Sunday, 18 April 2021

A ransomware attack – how it works and how to defend against it


For many organizations, and individuals, the first sign of a ransomware attack is when a message appears on their computer screen telling them that their data has been encrypted and it will only be unencrypted if a payment, usually in bitcoins, is made to the hackers.

The organization is usually unaware of what else the hackers have been doing on their system including taking a copy of the data before they encrypt it and leave their message.

For many organizations, there is little choice about what to do. They can lose their data or they can pay up. But that last option always comes with issues because the hackers are criminals – so, even if they do take the money, what are the chances that they’ll actually bother unencrypting the data? And the data they’ve stolen? Won’t they still sell that information on the dark web?

There was a time when organizations could simply go to their extensive backups, and restore their data from those. They may lose some of their most recent data – updates that were made between the time the backup was taken and the attack to took place – but it’s probably worth it. Hackers were quick to spot that loophole in their plan and now corrupt backups before encrypting the data and informing the organization.

Many people used to believe that hackers were opportunists insofar as they would gain access to a corporate network and encrypt the data in a matter of hours. Nowadays, sophisticated hackers – often criminal gangs rather than individuals – will spend time maximizing the amount of information they can get their hands on and the damage they can do.

The steps in a cyberattack

So, let’s take a look at the stages in a modern cyberattack. And then we’ll look at some signs that such a ransomware attack is underway.

Step one is to get someone in an organization to download your software. An innocent-looking email arrives explaining that the recipient has a tax refund due to them. For security reasons, they simply need to click on the link to find the details. Or they are asked to help with the Black Lives Matter campaign – just click on the link to find out more. Or any number of other subjects get unaware employees to click on the link. Sometimes, the malicious code is buried in an innocent-looking attachment. It still has the same result.

Step two is the infection stage. The malware is downloaded and it executes.

Step three is for the malware to dial home to ensure it can talk to the hackers who set it up. It also starts to make changes to the network and increases its security level to those of an admin.

Step four is to scan for data – whether that’s on a local computer, server, or the cloud. This can take some time to complete.

Step five is to corrupt backups. Step six is to upload data to the hackers. This would usually be personally identifiable information such as names and addresses, passwords, social security numbers, credit card numbers, etc. These two steps may occur at the same time.

Step seven is to encrypt your data. And step eight is to send a message saying that a ransomware attack has taken place and you need to pay the ransom.

Prevention

The first way to prevent ransomware attacks is to ensure that all staff are trained to recognize phishing emails and not click on dubious links or attachments. And then run your own phishing attack on random employees to see how well the message is getting across as a way of raising the awareness of everyone.

Most sites prevent employees from plugging in memory sticks, which might contain malware on them.

Software that prevents staff accessing websites that are known to contain malware can help. Also helpful is software that filters spam emails or other suspicious emails. It’s also possible to stop files that are attached to emails with certain extensions reaching users. If the email isn’t in a user’s inbox, they can’t click on links or attachments and download the malware. Unfortunately, these approaches are never 100 percent efficient.

Keep all your software up to date so that it is not vulnerable to any known security issues. The same applies to hardware. The firmware in laptops can be the target for attacks, so it is important to install any security updates across the PC fleet as quickly as possible.

The good news is that ransomware attacks do leave footprints that can be identified. Although they aren’t conclusive that a ransomware attack is taking place, they are a sign that it might be. One sign might be that there’s a lot of unusual activity on some files. For example, there may be lots of failed file renames resulting from attempts by the malware to access those particular files. There may be unusual activity at unusual times of the day, which is caused by the ransomware encrypting files. Another sign of a hack, that might not be obvious at first, is to see that an admin has been logging on to servers during the night at much the same time for a few nights in a row. While logged in, they’ve been moving between servers using a remote desktop protocol (RDP). Or, you may find that people are reporting their inability to access certain files, which, again, may be caused by the ransomware encrypting or moving the file. And there may be unusual network activity as the malware communicates with the hackers – perhaps sending data to them.

Identify attacks taking place

So, what can be done to identify these signs of an attack? The answer is to continually monitor your system. Try to set up a baseline for what happens on your system so that it becomes easier to identify abnormal activity. Scan for unusual file activity – looking for changes. Log all incoming and outgoing traffic – to see whether the ransomware is dialling home. And always investigate anything out of the ordinary.

There is also the problem that software tools used by the IT security team can be used by hackers. Once a hacker has admin rights, they can use legitimate tools on your system, such as PC Hunter or Process Hacker to disable security software. And if you’re not expecting these kinds of tool to be where you find them, then it can be a sign of a hack in progress.

The presence of network scanning software (eg AngryIP) can also be a sign of an attack taking place. Once the hackers have access to one computer, they will try to gain a full view of the corporate network in order to access all the valuable data (or as much as possible). If no-one in IT knows anything about the scanner software, then it is a clear sign an attack is underway.

Use an intrusion detection system (IDS). This is designed to continually monitor a network for policy violations or any activity that might be considered malicious, and report what it has found. Some can respond to any intrusions. These are usually called intrusion prevention systems (IPS). Whatever you use, keep it up to date. And make sure that it can detect the common exploit kits (EK) used to get ransomware onto a network.

Some sites create a honey trap, an area that appears to be full of rich data pickings to entice the would-be hackers to investigate it further. By monitoring for any activity on that disk, it’s possible to quickly identify that an attack is in progress. Because hackers usually work through the drives in alphabetical order, it makes sense to give it the letter E: or G:.

What else?

Lastly, consider buying cyber insurance to help pay for recovering your system after a successful attack. I’m not sure whether the insurance covers the damage to your reputation!

Often employees use the same password that’s stored in Active Directory to access the mainframe. So, watch out for hackers getting into that as well.

Find out more about iTech-Ed here.

 

Sunday, 11 April 2021

I’m in a meeting!!

 It was bad enough when we were all in the office (or the machine room). There were too many meetings to go to. But now we have Zoom and Teams and any number of other ways of meeting, it seems the amount of time people spend in meetings is just increasing. Last week, for the first time, I found myself in two important meetings at the same time – one using Zoom and one using Teams. This is total madness!

What types of meeting are you spending so much time in? There are lots of ways of classifying meetings. Let’s divide them into six types:

  • Status update meetings – these are the most common, and happen frequently. They are used for project updates, team alignment, and general catch-ups.
  • Information sharing meetings – these may involve presentations as information is passed to a team. It allows questions to be asked by staff. It may involve a training session.
  • Decision making meetings – this is where goals can be set and solutions to problems can be worked out and evaluated. Information needs to be shared, strategies can be discussed, and actions can be decided on.
  • Problem solving meetings – these need to be solution focused and deal with internal or external challenges.
  • Innovation meetings – these allow new ideas to be suggested and the meetings help drive innovation. They may involve brainstorming sessions.
  • Team building meetings – in pre-Covid days, these may have involved away days and team building exercises.

Working from home or working from anywhere was meant to make people more productive because they didn’t need to commute, and they were less likely to be disturbed by work colleagues stopping by their desk for a chat. However, statistics show that in 2020 the number of meetings attended by a worker on average rose by 13.5 percent. Frighteningly, 11 million meetings are held each day, which works out at 55 million meetings per week or 220 million meetings per year! Currently, 15 percent of an organization’s time is spent in meetings, and that figure has increased every year since 2008. Apparently, employees spend 4 hours per week, preparing for status update meetings. And the consequence is that 67 percent of employees complain that spending too much time in meetings hinders them from being productive at work.

It gets worse, most employees attend 62 meetings per month, and feel that half of those meetings were a complete waste of time. And 92 percent of employees say they multitask during meetings – which may help them be more productive, but also may contribute to the failure of the meeting.

Managers and professionals lose 30 percent of their time in meetings that they could have invested in other productive tasks. Ineffective meetings make professionals lose 31 hours every month, or 4 working days. 95 percent of meeting attendees say they lose focus and miss parts of the meeting, while 39 percent confess to dozing off during meetings!

A survey of 6,500 people from the USA, UK, and Germany found that among the 19 million meetings that were observed, the ineffective meetings cost up to $399 billion in the USA and $58 billion in the UK.

These statistics are from the Atlassian, Attentiv, Cleverism, Condeco, Doodle, Harvard Business Review, HR Digest, KornFerry, National Bureau of Economic Research, ReadyTalk. The Muse, and Timely.

There I was, monitoring a Zoom meeting and a Teams meeting, and the question that came to mind was could I have done it for two Teams meetings or two Zoom meetings? The answer for Teams would be to join one Teams meeting using the Teams Desktop Application and join the second meeting using the Microsoft Teams Web Application.

With Zoom you can also join multiple meetings at the same time using the Zoom desktop client. You can’t, however, host multiple meetings. You do need to have a Business, Enterprise, or Education Zoom account. And you have to contact Zoom Support to have this feature enabled, which could take a few days. And, once the setting is enabled, you can join multiple meetings by using the join URL or going to https://zoom.us/join and typing in the meeting ID. The Join button in the Zoom client only works for the first meeting you want to join.

If you really want to do this, here are the instructions…

  1. Sign in to the Zoom web portal.
  2. In the navigation panel, click Settings.
  3.  Click the Meeting tab.
  4. Under the In Meeting (Basic) section, verify that Join different meetings simultaneously on desktop is enabled. 
  5. If the setting is disabled, click the Status toggle to enable it. If a verification dialog displays, choose Turn On to verify the change.

On the day that you want to join multiple meetings, you can join the first meeting by:

  • Clicking the Join button in the Zoom desktop client;
  • Clicking the join URL; or
  • Navigating to https://zoom.us/join and enter the meeting ID.

For meetings two and three (or more), you have to use the join URL in your browser or manually enter the meeting/webinar ID on https://zoom.us/join, and the Zoom client will automatically launch the additional meeting.

And there you are, unproductive in two or three meetings at the same time!

One reason that so many meetings go on for so long is that everyone is comfortable. They have a tea or a coffee. They may have some biscuits or a doughnut to nibble on. And they are sitting in a comfortable chair. There’s no need for them to rush. And that’s why meetings held with people standing up can be so much quicker and can focus people’s attention. Scrums, as people using the agile framework call them. Although they were originally used for developing software, they are now used by many organizations. A small group of people stand in a room – or on a Zoom call – for a limited period of time. This is often 10 or 15 minutes. What’s been achieved can be reviewed, and what needs to be done can be focused on. And these brief meeting are held frequently, often at the start of the day. And this seems to work well.

I’m inclined to not call a meeting if there isn’t a real purpose for having. You know, it’s always scheduled for the second Tuesday of the month kind of meeting. I think it’s important for the chair to keep the meeting focused. The worse kind of meeting is the one where the chair has to talk at length about everything! And I like the idea of standing up at meetings to encourage everyone to be brief and concise, and focused. And I really don’t want to be in two (or more) meetings at the same time again – even if I know how to do it!

 

Sunday, 28 March 2021

How secure is working from anywhere?

 
As the pandemic passes the year mark, and people have been working from home or wherever they can, the big question is: how are organizations dealing with the many new security issues brought about by supporting a remote workforce? What are the priorities for protecting the network and data? What are the best strategies for protecting this expanded attack surface and the loss of the traditional network perimeter? To find out, Nucleus Cyber/archTIS commissioned Cybersecurity Insiders to conduct a survey of security professionals. The report entitled “The 2021 State of Remote Work Security”, tells us what they found.

Perhaps, not surprisingly, the majority of those surveyed (86%) said they intended to continue supporting their remote workforce even after the pandemic is officially declared over. However, despite this large proportion, three-quarters of respondents noted that they still had serious concerns regarding the security risks of their remote workforce.

In addition, they found that the applications that organizations are most concerned with securing include, file sharing (68%), the web (47%), video conferencing (45%), and messaging (35%). More than half of organizations see remote work environments having an impact on their compliance posture (70%). GDPR tops the list of compliance mandates (51%). Organizations prioritize human-centric visibility into remote employee activity (34%), followed by next-generation antivirus and endpoint detection and response (23%), improved network analysis and next-gen firewalls (22%), and Zero Trust Network Access (19%).

Let’s have a look at their findings in more detail.

Network access (69%) tops the list of security concerns when it comes to securing remote employees. Bring Your Own Devices (BYOD) and personal devices (60%), applications (56%), and managed devices (51%) are also a concern for a majority of organizations.

The applications that organizations are most concerned with securing include file sharing (68%), the web (47%), video conferencing (45%), and messaging (35%). This is not surprising because these are fundamental business applications that all organizations rely on for a productive workforce.

Security breaches at the endpoints are a source of concern for many organizations as they look to secure their corporate assets. Therefore, it is no surprise that organizations are most concerned with exposure to malware or phishing risks (39%) followed by protection of data, especially when accessed by unmanaged endpoints (36%).

The biggest security concerns due to the shift in the numbers of remote workers include data leaking through endpoints (68%), users connecting with unmanaged devices (59%), and access from outside the perimeter (56%). This is followed by maintaining compliance with regulatory requirements (45%), remote access to core business apps (42%), and loss of visibility of user activity (42%).

Key security challenges cited include user awareness and training (57%), home/public WiFi network security (52%), and sensitive data leaving the perimeter (46%).

The main reasons that make remote work less secure are: users start to mix personal use and corporate use on their work laptops, increasing the risk of drive-by-downloads (61%); users are more susceptible to phishing attacks at home (50%); the organization no longer has visibility since most remote workers operate outside the corporate network (38%); and users that are furloughed pose an increased risk of data theft (25%).

Just about three-quarter of organizations see remote work environments having an impact on their compliance posture (70%). GDPR tops the list of compliance mandates (51%).

When organizations were asked about security controls, most are using a variety of security controls to protect remote work scenarios. A majority of respondents (80%) use antivirus/anti-malware. Other results for use were: firewalls (72%), virtual private networks (70%), multi-factor authentication (61%), endpoint detection and response (56%), and anti-phishing (54%), among others.

Respondents were asked to rank the importance of different cyber technologies to protect their organization from these threat vectors? The survey found that organizations prioritize human-centric visibility into remote employee activity (34%), followed by next-generation anti-virus and endpoint detection and response (23%), improved network analysis and next-gen firewalls (22%), and zero trust network access (19%).

This report is based on the results of a comprehensive online survey of 287 IT and cybersecurity professionals in the US, conducted in January 2021, to identify the latest enterprise adoption trends, challenges, gaps, and solution preferences for remote work security. The respondents range from technical executives to IT security practitioners, representing a balanced cross-section of organizations of varying sizes across multiple industries.

It's a really interesting report. I did find myself wondering what else organizations should be worrying about with their employees working from home. There’s always the problem of employees using risky apps that they might have downloaded and software that they may have unwillingly downloaded after visiting high-risk web sites. There’s also the issue of cloud-based attacks, with malware being delivered over cloud applications such as OneDrive for Business, SharePoint, and Google Drive.

Then there are issues with patches to applications and even to the firmware in remote (edge) computers. Centralized IT will be informed when there’s a security update to a piece of software. It then has to find a way to get that update to all the edge computers in its PC fleet – even when those laptops may not be switched on. In addition, these days, malware attacks can be against the firmware in a computer. So, again that will need to be able to be patched remotely.

Having said that, it’s still interesting to see what people are concerned with. You can download a copy from here.