Week 6 Post – Ransomware

Ransomware is getting a lot of press these days, and the threat is growing. Ransomware is a type of malware. Once it gets onto a computer, it encrypts the user's documents, spreadsheets, photos and other files; the list of file types it goes after is long. If the computer has a mapped drive to a server file share, the ransomware encrypts those files as well, since it runs with whatever permissions the logged-in user has on the share, potentially locking up all of a company's internal shared documents.

After ransomware encrypts your files, you can no longer open them unless you obtain the decryption key, which the attacker offers to sell you for the ransom.

Unlike a lot of malware, which is often just meant to be destructive, ransomware is a criminal enterprise. It's a business, and like any successful business it usually has to provide some value in return for payment. Ransomware would not be such a growth industry if the criminals simply took the money and never delivered the key, so most of them do: they know the only way to keep getting paid is to give victims their files back. That said, payment is no guarantee (the key can fail to arrive, or fail to decrypt everything), so the only reliable way to get files back is to restore them from a backup the ransomware could not reach.

Ransomware variants are growing rapidly. According to Bromium, Ransomware “doubled in 2015. The number of ransomware families has increased 600 percent from ~2 in 2013 to ~12 in 2015” (Bromium 2015 Threat Report).

Symantec calls ransomware “an extremely profitable type of attack,” and says that “ransomware will continue to ensnare PC users and expand to any network-connected device that can be held hostage for a profit. In 2015, ransomware found new targets in smart phones, Mac, and Linux systems. Symantec even demonstrated proof-of-concept attacks against smart watches and televisions in 2015.”

Why is ransomware so difficult to stop? Bromium says that “Typical security products are detectors. They require a constantly updated set of rules to try and block/detect infections. The problem: Angler is the crafty exploit kit of choice, and is currently managing to infect computers anyway. Angler is tending to drop ransomware, which is constantly re-encoded to bypass file analysis techniques. Thus, the only reliable way to stop ransomware is via security through isolation (what Bromium does). To read more about exploit kits, see: https://labs.bromium.com/2016/03/08/angler-ek-a-bromium-discussion/”

It is also difficult to stop because much ransomware does not need a software vulnerability at all: it relies on people, arriving as phishing e-mails with malicious attachments or links that enough users will open.
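One check that does not depend on recognising the ransomware binary is to look at what it leaves behind: ordinary documents on a share suddenly have near-random contents. The script below is an added example for this post (not code from the post, Bromium or Symantec). It computes the Shannon entropy of files whose extension says they should be low-entropy text and flags the ones that look encrypted; the extension list, the 7.5 bits-per-byte threshold and the sample directory it builds are all assumptions of the example, and the sample files are constructed inline.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption of this example: file types that ransomware commonly targets and
# that should normally contain low-entropy text (expand for your environment).
TEXT_LIKE = {".txt", ".csv", ".log", ".md", ".json", ".xml", ".html"}

# Assumption: random or encrypted data scores close to 8.0 bits per byte,
# English text roughly 4 to 5, so 7.5 separates the two comfortably.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: Path, sample_bytes: int = 65536) -> bool:
    """True if a text-like file has near-random contents, the mark ransomware leaves."""
    if path.suffix.lower() not in TEXT_LIKE:
        return False  # zips, images etc. are high-entropy by nature; do not judge them
    with path.open("rb") as fh:
        sample = fh.read(sample_bytes)
    if len(sample) < 256:
        return False  # too small for a meaningful entropy estimate
    return shannon_entropy(sample) > ENTROPY_THRESHOLD


def scan_tree(root: Path) -> list:
    """Walk a directory tree (for example a mounted share) and return suspect files."""
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if looks_encrypted(p):
                    suspects.append(str(p.relative_to(root)))
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
    return sorted(suspects)


def demo() -> list:
    """Build a constructed sample tree and run the scan over it."""
    root = Path(tempfile.mkdtemp(prefix="rw-scan-"))
    (root / "finance").mkdir()
    # Constructed sample: a normal plaintext spreadsheet export
    (root / "finance" / "budget.csv").write_text("month,amount\n" + "jan,100\n" * 100)
    # Constructed sample: a document whose contents were replaced by random bytes,
    # which is what an encrypted file looks like from the outside
    (root / "finance" / "plan.txt").write_bytes(os.urandom(4096))
    # Constructed sample: a binary type we deliberately do not judge by entropy
    (root / "archive.zip").write_bytes(os.urandom(4096))
    return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print("suspect:", hit)
```

Run against a share, a hit list that grows from zero to hundreds of files in minutes is a far stronger signal than any single file, so in practice this belongs in a scheduled job whose output is compared with the previous run.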

References

Bromium Labs. (2016, April 18). Pay up! It’s Ransom Season… Retrieved April 24, 2016, from https://labs.bromium.com/2016/04/18/pay-up-its-ransom-season/

Symantec. (2016). 2016 Internet Security Threat Report. Retrieved April 24, 2016, from https://www.symantec.com/security-center/threat-report

Week 5 Post – Information Security Policies

Does your organization have an Information Security Policy?

If information security matters to an organization, then information security policy is the cornerstone of its information security program.

The National Institute of Standards and Technology (NIST) Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, states that “Information and IT systems are often critical assets that support the mission of an organization. Protecting them can be as important as protecting other organizational resources, such as money, physical assets, or employees.”

“A quality InfoSec program begins and ends with policy” (Whitman, 2014). Information security policy provides the instructions, standards and framework by which an InfoSec program is implemented and guided within the organization.

An information security policy should be “designed to create a productive and effective” workplace, while spelling out the organization’s vision for the authorized and appropriate use of the organization’s IT assets.

There are three major types of information security policies (Whitman, 2014, p. 128):

• Enterprise information security policy (EISP)
• Issue-specific security policies (ISSP)
• System-specific security policies (SysSP)

The EISP can be thought of as the overarching information security program policy: it sets the direction for all security policies within the organization, and each subsequent policy type has a narrower scope. An ISSP addresses a specific issue (use of e-mail or the Internet, for instance) that may span multiple systems under the EISP umbrella, while a SysSP addresses a specific system or type of system. The SysSP is typically the most technical and detailed of the three, and may prescribe configuration procedures and rules for specific systems such as firewalls.

References

Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (4th ed.). Stamford, CT: Cengage Learning.

National Institute of Standards and Technology. (1996). Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems. Gaithersburg, MD.

Week 4 Post – Incident Response Plans

All federal agencies are required by law to have detailed incident response plans (IRPs). The National Institute of Standards and Technology (NIST) publishes a thorough guide to contingency planning that even a home user or small organization could find some value in. Strictly speaking, contingency planning covers keeping and restoring systems after a disruption, while incident handling is the subject of NIST's separate SP 800-61; the two plans complement each other and are often developed together.

NIST Special Publication 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems, lays out these seven fundamental steps:

1. Develop the contingency planning policy statement. A formal policy provides the authority and guidance necessary to develop an effective contingency plan.

2. Conduct the business impact analysis (BIA). The BIA helps identify and prioritize information systems and components critical to supporting the organization’s mission/business processes. A template for developing the BIA is provided to assist the user.

3. Identify preventive controls. Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.

4. Create contingency strategies. Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.

5. Develop an information system contingency plan. The contingency plan should contain detailed guidance and procedures for restoring a damaged system unique to the system’s security impact level and recovery requirements.

6. Ensure plan testing, training, and exercises. Testing validates recovery capabilities, whereas training prepares recovery personnel for plan activation and exercising the plan identifies planning gaps; combined, the activities improve plan effectiveness and overall organization preparedness.

7. Ensure plan maintenance. The plan should be a living document that is updated regularly to remain current with system enhancements and organizational changes.

This guide presents three sample formats for developing an information system contingency

Source: NIST SP 800-34, Rev. 1. 2010

I realize that most small organizations do not have an Incident Response Plan (IRP). What do these organizations do when they encounter the inevitable “incident”? Anyone who has worked in an IT support capacity servicing small organizations has seen the hard drive failures, virus infections, lack of good backups, and even accidental data corruption or deletion by users.

An incident response plan does not need to be complicated to be useful: a short, actionable one that says who to call, what to disconnect and where the backups are is something every organization should have.
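Step 6 above says testing is what validates recovery capability, and the most common small-organization failure in the list above is the backup that turns out not to restore. The script below is an added example for this post, not NIST's code or a template from SP 800-34. It writes a backup with a SHA-256 manifest, then performs a restore test that copies every file back into a scratch directory and reports which files restored intact, which were silently corrupted and which are missing. The manifest file name, directory layout and sample files are assumptions of the example; the sample data is constructed inline.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Assumption of this example: the manifest lives next to the backed-up files.
MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy every file under `source` into `dest` and record relative path -> SHA-256."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[str(rel)] = sha256_of(p)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def restore_test(backup: Path, scratch: Path) -> dict:
    """Restore `backup` into `scratch` and verify each file against the manifest.

    Returns {"ok": [...], "corrupt": [...], "missing": [...]} with relative paths,
    so the plan's test step has a concrete pass/fail record to file.
    """
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    result = {"ok": [], "corrupt": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        src = backup / rel
        if not src.is_file():
            result["missing"].append(rel)
            continue
        dst = scratch / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        # Hash the restored copy, not the backup, so a bad copy path is caught too
        if sha256_of(dst) == expected:
            result["ok"].append(rel)
        else:
            result["corrupt"].append(rel)
    return result


def demo(simulate_failures: bool = True) -> dict:
    """Build a constructed live tree, back it up, optionally damage the backup, test it."""
    base = Path(tempfile.mkdtemp(prefix="irp-"))
    source, backup, scratch = base / "live", base / "backup", base / "restore"
    source.mkdir()
    (source / "docs").mkdir()
    # Constructed sample data
    (source / "docs" / "policy.txt").write_text("Acceptable use policy v1\n")
    (source / "ledger.csv").write_text("date,amount\n2016-04-01,42\n")
    (source / "readme.txt").write_text("Office file server\n")
    make_backup(source, backup)
    if simulate_failures:
        # The two failures a restore test exists to catch: silent corruption (bit rot,
        # a half-written file) and a file that never made it onto the backup media.
        (backup / "ledger.csv").write_bytes(b"date,amount\n2016-04-01,99\n")
        (backup / "docs" / "policy.txt").unlink()
    return restore_test(backup, scratch)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A restore test like this is worth running on a schedule and keeping the output, because a backup you have never restored from is, for planning purposes, a backup you do not have.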

Reference:

National Institute of Standards and Technology. (2010). Special Publication 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems. Gaithersburg, MD.

Week 3 Post – TrueCrypt Drive & File Encryption

I used the open source TrueCrypt for years to encrypt a few files, and some may remember when its developers abruptly abandoned the project in May 2014 with a warning that it might contain unfixed security issues. As quoted by the Krebs on Security blog, the project's page said: “The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform.”

On ExtremeTech, Joel Hruska reported that security researcher “James Forshaw found two critical bugs in the program that could compromise an end-user’s machine. While neither allowed an attacker backdoor access, the Register reports that both could have been used to install spyware to the host machine or record keystrokes. Either of these could’ve been sufficient to allow an attacker to capture the drive’s encryption key, depending on how good the end-user’s security practices were.”

Hruska continues that “We’ll never know why TrueCrypt’s authors left the project. Clearly these bugs, while significant, can still be fixed without compromising the system. Equally clearly, VeraCrypt was able to solve them in short order, once Forshaw drew attention to them.”

After reading about these concerns, I switched to VeraCrypt, which has the same interface look and feel that TrueCrypt had, and even allows one to access existing TrueCrypt containers or volumes. It is still freely available as open source software. VeraCrypt’s home page can be found at:

https://veracrypt.codeplex.com/


References

Krebs, B. (2014, May). True goodbye: Using TrueCrypt is not secure. Krebs on Security. Retrieved April 03, 2016, from http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/

Hruska, J. (2015, September 30). Critical TrueCrypt security bugs finally found. ExtremeTech. Retrieved April 03, 2016, from http://www.extremetech.com/computing/215285-critical-truecrypt-security-bugs-finally-found