Tuesday 21 June 2016

The Extortion of Things #Ransomware #Cyber

Article by Stuart Peck, Cyber Security Strategist at ZeroDayLab Ltd. 

Extortion is a tried and tested model that unscrupulous individuals have used to extract money over the centuries. The most popular form is blackmail, which originates from the 16th century term "black-maill". This had nothing to do with letters looking to coerce their recipient, but came from a payment or "tax" paid by landowners to protect assets from looters; the irony is that the payment was made to the looters themselves, which could be likened to an early protection racket.

There have been many examples over history of the use of blackmail and extortion by politically and financially motivated groups and individuals, targeting the upper echelons of society, prominent figures, heads of military and business leaders, not to mention the vast array of celebrities. It was a specialised skill requiring patience and perseverance.

However, today extortion has gone mainstream through the use of technology, in the form of Ransomware, and the extortionists are cashing in, spreading their net far and wide.

The Rise of Ransomware

Ransomware is not a particularly new concept, with its own origins in the AIDS Trojan of 1989, which was spread by floppy disk and displayed a message to the infected user proclaiming that their software had expired and that $189 was to be paid to "PC Cyborg Corporation".

Encryption-based Ransomware such as Gpcode and Krotten was first detected in mid 2006; however, the main rise of the Ransomware business model can be attributed to Cryptolocker in late 2013. Cryptolocker was the first to employ Bitcoin to collect ransom payments, making the money difficult to trace and the model attractive to seasoned cyber criminals and extortionists, netting an estimated $27 million in a few months.

More impressive was the highly publicised CryptoWall, which netted the group behind the Ransomware in excess of $300 million.

Figure 1: Cryptolocker ransom message

Today there are many variants of Ransomware, with an estimated 120 families and growing (CryptXXX, Locky, Petya, Ransom32, Jigsaw, Mischa, KeRanger etc), which are distributed through Exploit kits such as Angler (well, until it was taken offline, possibly due to the Lurk arrest) and Neutrino EK, and through Phishing (and Spear Phishing) campaigns.

Although there may have been some minor innovations in the delivery or mechanisms in the Ransomware families, the premise still remains the same: encryption or removal of access to files, which will only be returned upon payment of a ransom.

Figure 2: Jigsaw Ransomware, which deletes an increasing number of files every hour if the ransom is not paid.

The ease and profitability have made Ransomware the weapon of choice for seasoned cyber criminals, and have also reduced the barrier to entry for less technical extortionists, through RaaS (Ransomware as a Service) on Darknet market places.

A good example is the Petya and Mischa business opportunity provided by JanusSec, which promises high infection rates and an innovative approach: if the Petya Ransomware fails (Petya encrypts the master boot record), Mischa will kick in, employing the standard file encryption technique, which proves even cyber criminals have a business continuity plan!

Figure 3: JanusSec RaaS business model, which offers attractive returns for inexperienced cyber criminals.

The future of Ransomware: IoT?

As our workplaces and homes become more interconnected, and the lines blurred, it won't be long before the extortionists start to target IoT (Internet of Things) devices. There have been examples already of Ransomware and Malware targeting Smart TVs, Smart Watches, Smart Fridges etc.

How long will it be before we get DoS style Ransom messages threatening to disrupt the devices in our homes? With the lack of security controls in these devices, they will be an easy target for cyber criminals; the question is, will there be enough of a payoff to make it worthwhile?

Figure 4: Example of TV Ransomware through malicious app on Smart TV 

Ransomware: the greatest threat facing organisations today, or purely an avoidable nuisance?

Ransomware is a threat, one which most, if not all, organisations will have had some first or second hand exposure to, and depending on the business infrastructure set up, and the entry point to the business, Ransomware can cause serious disruption.

However, with the correct controls, policies, and user education, Ransomware can be reduced to an easily avoidable nuisance by employing the following:

  • Conduct regular back ups of devices, systems and servers (everyone should be doing this).
  • Block macros in documents by default through Group Policy, and only allow them for users that absolutely need them; this should reduce exposure to common weaponised documents sent via phishing emails.
  • Ensure that users have adblocker extensions for browsers and that the operating system and third party applications such as Flash (especially Flash) are updated regularly to reduce exposure to drive-by attacks and exploit kits.
  • Conduct regular security awareness training to ensure users don't expose the business to unnecessary risk.
  • Conduct regular incident scenarios, so key IT and Security team members know how to react in the event of a serious Ransomware attack.
  • Don't pay the ransom: there is no guarantee that you'll actually get access back to the data, and you may end up on a distribution list for victims that pay!
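
One way to check the macro control from the list above, as an added example that is not part of the original article: a small audit of a registry policy export that reports which Office applications still let users run macros. It assumes Office 2016 (version 16.0) policy keys under HKEY_CURRENT_USER and the VBAWarnings and blockcontentexecutionfrominternet policy values; the sample export is constructed, and the pass criteria are this example's choice.

```python
import re

# Constructed sample in the text format `reg export` writes (not from the article).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000004
"blockcontentexecutionfrominternet"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\PowerPoint\Security]
"VBAWarnings"=dword:00000001
"blockcontentexecutionfrominternet"=dword:00000000
'''

KEY_RE = re.compile(r'^\[.*\\Policies\\Microsoft\\Office\\[\d.]+\\(\w+)\\Security\]$', re.I)
VAL_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
APPS = ("Word", "Excel", "PowerPoint")

def parse_policy(reg_text):
    """Return {app: {value_name_lower: int}} for Office Security policy keys."""
    policy, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = policy.setdefault(m.group(1).lower(), {}) if m else None
        elif current is not None:
            v = VAL_RE.match(line)
            if v:
                current[v.group(1).lower()] = int(v.group(2), 16)
    return policy

def audit(reg_text):
    """List (app, finding) pairs where macros are not blocked by default."""
    policy, findings = parse_policy(reg_text), []
    for app in APPS:
        values = policy.get(app.lower(), {})
        vba = values.get("vbawarnings")
        if vba is None:
            findings.append((app, "VBAWarnings not set by policy"))
        elif vba not in (3, 4):  # 1 = enable all, 2 = disabled with a prompt the user can accept
            findings.append((app, "VBAWarnings=%d: user can run macros" % vba))
        if values.get("blockcontentexecutionfrominternet") != 1:
            findings.append((app, "macros in Internet files not blocked"))
    return findings

if __name__ == "__main__":
    for app, finding in audit(SAMPLE_REG):
        print(app + ": " + finding)
```

Users who genuinely need macros would be handled by a separate policy scoped to them, which this check does not model.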

In Summary....

In summary, extortion is not something new, but the level and mainstream nature of Ransomware has elevated this to new heights.

This is a threat that is not going to disappear anytime soon (as long as there is money to be made), and with warning signals of the near emergence of self-replicating Ransomware, we could see this ratchet up a gear.

But with good IT security controls, regular user education and planning for this type of incident, the exposure can be exponentially reduced.

Friday 3 June 2016

Human Error, a common theme in the ICO data breach findings #UK #ICO

The ICO recently carried out a study of the recent security incidents that have been reported or notified to the ICO. It's no shock that data breaches are on the rise, with two-thirds of sectors studied reporting an increase in the first quarter compared with the same time a year ago, according to new ICO figures.
The data protection watchdog has published findings for the period 1 January – 31 March 2016 that uncover some worrying statistics. Below are the key data security issues for each sector:

Data security incidents by type:

The main data security issues within the health sector were:
  • Data being posted or faxed to an incorrect recipient – 22% of incidents.
  • Loss or theft of paperwork – 20% of incidents.

The main issues for local government were:
  • Data being posted or faxed to an incorrect recipient – 23% of incidents.
  • Failure to redact data – 16% of incidents.
  • Loss or theft of paperwork – 14% of incidents.

The main issues for education were:
  • Loss or theft of unencrypted devices – 25% of incidents.
  • Insecure webpages (including hacking incidents) – 19% of incidents.
  • Data being sent by email to an incorrect recipient – 14% of incidents.

The main issues for general business were:
  • Insecure webpages (including hacking incidents) – 42% of incidents.
  • Data being sent by email to an incorrect recipient – 14% of incidents.
  • Loss or theft of paperwork – 11% of incidents.

The main issues for finance, insurance and credit were:
  • Data being posted or faxed to an incorrect recipient – 20% of incidents.
  • Insecure webpages (including hacking incidents) – 16% of incidents.
  • Data being sent by email to an incorrect recipient – 12% of incidents.
  • Loss or theft of paperwork – 12% of incidents.

The main issues for the legal sector were:
  • Loss or theft of paperwork – 28% of incidents.
  • Data being sent by email to an incorrect recipient – 16% of incidents.

Full article from ICO Here
What can we draw from this? The key theme here is human error. You can have all the tools in the shop, but if your users aren't continually educated about security issues and the policies and procedures the company has put in place, then these incidents will happen.

The figures are particularly concerning for organizations given the coming EU GDPR, which will levy fines of up to 4% of annual global turnover on firms which don’t comply with the new regulation, set to land in May 2018.

Thursday 2 June 2016

Top 10 Considerations for Truly Effective Security Awareness Training - Episode II

In this blog post we continue the Top 10 Considerations for Truly Effective Security Awareness Training.  We have already looked at Testing & Benchmarking, Elements of Testing, Timing, Training Methods and Who Really Holds the Keys to the Kingdom.  Today, we look a little closer at motivation factors and the human link. 

6. What's In It For Me? The Human Motivation Factor
"That's all very well," you think, "but what impact will a couple of hours training really have in changing behaviour in the company?" All too often, corporate training days are swiftly forgotten, so how do you make it stick - without using one?

Human error is a significant problem, and to overcome it you need your employees' behaviour to change.  To enable on-going behavioural change, aligning your business needs with your employees' needs and motivations is key.  Some motivators might be:
  • Protecting yourself and your family from identity theft and fraud
  • Financial incentives
  • Ambition and development (KPIs, development programme)
  • Personal engagement and responsibility (Security ambassadors)
  • Corporate engagement - doing it for the future of the company and its security.
Some companies have been linking staff security awareness to their appraisal system, some even to their bonus structure via a testing and scoring system.  If an individual (or sometimes team) falls below benchmark level, they lose their bonus and are sent on security awareness training.  This is an approach that has been welcomed by some management teams as it is quantifiable.  Clearly, there are pluses and minuses.  It is likely to engage the individual so they don't lose money; however, the stick approach doesn't work for everyone and may affect loyalty and motivation.  There are, however, no concrete statistics to suggest disincentivisation at this point.

7. Integration - The Human Link to Solutions, Policies & Procedures

ZeroDayLab's Four Quadrants of Security Awareness 

Let's face it, humans are everywhere.  People or their activities affect every single part of the business.  In terms of business solutions, this means weeding out the unofficial shadow applications and ensuring that teams keep all applications in line with security protocols and the most effective implementation for your organisation.  Likewise, whilst the majority of staff are not involved in the management of policies and procedures, do all staff who need to be (such as customer-facing roles) have a full understanding of their responsibilities under PCI DSS or EU GDPR, for example?

8.  What Now? What to Do When a Threat is Discovered
Once you've trained your staff, have you told them what to do when they identify a threat? Empower them as a part of your security awareness programme. Make it clear to staff when and how to report an email, or odd activities on their computer.  Just as importantly, in the event of a breach, ensure that communications are implemented effectively so that all staff, especially customer-facing operatives, know what to say and how to help the customer when they ring up concerned about their data security. Quite often, this link in the chain breaks and so does customer and stakeholder trust as a result.

9. Test, Educate, Review, Repeat
Testing isn't just about the phishing campaign.  Make sure you are breach ready with Red Teaming and runbook preparation and training - not forgetting a crisis communications strategy. Staff security awareness is an on-going project requiring regular communication and follow-up training.  In short; test, educate, review, repeat. 

10. Dust off the Bat Phone
Not every company has a big enough IT/Security team or HR & Training function to implement Security Training on an on-going basis. It's not just the additional resources that a security consulting team will bring to your security awareness strategy, it is analysis and independence.  A security firm will not only be able to analyse the results from your phishing resilience testing, but can also anonymously test social engineering and deliver physical security tests.  What's more, as an independent expert, they can add greater weight to your education programme through threat knowledge and the latest approaches for the board or the employee group as a whole.

What are your top tips for security awareness?