Last week, the city of Allentown was hit with Emotet, malware that started as a banking trojan. Reports indicate that the initial entry into their municipal business environment occurred via phishing. Once the malware was downloaded and installed, it began to replicate itself across the city government’s network infecting devices and stealing login credentials. This has resulted in the city’s financial system being offline, the city’s camera surveillance being taken offline, and the city’s police department being disconnected from the Pennsylvania law enforcement network.
It is estimated that the cost to remediate this attack will be close to $1 million. This same malware has infected other government and public-school facilities. In fact, this past January, the same malware cost the Rockingham, North Carolina school district $314,000 to recover from the infection.
What is Emotet? Emotet is malware that started out as a banking trojan three years ago. It was originally designed to sniff network traffic for user login credentials. Over the last three years, the malware has morphed to allow for custom modules to be added. Last year, the malware started to use the EternalBlue exploit developed by the NSA and later leaked to the public. This exploit allows the malware to spread across Windows networks on devices that have not been patched. The malware is not easily blocked as it can be delivered via .js, .pdf, and .doc/.docx files.
What can be done? Ensure that you are auditing your patching to verify that patches are being applied as they should. Not saying that this malware spread via the EternalBlue exploit, however as a method that it does spread by, are you ready to prevent it from spreading.
Why perform a patch audit? Sometimes patches may be pushed in an automated fashion, but for whatever reason just don’t make it on to a system and may require a more hands on approach.
Brian Krebs, a known and respected journalist that covers cyber, reported that Dell Inc. had lost control of a the web address that is used by the Dell Backup & Recovery service installed on just about every Dell computer produced. There are indications that during a few weeks this past summer, a malicious group took control of the address and may have pushed malware via the service. The suspected time frame was between June and July 2017.
During the period of loss of control, the website address was being directed to a leased server on Amazon that was and currently continues to be known as hosting malicious content.
The software that performs the service comes pre-installed on Windows systems according to the Dell support forums.
If you are using a Dell computer that has the Dell Backup & Recovery service running on it, ensure your malware/anti-virus software is up-to-date, and be wary of any calls or pop-ups on your computer claiming to be Dell tech support, even if they provide you with the correct service tag. If you receive a call or pop-up, call Dell directly.
For Krebs’ full report see https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/
It is a simple question that is asked when someone needs proof that some piece of knowledge needs to be validated in some way and typically leads to follow-on questions.
So, when it comes to information risk let me ask you… “How do you know?”
How do you know what is the risk to your technology infrastructure or the information that you use? Have you identified the risk to your business? Identifying risk will help your organization (micro, small, medium, to mega sized) begin to prepare to address the risks that can present themselves to your business. In some industries, there are mandatory requirements to address risk via a risk assessment (HIPAA, PCI, etc).
The process of assessing risk is straightforward. To begin, identify what you have that could be at risk (databases, intellectual property, web site, servers, computers, users, network, etc.) Of those items, if something were to happen to them, what would be the impact? The loss of a laptop might not be considered, but what if that laptop had confidential or health care related information on it? Then the impact would be high.
In order for risk to be realized against those devices, there needs to be a vulnerability. A vulnerability is a weakness that would allow a threat to be successful in disrupting the organization. Vulnerabilities come in different forms. They could be a vulnerability in the computer’s operating system or software. They could be in a physical form, for example having a customer service window that would allow access to information or devices nearby.
Once you have identified what could be at risk and the associated vulnerabilities, think about what might disrupt your business operation or affect the business’ brand if those items have vulnerabilities that are subject to various types of threats. Identifying the threats can be the fun part. For example an attack by Godzilla or aliens from Mars. Yes those are unrealistic and the risk from those particular threats are extremely low if not zero. So they are discounted. However realistic threats to your business may come in the form of examples listed below. Don’t forget that the threat can be accidental or intentional, include both types of threat when identifying risk. There can be many more than that, it is up to you how far to go in identifying the threats.
This is just the first part in dealing with risk. Identifying the what, how, and why of risk to your business critical information is followed by addressing the risk and then making a determination on those items that can’t be addressed.
To help businesses understand what is at stake in their business when it comes to information technology, it helps to show them the value of what they have as assets and then apply a level of risk to that asset
Rarely do you find a business any more that does not use a computer of any sort. Gone are the days of credit card carbon slips, paper ledgers, and hand drawn engineering diagrams. We are striving to do more with less to increase profit. In this effort, we reduce what is at stake in one way and see increases in others. For example, in my recent travels to Michigan, I stopped for gas at a gas station that did not have any card readers on their pumps. While I do not know why, it provides a good example of what is at stake by not adopting technology. For example, the reduced threat of credit card theft, but at the expense of having people drive off as it provides a different experience than at other gas stations.
To that end, to remain competitive, businesses of all sizes that are adapting to new technology, may not understand what is at stake by not addressing the risk of implementing it. Does your small business understand what is at risk by providing free and open Internet access to your customers? How about the risk of placing card readers on the gas pumps? Do the benefits out weight the risks? What information does your business have or use? What happens if that information could be used to embarrass your business? What can be done to reduce the effect on your business?
The effect can be reduced by identifying risk and that starts with identifying what you have at stake. Don’t think of what is at stake just physically, because what you have is more than the physical devices that you may have purchased. For example, the laptop that you bought may have only cost $300. The value of the laptop itself may decrease (likely), but what about what you have been doing on that laptop for your business. How much information do you have stored on it (think contracts, projections, plans, contacts, etc?) What is the value of that information? Do you now see that the laptop is worth a lot more than just the value of the physical device. Identifying what you have is designating what you have as assets.
Weaknesses in the laptop represent vulnerabilities. These weaknesses can come in the form of how susceptible it is to damage (physical or logical). For example the laptop is a portable device that contains various pieces of software installed on the computer and the information that is important to your business. Each of these items are vulnerabilities that has different weaknesses. But these weaknesses don’t necessarily mean your information will be lost.
Look at the weaknesses. What or who might take advantage of or exploit those weaknesses? The threat could come in the form of the user having an accident. For example, accidentally spilling Starbucks into the keyboard, loosing it at the airport or mall, and dropping it on the ground? Or the threat could be external: Your house or place of business catches on fire; a meteor smashes a hole through the computer; or someone steals it. How about cyber criminals infecting the laptop with malware when you visit innocently visit of interest? Threat can come in many different forms and it is necessary to identify threats, even the hypothetical and far-fetched ones.
Given the look at the weaknesses and threats, the question that begs to be answered is “What is the likelihood?” The chance that a meteor might smash a hole through the laptop is pretty slim. That someone would steal your laptop is higher. By identifying what risks exist, a small business can address the threats in a way that would reduce the risk.
For example with the laptop, what can be done to keep from loosing the information on it if it is stolen? For example, maybe you could encrypt the hard drive. Use cable locks to secure the laptop. Keep it with you and don’t leave it in a car. What about that meteor leaving a hole in it? Back up the information off of the device. These actions are called mitigating actions, in that the mitigate the risk by reducing the likelihood that the weaknesses we identified would be exploited.
Identifying what is at stake and determining what the risk is based on the weaknesses and the identified threats will help small businesses make informed decisions on the actions necessary to protect their information and ultimately their business, brand, and good name. If you need help identifying what is at risk for you, do not hesitate to reach out to us firstname.lastname@example.org.
No question about it. There are a lot of risks in running a business. Cash flow, employees, suppliers, insurance, compliance, fire, flood, payroll, maintaining clients, gaining clients, and on and on and on. But what about Information Risk? I find that most businesses lump Information Risk into, “if it works why bother” or “I have IT handle it.” However few realize the importance of addressing information risk, and that by addressing it, you maybe helping address other areas of risk and potentially reducing the risk.
There are seven common areas associated with information risk that when evaluated will help provide you focus when addressing risk management.
Physical Damage – The container that contains your vital information is damaged. The container could be your server, desktop computer, filing cabinet, desk drawer, or the box of receipts in the closet.
Humans – Humans are notorious for making mistakes, some make more mistakes than others. 🙂 Joking aside, humans (aka employees or the boss) account for a good portion of data loss. The loss could be unintentional or as we have seen in the news very intentional.
Equipment Malfunction – Ever have that cringing feeling as you hear your computer make some very weird noises and beeps? Especially after you have been working on something major? What do you do? How do you recover that data?
Internal or External Attacks – We have seen the news about Target, Home Depot, Sony, Anthem, etc. They all represent external attacks. What about that disgruntled employee that can hack your server’s admin account?
Misuse of Data – Now that the employee has hacked your server or maybe it is someone that already has access to the data, they run down the street to your competitor after copying any proprietary data that belongs to your business after hacking you from inside. A good example of theft and how the data is being misused.
Loss of Data – This is where the crypto-locker ransom-malware comes into play. An employee unintentionally adds malware that encrypts the data preventing you from getting to it. Unless of course, you pay a ransom.
Application Error – This one almost got me a few years back. I had a tax-preparer do what they do. When they were done, they said I owed the state nearly $5000. There is no way that is correct I told them. They said that is how their system calculated it. Ok. Fine. I didn’t pay it. I sat down and reviewed the forms. It appears the application forgot to check mark a certain box and as a result I got $3000 back!
With the identified categories, we need to identify, bin, and evaluate the risks. Once complete, you can address the risks and apply controls to reduce, eliminate, transfer, or mitigate them by applying various controls. Once the risks have been identified, it may help you in addressing some of the risks of running a business. If not take a bit of the stress off.
We, ItsEmc², an help you identify, bin and evaluate your information risk. Contact us at email@example.com
Each holiday, no matter what it is, brings greetings from friends and families celebrating the holiday. A lot of time, the greetings come in the form of a simple email, other times, it is a link to an electronic card.
Hackers take the holidays for a chance to do some phishing. No not fishing, but phishing. Phishing is the quest for getting a chance to find things out about you. Last night I watched “Now You See Me.” In one of the scenes, the character Arthur Tressler, played by Michael Caine, challenges J. Daniel Atlas, played by Jesse Eisenberg, that he cannot be read. J. Daniel starts making statements about Arthur’s dog to which Arthur sets him straight saying I didn’t have a dog. I had a cat and it’s name was… The scenario went one more time where J. Daniel attempted to read the type of childhood Arthur had. Again, Arthur said he was wrong and gave up some information about his family. Later in the movie, the information provided was used against him to crack a bank account that Arthur owned.
What J. Daniel did was phishing. Hackers do the same thing by sending you emails that look to be legitimate and the real thing. However, the motive behind it is to gain access to your information, your account, or your computer. You may not be the ultimate target, but merely a stepping stone to get to the final destination.
The U.S. Computer Emergency Readiness Team (USCERT) each holiday issues a reminder to everyone to be careful about the emails and ecards you open. Their Easter Alert (follow the link) provides some tips on what to avoid when it comes to these types of communication.
don’t follow link or open emails from people you don’t know.
it someone you do know, but seems like it is an email they would not normally send then don’t open it.
Think twice and take a cyber 360.