Sunday 25 April 2021

A mainframe ransomware attack – how to defend against it


Last week, we were discussing ransomware attacks on distributed systems and what could be done about them, and we ended with the sentences: “Often employees use the same password that’s stored in Active Directory to access the mainframe. So, watch out for hackers getting into that as well.” So, what can be done to protect your mainframe?

The scenario last time was that someone had got into your network and dumped the Windows userids and password hashes from Active Directory, then cracked or simply reused them. If just one of those credentials matched a login for the mainframe, then mainframe security was compromised – assuming you rely on userids and passwords to access the mainframe. But that’s not the only way to hack a mainframe.

Getting in

If you use CICS at your site, there are now automated tools that can identify misconfigurations and bypass authentication. CICSpwn is one such tool: it can retrieve the security settings of the underlying z/OS operating system, read available files, enumerate system naming conventions, and even execute code remotely. And it’s available on GitHub for pen-testing. Alternatively, hackers can use the customer-facing front end to perform a brute-force attack on passwords.

Another mainframe attack method is to connect with TN3270 emulation software and try password spraying, in which a single common password is tried once against every userid on the system. This works better than trying a million passwords against one userid, because repeated failures against a single userid will lead to that userid being revoked (locked out), whereas one failure per userid stays below the lockout threshold and goes unnoticed unless failures are correlated across userids and sources.
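The difference between the two patterns is what a detector has to key on: a per-userid lockout counter catches the brute-force case but is blind to spraying. The script below is an added example, not from the original post and not from any product; it correlates logon failures by source rather than by userid. The records are constructed to resemble a simplified extract of security-manager logon failure events (the real source would be RACF/ACF2/Top Secret audit records from SMF), and the field layout, thresholds and IP addresses are assumptions.

```python
"""Tell password spraying from brute force in TN3270 logon failures.

Added example, not from the original post. The log records are a
constructed, simplified extract; the field layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp,userid,source_ip,result"
SAMPLE_LOG = """\
2021-04-20T02:01:03,USER01,10.1.2.3,INVALID_PASSWORD
2021-04-20T02:01:05,USER02,10.1.2.3,INVALID_PASSWORD
2021-04-20T02:01:07,USER03,10.1.2.3,INVALID_PASSWORD
2021-04-20T02:01:09,USER04,10.1.2.3,INVALID_PASSWORD
2021-04-20T02:01:11,USER05,10.1.2.3,INVALID_PASSWORD
2021-04-20T02:01:13,USER06,10.1.2.3,INVALID_PASSWORD
2021-04-20T02:01:15,USER07,10.1.2.3,SUCCESS
2021-04-20T09:15:00,SYSPROG1,10.9.9.9,INVALID_PASSWORD
2021-04-20T09:15:02,SYSPROG1,10.9.9.9,INVALID_PASSWORD
2021-04-20T09:15:04,SYSPROG1,10.9.9.9,INVALID_PASSWORD
2021-04-20T09:15:06,SYSPROG1,10.9.9.9,INVALID_PASSWORD
2021-04-20T09:15:08,SYSPROG1,10.9.9.9,REVOKED
2021-04-20T10:00:00,USER01,10.5.5.5,INVALID_PASSWORD
2021-04-20T10:00:30,USER01,10.5.5.5,SUCCESS
"""


def parse(log_text):
    """Turn the CSV extract into (timestamp, userid, source, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, userid, src, result = line.split(",")
        events.append((datetime.fromisoformat(ts), userid, src, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: sorted userids} for sources that failed logons for
    at least `min_users` distinct userids inside `window`, with no single
    userid failing more than `max_per_user` times. That is the signature a
    per-userid lockout counter never sees."""
    by_src = defaultdict(list)
    for ts, userid, src, result in events:
        if result == "INVALID_PASSWORD":
            by_src[src].append((ts, userid))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()
        best = None
        start = 0
        for end in range(len(fails)):          # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, u in fails[start:end + 1]:
                counts[u] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                if best is None or len(counts) > len(best):
                    best = sorted(counts)
        if best:
            hits[src] = best
    return hits


def detect_brute_force(events, threshold=4):
    """Return {(source_ip, userid): failures} where one userid was hit repeatedly
    from one source; this is the case the lockout counter already catches."""
    counts = defaultdict(int)
    for _, userid, src, result in events:
        if result == "INVALID_PASSWORD":
            counts[(src, userid)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("spray sources:", detect_spray(ev))
    print("brute force:", detect_brute_force(ev))
```

Run against the sample, the spray from 10.1.2.3 is reported even though no userid there failed more than once, while SYSPROG1 from 10.9.9.9 shows up only in the brute-force check, which is also the one that ended in a revoked userid. Feeding real SMF-derived records in would only need the parse function changed.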

FTP attacks are used because the z/OS FTP server can accept JCL and submit it to JES as a batch job, so an FTP login is effectively the ability to run commands. A systems programmer might be caught by a phishing attack and have a keylogger installed on their machine to capture their login and password. The hacker can then access the mainframe over FTP, submit jobs, issue commands, and do anything else they want with that user’s authority.

With NJE (Network Job Entry), one trusted mainframe can send a job to another mainframe it’s connected to. It’s possible to abuse NJE to spoof a trusted node or submit a job, and so gain access to the other mainframe.

Clearly, the attack surface for a mainframe is quite big. One way of seeing whether a site is actually vulnerable is to use pen-testers. These are ‘good’ guys who try to penetrate your mainframe – and then tell you what they found. They will probably suggest ways to protect the mainframe as well.

The other, obvious, issue is that mainframes now run software that is commonly found on distributed systems, eg Java. It’s not unthinkable that the known vulnerabilities in that software will also exist on the mainframe – allowing hackers to gain access that way.

Unfortunately, it’s not just outsiders who can be attacking your mainframe – there can also be a problem with insiders too. Now, the majority of insiders won’t have any evil intention towards the data on the mainframe, and so the assumption is made that no-one has any bad intentions. This, quite often, isn’t the case. It may be that a trainee systems programmer can’t quite read his writing and makes an unfortunate change somewhere on the system, which may corrupt data or may lower the level of security that was being applied. The result was bad, but the intention was good.

But what about another employee who has run up serious gambling debts or has run out of money to pay for his drug habit? How hard would it be for criminals to target this person and ask him, just once, to make some change on the mainframe in exchange for all his current debts being forgotten? Of course, he’s going to do it. He needs to get out from under his debts, and the chance of anyone spotting what he did is, he thinks, very small.

Once they’re in

Once the hackers are inside the mainframe, their aims are the same as for a distributed system. They will try to escalate their privileges. They will look to see where data is stored. And the software they have planted on the mainframe will be dialling home for instructions. Once they have accomplished their goals, they will start exfiltrating (copying) the data, so that they can sell it on the dark web. They will corrupt the backups to stop the data being restored once it has been encrypted. They will encrypt the data. And they will leave a ransom demand.

If you’re any kind of financial institution or large company, then losing your mainframe means that people will immediately notice that your service is no longer available. And, added to the cost of recovery or the ransom, will be the cost to your company’s reputation. Something that the company might never recover from.

What can be done?

The solution is simple – some piece of software that can identify changes being made and alert the security team as soon as it spots them. Some mainframers will heave a sigh of relief at this stage because everything on a mainframe is recorded in SMF records. But, have you ever tried to read through yesterday’s SMF records to find what happened and when?

File Integrity Monitoring (FIM) software, which is quite common on distributed systems and is available for mainframes, can take a snapshot of an application or configuration file and later (weekly, hourly, or whatever time interval is required) compare that snapshot with the current state of the application or configuration file. If they are different, an alert can be sent to appropriate staff. The first snapshot has to be taken when the files are known to be good – perhaps straight after QA testing. The snapshot uses a hashing algorithm, and the results are stored in a virtual vault – so that hackers can’t modify those as well as the files under attack.

FIM tools allow regular scans to be carried out. This, as mentioned above, might be weekly, daily, or even hourly for some very sensitive files. In addition, scans can be carried out on an ad hoc basis. This detects any changes that have been made to files, and provides the change-detection evidence that PCI DSS requires.

Using a FIM tool means that the breach can be detected and reported the next time a scan on the affected file is run. The alert, highlighting what’s been changed, can be sent as an email to a responsible person or to a SIEM (Security Information and Event Management) console, or both. The organization affected can then take the appropriate steps to deal with the breach – far sooner than would be possible without the FIM software installed.

In addition, some FIM products can gather the required forensic information, including file accesses, userids, event times, and scope of attack. They can then promptly initiate policy-managed actions such as quarantine or userid suspension. Because FIM tools know when each component was last correct, they can then initiate the appropriate actions to restore and verify that all systems are in their approved state.

What about those backups? Some FIM tools can regularly check those and notify appropriate staff as soon as any changes are detected.
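To make the mechanism concrete, here is an added example of the baseline-and-rescan cycle described above. It is illustrative code written for this page, not a FIM product’s code and not from the original post. It hashes every file under a directory with SHA-256, seals the baseline with an HMAC so that an intruder who alters the monitored files cannot also quietly rewrite the baseline (the ‘vault’ point), and reports added, removed and modified files on each rescan. The directory, file names, contents and the HMAC key are assumptions made for the demonstration; on a real system the key would be kept off the monitored host.

```python
"""Minimal file integrity monitor: sealed baseline, rescan, change set.

Added example, not from the original post. Paths, file contents and
the key are assumptions for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each relative path under `root` to its SHA-256 digest."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = hash_file(full)
    return snap


def seal(snap, key):
    """Serialise the snapshot and attach an HMAC-SHA256 tag over it.
    Anyone who edits the baseline without the key breaks the tag."""
    body = json.dumps(snap, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(sealed, key):
    """True if the baseline's tag still matches its body."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def unseal(sealed, key):
    """Check the tag before trusting the baseline; refuse a tampered one."""
    if not verify(sealed, key):
        raise ValueError("baseline tag mismatch: the baseline itself may have been altered")
    return json.loads(sealed["body"])


def compare(baseline, current):
    """Change set between the sealed baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo(key, root=None):
    """Baseline a directory, tamper with it the way an intruder might, rescan.
    Returns the change set. File names and contents are constructed for the demo."""
    root = root or tempfile.mkdtemp()
    with open(os.path.join(root, "PROD.PARMLIB.txt"), "w") as f:
        f.write("RACF options: PROTECTALL(FAILURES)\n")
    with open(os.path.join(root, "PROD.LOADLIB.txt"), "w") as f:
        f.write("original load module\n")
    sealed = seal(snapshot(root), key)          # taken straight after QA sign-off
    # the intruder weakens a security setting, drops a new member, deletes another
    with open(os.path.join(root, "PROD.PARMLIB.txt"), "w") as f:
        f.write("RACF options: PROTECTALL(WARNING)\n")
    with open(os.path.join(root, "NEWPGM.txt"), "w") as f:
        f.write("unexpected new program\n")
    os.remove(os.path.join(root, "PROD.LOADLIB.txt"))
    return compare(unseal(sealed, key), snapshot(root))


if __name__ == "__main__":
    print(demo(b"demo-key"))
```

The scheduled scan is just `compare(unseal(stored, key), snapshot(root))` run on whatever interval the file’s sensitivity warrants, with a non-empty change set turned into the email or SIEM alert. Verifying the HMAC before every comparison is what stops a hacker neutralising the monitor by editing the baseline to match the files they have changed.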

Bottom line

Protecting the attack surface and regular pen-testing is vitally important to keep out bad actors, but something else is required to defend the mainframe against any that get through and any acts carried out by trusted members of staff. That something else is the use of FIM software, which can alert security staff as soon as changes are detected, and before the ransomware attack gets fully underway.

Sunday 18 April 2021

A ransomware attack – how it works and how to defend against it


For many organizations, and individuals, the first sign of a ransomware attack is when a message appears on their computer screen telling them that their data has been encrypted and will only be decrypted if a payment, usually in bitcoin, is made to the hackers.

The organization is usually unaware of what else the hackers have been doing on their system including taking a copy of the data before they encrypt it and leave their message.

For many organizations, there is little choice about what to do. They can lose their data or they can pay up. But that last option always comes with issues because the hackers are criminals – so, even if they do take the money, what are the chances that they’ll actually bother decrypting the data? And the data they’ve stolen? Won’t they still sell that information on the dark web?

There was a time when organizations could simply go to their extensive backups and restore their data from those. They might lose some of their most recent data – updates that were made between the time the backup was taken and the time the attack took place – but it was probably worth it. Hackers were quick to spot that loophole in their plan, and now corrupt backups before encrypting the data and informing the organization.

Many people used to believe that hackers were opportunists insofar as they would gain access to a corporate network and encrypt the data in a matter of hours. Nowadays, sophisticated hackers – often criminal gangs rather than individuals – will spend time maximizing the amount of information they can get their hands on and the damage they can do.

The steps in a cyberattack

So, let’s take a look at the stages in a modern cyberattack. And then we’ll look at some signs that such a ransomware attack is underway.

Step one is to get someone in an organization to download your software. An innocent-looking email arrives explaining that the recipient has a tax refund due to them. For security reasons, they simply need to click on the link to find the details. Or they are asked to help with the Black Lives Matter campaign – just click on the link to find out more. Or any number of other subjects get unaware employees to click on the link. Sometimes, the malicious code is buried in an innocent-looking attachment. It still has the same result.

Step two is the infection stage. The malware is downloaded and it executes.

Step three is for the malware to dial home to ensure it can talk to the hackers who set it up. It also starts to make changes to the network and escalates its privileges to those of an administrator.

Step four is to scan for data – whether that’s on a local computer, server, or the cloud. This can take some time to complete.

Step five is to corrupt backups. Step six is to upload data to the hackers. This would usually be personally identifiable information such as names and addresses, passwords, social security numbers, credit card numbers, etc. These two steps may occur at the same time.

Step seven is to encrypt your data. And step eight is to send a message saying that a ransomware attack has taken place and you need to pay the ransom.

Prevention

The first way to prevent ransomware attacks is to ensure that all staff are trained to recognize phishing emails and not click on dubious links or attachments. And then run your own phishing attack on random employees to see how well the message is getting across as a way of raising the awareness of everyone.

Most sites prevent employees from plugging in memory sticks, which might contain malware on them.

Software that prevents staff accessing websites that are known to contain malware can help. Also helpful is software that filters spam emails or other suspicious emails. It’s also possible to stop files that are attached to emails with certain extensions reaching users. If the email isn’t in a user’s inbox, they can’t click on links or attachments and download the malware. Unfortunately, these approaches are never 100 percent efficient.

Keep all your software up to date so that it is not vulnerable to any known security issues. The same applies to hardware. The firmware in laptops can be the target for attacks, so it is important to install any security updates across the PC fleet as quickly as possible.

The good news is that ransomware attacks do leave footprints that can be identified. Although they aren’t conclusive that a ransomware attack is taking place, they are a sign that it might be. One sign might be that there’s a lot of unusual activity on some files. For example, there may be lots of failed file renames resulting from attempts by the malware to access those particular files. There may be unusual activity at unusual times of the day, which is caused by the ransomware encrypting files. Another sign of a hack, that might not be obvious at first, is to see that an admin has been logging on to servers during the night at much the same time for a few nights in a row. While logged in, they’ve been moving between servers using a remote desktop protocol (RDP). Or, you may find that people are reporting their inability to access certain files, which, again, may be caused by the ransomware encrypting or moving the file. And there may be unusual network activity as the malware communicates with the hackers – perhaps sending data to them.

Identify attacks taking place

So, what can be done to identify these signs of an attack? The answer is to continually monitor your system. Try to set up a baseline for what happens on your system so that it becomes easier to identify abnormal activity. Scan for unusual file activity – looking for changes. Log all incoming and outgoing traffic – to see whether the ransomware is dialling home. And always investigate anything out of the ordinary.
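Two of the footprints described above, an admin account logging on out of hours at much the same time on several consecutive nights, and that account hopping between servers over RDP, are easy to state but only useful if something actually computes them over the logs. The script below is an added example, not from the original post and not from any product; the event records are constructed, and their flattened format (timestamp, account, host, logon type) is an assumption rather than a real Windows event layout. The night window and thresholds are also assumptions to be tuned against the baseline mentioned above.

```python
"""Flag recurring out-of-hours admin logons and RDP fan-out across servers.

Added example, not from the original post. The event extract is
constructed; the record layout, night window and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample: "timestamp,account,host,logon_type"
SAMPLE_EVENTS = """\
2021-04-12T23:58:10,svc_backup,FS01,RDP
2021-04-13T00:05:42,svc_backup,DB02,RDP
2021-04-13T14:12:00,alice,WS17,Interactive
2021-04-13T23:57:30,svc_backup,FS01,RDP
2021-04-14T00:03:11,svc_backup,DC01,RDP
2021-04-14T23:59:05,svc_backup,FS01,RDP
2021-04-15T00:10:00,svc_backup,BACKUP01,RDP
2021-04-15T08:30:00,bob,WS03,Interactive
2021-04-16T03:00:00,bob,WS03,Interactive
"""

NIGHT_START, NIGHT_END = time(22, 0), time(6, 0)   # assumed out-of-hours window


def parse(text):
    """Turn the extract into (timestamp, account, host, logon_type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, host, ltype = line.split(",")
        events.append((datetime.fromisoformat(ts), acct, host, ltype))
    return events


def is_off_hours(ts):
    return ts.time() >= NIGHT_START or ts.time() < NIGHT_END


def night_of(ts):
    """Group a small-hours logon with the evening it belongs to."""
    d = ts.date()
    if ts.time() < NIGHT_END:
        d -= timedelta(days=1)
    return d


def longest_run(dates):
    """Length of the longest run of consecutive calendar days in `dates`."""
    ds = sorted(dates)
    if not ds:
        return 0
    best = run = 1
    for prev, cur in zip(ds, ds[1:]):
        run = run + 1 if (cur - prev).days == 1 else 1
        best = max(best, run)
    return best


def recurring_night_logons(events, min_nights=3):
    """{account: nights} for accounts seen out of hours on `min_nights`
    or more consecutive nights; the 'same time, night after night' sign."""
    nights = defaultdict(set)
    for ts, acct, _, _ in events:
        if is_off_hours(ts):
            nights[acct].add(night_of(ts))
    return {a: longest_run(n) for a, n in nights.items() if longest_run(n) >= min_nights}


def rdp_fan_out(events, min_hosts=3):
    """{account: sorted hosts} for accounts that reached `min_hosts` or more
    distinct machines over RDP; the lateral-movement sign."""
    hosts = defaultdict(set)
    for _, acct, host, ltype in events:
        if ltype == "RDP":
            hosts[acct].add(host)
    return {a: sorted(h) for a, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    ev = parse(SAMPLE_EVENTS)
    print("recurring night logons:", recurring_night_logons(ev))
    print("RDP fan-out:", rdp_fan_out(ev))
```

On the sample, svc_backup is flagged by both checks while bob’s single 3 am logon is not, which is the point of requiring recurrence: one late night is normal, three in a row from an account that is also walking across the file, database, domain controller and backup servers is worth a phone call.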

There is also the problem that software tools used by the IT security team can be used by hackers. Once a hacker has admin rights, they can use legitimate tools on your system, such as PC Hunter or Process Hacker to disable security software. And if you’re not expecting these kinds of tool to be where you find them, then it can be a sign of a hack in progress.

The presence of network scanning software (eg AngryIP) can also be a sign of an attack taking place. Once the hackers have access to one computer, they will try to gain a full view of the corporate network in order to access all the valuable data (or as much as possible). If no-one in IT knows anything about the scanner software, then it is a clear sign an attack is underway.

Use an intrusion detection system (IDS). This is designed to continually monitor a network for policy violations or any activity that might be considered malicious, and report what it has found. Some can respond to any intrusions. These are usually called intrusion prevention systems (IPS). Whatever you use, keep it up to date. And make sure that it can detect the common exploit kits (EK) used to get ransomware onto a network.

Some sites create a honeypot – a share or drive that appears to be full of rich data pickings, to entice the would-be hackers to investigate it further. By monitoring for any activity on that disk, it’s possible to quickly identify that an attack is in progress. Because ransomware usually works through the drives in alphabetical order, it makes sense to give it an early letter such as E: or G:.

What else?

Lastly, consider buying cyber insurance to help pay for recovering your system after a successful attack. I’m not sure whether the insurance covers the damage to your reputation!

Often employees use the same password that’s stored in Active Directory to access the mainframe. So, watch out for hackers getting into that as well.

Find out more about iTech-Ed here.


Sunday 11 April 2021

I’m in a meeting!!

 It was bad enough when we were all in the office (or the machine room). There were too many meetings to go to. But now we have Zoom and Teams and any number of other ways of meeting, it seems the amount of time people spend in meetings is just increasing. Last week, for the first time, I found myself in two important meetings at the same time – one using Zoom and one using Teams. This is total madness!

What types of meeting are you spending so much time in? There are lots of ways of classifying meetings. Let’s divide them into six types:

  • Status update meetings – these are the most common, and happen frequently. They are used for project updates, team alignment, and general catch-ups.
  • Information sharing meetings – these may involve presentations as information is passed to a team. It allows questions to be asked by staff. It may involve a training session.
  • Decision making meetings – this is where goals can be set and solutions to problems can be worked out and evaluated. Information needs to be shared, strategies can be discussed, and actions can be decided on.
  • Problem solving meetings – these need to be solution focused and deal with internal or external challenges.
  • Innovation meetings – these allow new ideas to be suggested and the meetings help drive innovation. They may involve brainstorming sessions.
  • Team building meetings – in pre-Covid days, these may have involved away days and team building exercises.

Working from home or working from anywhere was meant to make people more productive because they didn’t need to commute, and they were less likely to be disturbed by work colleagues stopping by their desk for a chat. However, statistics show that in 2020 the number of meetings attended by a worker on average rose by 13.5 percent. Frighteningly, 11 million meetings are held each day, which works out at 55 million meetings per week or 220 million meetings per month! Currently, 15 percent of an organization’s time is spent in meetings, and that figure has increased every year since 2008. Apparently, employees spend 4 hours per week preparing for status update meetings. And the consequence is that 67 percent of employees complain that spending too much time in meetings hinders them from being productive at work.

It gets worse: most employees attend 62 meetings per month, and feel that half of those meetings were a complete waste of time. And 92 percent of employees say they multitask during meetings – which may help them be more productive, but also may contribute to the failure of the meeting.

Managers and professionals lose 30 percent of their time in meetings that they could have invested in other productive tasks. Ineffective meetings make professionals lose 31 hours every month, or 4 working days. 95 percent of meeting attendees say they lose focus and miss parts of the meeting, while 39 percent confess to dozing off during meetings!

A survey of 6,500 people from the USA, UK, and Germany found that among the 19 million meetings that were observed, the ineffective meetings cost up to $399 billion in the USA and $58 billion in the UK.

These statistics are from Atlassian, Attentiv, Cleverism, Condeco, Doodle, Harvard Business Review, HR Digest, KornFerry, National Bureau of Economic Research, ReadyTalk, The Muse, and Timely.

There I was, monitoring a Zoom meeting and a Teams meeting, and the question that came to mind was could I have done it for two Teams meetings or two Zoom meetings? The answer for Teams would be to join one Teams meeting using the Teams Desktop Application and join the second meeting using the Microsoft Teams Web Application.

With Zoom you can also join multiple meetings at the same time using the Zoom desktop client. You can’t, however, host multiple meetings. You do need to have a Business, Enterprise, or Education Zoom account. And you have to contact Zoom Support to have this feature enabled, which could take a few days. And, once the setting is enabled, you can join multiple meetings by using the join URL or going to https://zoom.us/join and typing in the meeting ID. The Join button in the Zoom client only works for the first meeting you want to join.

If you really want to do this, here are the instructions…

  1. Sign in to the Zoom web portal.
  2. In the navigation panel, click Settings.
  3. Click the Meeting tab.
  4. Under the In Meeting (Basic) section, verify that Join different meetings simultaneously on desktop is enabled. 
  5. If the setting is disabled, click the Status toggle to enable it. If a verification dialog displays, choose Turn On to verify the change.

On the day that you want to join multiple meetings, you can join the first meeting by:

  • Clicking the Join button in the Zoom desktop client;
  • Clicking the join URL; or
  • Navigating to https://zoom.us/join and entering the meeting ID.

For meetings two and three (or more), you have to use the join URL in your browser or manually enter the meeting/webinar ID on https://zoom.us/join, and the Zoom client will automatically launch the additional meeting.

And there you are, unproductive in two or three meetings at the same time!

One reason that so many meetings go on for so long is that everyone is comfortable. They have a tea or a coffee. They may have some biscuits or a doughnut to nibble on. And they are sitting in a comfortable chair. There’s no need for them to rush. And that’s why meetings held with people standing up can be so much quicker and can focus people’s attention. Stand-ups, or daily scrums, as people using the agile framework call them. Although they were originally used for developing software, they are now used by many organizations. A small group of people stand in a room – or on a Zoom call – for a limited period of time. This is often 10 or 15 minutes. What’s been achieved can be reviewed, and what needs to be done can be focused on. And these brief meetings are held frequently, often at the start of the day. And this seems to work well.

I’m inclined to not call a meeting if there isn’t a real purpose for having it. You know, the it’s-always-scheduled-for-the-second-Tuesday-of-the-month kind of meeting. I think it’s important for the chair to keep the meeting focused. The worst kind of meeting is the one where the chair has to talk at length about everything! And I like the idea of standing up at meetings to encourage everyone to be brief, concise, and focused. And I really don’t want to be in two (or more) meetings at the same time again – even if I know how to do it!