407-445-2414 info@wrmllc.com
Managing Risk In A Connected World

Managing Risk In A Connected World

Nov 28, 2018 | Cybersecurity

As digital transformation takes hold, organizations must learn what their cybersecurity risks are – and how best to address them.

Cybersecurity is in the news, but the risks posed by weak and outdated security measures are hardly new. For more than two decades, organizations have struggled to keep pace with rapidly evolving attack technologies.

With the arrival in May of WannaCry, a massive and highly coordinated ransomware attack that left tens of thousands of organizations around the world hoping for the safe restoration of their data, the threat posed by malware creators took an ominous turn. The attack sent an unambiguous wake-up call to organizations worldwide that now is the time to reassess and reinforce existing cybersecurity strategies.

Connectivity Creates Opportunities and Challenges

Emerging technologies, particularly the Internet of Things (IoT), are taking global connectivity to a new level, opening fresh and compelling opportunities for both adopters and, unfortunately, attackers.

Sadik Al-Abdulla, director of security solutions for CDW, says growing connectivity has ushered in a new era of critical security threats. “The same viruses we’ve been fighting for 20 years, now those viruses grow teeth,” he adds, noting that organizations are just beginning to respond to more dangerous cybersecurity adversaries. “Suddenly, just in the last 18 months, with the explosion of ransomware, we’ve seen really substantial support from outside IT to actually start getting these projects done, because there has been real pain experienced.”

IoT poses a significant new challenge, Al-Abdulla observes. “As new devices are connected, they represent both a potential ingress point for an attacker as well as another set of devices that have to be managed,” he says. “Unfortunately, most of the world is trying to achieve the promise provided by IoT projects as rapidly as possible, and they are not including security in the original design, which creates a greater weakness that is very, very hard to get back after the fact and correct.”

Al-Abdulla also notes that many organizations are unintentionally raising their security risk by neglecting routine network security tasks. “Every time our assessment team looks at the inside of a network, we find systems that haven’t been patched in 10 years,” he says. “Sometimes, it’s IoT devices.”

Al-Abdulla’s team has observed devices with “a flavor of Linux or Windows embedded” that have not been updated since they left the factory. Security cameras, badge readers, medical devices, thermostats and a variety of other connected technologies all create potential attack gateways.

“All it takes is the wrong guy to click the wrong thing in the wrong part of the network,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group. “You get mass propagation throughout the environment, and then you have a huge problem.”

“It’s a very complicated world that we live in right now because the attacker and defense problem is highly asymmetrical,” Roesch adds.

The changing nature of networks and the devices located within them, combined with the fact that organizations keep introducing new software and hardware into their IT environments, make it nearly impossible to keep pace with a new generation of skilled attackers. “It becomes very, very difficult to respond and be effective against the kind of threat environment that we face today because the attackers are highly motivated,” he says.

The Danger of Giving in to Ransomware

Ransomware is like a thug with a gun: “Pay up, or your data gets it!”

Facing such a blunt demand, many organizations simply cave in and hand over whatever amount of money (usually in the form of bitcoin) is necessary to regain their data.

Problem solved? Not necessarily, says Michael Viscuso, co-founder and chief technology officer of endpoint security provider Carbon Black, who sees no easy way out of a ransomware attack. “It’s still surprising to me that people who have paid the ransom think that the game is over,” he says. “The reality is that the attacker has access to your system and is encrypting and decrypting your files whenever he wants to – and charging you every time.”

James Lyne, global head of security research at security technology company Sophos, notes that many ransomware attackers hide code within decrypted data, allowing them to reinfect the host at a future date. “Because if you’ll pay once, you’ll pay twice,” he explains.

Lyne also warns about the emerging threat of “shredware,” malware that encrypts data without requesting a ransom, effectively destroying it. “I bring that up because I’ve had a lot of board advisory meetings recently where people have said, ‘Well surely, we’ll just keep a fund, and if our data is encrypted, we will just pay the cybercriminals,’” he says.

Instead, organizations can take steps to defend themselves against ransomware. These steps include:

Effective backups: IT staff can save themselves trouble and money by implementing regular backup practices to an external location such as a backup service. In the event of a ransomware infection, backup data can get organizations back on their feet quickly.

User training: Most infections are the result of users clicking on links or attachments that are connected to malicious payloads. IT teams can avoid these pitfalls by training users to look out for them.

Deployment of security solutions: Measures such as anti-malware, firewalls and email filters can help detect ransomware and prevent infections.

The Human Factor

While following security best practices is essential to network security, many organizations remain unaware of or pay little attention to, the weakest link in the security chain: people.

It doesn’t make sense to try to solve what is essentially a human problem solely with technical means, says Mike Waters, director of enterprise information security for management consulting firm Booz Allen Hamilton. “We have to create an atmosphere, an environment, where people can tell us what risks they know about, and we can document them and work through it in a deliberative manner,” he adds.

Booz Allen has 25,000 people working for it, Waters says, adding, “I need 25,000 people to defend Booz Allen.” Educating users — and instilling in them just a touch of paranoia, he quips — leads to an alert organization in which users report every suspicious thing they encounter. “Ninety-nine percent of what they report is not bad, but the 1 percent that’s critical can get to us,” he says. “We reinforce that behavior — tell us everything.”

Meet the Evil Entrepreneurs

In much the same way that organizations boost their results through ambition and innovation, cybercriminals also are improving the way they operate. “The bad guys are entrepreneurial,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group.

Most successful cybercriminals are part of large and well-structured technology organizations. “There’s a team of people setting up infrastructure and hosting facilities; there’s a team of people doing vulnerability research; there’s a team of people doing extraction of data; there’s a team of people building ransomware; there’s a team of people delivering ransomware; there’s a team of people doing vulnerability assessment on the internet; there’s a team of people figuring out how to bypass spam filters,” says Michael Viscuso, co-founder and CTO of Carbon Black.

Roesch says organizations have found it “very difficult to respond and be effective against the kind of threat environment that we face today,” but says security experts within Cisco have specifically targeted cybercrime organizations and achieved some success in shutting them down.

Weighing Risk Against Benefits

Security boils down to measuring risk against anticipated benefits. “One of the fascinating things about risk is that low-level engineers know where the risks are, but they don’t necessarily tell anybody,” Waters says. As an example, he cites Operation Market Garden, a World War II Allied military effort (documented in the book and movie A Bridge Too Far) that was fatally hampered by poor radio communication. “People knew those radios weren’t going to work when they got over there,” Waters says. “They didn’t tell anybody because they didn’t want to rock the boat.”

Once a risk is identified, users and IT professionals must be committed to addressing it, with the support of executives. Across all departments and in all situations, calm person-to-person communication is always a reliable and effective security tool. “If we’re running around with our hair on fire all the time, they don’t want to talk to us,” Waters adds. “We want everybody to be able to talk with us and share their risks, so we know to prioritize and trust them.”

In a perfect world, security professionals would strive to create a risk-free environment. “We want it all down to zero,” Waters says. That’s not possible, however, because some degree of risk is inherent in every action an organization takes. “As challenging as it may seem, there are risks businesses are willing to accept,” Waters adds.

Too much caution blocks or degrades benefits, particularly when security mandates unnecessarily interfere with routine activities. Simply telling people what not to do is rarely effective, particularly if what they’re doing saves time and produces positive results. “We talk about Dropbox and things like that,” Waters says. “If your policies are too restrictive, people will find a way around them.”

Author: Forbes
Source: Forbes

Surviving a Ransomware Attack

Surviving a Ransomware Attack

Sep 12, 2018 | Cybersecurity

The FBI recently noted a decline in ransomware attacks reported to the agency in 2017, at 1,783 compared to 2,673 the previous year. But don’t necessarily read this as good news. The reality is ransomware, like many other cyber-attack types, goes largely under-reported. A Verizon report, based on its analysis of tens of thousands of real-world security incidents, found that ransomware incidents have doubled over the past year.

Ransomware is a class of malware that locks your system and encrypts vital files. Attackers usually demand a cryptocurrency payment to release the files, but there’s no guarantee they will actually do so after receiving payment.

Attackers have typically cast the net wide, but criminals are becoming more sophisticated about how they can maximize profit.

“We used to hear very often it was mostly consumers – but [for those attacks] you’re looking at $75 as a cyber-criminal,” says Theresa Payton, former Whitehouse CIO who’s now president and CEO of Fortalice Solutions. “Why do that when you can go from a mom and pop shop all the way up to the Fortune 50?

“And that’s what they’re doing. They’re hitting all businesses, targeting Any business connected to the internet – and what business isn’t?”

Significant Impact

In 2017 the WannaCry, NotPetya, and BadRabbit strains didn’t just disrupt business processes; they hobbled infrastructure and hurt international brands like FedEx. This took the ransomware threat vector to a “completely new level,” using worms to propagate through systems and impacting 300-400,000 devices worldwide, says Steven Wilson, head of Europol’s EC3 cyber-crime center.

And the rise of off-the-shelf kits that can be bought online for just dollars puts ransomware tools in the hands of anyone with the will to use them.

The organizational impact can be severe, ranging from downtime to reputational damage. One official British report suggested that the public response to WannaCry had even undermined trust in government.

“Just think: your entire customer records database is gone,” says Wilson. “You don’t know who owes you money, who you owe money to, or who you’re going to sell your product to. That’s the reality if ransomware strikes you. Everything is gone.”

Raising Awareness

If there is a positive outcome, it’s that WannaCry raised awareness that ransomware is here to stay: an unfortunate case of “if” and not “when”.Fortunately, there are basic cyber hygiene steps you can introduce to avert potential disaster.

Often it’s the unpredictable human element that’s the weakest link in cyber defense, so awareness training can go a long way.

On the technical side, it’s making sure your systems are up to date and fully patched so that the latest versions of your operating systems are running with trusted anti-malware solutions and the latest definitions.

And if the worst happens, maintain a recovery plan with a full set of backups.

According to Payton, organizations should also consider network segmentation and be introducing kill switches to prevent malware from moving laterally, as WannaCry did.

“Practice for the worst and hope for the best – making sure you’re thinking ahead, practicing that digital disaster, practicing your comms plan,” suggests Payton, adding that organizations should also perform test runs on full restores.

How can the technology community help?

Public and private bodies must work together with vulnerabilities out in the open, collaborating to prevent or mitigate future disasters. NoMoreRansom, for example, pools resources across organizations to provide decryptors for known threats.

Source: CIO