Tuesday, February 11, 2020

Be Ransom-aware

Ransomware is a hot topic, and so it should be. It seems that every day there are news articles, such as this recent piece from the New York Times, that show the devastation a ransomware attack can cause. A ransomware attack used to be little more than an annoyance. If you got hit, you would just restore your important files from back-ups and carry on with your day. (You did make back-ups, didn't you?) Then, likely as a result of the increased threat of ransomware, we started backing up everything, all the time. Then the hackers started encrypting our back-ups as well, since they were on the same network. Now the hackers are being much more selective in their targets and going after enterprises large enough to make for a great payday. But those large enterprises wouldn't always pay, and smaller businesses in the supply chain would get hurt by the downtime experienced by the larger players. So the hackers started leaking sensitive files to prove that they had them, adding blackmail to the ransom. (Hey, in for a penny, in for a pound. Right?) The internet is crying out for a solution, but few are provided. Unfortunately, there is no magic bullet.

What the problem calls for is some good old-fashioned risk analysis and mitigation. Ransomware works because your data is valuable... even if to nobody but you. If the hackers can't get at your data, you're golden. Unfortunately, most networks are completely open once the firewall is breached. (You did set up a firewall, didn't you?) Now, before you start envisioning hackers wheeling some medieval war machine up to the edge of a moat, consider that the majority of security breaches are initiated from the inside. Social engineering is responsible for more security violations than any other penetration method. So before you spend any money hardening your network, harden your staff. This involves more than just circulating a memo telling everyone to be careful. The reason there are companies dedicated to security awareness training is that it's hard work. However, purely from a bang-for-the-buck perspective, instilling a security mindset in your employees is the best investment.

Next on the risk-awareness parade is locking your doors. It is a security best practice to grant access only to those who have a reason to access. Many, if not most, organizations mount network drives by default. While that makes getting and transferring data quicker, it also makes it easy for hackers to travel from one computer to the entire network. As a result, the hacker often only needs to fool one person to get at everyone. Restricting access to other network devices to only the time they are actually needed will stop an attacker from being able to browse with ease. Should all documents be available to everybody? Probably not, at least not all the time. Should database backups be available to the whole team? I doubt it. A hardened network may be inconvenient for your employees, but it is probably less inconvenient than looking for a new job because the company was shuttered after an attack.

Now that we have locked our doors, let's put things away. As mentioned earlier, the current trend among ransomware hackers is to look for files or data that may be sensitive and steal them to use as blackmail if the ransom is not paid. This is where protecting data at rest comes into play. If all hard drives, devices, and databases are encrypted, the hackers won't have any way of knowing what is sensitive, and won't be able to use it as leverage.

This brings me to the backups themselves. Your risk analysis is going to have to take into account managing your backups. Backing up your databases and documents is only a small part of the equation... important, yes, but small. What good are the backups if you cannot access them? The ability to retrieve the data on backups is the real goal. Doing it quickly enough is almost as important. When considering the risk of a ransomware attack, one must consider how long the network can be shut down before losses become critical. For some companies, an hour may feel like an eternity. For others, a week could go by and they could still recover. For the latter, it may be sufficient to do daily backups and rotate them to off-site storage once a week. For the former, a near-real-time duplicate network and database may be the only option.

Obviously, this brief discussion is sadly superficial. Each business or organization is different, and each requires a different set of components in its security strategy. The security measures themselves must also be applied within reason. Too strict, and the employees will find ways around them. Too loose, and they serve no purpose. The real message here is: don't just wring your hands in fear. Take a strategic look at the threats you face and align your response with your risk tolerance, as you would with any investment.

Sunday, February 2, 2020

Inoculate Your Mind

With the spread of the 2019 Novel Coronavirus, hackers have started phishing campaigns geared to capitalise on the mounting fear of this virus. Koddos (a secure hosting provider) has published a story indicating that this fear is being used to spread the Emotet Trojan in Japan. The panic that surrounds crises such as global health threats, the Australian wildfires, or other major environmental events is often used by hackers to distribute computer viruses and trojans. This kind of social engineering takes advantage of heightened anxiety, with the knowledge that people will click on things they would normally avoid. The same kind of thing happens during championship sporting events such as the Super Bowl, the FIFA World Cup, or the Olympics.

So, what can you do? Well, the simple answer is: slow down. Most social engineering tries to create a sense of urgency. One is led to believe that time is of the essence and that speedy action is required. One is also often advised to keep the information secret, that s/he is special and the information is just for him/her. Therefore, slow down, and consider whether the organisation purported to have sent the message would normally communicate in this fashion. In our current situation, is it reasonable to expect that the Centers for Disease Control in the US, or Health Canada, would send a private message to the citizens of that country? How is the spelling and grammar in the message? Phishing campaigns are famously poorly written. Writing is quickly becoming a lost art, so a poorly written email is not an absolute indication of phishing, but it is a partial red flag. Ask a friend. Sometimes just the act of telling someone about the message will help you realise how "off" it sounds. When in doubt, go directly to the source. Do a Google search for the organisation in question, and see if any such information is on their website. If it supposedly came from a contact of yours, call the contact. Did s/he send it? Finally, simply ignore it. If things get bad enough, you'll hear about it from multiple sources.

As a parting note, a good source for social engineering inoculation is the Hacking Humans podcast. Each week, the hosts share stories of attempted social engineering and conduct an interview with an industry expert to help make you aware of the various forms of social engineering. It's a lighthearted show that is not too technical for the average person.