a member of a Chinese hacking syndicate, Wang now faces four charges:

  • Intentional damage to a Protected Computer
  • Conspiracy to Commit Wire Fraud
  • Conspiracy to Commit Fraud
  • And other Related Activity in Connection with Computers

Anthem confirmed in 2015 that 78.8 million of its customers had their information stolen, including full names, birth dates, addresses, employment information and the corresponding income data, medical information and social security numbers. Aside from Wang, the other suspects, still at large at the time of this writing, used the online aliases Zhou Zhihong, Kim Young and Deniel Jack.

Before Wang was arrested, the Federal Bureau of Investigation posted a wanted notice to inform the public that the authorities were looking for him:

Federal Bureau of Investigation

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history. These defendants allegedly attacked U.S. businesses operating in four distinct industry sectors, and violated the privacy of over 78 million people by stealing their personal identifiable information,” explained Brian Benczkowski, U.S. Assistant Attorney General.

Unlike a typical breach, where an attacker takes the information stored in the target company’s website, cloud storage or server in a one-time, big-time event, Wang’s team was very deliberate with the infiltration, using stealthy techniques. The DOJ’s indictment decision coincides with the current trade negotiations between China and the United States, which aim to harmonize, if not end, the current trade war between the two top economies of the world.

Aside from Anthem, Wang also faces charges for infiltrating three more businesses, which the DOJ has refused to name but hinted were from the communication, technology and basic industrial material sectors respectively. Anthem was also lax when it came to training its employees on cybersecurity topics such as anti-phishing techniques, which would minimize the chance of them falling for online frauds and scams. The primary suspected route of infiltration into Anthem’s systems was an employee with privileged access opening a malicious email; through a clever social engineering method, the contents of the email convinced the user to open a phishing link or an attachment containing a malware dropper.

On October 20, 2018, hackercombat.com broke the story about Anthem’s decision to pay its affected stakeholders $16 million as settlement for the data breach. It was labeled the “biggest sum gathered by the government in a healthcare data breach”. This was the result of Anthem’s verification of its own systems, and most of the amount will be paid for credit monitoring and identity theft protection for all affected customers.

Source: https://threatpost.com/chinese-hackers-anthem-data-breach-indicted/144572/


The post Chinese National Indicted For Anthem’s 2015 Massive Data Breach appeared first on .

Email Is the Biggest Threat to Business, So Why Is Everyone Using It?

Microsoft’s Outlook.com service suffered a major breach earlier this year. The compromise allowed hackers to potentially access user email accounts, and that was the case for more than six months. This news was no shocker. Outlook has always been, and continues to be a perennial target.

Saying that email is a major service of the Internet is a bit like saying Donald Trump doesn’t like CNN. Email is foundational. In fact, it pre-dates the Internet by decades. (Lest we forget, the first email was sent in 1971).

Email currently has a 90.1% penetration rate among Internet users in the United States, compared to 68% for Facebook and 23% for Twitter. It’s the main communication tool for 95% of businesses. Email addresses are still the main way we authenticate ourselves to do business online, and because of that email as a category represents an extremely weak link in our collective cybersecurity. It doesn’t have to be this way, but as Yogi Berra once said, “We made too many wrong mistakes.”

It’s this familiarity and this reliance on email that has made it the target of choice for hackers, and with that a major liability for businesses and consumers alike. If you think social media networks and data mining organizations have juicy digital assets, consider for a moment the El Dorado of information transmitted daily via email, ranging from intimate correspondences to tax information, travel plans, financial transactions, photos, and shopping lists to real-time data on a user’s emotional state and how their important relationships are going.

Because email isn’t deleted from most servers by default, this target-rich digital information environment is often accessible to anyone with a login and password–something that is regularly served up to hackers by the billions.

The cybersecurity threat posed by email isn’t limited to sensitive data sitting passively on account servers. Email is the preferred tool hackers use to access their targets’ networks: 83% of organizations reported phishing attacks in 2018, up from 76% in 2017. Fully two thirds of malware is installed by clicking on an email attachment.

Email is equal parts Achilles heel and Trojan Horse, so why are we still using it?

“Just Because” Isn’t a Good Answer

It’s not an original thought to say that email is problematic, or that a replacement of some sort would be welcome. Its obsolescence, if not demise, has been predicted repeatedly over the years. A murderers’ row of newer technologies like SharePoint, Slack, Skype, Messenger, and many, many others have seemed like contenders, but email still dominates in the realm of communication.

The reason for email’s ongoing existence despite its obvious shortcomings and major security issues is counter-intuitive. People use it because it’s insecure. That’s why it doesn’t matter that Bill Gates didn’t come through with the promise of eradicating spam by 2006. Spam is something we’re willing to accept to stay Internet nativists. It is the digital equivalent of gnats in nature.

True story: The Internet was not made with security in mind. It was made to communicate fast. While the underlying structures seem naïve, none of it was designed for the general public. Domain names were initially intended as a means of identifying remote academic, military, and government locations. Their corresponding numerical (IP) addresses were limited to roughly 4 billion possible variations. That was more than enough for every single person on the planet at the time of its creation. That this structure didn’t anticipate the rise of Internet-enabled telephones, vacuum cleaners, nuclear reactors, or personal assistants is as much a part of the problem as the fact that they didn’t anticipate every small-time crook switching from convenience store stick-ups and smash and dash crimes to the much less risky practice of email phishing campaigns with the cornucopia of identity-related crimes made possible by them.

Email has none of the strings-attached vibe that the Mark Zuckerbergs of the world have attached to our information, no terms and conditions or privacy policies subject to change, and it doesn’t rely on any specific hardware or software to be able to access it as a service. Looking at its liabilities without understanding its appeal is one of the key factors that has made it a communication mainstay, seemingly against all odds and to the consternation of IT departments around the world.

In this way, email is an object lesson in the cybersecurity quagmire: We’re over-reliant on the idea of technology providing a silver bullet instead of changing our behavior. No Slack or Messenger or any other killer app is going to solve the email problem (although traffic may continue to migrate from email to other modes of communication). The only thing that will change the situation, Yogi Berra might have said, is to change the situation. Meanwhile, he did say this: “If the world were perfect, it wouldn’t be.”

This article originally appeared on Inc.com.

The post Email Is the Biggest Threat to Business, So Why Is Everyone Using It? appeared first on Adam Levin.

Microsoft SharePoint Servers Actively Targeted By Hackers

Hackers are actively exploiting a recently patched remote code execution vulnerability in Microsoft SharePoint Server to plant the China Chopper web shell, which allows them to run various commands on the server.

Canadian and Saudi Arabian cybersecurity agencies raised awareness about the ongoing attacks targeting outdated systems.

The vulnerability, tracked as CVE-2019-0604, affects all versions from SharePoint Server 2010 to SharePoint Server 2019. It was patched by Microsoft in February, with further security updates released on March 12 and again on April 25.

“An attacker who exploits the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. The exploitation of this vulnerability requires a specially crafted SharePoint application package.”

In this case, the attackers used the China Chopper web shell to access the compromised servers remotely and issue commands and manage files on the victim server.

The web shell allows an attacker to upload and download any files from the compromised server and to edit, delete, copy, rename and even to change the timestamp of existing files.

AlienVault security researcher Chris Doman tweeted about the ongoing campaign and published some additional IoCs.

SharePoint CVE-2019-0604 now being exploited in the wild – reports by Saudi (https://t.co/m6VmF7n2Js) and Canadian (https://t.co/yhzY8qgxi8) National Cyber-Security Centres. Some additional IOCs @ https://t.co/gsGOoh6h9r pic.twitter.com/70LQCOmuTn

— chris doman (@chrisdoman) May 9, 2019

According to the cybersecurity agencies, the targeted industries are the academic, utility, heavy industry, manufacturing and technology sectors.

Mitigations

Organizations running SharePoint servers are advised to update them to address the vulnerability.

Indicators of compromise


Source: https://gbhackers.com/hackers-microsoft-sharepoint-servers/


The post Microsoft SharePoint Servers Actively Targeted By Hackers appeared first on .

Episode 491 – Example Of Why 3rd Party Component Security Is Important, Jenkins Plug-ins

Open source communities have made application development faster than ever before. However, there is a downside when it comes to security: you need to stay on top of all your components. This episode talks about a research report that showed over 100 plug-ins for Jenkins that have vulnerabilities. Be aware, be safe. *** Support the […]

The post Episode 491 – Example Of Why 3rd Party Component Security Is Important, Jenkins Plug-ins appeared first on Security In Five.

I am an AI Neophyte

I am an Artificial Intelligence (AI) neophyte. I’m not a data scientist or a computer scientist or even a mathematician. But I am fascinated by AI’s possibilities, enamored with its promise and at times terrified of its potential consequences.

I have the good fortune to work in the company of amazing data scientists that seek to harness AI’s possibilities. I wonder at their ability to make artificial intelligence systems “almost” human. And I use that term very intentionally.

I mean “almost” human, for to date, AI systems lack the fundamentals of humanness. They possess the mechanics of humanness, qualities like logic, rationale, and analytics, but that is far from what makes us human. Their most human trait is one we prefer they not inherit – a propensity to perpetuate bias. To be human is to have consciousness. To be sentient. To have common sense. And to be able to use these qualities and the life experience that informs them to interpret successfully not just the black and white of our world but the millions of shades of grey.

While data scientists are grappling with many technical challenges associated with AI there are a couple I find particularly interesting. The first is bias and the second is lack of common sense.

AI’s propensity to bias is a monster of our own making. Since AI is largely a slave to the data it is given to learn from, its outputs will reflect all aspects of that data, bias included. We have already seen situations where applications leveraging AI have perpetuated human bias unintentionally but with disturbing consequences.

For example, many states have started to use risk assessment tools that leverage AI to predict probable rates of recidivism for criminal defendants. These tools produce a score that is then used by a judge for determining a defendant’s sentencing. The problem is not the tool itself but the data that is used to train it. There is evidence that there has historically been significant racial bias in our judicial systems, so when that data is used to train AI, the resulting output is equally biased.

A report by ProPublica in 2016 found that algorithmic assessment tools are likely to falsely flag African American defendants as future criminals at nearly twice the rate as white defendants*. For any of you who saw the Tom Cruise movie, Minority Report, it is disturbing to consider the similarities between the fictional technology used in the movie to predict future criminal behavior and this real life application of AI.

The second challenge is how to train artificial intelligence to be as good at interpreting nuance as humans are. It is straightforward to train AI to do something like identifying an image as a hippopotamus. You provide it with hundreds or thousands of images or descriptions of a hippo and eventually it gets it right most if not all of the time.

The accuracy percentage is likely to go down for things that are perhaps more difficult to distinguish—such as a picture of a field of sheep versus a picture of popcorn on a green blanket—but with enough training even this is a challenge that can be overcome.

The interesting thing is that the challenge is not limited to things that lack distinguishing characteristics. In fact, the things that are so obvious that they never get stated or documented, can be equally difficult for AI to process.

For example, we humans know that a hippopotamus cannot ride a bicycle. We inherently know that if someone says “Jimmy played with his boat in the swimming pool” that, except in very rare instances likely involving eccentric billionaires, the boat was a toy boat and not a full-size catamaran.

No one told us these things – it’s just common sense. The common sense aspects of interpreting these situations could be lost on AI. The technology also lacks the ability to infer emotion or intent from data. If we see someone buying flowers we can mentally infer why – a romantic dinner or somebody’s in the doghouse. We can not only guess why they are buying flowers, but when I say somebody’s in the dog house you know exactly what I mean. It’s not that they are literally in the dog house, but someone did something stupid and the flowers are an attempt at atonement.

That leap is too big for AI today. When you add to the mix cultural differences it exponentially increases the complexity. If a British person says put something in the boot it is likely going to be groceries. If it is an American it will likely be a foot. Teaching AI common sense is a difficult task and one that will take significant research and effort on the part of experts in the field.

But the leap from logic, rationale and analytics to common sense is a leap we need AI to make for it to truly become the tool we need it to be, in cybersecurity and in every other field of human endeavor.

In my next blog, I’ll discuss the importance of ensuring that this profoundly impactful technology reflects our human values in its infancy, before it starts influencing and shaping them itself.

*ProPublica, Machine Bias, May 23, 2016

The post I am an AI Neophyte appeared first on McAfee Blogs.

Practical Ways to Reduce Ransomware Impact: Actions You Can Take Today

During the past year, Cisco Security Incident Response Services has provided emergency incident response services for many customers dealing with incidents that sometimes become a ransomware event. In many cases, we were engaged by the company at the first sign of trouble and were able to help contain the initial incident and reduce the ability of the attacker to shift to a ransomware phase. In other incidents, we were asked to help long after the attackers were in the environment and the systems were already encrypted.

In this blog post, I will share some practical tips that our team uses with our customers to help mitigate the risk of ransomware causing a significant business outage.

Figure 1: Phases of an attack.

If we follow the standard attack lifecycle (Figure 1), the first step that we need to consider is how we would address the initial attack vector. For this blog post, let us assume the initial access vector is email (which we have observed is often the case).

Initial Attack

The first thing to consider is intelligence-based email monitoring and filtering. An example of this would be the Cisco Email Security Appliance (ESA) product which integrates Cisco Talos threat intelligence into an active email inspection platform.

ESA should be deployed to examine email, both inbound and outbound, from the organization. This filtering should be tied to an intelligence feed that dynamically adds new known malicious domains, IP addresses, behavioral indicators, signatures, etc.

By itself, this will not fully protect an organization but without this, you expose your users and your environment to preventable email-based attacks. This control should create log events into the security monitoring system. These events should be reviewed regularly by a member of the monitoring team and if possible correlated with other events (involving the same time, internal hosts, external IP/Domain, and any malware detected). The capability of being able to also review email historically for suspicious attachments or previously unidentified malicious files is helpful for scoping and understanding the scale of the incident and can be used for hunting if the initial detection somehow fails.

User Actions

Subsequent to the initial malicious email entering an environment, the next obvious question is “did the user open it” or “did the user click the link”? To answer these questions, we require some specific log telemetry from within the environment.

DNS logs, such as those available from Cisco Umbrella, can be invaluable for identifying whether a user, IP address or device made a request related to a known suspicious domain or IP address. If there is an active incident, these logs should be examined for any requests associated with the incident. These DNS logs should be part of the overall logging environment, and the events should also be used to block and track requests to known malicious domains. Again, this should be correlated into events of interest for the monitoring team to consider. This helps us understand whether the domain was requested, but by itself does not indicate what the interaction was between the user and the destination.

To gather information on the interaction between the user and the destination, we require logs from a deployed web proxy system that captures the outbound web requests and the responses. Cisco Web Security Appliance (WSA) is an example of an active web proxy/filtering system, powered by Cisco Talos threat intelligence. These systems can often block or filter known malicious sites (again based on intelligence) and also retain the HTTP transaction between the user’s web browser and the destination. This can help us answer the question of what was done on the site, or what the site sent as a response.
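The correlation the three preceding paragraphs describe, as an added example that is not Cisco's code: three constructed logs (an email-gateway delivery log, a DNS resolver log and a web-proxy log, in a simplified key=value format rather than any real ESA, Umbrella or WSA export schema), a constructed threat list, and an assumed mailbox-to-workstation mapping. For each delivered message whose URL points at a listed domain, the code looks for a DNS query and a proxy fetch from the recipient's host within a time window and reports how far the interaction got; a second function lists hosts that resolved a listed domain without any matching email, the hunting case the text mentions.

```python
"""Correlate email-gateway, DNS and web-proxy events for one recipient/host.

Added example, not Cisco's code or a real ESA/Umbrella/WSA export format:
the three logs, the threat list and the user-to-host mapping are constructed.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed threat-intelligence feed (stands in for a dynamic intel feed).
MALICIOUS_DOMAINS = {"invoice-update.example", "cdn-files.example"}

# Constructed mailbox -> workstation mapping (from DHCP/VPN/asset data in practice).
USER_HOST = {"alice@corp.example": "10.0.0.5", "bob@corp.example": "10.0.0.7"}

# Constructed email-gateway log: delivery time, recipient, sender IP, URL in body.
EMAIL_LOG = """\
2019-05-13T08:01:10Z action=deliver rcpt=alice@corp.example sender_ip=203.0.113.9 url=http://invoice-update.example/inv.doc
2019-05-13T08:02:45Z action=deliver rcpt=bob@corp.example sender_ip=198.51.100.4 url=https://www.example.org/newsletter
"""

# Constructed DNS resolver log: time, internal client, queried name.
DNS_LOG = """\
2019-05-13T08:05:02Z client=10.0.0.5 query=invoice-update.example type=A
2019-05-13T08:05:30Z client=10.0.0.7 query=www.example.org type=A
2019-05-13T11:40:00Z client=10.0.0.9 query=invoice-update.example type=A
"""

# Constructed web-proxy log: time, client, method, URL, status, bytes returned.
PROXY_LOG = """\
2019-05-13T08:05:03Z client=10.0.0.5 method=GET url=http://invoice-update.example/inv.doc status=200 bytes=48213
2019-05-13T08:05:31Z client=10.0.0.7 method=GET url=https://www.example.org/newsletter status=200 bytes=9021
"""


def parse_log(text):
    """Parse lines of 'TIMESTAMP key=value key=value ...' into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def correlate(email_log, dns_log, proxy_log, window=timedelta(hours=1)):
    """For each delivered email whose URL points at a known-malicious domain,
    look for a DNS query and a proxy request for that domain from the
    recipient's host within `window`.  DNS alone only proves the name was
    resolved; the proxy record shows what was fetched and how much came back."""
    dns = parse_log(dns_log)
    proxy = parse_log(proxy_log)
    findings = []
    for mail in parse_log(email_log):
        domain = urlparse(mail.get("url", "")).hostname
        if domain not in MALICIOUS_DOMAINS:
            continue
        host = USER_HOST.get(mail["rcpt"])
        start, end = mail["ts"], mail["ts"] + window
        resolved = [d for d in dns
                    if d["client"] == host and d["query"] == domain and start <= d["ts"] <= end]
        fetched = [p for p in proxy
                   if p["client"] == host and urlparse(p["url"]).hostname == domain
                   and start <= p["ts"] <= end]
        findings.append({
            "rcpt": mail["rcpt"], "host": host, "domain": domain,
            "dns_hits": len(resolved), "proxy_hits": len(fetched),
            "bytes_received": sum(int(p["bytes"]) for p in fetched),
            "stage": "fetched" if fetched else ("resolved" if resolved else "delivered_only"),
        })
    return findings


def orphan_dns_hits(dns_log, findings):
    """Hunting view: hosts that resolved a malicious domain without a matching
    email finding, i.e. cases the mail-based detection would have missed."""
    covered = {(f["host"], f["domain"]) for f in findings}
    return sorted({d["client"] for d in parse_log(dns_log)
                   if d["query"] in MALICIOUS_DOMAINS and (d["client"], d["query"]) not in covered})


if __name__ == "__main__":
    hits = correlate(EMAIL_LOG, DNS_LOG, PROXY_LOG)
    for h in hits:
        print(h)
    print("uncorrelated DNS hits:", orphan_dns_hits(DNS_LOG, hits))
```

On the constructed data, alice's message is reported at stage "fetched" with 48213 bytes returned, while 10.0.0.9 shows up only in the orphan list: it resolved the listed domain hours later with no delivered email behind it, which is exactly the case the text says historical review and hunting must catch.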

To address the question of “did the user open the file”, we recommend implementing the Windows Sysinternals System Monitor (Sysmon), which can help answer questions of user behavior and activity. Alternatively, many endpoint security tools may also be able to answer this question. Be sure to test your tools before an incident, so you know what normal activity looks like before you get into an incident and have to try to parse the alerts.
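How Sysmon telemetry answers “did the user open the file”, as an added example that is not Cisco's code: the records below are constructed, but they use the real field names of Sysmon Event ID 1 (ProcessCreate): UtcTime, User, Image, ParentImage and CommandLine. One function recovers which documents a user opened in an Office application from the command line of the Office process; the other flags the sequence that turns an opened document into an incident, an Office or mail-client parent launching a script or shell interpreter. The executable name lists are the example's own assumptions and would be tuned per environment.

```python
"""Did the user open the attachment, and did it spawn something?

Added example, not Cisco's code.  The records are constructed but use the
real field names of Sysmon Event ID 1 (ProcessCreate): UtcTime, User,
Image, ParentImage, CommandLine.
"""
import ntpath
import re

# Parents that a user-driven document open normally runs under (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Children that a document should not normally launch (assumed list).
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# A quoted document path on an Office command line.
DOC_ARG = re.compile(r'"([^"]+\.(?:docx?|docm|xlsx?|xlsm|pptx?|rtf))"', re.I)

OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SYSMON_EVENTS = [  # constructed
    {"EventID": 1, "UtcTime": "2019-05-13 08:05:40.101", "User": "CORP\\alice",
     "Image": OFFICE + "WINWORD.EXE", "ParentImage": OFFICE + "OUTLOOK.EXE",
     "CommandLine": f'"{OFFICE}WINWORD.EXE" /n "C:\\Users\\alice\\AppData\\Local\\Temp\\inv.doc"'},
    {"EventID": 1, "UtcTime": "2019-05-13 08:05:52.774", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": OFFICE + "WINWORD.EXE",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\stage.ps1"},
    {"EventID": 1, "UtcTime": "2019-05-13 08:10:03.000", "User": "CORP\\bob",
     "Image": OFFICE + "EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f'"{OFFICE}EXCEL.EXE" "C:\\Users\\bob\\Documents\\budget.xlsx"'},
    {"EventID": 3, "UtcTime": "2019-05-13 08:05:53.010", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationIp": "203.0.113.9", "DestinationPort": "443"},  # NetworkConnect, not ProcessCreate
]


def exe_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def documents_opened(events, user):
    """Return document paths this user opened in an Office application."""
    docs = []
    for e in events:
        if e["EventID"] == 1 and e["User"] == user and exe_name(e["Image"]) in OFFICE_PARENTS:
            docs.extend(m.group(1) for m in DOC_ARG.finditer(e["CommandLine"]))
    return docs


def office_spawned_interpreters(events):
    """Flag ProcessCreate events where an Office/mail parent launched an interpreter."""
    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        parent, child = exe_name(e["ParentImage"]), exe_name(e["Image"])
        if parent in OFFICE_PARENTS and child in INTERPRETERS:
            hits.append({"time": e["UtcTime"], "user": e["User"], "parent": parent,
                         "child": child, "command": e["CommandLine"]})
    return hits


if __name__ == "__main__":
    print("alice opened:", documents_opened(SYSMON_EVENTS, "CORP\\alice"))
    for h in office_spawned_interpreters(SYSMON_EVENTS):
        print("ALERT", h)
```

Bob's spreadsheet opened from Explorer is reported as a document open but raises no alert; alice's Word instance launched from Outlook and then spawning PowerShell does. This is the kind of baseline the text asks you to establish before an incident: run the rule over a normal week and see which parent/child pairs your own software legitimately produces.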

Account Compromise

Following the attack life-cycle, the next phase is account compromise: did the user provide their credentials (e.g., if they were prompted to enter their password to access what appeared to be a legitimate company web page), or did the malware gather locally cached account data from the system? This is where we recommend multi-factor authentication (MFA) as the standard for all environments.

We have frequently recommended multi-factor for “high risk” accounts, or for “all externally facing services”, but with the current attack patterns we recommend multi-factor for all Active Directory environments. There can be technical limitations on implementing MFA for some legacy systems, legacy access types, etc. Those exceptions should be identified and very closely monitored for unexpected activity, or isolated into separate Organizational Units or Groups. This may allow early detection of misuse and may limit the impact of these systems or credentials, should they become compromised.

Another key consideration is to monitor the system used to manage the multi-factor authentication. We have seen attackers attempt to bring these systems offline, to attempt to access these systems, or to successfully access these systems and either create one-time use passcodes or create a new account that was allowed to bypass the multi-factor requirement. These systems must be closely monitored for all access and modifications to the users, groups, or creation of one-time use codes.

Privilege Escalation

The next phase is privilege escalation. In this phase, we recommend a multi-pronged approach, as there are multiple risks to address. The first risk is an environment with a shared local administrator password across multiple devices. This is still a very common practice in many environments, due to a number of factors.

A solution that can assist with this is implementing the Microsoft Local Administrator Password Solution (LAPS). This provides a better method to manage local accounts. The second risk is an attacker compromising one of the privileged accounts in the environment. If multi-factor authentication is required on these accounts, this should be unlikely, but these accounts must still be monitored for misuse. Additionally, these privileged groups should be monitored for modification (adding or deleting users, or changes to the group roles). These are also events that should trigger alerts that are evaluated by the monitoring team.

Lateral Movement

Lateral movement occurs next. To detect and thwart this, we need to reduce the ability for a user account to move freely within the environment without being validated or having authorization.

This can be started by reducing the internal network access from the standard user segments and VPN devices. Network segmentation can be complex to implement across the entire environment, but it is often achievable to make some small restrictions using virtual LANs (VLANs) to reduce which networks can access critical segments. Privileged or Administrator activity should always originate from an approved “jump box” that is hardened and monitored, and has specific access restrictions for only those users who require this access. Role-based access should also be enforced: not everyone should have access to production, to the code base, or to sensitive data. Access (successful and failed) should be logged and correlated. Reducing the number and type of ports and protocols within the environment may also help to reduce the spread of malware or lateral movement that expects specific capabilities, such as the Server Message Block (SMB) protocol.
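Two of the alerts the Privilege Escalation and Lateral Movement sections ask for, as one added example that is not Cisco's code: privileged group membership changes, and one account logging on to many hosts in a short window, which is what "access logged and correlated" lets you see. The records are constructed, but the event IDs and field names are Windows' own: 4728/4732/4756 are "member added to a security-enabled global/local/universal group" and 4729/4733/4757 the removals (SubjectUserName is the actor, MemberName the DN added, TargetUserName the group); 4624 is a successful logon, with LogonType 3 a network logon and Computer the host that recorded it. The watched-group list and the fan-out threshold are assumptions to tune per environment.

```python
"""Two alert rules over Windows Security events: privileged group membership
changes (Privilege Escalation) and one account reaching many hosts in a short
window (Lateral Movement).

Added example, not Cisco's code.  The records are constructed; the event IDs
are Windows' own: 4728/4732/4756 = member added to a security-enabled
global/local/universal group, 4729/4733/4757 = member removed,
4624 = successful logon, where LogonType 3 is a network logon.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watch list; extend with any group that grants broad rights in your forest.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Backup Operators"}
GROUP_ADDED = {4728, 4732, 4756}
GROUP_REMOVED = {4729, 4733, 4757}


def _logon(user, src_ip, computer, minute):
    """Constructed 4624 network logon recorded on `computer`."""
    return {"EventID": 4624, "TimeCreated": f"2019-05-13T10:{minute:02d}:00Z",
            "TargetUserName": user, "LogonType": "3", "IpAddress": src_ip,
            "Computer": computer}


EVENTS = [  # constructed
    {"EventID": 4728, "TimeCreated": "2019-05-13T09:12:00Z", "SubjectUserName": "svc-helpdesk",
     "MemberName": "CN=alice,OU=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"},
    {"EventID": 4732, "TimeCreated": "2019-05-13T09:15:00Z", "SubjectUserName": "it-admin",
     "MemberName": "CN=bob,OU=Users,DC=corp,DC=example", "TargetUserName": "Remote Desktop Users"},
    {"EventID": 4624, "TimeCreated": "2019-05-13T09:20:00Z", "TargetUserName": "carol",
     "LogonType": "2", "IpAddress": "-", "Computer": "WS07"},  # interactive logon, not counted
] + [_logon("alice", "10.0.0.5", f"SRV{n:02d}", 30 + n) for n in range(6)] \
  + [_logon("bob", "10.0.0.7", "FS01", 31)]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def privileged_group_changes(events):
    """Every add/remove on a watched group is an alert for the monitoring team."""
    alerts = []
    for e in events:
        if e["EventID"] in GROUP_ADDED | GROUP_REMOVED and e["TargetUserName"] in PRIVILEGED_GROUPS:
            alerts.append({"time": e["TimeCreated"],
                           "action": "added" if e["EventID"] in GROUP_ADDED else "removed",
                           "actor": e["SubjectUserName"], "member": e["MemberName"],
                           "group": e["TargetUserName"]})
    return alerts


def logon_fanout(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts whose network logons reach >= `threshold` distinct hosts within `window`.
    Returns {user: sorted hosts} for the first window that crosses the threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e.get("LogonType") == "3":
            by_user[e["TargetUserName"]].append((_ts(e["TimeCreated"]), e["Computer"]))
    alerts = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {host for ts, host in logons[i:] if ts <= start + window}
            if len(hosts) >= threshold:
                alerts[user] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for a in privileged_group_changes(EVENTS):
        print("GROUP ALERT", a)
    for user, hosts in logon_fanout(EVENTS).items():
        print("FANOUT ALERT", user, "->", hosts)
```

The first rule fires on a helpdesk service account adding alice to Domain Admins but stays silent on the Remote Desktop Users change; the second fires on alice touching six servers in five minutes and not on bob's single file-server logon. In a real deployment the threshold is set from a baseline of backup, scanning and management accounts, and those are either excluded or, better, restricted to the jump box the text describes so that their fan-out comes from one known source address.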

Encryption of Data

The ultimate risk of a ransomware attack is in the final phase. This is when the attacker is able to encrypt critical business systems or services, causing a business outage. The impact of this outage varies based on the function of your business, your tolerance (or your customers’ tolerance) for downtime, and many other factors.

For environments that have critical services that impact life and safety of people, we strongly recommend partnering with the disaster recovery and business continuity teams to test existing plans and update them accordingly with steps that cover full data center loss via ransomware. Other questions that should be considered: Are your backups offline and secure from the possible ransomware? Does your online backup system use the same credentials as your Active Directory environment? Has your organization practiced what a data restore would look like and how long it would take? Is the necessary hardware (or virtual space) available to be able to restore your environment? Is there an understanding of dependencies and other tactical considerations?

Take Action Today

These recommendations will help you improve your ability to detect attacks in the earlier (pre-ransomware) stages and will reduce the overall impact of a ransomware incident. You must take key preventative steps, while also readying your team to act when it strikes. Educate yourself with more information on Cisco Ransomware Defense solutions. If you feel you need hands-on, expert assistance, consider contacting our team – our incident responders can help you prepare your own team with proactive services and we can work alongside your team during active incidents.

The post Practical Ways to Reduce Ransomware Impact: Actions You Can Take Today appeared first on Cisco Blog.

Spying on personal alarms and GPS trackers is as simple as sending an SMS

Security experts found that the devices – manufactured in China, and rebadged by multiple companies around the world – are vulnerable to a simple hack that could allow a hacker to track their location, and even secretly listen in via the microphone.

Read more in my article on the Bitdefender BOX blog.

FBI Investigating Baltimore Ransomware Attack

Mayor Bernard C. “Jack” Young assured the residents of Baltimore that the city’s emergency systems would function normally even as the city fights a ransomware attack on its computer networks.

FBI agents are investigating the breach, which was first discovered Tuesday morning, and the city’s IT department is working to fix the problem with “some outside help,” Young said. IT Director Frank Johnson confirmed that the city’s computers were infected with a “very aggressive” form of ransomware called “RobinHood,” which locks city files and holds them for ransom until the hackers responsible for the malware are paid.

Lester Davis, Young’s spokesman, confirmed that no personal data of city residents was stolen from the city’s computer systems.

Technicians are currently working to find the cause of the problem and determine what is really involved. Johnson and Young declined to comment on the scope of the attack. They said it is under investigation and could not give a timeline for when the problem would be resolved.

Young said he would not pay a ransom to the hackers or anybody.

Residents who want to pay water bills, parking tickets, and other charges will need to “return to the manual,” Young said, and pay them in person. Late fees on these payments have also been temporarily suspended.

“We can say with confidence that public safety systems are up and operational,” Johnson said. “For now, if anybody needs to contact the city the best way to do it is to pick up the plain old telephone and give us a call.”

All city employees were working today even though they could not access their email or files, Young said. If the attack keeps employees from doing their jobs, the mayor said he would ask them whether they would “go out and help us cleanse the city.” This is the second cyber threat the city has faced in more than a year.

In March 2018, the city’s 911 dispatch system was breached and the call service had to be temporarily put into manual mode, which meant that information about incoming callers could not be forwarded electronically. The system was fully restored within 24 hours.

Immediately after the 2018 attack, Johnson said it was a case of ransomware. An investigation revealed that systems were left vulnerable because of an internal change made to the system’s firewall by a technician who was troubleshooting an unrelated communication issue within the computer-aided dispatch system, Johnson noted.

Johnson said Wednesday that the city has “very, very good capability” for stopping cyber-attacks, and includes cybersecurity awareness in its training for city employees. He added that the city’s IT infrastructure has been assessed several times since he took control of the department in late 2017 and has gotten “multiple clean bills of health.”

He declined to say how often the city’s computer systems were updated.

Similar ransomware attacks have occurred in recent years at airports, hospitals, private companies, and other cities, and city officials point out that such attacks are not unique to Baltimore.

“This could happen anywhere,” Young said. “I don’t care what kind of system you put in place, they always find a way to infect the system.”

Source: https://baltimore.cbslocal.com/2019/05/10/fbi-investigating-baltimore-city-ransomware-attack/

Related Resources:

Baltimore Shuts Down Its Servers As the City Is Hit By Ransomware

How to Remove Pewcrypt Ransomware

Beware of 10 Past Ransomware Attacks

Community Efforts Against Ransomware

The post FBI Investigating Baltimore Ransomware Attack appeared first on .