February 27, 2018 – Last week, the city of Allentown was hit with Emotet, malware that started as a banking trojan. Reports indicate that the initial entry into their municipal business environment occurred via phishing. Once the malware was downloaded and installed, it began to replicate itself across the city government’s network infecting devices and stealing login credentials. This has resulted in the city’s financial system being offline, the city’s camera surveillance being taken offline, and the city’s police department being disconnected from the Pennsylvania law enforcement network.
It is estimated that the cost to remediate this attack will be close to $1 million. This same malware has infected other government and public-school facilities. In fact, this past January, the same malware cost the Rockingham, North Carolina school district $314,000 to recover from the infection.
What is Emotet? Emotet is malware that started out as a banking trojan three years ago. It was originally designed to sniff network traffic for user login credentials. Over the last three years, the malware has morphed to allow for custom modules to be added. Last year, the malware started to use the EternalBlue exploit developed by the NSA and later leaked to the public. This exploit allows the malware to spread across Windows networks on devices that have not been patched. The malware is not easily blocked as it can be delivered via .js, .pdf, and .doc/.docx files.
What can be done? Ensure that you are auditing your patching to verify that patches are being applied as they should. We are not saying that this malware spread via the EternalBlue exploit here; however, since that is one method by which it does spread, are you ready to prevent it from spreading?
Why perform a patch audit? Sometimes patches may be pushed in an automated fashion, but for whatever reason just don’t make it onto a system and may require a more hands-on approach.
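One way to run such a patch audit, as an added example that is not part of the original post: it reconciles what the patch management system reports as pushed against what each host actually lists as installed. The host names, CSV layouts and patch IDs are constructed placeholders, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample data; patch IDs are placeholders, not real KB numbers.
REQUIRED = {"Windows 7": {"KB-EXAMPLE-001"}, "Windows 10": {"KB-EXAMPLE-002"}}
INVENTORY_CSV = """host,os
fin-01,Windows 7
pd-01,Windows 10
cam-01,Windows 7
clerk-01,Windows 10
"""
# What the patch management system reports as pushed.
DEPLOYED_CSV = """host,patch
fin-01,KB-EXAMPLE-001
pd-01,KB-EXAMPLE-002
cam-01,KB-EXAMPLE-001
"""
# What each scanned host actually lists as installed.
INSTALLED_CSV = """host,patch
fin-01,KB-EXAMPLE-001
cam-01,KB-EXAMPLE-000
clerk-01,KB-EXAMPLE-000
lab-09,KB-EXAMPLE-002
"""

def group(text):
    grouped = {}  # {host: {patch, ...}}
    for row in csv.DictReader(io.StringIO(text)):
        grouped.setdefault(row["host"].strip().lower(), set()).add(row["patch"].strip())
    return grouped

def audit(inventory_csv, deployed_csv, installed_csv, required):
    """Return {host: (status, missing_patches)} for every host seen."""
    inventory = {r["host"].strip().lower(): r["os"].strip()
                 for r in csv.DictReader(io.StringIO(inventory_csv))}
    deployed, installed = group(deployed_csv), group(installed_csv)
    findings = {}
    for host, os_name in inventory.items():
        missing = required.get(os_name, set()) - installed.get(host, set())
        if host not in installed:
            findings[host] = ("NOT_SCANNED", missing)  # no evidence either way
        elif not missing:
            findings[host] = ("OK", missing)
        elif missing & deployed.get(host, set()):
            findings[host] = ("REPORTED_BUT_ABSENT", missing)  # push did not land
        else:
            findings[host] = ("NEVER_PUSHED", missing)
    for host in set(installed) - set(inventory):
        findings[host] = ("NOT_IN_INVENTORY", set())  # device missing from asset list
    return findings

if __name__ == "__main__":
    result = audit(INVENTORY_CSV, DEPLOYED_CSV, INSTALLED_CSV, REQUIRED)
    for host, (status, missing) in sorted(result.items()):
        print(f"{host:10} {status:20} {', '.join(sorted(missing))}")
```

Hosts flagged REPORTED_BUT_ABSENT or NOT_SCANNED are the ones that need the hands-on follow-up.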
October 24, 2017 – A piece of malware called “Bad Rabbit” is reportedly making its rounds around Eastern Europe and Russia. However, the United States Computer Emergency Response Team (US-CERT) has reported they have “received multiple reports of Bad Rabbit ransomware infections in many countries around the world.”
The ransomware infection is being distributed via a pop-up in the user’s browser that says the version of Adobe Flash Player installed is out of date. Once the fake update is downloaded, it will move from computer to computer encrypting the files and stealing info in memory.
This malware preys on a weakness in Windows operating systems using a method discovered and used by the National Security Agency. This weakness (aka vulnerability) became public when it was stolen and then leaked to the world as “EternalBlue”.
The vulnerability utilizes a communication method that is used between Windows-based computers called Server Message Block version 1. As this method of communication is the oldest version in use, there were a significant number of computers that were easily attacked in April/May of 2017. This is evidenced by the WannaCry and the Petya/NotPetya malware that took control of over 230,000 computers in 150 different countries. Had it not been for an alert cyber security researcher who found a method of killing the malware, this number would have been much higher. Organizations that were affected include FedEx, the British hospital system, and French auto manufacturer Renault, to name a few.
A fix for the vulnerability was sent out in March by Microsoft. The computers that did not apply the fix were left vulnerable. As of this date, there are still computers vulnerable as they have not received the fix.
What can you do? Ensure your computers are up to date on patches. This can be done by using Windows Update on your computers or by using a patch management system.
If there are any questions, please do not hesitate to reach out to me.
October 15, 2017 – Cybersecurity is not ONLY about responding to ransomware or a hacker, but about being prepared to prevent it from happening. When you are prepared to prevent an attacker from entering your computers or network, you make it difficult for them to be successful. For an attacker that means they will have to spend more time trying to get what they want. If it is simply to hold your computer and information for ransom, then they will likely move on. If it is your information that they want, they will expend the extra time to get it. But who said you had to make it easy?
So, what can you do? Well, a lot. But don’t despair. It may not cost you a lot to implement. Let’s follow the National Institute for Standards & Technology (NIST) Cyber Security Framework. In the framework there are two areas that are easily addressed: Identify and Protect.
Asset Management – Get a list of EVERYTHING that processes information electronically. It could be a security camera connected to your network, your computers & servers, a printer, all your network devices, etc. Record what it is, what operating system it runs (Windows, Linux, macOS, etc.) and what software is installed on it (Office 2016, Adobe Reader, Adobe Flash, and the other programs you use). If it is a device like a printer or a security camera, record the brand and determine the firmware version.
Maintenance – Update your software and firmware when new versions are available as they may address security flaws in the software. For Windows and other applications, updates are provided monthly. Others, not so often. Check with the developer and see if they have an email list you can join to be notified when there are updates.
The longer a security flaw remains in your software or firmware the easier you make it for an attacker to be successful in taking or ransoming your information. But by doing these two things, you have done a lot to protect your information and taken a proactive stance in preventing an attack from being successful.
If you need assistance, let us know. We’ll be glad to help you become proactive!
August 23, 2017 – BLUF: We highly recommend that you contact an information security professional regarding this legislation. If not us, find someone who can help you determine if you are doing what needs to be done to stay within the guidelines of this legislation.
On 17 August, 2017, Governor Carney signed legislation that improved cybersecurity protections for the citizens of Delaware and goes into effect in April. It improved on the original cybersecurity legislation written nearly a decade ago. House Substitute 1 for House Bill 180 (http://legis.delaware.gov/BillDetail?legislationId=26009) provides for additional protection requirements where personal information may be compromised as the result of a breach. In the event of a breach of personal information, the legislation requires notifications and free credit monitoring services for those whose Social Security information was potentially disclosed via the breach.
The updated legislation now includes a definition that is used to determine if a breach of security has occurred. A breach has occurred when “a person who owns, licenses, or maintains computerized data has sufficient evidence to conclude that a breach of security of such computerized data has taken place.” Reporting of a breach is left to the holder of the data to have the integrity to come forward and announce that they have had a breach. The key word in the legislation is determination. It has to be determined that a breach occurred before any reporting is required. Who determines? Who makes the call? At any rate, the organization has 60 days to make notifications (as long as it does not ruin a police investigation) from the date of determination.
The legislation also introduces encryption to the lexicon. It states that it is required, but it does not provide a minimum level of encryption. The only statement is that it is “rendered unusable, unreadable, indecipherable through a security technology or methodology generally accepted in the field of information security.” This is a problem: depending on the source that you query, the organization could end up with an encryption standard that is reversible. Some developers roll their own crypto algorithms that are found to contain faults.
The legislation states that organizations must protect by encryption personal information, which is defined as a Delaware resident’s first name or first initial and last name in combination with any 1 or more of the following data elements that relate to that individual
“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
To help businesses understand what is at stake in their business when it comes to information technology, it helps to show them the value of what they have as assets and then apply a level of risk to that asset.
Rarely do you find a business any more that does not use a computer of any sort. Gone are the days of credit card carbon slips, paper ledgers, and hand-drawn engineering diagrams. We are striving to do more with less to increase profit. In this effort, we reduce what is at stake in one way and see increases in others. For example, in my recent travels to Michigan, I stopped for gas at a gas station that did not have any card readers on their pumps. While I do not know why, it provides a good example of what is at stake by not adopting technology. The result is a reduced threat of credit card theft, but at the expense of having people drive off, as it provides a different experience than at other gas stations.
To that end, to remain competitive, businesses of all sizes that are adapting to new technology may not understand what is at stake by not addressing the risk of implementing it. Does your small business understand what is at risk by providing free and open Internet access to your customers? How about the risk of placing card readers on the gas pumps? Do the benefits outweigh the risks? What information does your business have or use? What happens if that information could be used to embarrass your business? What can be done to reduce the effect on your business?
The effect can be reduced by identifying risk, and that starts with identifying what you have at stake. Don’t think of what is at stake just physically, because what you have is more than the physical devices that you may have purchased. For example, the laptop that you bought may have only cost $300. The value of the laptop itself may decrease (likely), but what about what you have been doing on that laptop for your business? How much information do you have stored on it (think contracts, projections, plans, contacts, etc.)? What is the value of that information? Do you now see that the laptop is worth a lot more than just the value of the physical device? Identifying what you have is designating what you have as assets.
Weaknesses in the laptop represent vulnerabilities. These weaknesses can come in the form of how susceptible it is to damage (physical or logical). For example, the laptop is a portable device that contains various pieces of software installed on the computer and the information that is important to your business. Each of these items is a vulnerability that has different weaknesses. But these weaknesses don’t necessarily mean your information will be lost.
Look at the weaknesses. What or who might take advantage of or exploit those weaknesses? The threat could come in the form of the user having an accident: for example, accidentally spilling Starbucks into the keyboard, losing it at the airport or mall, or dropping it on the ground. Or the threat could be external: your house or place of business catches on fire; a meteor smashes a hole through the computer; or someone steals it. How about cyber criminals infecting the laptop with malware when you innocently visit a site of interest? Threats can come in many different forms and it is necessary to identify threats, even the hypothetical and far-fetched ones.
Given the look at the weaknesses and threats, the question that begs to be answered is “What is the likelihood?” The chance that a meteor might smash a hole through the laptop is pretty slim. That someone would steal your laptop is higher. By identifying what risks exist, a small business can address the threats in a way that would reduce the risk.
For example, with the laptop, what can be done to keep from losing the information on it if it is stolen? Maybe you could encrypt the hard drive. Use cable locks to secure the laptop. Keep it with you and don’t leave it in a car. What about that meteor leaving a hole in it? Back up the information off of the device. These actions are called mitigating actions, in that they mitigate the risk by reducing the likelihood that the weaknesses we identified would be exploited.
Identifying what is at stake and determining what the risk is based on the weaknesses and the identified threats will help small businesses make informed decisions on the actions necessary to protect their information and ultimately their business, brand, and good name. If you need help identifying what is at risk for you, do not hesitate to reach out to us at email@example.com.
For the second year in a row, we are proud to sponsor Delaware’s Cyber Security Workshop.
The workshop will be held at the Dover Downs Casino in Dover, Delaware on 7 September.
The event is free; however, it does require advance registration.
For more information on the event and to register please see…
The town manager and IT director knew they were in for an eye opening. But not as wide as I showed them the persistent attack their network was under.
Here are some simple methods that won’t deplete your profits and apply to businesses of all sizes (1 person to 100,000 employees).
1. Encrypt your mobile devices. Laptops, tablets and cell phones are treasure chests full of goodies. We store everything on them. The days of the rolodex and the personal organizer/binder have given way to the electronic organizer. It used to be that if we misplaced our day planner we would feel lost and maybe even anxious as a lot of information was stored in that book.
All that information has migrated into the digital age and is now present on all sorts of mobile devices. Newer phones have enough processing power in them to encrypt the contents of the phone until the device’s owner enters a password to decrypt them. The encryption is part of Android and Apple iOS. It is also possible to encrypt the hard drive of your laptop in a similar manner. If you use Microsoft Windows, spend a little extra money and purchase the professional edition. It includes BitLocker, Microsoft’s utility for encrypting hard drives.
If you lose the mobile device, you are not likely to lose the encrypted information to unwanted eyes.
2. Use complex unique passwords for every account. I know, I know! I hear it all the time. I have this large number of accounts that I need to remember, how do I do it? There are a number of articles out there for crafting complex passwords that are easily memorized. However, I offer that you only need to remember one or two. Use technology to help you create and remember the rest.
Use password managers such as Sticky Password, LastPass, KeePass, etc. Each offers certain capabilities that should fit with your business model. Check out http://lifehacker.com/5529133/five-best-password-managers for a review of some popular ones.
For the one or two passwords you need to remember, create passwords that really have nothing to do with you. One of the first things an attacker will do is profile their target. Anything on the Internet about you can be used against you to build a list of words. So when you choose a password, don’t use your favorite team, vacation place, family member names, etc. For example, choose three or four unique nouns that are somewhat related, but not directly. Maybe you have three foods you don’t like: lasagna, buffalo wings, and prunes. These three items make an excellent password as it is something you are not likely to write to the world about. So let’s make a password out of it….
or plainly buffalo prune lasagna. (Sounds nasty!) But it is a set of words that in plain text don’t make sense, and if you apply some character substitution to them it becomes a long (in this case 19-character) complex password. Come up with a consistent method for changing the letters. In this example I:
Choose a similar way to develop your own password and apply your own password style and use that password to control access to your password manager. Then let the password manager create complex random passwords for everything else.
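A self-check for the advice above, as an added example that is not part of the original post: it undoes common character substitutions and rejects a candidate master password that still contains words from your public profile. The substitution table, the 16-character minimum, the profile terms and the sample passwords are all constructed assumptions, and the sample passphrase is not the one from the post.

```python
import re

# Constructed substitution table: look-alike characters are mapped to one
# canonical letter on both sides of the comparison (i, l, 1, ! and | all become "i").
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "|": "i", "l": "i",
                      "3": "e", "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})

# Constructed profile: words an attacker could collect about you online.
PROFILE = ["Phillies", "Rehoboth Beach", "Max"]


def normalize(text):
    """Lower-case, undo common substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def review_master_password(password, profile_terms, min_length=16):
    """Return the reasons to reject the password; an empty list means accept."""
    problems = []
    if len(password) < min_length:  # min_length is an assumed policy value
        problems.append(f"shorter than {min_length} characters")
    flat = normalize(password)
    for term in profile_terms:
        for word in term.split():
            key = normalize(word)
            # Ignore fragments under three letters to avoid accidental matches.
            if len(key) >= 3 and key in flat:
                problems.append(f"contains profile term '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("Ph1ll1es#2018!Rehob0th", "Buff@lo-Prun3-L@s@gn@", "M@x2018"):
        print(candidate, "->", review_master_password(candidate, PROFILE) or "accept")
```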
These are just two quick examples of KISS that improve information security and don’t require a lot of cash. I will write more examples in later posts.
by Peter Lipa, Regional Director for the Americas for Sticky Password
Talking with small business owners, all too often I find that they have an authoritarian mentality in regards to their customers, as in: “the more customer data I have, the greater control I have over them!” This is particularly true of online businesses, where customers (and their money) are hidden behind the virtual invisibility of the Internet. (I intentionally do not use the word anonymous, because the Internet is anything but anonymous!) The thinking being that more data/information will hopefully translate to more opportunities to monetize all those contacts.
If you really do need passwords to restrict access to your website, then make sure you require customers to follow best practices in creating their passwords.
Implement an automated password system that: