The Advanced Persistent Threat (APT)

We’ve discussed Phishing, Spear-Phishing, Ransomware, and other threats to small-to-medium sized organizations here, but there is another, perhaps more insidious threat to be vigilant about, called the Advanced Persistent Threat, or APT.

Advanced Persistent Threats (APT) go beyond the typical malware threats or other types of intrusion threats that could lead to data loss.  There is the old story about two people being chased by a bear.  One of them says that he doesn’t need to outrun the bear, he just needs to outrun the other guy.  This is often the approach that organizations take to protecting themselves against hackers and other threats.  They take the position that their defenses do not need to be the best, they just need to be better than other targets similar to them, in the hopes that an attacker will give up on them and move on to someone easier to attack.

Being better protected than the next guy or target does not work with APTs.  With an APT, you are the target, and the attacker will spend extraordinary time and use multiple methods to gain access to your systems.  They aren’t going away soon, nor are they interested in your neighbor.  Symantec says that the attackers in an Advanced Persistent Threat use multiple means to “break into a network.”  The goal is to “harvest valuable information over the long term” (Symantec, n.d.).  The attackers in an APT, once inside an organization’s network, may stay inside for a long time, or until detected, if ever.

Symantec explains that the APT attackers spend time performing reconnaissance on their chosen target, then during their attempts to gain access, they use social engineering to deploy malware to “vulnerable systems and people” (Symantec, n.d.).  Symantec says that once inside the target network, the attackers stay “low and slow” to gather more information and avoid being detected.  FireEye says that the malware, once inside, communicates with Command & Control servers controlled by the attackers (FireEye, n.d.).  FireEye goes on to explain that the malware inside the target network continues to collect data that it sends to a “staging server” and exfiltrates data while under the “full control” of the attacker.

Sometimes Advanced Persistent Threat actors employ non-typical malware deployment methods.  In 2008, a foreign intelligence agency left USB flash drives in the parking lot outside a US base, in what is known as a “candy drop.”  Sure enough, a soldier decided to pick one up and take it inside and plug it into a computer on the US Central Command’s network, uploading a worm that became one of the worst breaches of US military computers in history, known as Operation Buckshot Yankee (Singer & Friedman, 2014).

 

References:

Advanced Persistent Threats: How They Work | Symantec. (n.d.). Retrieved September 08, 2016, from https://www.symantec.com/theme.jsp?themeid=apt-infographic-1

FireEye. (n.d.). Anatomy of an APT (Advanced Persistent Threat) Attack | FireEye. Retrieved September 08, 2016, from https://www.fireeye.com/current-threats/anatomy-of-a-cyber-attack.html

Singer, P. W., & Friedman, A. (2014). Cybersecurity and cyberwar: What everyone needs to know. New York, NY: Oxford.

Ransomware Attacks are Still Growing

A new report found that nearly 40 percent of businesses had been victims of ransomware in the past year.  Security Magazine says that at least a third of these businesses lost revenue and that 20 percent were shut down completely as a result of ransomware.

Malwarebytes, a leading malware protection software vendor, sponsored the report and states that “Over the last four years, ransomware has evolved into one of the biggest cyber security threats in the wild, with instances of ransomware in exploit kits increasing 259 percent in the last five months alone.”

The report found that 46 percent of ransomware attacks came from email and they found that more than 40 percent of victims actually paid the ransom.  There is also significant time spent on remediation from a ransomware attack. When an infected computer has access to your business cloud drive or file server, that infected PC will encrypt and make inaccessible potentially every file your organization needs to stay in business.  It is reported that more than 60 percent of these attacks took more than 9 hours to resolve.

For ransomware prevention, Microsoft recommends that one should:

I have found that user awareness and training is one of the most effective ways to avoid a ransomware infection.  Given that there will always be someone who will open that infected email that gets past an Intrusion Prevention Firewall’s gateway antivirus (if your business has the foresight to actually have invested in one) and the endpoint device’s antivirus software, I have found that the best way to recover from this is from a reliable backup.

If you have a file server, ensure that the server is continually being backed up.  Unless you have your own IT staff with server expertise, the best way to do this is to have your backup system provided and managed by a Managed Service Provider, such as Oxen Technology.  Companies like Oxen Technology have the tools and expertise to ensure that your entire server can be restored in a short amount of time, should a ransomware attack get past your defenses.  They provide IT expertise to organizations who don’t have the need or the budget for full-time IT departments.  Managed service providers like Oxen Technology can also provide your organization with a managed firewall, which goes beyond a typical firewall as an Intrusion Prevention Appliance.  Often, the Gateway Antivirus protection that Oxen’s WorryFree managed firewalls provide will actually catch and block the incoming infected email that one of your employees might just click on.

If one uses a cloud service for file storage and sharing, often that service can restore the organization’s files from the service’s backup.  Microsoft’s OneDrive for Business has this capability, for example.  The infected user’s local files on the computer will be lost, but the ransomware can be safely cleaned from the user’s computer by an experienced engineer, sparing the Operating System, applications, and settings from having to be reinstalled and reconfigured.

What to do when you have been infected?  Immediately power off and disconnect the infected computer from your network, then call an IT solutions expert such as Oxen Technology to help you get back to normal.  Powering off the computer disconnects it from the network, but disconnecting the network cable adds another layer of defense for your network connected systems in case someone accidentally turns the computer back on.

Stay safe!

John W. Rokes

 

References:

40 Percent of Enterprises Hit by Ransomware in the Last Year. (n.d.). Retrieved August 13, 2016, from http://www.securitymagazine.com/articles/87332-percent-of-enterprises-hit-by-ransomware-in-the-last-year

Ransomware facts. Retrieved August 13, 2016, from https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

Oxen Technology | Strong IT and Managed Services Provider. (n.d.). Retrieved August 13, 2016, from https://oxen.tech/

Week 11 Post – Major Threats to SMBs

Last week we talked about the alarming percentage of data breaches that are occurring in health care organizations.  The latest Ponemon report found that “89 percent of surveyed health care providers experienced a data breach in the last 24 months, with 79 percent admitting to suffering a minimum of two breaches.”

TrendMicro reports that the top reasons cited for data loss were “SMB employees’ tendency to open attachments to or click links embedded in spam, to leave their systems unattended, to not frequently change their passwords, and to visit restricted sites. This negligence puts critical business data at risk from data stealing cyber criminals and malicious insiders.”

In this report, SMBs state that they are no longer just at risk of losing data due to external threats such as hacker attacks and other external compromises, but they are, in fact, in “even graver danger due to employee negligence or maliciousness. Even worse, 64% agree that their organizations need to rearchitect their security infrastructure against hackers or malicious insiders attempting to steal data.”

They say that the effort to mitigate this risk “may require focusing on data-centric security for confidential information, which entails relying on not only traditional outside-in protection but also on protection from the inside-out.”

This report brings forward the risks from employees using mobile devices such as smartphones, tablets, and laptops, and says that the era of BYOD (Bring Your Own Device) is “here to stay.”

Another alarming issue brought up is that SMBs “routinely fail to back up data.”  This issue is a fairly simple one to correct and doesn’t require in-depth analysis to understand its risk potential, but either through ignorance or a lack of understanding of the importance of an organization’s data, the SMB market still doesn’t understand that they need to budget to back up their data.

The Trend report states that “less than 50% of SMBs routinely back up data. This, along with risky employee behaviors, the BYOD trend, lack of adequate security protection, and various other threats to data, is putting them at great risk.”  They also say that “about a third of U.S. companies also had no backup and disaster recovery strategies in place, citing lack of budget and resources as primary reasons.”

Any small business needs to ask themselves if their business would survive the complete loss of their accounting systems, their payroll records, their customer data, any intellectual property that they may have on computer, and any other data that they may use daily to operate their businesses.

 

Reference:

Trend Micro. (n.d.). 5 DATA SECURITY RISKS EVERY SMALL BUSINESS SHOULD KNOW ABOUT. Retrieved from http://www.trendmicro.com/cloud-content/us/pdfs/business/tlp-small-business-is-big-business-nov2012.pdf

Week 10 Post – 89% of surveyed health care orgs breached in last two years

SC Magazine reported that for the 2nd consecutive year, the Ponemon Institute’s “annual study on the state of security and privacy in health care found that cybercrime was the leading cause of data breaches among hospitals and other medical providers.”

Here’s an alarming statistic discovered:  45 percent of the health care organizations surveyed, “admitted to having more than five breaches over the past two years.”

SC Magazine also said that “Ponemon found that 89 percent of surveyed health care providers experienced a data breach in the last 24 months, with 79 percent admitting to suffering a minimum of two breaches.”

The top security threats cited in the report were Employee Negligence, at 69%, and Cyber Attacks, cited in 45% of the data breaches.

The report stated that 61% of health care organizations are “paying more attention” to how their third-party partners handle their data.  HIPAA has a Business Associate requirement now that has broad applicability to “partners” who provide legal, actuarial, accounting, consulting, data aggregation, management, administration or financial services when those services have access to the organization’s PHI (Protected Health Information).

The HIPAA Privacy Rule mandates that providers have written contracts with these partners, known as Business Associate Agreements.  Under the HIPAA Privacy Rule, not having these agreements in place with partners who are subject to the rule is deemed non-compliance.

The US Department of Health and Human Services defines a “business associate” as a “person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.  A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.”

Since most small-to-medium health care organizations contract some or all of their IT and many other services, these organizations and their IT service providers need to be familiar with the requirements of the Privacy Rule and the use of Business Associate Agreements.

 

References:

Ponemon: 89% of surveyed health care orgs breached in last two years; cybercrime top cause. (2016). Retrieved May 22, 2016, from http://www.scmagazine.com/ponemon-89-of-surveyed-health-care-orgs-breached-in-last-two-years-cybercrime-top-cause/article/496530/
HIPAA Requirements. (n.d.). Retrieved May 22, 2016, from http://www.hipaasurvivalguide.com/hipaa-requirements.php
US HHS. (n.d.). Business Associate Contracts. Retrieved May 22, 2016, from http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Week 9 Post – The Risk of Using Old Software

Many organizations held on tight to their old Windows XP computers.  Some are still using it despite the risks and warnings.  Windows Server 2003 falls into this risk category as well.  Microsoft ended support for Windows XP on April 8th, 2014. Microsoft Windows Server 2003 extended support ended on July 14th, 2015.

What that means to most people is that Microsoft no longer provides security updates after that date.

At face value, that might not seem like an important event, since Windows XP or Server 2003 installed on a computer will still function as it had before.  The issue is that security vulnerabilities are continually being discovered throughout the lifecycle of an OS and beyond.

Microsoft stated that “without critical Windows XP security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information. Anti-virus software will also not be able to fully protect you once Windows XP itself is unsupported.”

The issue for an organization is not just the vulnerability risk, but also a compliance risk.  Microsoft stated that businesses that are “governed by regulatory obligations such as HIPAA may find that they are no longer able to satisfy compliance requirements.”  Organizations with HIPAA compliance requirements who are still using Windows XP or Server 2003 may find that, in case of a violation or data breach on those systems, they are no longer just a victim, but are now considered willfully negligent.

Once a vulnerability issue becomes known, the manufacturer then addresses the issue with a security “fix” or “patch.”  Once support has ended, any new vulnerabilities discovered will remain open to attack, with no action by a manufacturer to correct them.  Microsoft’s recommendation was to “terminate” use of Windows XP by upgrading to a newer, supported OS, which most organizations did.

There is also the usability of the Operating System and the applications that run on top of it.  People using older web browsers that aren’t capable of newer SSL/TLS standards will find that they can’t visit or use many of the ecommerce websites or other websites that require SSL/TLS encryption.  This is pretty much any website that begins with https: in your web browser as opposed to the unencrypted http.

Google announced in April 2016 that their new version 50 Chrome browser will not be supported on a wide range of operating systems. Windows XP, Windows Vista, Apple Mac OS X 10.6, OS X 10.7, and OS X 10.8 are no longer supported.

Cyber protocols are subject to change over time and the once secure SSL protocol is no longer considered secure.  Most modern encrypted connections to web sites and other servers are now using TLS version 1.2.

References

Support for Windows XP ended April 8th, 2014. (n.d.). Retrieved May 12, 2016, from https://www.microsoft.com/en-us/WindowsForBusiness/end-of-xp-support

Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (4th ed.)(ch. 8). Stamford, CT: Cengage Learning.

Week 8 Post – Spear Phishing

It seems that many infosec criminals have gone fishing these days.  Spear Phishing to be precise.  I’ve personally worked with clients who have been targeted by this relatively new threat vector.

What is “spear phishing” or “spearphishing”?  Well, you are all aware of what “phishing” is.  You know the emails pretending to be your bank, or pretending to be UPS, that have the suspicious looking attachment when you haven’t even shipped anything lately.  The attackers want you to click on that bank link and enter your credentials, which will end up in the hands of a crime syndicate if you do, or click on that attachment, which will likely deploy some sort of virus onto your computer.  We talked recently about the proliferation of ransomware.  Phishing is one way that ransomware is deployed.  There is always someone in the organization who will click.

Symantec says that the “latest twist on phishing is spear phishing. No, it’s not a sport, it’s a scam and you’re the target. Spear phishing is an email that appears to be from an individual or business that you know. But it isn’t. It’s from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your PC.”

Sometimes spearphishing appears to have been sent by a company executive within your company.  It might look very legitimate and urgent.  Often it is requesting that you pay certain invoices or transfer funds immediately.  This can be confusing if you are in Accounts Payable and you handle invoice payment requests daily.

Symantec’s recommendations for not becoming a spearphishing victim are:

“If a “friend” emails and asks for a password or other information, call or email (in a separate email) that friend to verify that they were really who contacted you. The same goes for banks and businesses. First of all, legitimate businesses won’t email you asking for passwords or account numbers. If you think the email might be real, call the bank or business and ask. Or visit the official website. Most banks have an email address to which you can forward suspicious emails for verification.”

Just be careful about what you click on, no matter who it comes from.

Reference

Spear Phishing: What It Is and How to Avoid It | Norton. (n.d.). Retrieved May 08, 2016, from http://us.norton.com/spear-phishing-scam-not-sport/article

Week 7 Post – Security Failures

The latest security failure, reported by Krebs on Security, says that “The American Dental Association (ADA) says it may have inadvertently mailed malware-laced USB thumb drives to thousands of dental offices nationwide.”

The USB thumb drives are used to send dental procedure code updates to dental offices nationwide. These days with Internet everywhere, why would the ADA use the US Mail to send USB drives to update these dental procedure codes? There are so many electronic options available for the dissemination of this information and the ADA is using postal mail to send electronic information.

Beyond the expense and the startlingly outdated method of data delivery, not using typical antivirus tools and then spreading malware to thousands of computers containing HIPAA-regulated Protected Health Information is certainly alarming.

Image:  DSL Reports Security Forum. DSLR member “Mike” from Pittsburgh

As reported by KrebsOnSecurity, the ADA said it sent the following email to members who have shared their email address with the organization:

“We have received a handful of reports that malware has been detected on some flash drives included with the 2016 CDT manual,” the ADA said. “The ‘flash drive’ is the credit card sized USB storage device that contains an electronic copy of the CDT 2016 manual. It is located in a pocket on the inside back cover of the manual. Your anti-virus software should detect the malware if it is present. However, if you haven’t used your CDT 2016 flash drive, please throw it away.”

“To give you access to an electronic version of the 2016 CDT manual, we are offering you the ability to download the PDF version of the 2016 CDT manual that was included on the flash drive.”

The ADA said the USB “credit card” media was “manufactured in China by a subcontractor of an ADA vendor, and that some 37,000 of the devices have been distributed. The not-for-profit ADA is the nation’s largest dental association, with more than 159,000 members.”

Why wouldn’t the ADA just stop at providing the PDF file version of the manual, in the first place?

 

Reference

Krebs on Security. (n.d.). Retrieved May 01, 2016, from http://krebsonsecurity.com/2016/04/dental-assn-mails-malware-to-members/#more-34598

Week 6 Post – Ransomware

Ransomware is getting a lot of press these days and the threat is growing. Ransomware is a type of malware. Once it gets into your computer system, it encrypts all of your documents, spreadsheets, and photos. There is a long list of the file types that ransomware goes after. If you have a mapped drive to a server file share, the ransomware will attack those files as well, potentially encrypting all of your internal company shared documents.

After ransomware encrypts your files, you can’t open them any longer, until you pay the ransom to get the unlock code.

Unlike much malware, which is often just meant to be destructive, ransomware is a criminal enterprise. It’s a business. Like any successful business, one typically has to provide some value for payment. Ransomware wouldn’t be such a growth industry if the criminals just took your payment, and didn’t actually deliver the unlock code, so they do. They know the only way they can keep making money on this is to give your files back to you after they have been paid.

Ransomware variants are growing rapidly. According to Bromium, Ransomware “doubled in 2015. The number of ransomware families has increased 600 percent from ~2 in 2013 to ~12 in 2015” (Bromium 2015 Threat Report).

Symantec calls ransomware “an extremely profitable type of attack,” and says that “ransomware will continue to ensnare PC users and expand to any network-connected device that can be held hostage for a profit. In 2015, ransomware found new targets in smart phones, Mac, and Linux systems. Symantec even demonstrated proof-of-concept attacks against smart watches and televisions in 2015.”

Why is ransomware so difficult to stop? Bromium says that “Typical security products are detectors. They require a constantly updated set of rules to try and block/detect infections. The problem: Angler is the crafty exploit kit of choice, and is currently managing to infect computers anyway. Angler is tending to drop ransomware, which is constantly re-encoded to bypass file analysis techniques. Thus, the only reliable way to stop ransomware is via security through isolation (what Bromium does). To read more about exploit kits, see: https://labs.bromium.com/2016/03/08/angler-ek-a-bromium-discussion/”

It is also difficult to stop because much ransomware relies on user vulnerabilities through phishing emails and malicious links that many people will click on.

References

Pay up! It’s Ransom Season… (2016). Retrieved April 24, 2016, from https://labs.bromium.com/2016/04/18/pay-up-its-ransom-season/

2016 Internet Security Threat Report. (n.d.). Retrieved April 24, 2016, from https://www.symantec.com/security-center/threat-report

Week 5 Post – Information Security Policies

Does your organization have an Information Security Policy?

To the extent that information security is important to organizations, information security policy is the cornerstone of the information security program.

The National Institute of Standards and Technology (NIST) Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, states that “Information and IT systems are often critical assets that support the mission of an organization. Protecting them can be as important as protecting other organizational resources, such as money, physical assets, or employees.”

“A quality InfoSec program begins and ends with policy” (Whitman, 2014). Information security policy provides the instructions, standards and framework by which an InfoSec program is implemented and guided within the organization.

An information security policy should be “designed to create a productive and effective” workplace, while spelling out the organization’s vision for the authorized and appropriate use of the organization’s IT assets.

There are three major types of information security policies (Whitman, 2014, p. 128):

• Enterprise information security policy (EISP)
• Issue-specific security policies (ISSP)
• System-specific security policies (SysSP)

The EISP can be thought of as the overarching information security program policy that sets the direction of all security policies within the organization, while each subsequent policy type has a more specific scope. The ISSP pertains to specific issues that may address multiple systems under the EISP umbrella, while the SysSP addresses policy, and may prescribe details for specific systems or types of system. The SysSP can easily become the most technical and detailed of the three types of policies, and may prescribe technical configuration procedures for specific systems such as firewalls.

References

Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (4th ed.). Stamford, CT: Cengage Learning.

National Institute of Standards and Technology (1996). Special Publication 800-14. Generally Accepted Principles and Practices for Securing Information Technology Systems. Gaithersburg, MD

Week 4 Post – Incident Response Plans

All federal agencies are required by law to have detailed Incident Response Plans (IRP). The National Institute of Standards & Technology (NIST) has a thorough guide to Contingency planning and developing an IRP that even the home user or small organization could find some value in.

NIST has Special Publication 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems, that provides these seven fundamental steps:

1. Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.

2. Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information systems and components critical to supporting the organization’s mission/business processes. A template for developing the BIA is provided to assist the user.

3. Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.

4. Create contingency strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.

5. Develop an information system contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system unique to the system’s security impact level and recovery requirements.

6. Ensure plan testing, training, and exercises. Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation and exercising the plan identifies planning gaps; combined, the activities improve plan effectiveness and overall organization preparedness.

7. Ensure plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.
This guide presents three sample formats for developing an information system contingency
Source: NIST SP 800-34, Rev. 1. 2010

I realize that most small organizations do not have an Incident Response Plan (IRP). What do these organizations do when they encounter the inevitable “incident”? Anyone who has worked in an IT support capacity servicing small organizations has seen the hard drive failures, virus infections, lack of good backups, and even accidental data corruption or deletion by users.

A simple, actionable plan doesn’t need to be complicated, and it is something every organization should consider.

Reference:

National Institute of Standards and Technology (2010). SP 800-34, Rev.1. Contingency Planning Guide for Federal Information Systems. Gaithersburg, MD