
Friday, 26 May 2017

Pull the budget and suffer the consequences: the NHS ransomware attack [Link: Information Age]

I was asked to help source an article about WannaCry on the NHS. Here is the article that was published on the Information Age website: http://www.information-age.com/pull-budget-suffer-consequences-nhs-ransomware-attack-123466474/

=========================================

Why wasn’t more done to protect NHS organisations from the WannaCry ransomware attack?


Ransomware infects computers around the world every day. In the last 18 months, instances of it have surged so prolifically that today it is the most common type of malware. However, the WannaCry strain hit the headlines because it brought large parts of the NHS to a crunching halt.

This is the problem with malware: it can have devastating effects. We don’t know what the real-world physical implications of WannaCry have been, on patient treatment for instance. Perhaps we will never know.

At first glance, it appears almost criminal to be running operating systems that are no longer supported, in the case of the NHS, Windows XP. This was in no way helped by the government pulling the plug on an XP support contract to save money.

The ransomware infection was so serious that the government chaired a Cobra meeting, code for official panic. While patching an operating system is a fundamental security step, there can be a number of issues that complicate the process.

For instance, an organisation with a desktop fleet consisting of thousands of PCs might simply have not set up its configurations correctly, leaving holes in its patching process through which malware can insinuate itself.


Risk register


Some organisations might be reluctant to automatically apply operating system patches because they could cause conflicts with business critical applications. In short, they might be unable to patch for fear of slowing down, or even halting other parts of the business.

In both these cases there should be at least an awareness of the potential risks. It could be that an IT team is stretched thinly and is juggling other issues such as networking or storage, and consequently security slides down the list of priorities. This isn’t uncommon.

In these cases IT should be creating a risk register, which is essentially a list of known system vulnerabilities: why they exist, how they can be remediated and why they haven’t yet been addressed. This could be because of budget limitations or some other reason.

The C-level executive team should sign off on the ‘risk register’ to show that they are aware of the issues and have accepted responsibility. This protects IT from any fallout should a serious breach occur, and also illustrates that they are doing their job.

Finger pointing


The WannaCry breach led to a lot of finger pointing and within hours had also become a political hot potato. Many people in the industry were quoted saying that defences are only as strong as the weakest link.

This is a self-evident truth, but in this case a very large condemning finger was pointed at end users. The implication was that a naïve employee or cluster of employees had clicked on an email link which unwittingly unleashed the worm-like WannaCry ransomware.

Phishing emails are increasingly sophisticated and even the most alert and astute end user can be fooled if the mail is targeted and well-crafted. The only problem with blaming end users is that it smacks of scapegoating and is essentially an abnegation of responsibility. However, there has been no evidence to suggest that WannaCry was initiated by an email or spread by user interaction.


First lines of defence


End user education and training are important and should certainly be more than an annual box-ticking exercise. As with patching operating systems, though, it should be treated as a last line of defence and certainly not the first line.

Any organisation that is serious about IT security will have a range of defences in place to safeguard against these types of attacks. For instance, an email security gateway with sandboxing will filter out ransomware even if a user clicks on a malicious link. A web security filter with sandboxing will protect against drive-by downloads, in which someone only has to visit a website to inadvertently download malware.

Web filtering tools in conjunction with a good firewall can detect dubious websites, as well as flag traffic that is leaving an organisation for a questionable destination. Of course there is also heuristic and signature detection, so if malware does penetrate the network it is immediately detected and stopped.

Added to this is a raft of endpoint tools that can protect devices, and we’re not just talking about patching operating systems but also patching browsers, plug-ins and third-party software for vulnerabilities. On top of this, admin rights should be removed from endpoints so software doesn’t automatically run by default.


Lack of willingness


In short, the tools are available to protect organisations from ransomware and other types of malware, and they don’t have to be the latest and the greatest either. The real question is whether the willingness to take security seriously is there. Given the large number of attacks that happen regularly you’d have to say it’s not. For instance, where there is commitment, budget is always made available to help overstretched IT teams.

Clearly in the case of the NHS the funding was missing, and if the government doesn’t yet fully understand the importance of comprehensive cyber security then who will? Will it take loss of life before someone sits up and takes security seriously?

Saturday, 13 May 2017

The Anatomy of Ransomware - and How to Prevent it from Impacting You

After the global cyber attack with ransomware, there is much advice out there suggesting the problem would have been prevented with point products, training or procedures. I'm going to outline a generic ransomware attack below, so that the defences can be understood. I'm going to outline what you can do as a home user, corporate user, or corporate IT team.


Delivery of Ransomware


Depending on the research you read, 93-98% of ransomware is delivered by email. The remaining delivery methods are via websites, whether a drive-by download, malvertising or a malicious website, or via removable media.

As a home user, a good quality endpoint protection solution is recommended. Try not to click on email attachments or dubious web links, or to use removable media you are unsure about. Use a standard user profile rather than administrator rights for everyday work, and enter the admin credentials only when needed.

As a corporate user, the advice is similar to that for a home user: try not to click on email attachments or dubious web links, or to use removable media you are unsure about.

As a corporate IT team, email and web gateway solutions should be protecting the email and web traffic. The endpoint should have good quality multi-layered protection. Ensure that users do not have local administrator rights. Sandboxing solutions on the network will analyse the unknown traffic coming into the network and ensure the email, web and endpoint vectors are covered. Consider device control solutions if removable media is a significant entry point into the network. User education can help, but it needs to be short and regular, not many hours once a year.

Exploit the Endpoint


The ransomware's next task is to find a vulnerability on the endpoint, in order to exploit it and install the ransomware. This is when the advice is to patch your operating system, or check and install the updates to your machine. It's less well known that the other software on your machine also has vulnerabilities: third-party software such as Java and Adobe Reader, as well as the internet browsers and their add-ons.

As a home user, change the settings on the operating system and software to automatically check and install the updates. Consider removing applications that are rarely used, as some may not check for updates until they are used.

As a corporate user there is typically little you can do, as this should be controlled by the administrators. If you are able to run the updates, check regularly. If you are able to install applications, consider what you are installing and switch on automatic updating.

As a corporate IT team, ensure there is a robust patching regime. Ensure patches are deployed to Microsoft operating systems as close to "Patch Tuesday" as possible, to prevent there being a "Hack Wednesday". Ensure the patching regime goes beyond operating systems, covering off the third-party applications, browsers and add-ons. Consider Application Control solutions to limit the applications on the endpoints. In the server environment, consider using IDS/IPS or "Virtual Patching" solutions to protect the servers until patch remediation can be carried out in a scheduled maintenance window, allowing for testing of patches prior to deployment.


Installation of Ransomware


The installation of the ransomware will typically be disguised as a system process, so can go undetected by traditional or single layers of defence.

As a home user with administrator rights removed, as mentioned before, the software may not be able to install. Again, a good quality anti-malware solution may help prevent the ransomware from being installed.

As a corporate user there is typically little you can do, as this should be controlled by the administrators.

As a corporate IT team, look to Application Whitelisting, so unknown applications can't be installed. Allowing only known good software, identified by its fingerprint rather than its name, means that even if the ransomware is masquerading as a system process, it will not be allowed to execute. Again, good multi-layered anti-malware protection and limited local admin rights will help. Sandboxing solutions should detect this traffic, and consider tools that can monitor file integrity, analyse memory or offer memory injection protection.

Command and Control


Once installed, the ransomware will typically talk back to the "Command and Control" servers, which communicate with the ransomware and customise what the machine will do, such as detecting the language settings of the computer and then installing the interface in the matching language. A Chinese demand for a ransom would not be very effective on a machine set to Russian. The unique encryption key can be communicated at this stage as well.

As a home user, beyond relying on the endpoint protection having good malware detection and possibly a host-based firewall, there is very little that can be done at this point.

As a corporate user, the situation is much the same as the home user, as there is little that can be done.

As a corporate IT team, the use of Next Generation Firewalls and/or web gateway solutions should be able to see this traffic travelling to and from the network, and prevent the communication. Logging or SIEM solutions should be able to take the feeds from various points throughout the network to detect this activity.


Data Encryption


The ransomware will now start to encrypt a portion of each file, allowing it to work quickly through all the files. It will check for connected devices, so it will be able to encrypt network file shares and removable media connected to the machine. It also knows to leave the operating system files alone, so the machine is still able to run and display the ransom demand.

As a home user, beyond relying on the endpoint protection having good malware detection and possibly a host-based firewall, there is very little that can be done at this point, aside from ensuring that there are system backups.

As a corporate user, the situation is much the same as the home user, as there is little that can be done.

As a corporate IT team, the anti-malware solution may be able to detect this and stop it from running, or the use of application control could have prevented the application from executing, as mentioned before. Beyond that, the dependence will be on having system backups.
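A defender-side illustration of the file-integrity monitoring mentioned above, added here and not part of the original post: a SHA-256 baseline of a constructed sample share, a simulation of the partial encryption described (only each file's header is overwritten), and a detector that flags a burst of changed files whose headers now look like ciphertext. The sample files, thresholds and helper names are assumptions.

```python
import hashlib
import math

HEADER_LEN = 4096  # bytes of each file a partial encryptor is assumed to overwrite


def make_documents():
    """Constructed sample share: 20 plain-text files of ~8 KB each."""
    text = b"Quarterly report: patient appointments scheduled and attended. " * 128
    return {f"share/notes_{i:02d}.txt": text for i in range(20)}


def pseudo_random(n, seed):
    """Deterministic high-entropy bytes standing in for ciphertext (no real cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


def partially_encrypt(files, header_len=HEADER_LEN):
    """Simulate the behaviour described above: only the first header_len bytes change."""
    return {p: pseudo_random(header_len, p) + d[header_len:] for p, d in files.items()}


def shannon_entropy(data):
    """Bits per byte: 0.0 for a single repeated byte, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def baseline(files):
    """File-integrity baseline: SHA-256 of every file at a known-good point in time."""
    return {p: hashlib.sha256(d).hexdigest() for p, d in files.items()}


def detect(files, base, header_len=HEADER_LEN, entropy_threshold=7.5, change_ratio=0.25):
    """Flag files whose hash changed AND whose header now looks like ciphertext.

    One high-entropy change is ordinary; many of them in a single scan, as a share
    of the baseline, is the burst pattern ransomware produces.
    """
    flagged = []
    for path, data in files.items():
        if base.get(path) == hashlib.sha256(data).hexdigest():
            continue  # unchanged since baseline
        if shannon_entropy(data[:header_len]) >= entropy_threshold:
            flagged.append(path)
    ratio = len(flagged) / max(len(base), 1)
    return {"suspicious": ratio >= change_ratio, "ratio": ratio, "files": sorted(flagged)}


if __name__ == "__main__":
    docs = make_documents()
    base = baseline(docs)
    print(detect(docs, base)["suspicious"])                     # False: nothing changed
    print(detect(partially_encrypt(docs), base)["suspicious"])  # True: 20 of 20 headers now random
```

Compressed document formats (docx, pdf with compressed streams, images) already have high-entropy content, so in practice the rate of changed files against the baseline carries more weight than the entropy test alone.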


Ransom Demand


At this point, whoever you are, all is lost without system/data backups.

The advice is not to pay, as research currently shows that paying the ransom leads to the decryption of the data only around two thirds of the time, and increases the likelihood of being targeted again.


The Advice

As a home user, don't click on links without validating that they are legitimate, get a good quality endpoint protection solution and patch your computer regularly. Remember to back up your data, whether to the cloud, portable hard drives or USB devices, and try not to leave physical backup devices connected when not in use. Make your account a standard user, so the administrator password is required for tasks that alter the configuration of your computer.

As a corporate user, don't click on links without validating that they are legitimate, but work with IT if you think you have.

As a corporate IT team, ensure the endpoints have good quality malware protection that can be centrally managed and centrally logs information. Ensure there are web and email gateways installed and configured. If you don't have a NGFW, consider getting one and using the features available. Patch the operating systems, applications and browsers on endpoints and servers. Consider investing in Device and Application Control solutions, if you don't already have them. Sandboxing solutions will help deal with unknown and new threats, so are well worth the investment. Review the rights the users have on their devices, as they typically don't need to be local administrators. SIEM solutions with security features will help detect this early on. End user training is important, but keep it short and regular for it to be effective.


Conclusion


Ransomware attacks will continue to happen, but stopping the chain of events as early as possible will minimise the damage.

I hope this guide has been useful in helping understand how ransomware works, and the measures that can be taken to prevent it from impacting you. If you have any questions, please feel free to email me: blog@andytang.com

Tuesday, 22 December 2015

Biggest security fails of 2015 and a look ahead to emerging threats in 2016

This year has seen IT security at the forefront of the news agenda for all the wrong reasons. Various breaches and hackings such as those on TalkTalk, Carphone Warehouse and Ashley Madison have heightened discussion around IT security and the protection required to counter virtual incursions.

However, many of the attacks over the course of the year were avoidable. Had the companies in question been more diligent over their testing and security protocols, some of the breaches would not have been as successful.

Security fails of 2015

The biggest security failing of 2015 is arguably the vulnerability of companies to simple web application attacks. Organisations with large volumes of online customer interactions were targets for web application attacks, where cyber-criminals gain access to sensitive customer data. Techniques such as SQL injection and brute force techniques were used to access valuable data for fraud or resale to third parties.

The other security failing this year has been phishing attacks, a method that can result in malware entering a network, leading to data theft. Phishing attacks can come in the form of an apparently legitimate email from a company that redirects the user to a fake external site. Personal information will then be requested and captured for future brute force attacks.

Prevention is simple

Following simple guidelines such as those from OWASP is the first step to prevention. Regular testing of web-facing applications before publishing them can also help avoid attacks such as the one on TalkTalk.

Education within the company and targeted solutions aimed at monitoring data exfiltration should be a priority. A company’s security cannot rely only on its security solutions as a shield – its workforce can and often will be a weak spot in its armour. Employee education on data governance, access and removal of data should be at the top of a company’s IT security resolutions for 2016.

Emerging security threats in 2016

As Ransomware threats are so effective, they are predicted to continue to increase in use in 2016, along with the level of sophistication behind attacks. This is especially the case as corrective measures to protect from attacks are rarely in place.

In addition, DDoS (distributed denial-of-service) attacks aimed at extracting data have been getting stronger and harder to defend against, as shown by the high profile TalkTalk and Carphone Warehouse breaches.

There have also been a growing number of blackmail attempts, threatening a company’s resources with DDoS attacks, unless they receive a sum of money.

What is interesting is that these two techniques do not demand high levels of technical ability, but the rewards can be great. Many companies cannot afford lengthy downtimes on their servers and will pay the sum demanded, even without any guarantee that the same attackers will not return.

Who will they affect the most?

Ransomware can affect a majority of computer users. Assuming you will not be a victim of a cyber-attack is a major mistake and the risk of such an attack should be taken seriously.

Blackmail/DDoS attacks, on the other hand, will target medium to large sized companies that have the budget to pay the ransom money.

Invaluable security solutions for businesses in 2016

As Ransomware is predominantly distributed via email and the web, a sandboxing solution is essential. The relevant solution has to be able to scan emails and internet traffic delivered to computers on the network, to remote workers using a VPN and to BYOD users on wireless or mobile connections.

Ransomware will execute with the credentials of the user who opens it, so there is a need to look at controlling administrative credentials on all computers, whether they are servers, workstations or laptops.

Monday, 21 December 2015

Cyber-Security Predictions for 2016 [Link - Information Security Buzz]

I was asked to write a piece about Cyber Security predictions for 2016, which was published on Information Security Buzz.

http://www.informationsecuritybuzz.com/articles/cyber-security-predictions-for-2016/

================

Cyber-security Predictions for 2016

What will be the emerging IT security threats in 2016 and do you expect as many or even more attacks as 2015?

Although Ransomware attacks have been talked about a lot in 2015, the number of attacks has risen significantly during Q4 2015. Ransomware attacks are so effective that the number of attacks will rise, as will the level of sophistication behind them, especially as corrective measures to protect from the attack are rarely in place.

DDoS (distributed denial-of-service) attacks aimed at extracting data have been getting stronger and harder to defend against, as evidenced by the high profile TalkTalk and Carphone Warehouse breaches.

There have also been a growing number of blackmail attempts, threatening a company’s resources with DDoS attacks unless they are paid a sum of money.

Ransomware and DDoS attacks will only increase in frequency in the next year. They do not demand high levels of technical ability and the rewards can be great. Many companies cannot afford lengthy downtimes on their servers and therefore will pay the sum demanded, even without any guarantee that the same attackers will not return.

Who will they affect the most?

Ransomware can affect a majority of computer users. Assuming you will not be a victim of a cyber-attack is a major mistake, and the risk of such an attack should be taken seriously.

Blackmail attacks with a threat of DDoS attacks will affect medium to large sized companies who have the budget to pay the sum of money demanded. The transaction is usually in crypto-currency, typically bitcoin. The companies that have the budget to invest in the right protection against these types of attacks are also the ones likely to be attacked.

What security solutions will become invaluable to businesses in 2016?

As Ransomware is typically distributed via email, an email sandboxing solution will be required. The relevant solution has to be able to scan emails whether they are being delivered to computers on the network, to remote workers using a VPN or to BYOD users on wireless or cellular connections. As Ransomware will execute with the credentials of the user who opens it, there is a need to look at controlling administrative credentials on all computers, whether they are servers, workstations or laptops.

How will the IT security sector cope with the lack of talent in the UK?

There is not a lack of talent in the IT Security sector, but rather of qualified talent. The challenges have been the roles that have been advertised, where the skills required are beyond many technical people, or that look for specific certifications and accreditations. I believe there are many good universities in the UK producing excellent candidates for IT Security, as well as many people with the right aptitude and attitude to learn. Although this may not give companies the “right” skillsets immediately, they can be learnt with the right programme of education and mentorship.