360 Degree Cyber Security, LLC

Tag Archive: Municipality

Ready or not?

Last week, the city of Allentown was hit with Emotet, malware that started life as a banking trojan. Reports indicate that the initial entry into the city's business environment came via phishing. Once the malware was downloaded and installed, it began replicating across the city government's network, infecting devices and stealing login credentials. The result: the city's financial system is offline, its camera surveillance has been taken offline, and its police department has been disconnected from the Pennsylvania law enforcement network.

It is estimated that remediating this attack will cost close to $1 million. The same malware has infected other government and public-school facilities; this past January it cost the Rockingham, North Carolina school district $314,000 to recover from its infection.

What is Emotet? Emotet is malware that started out as a banking trojan three years ago. It was originally designed to sniff network traffic for user login credentials. Over the last three years the malware has morphed into a modular platform that can load custom modules. Last year it started using the EternalBlue exploit, developed by the NSA and later leaked to the public. EternalBlue attacks the SMBv1 service on Windows hosts that have not received the March 2017 MS17-010 update, which lets the malware spread across a Windows network on its own. It is not easily blocked at the perimeter because it can be delivered as .js, .pdf, and .doc/.docx attachments.

What can be done? Audit your patching to verify that patches are actually being applied, not just pushed. This is not to say that the Allentown infection spread via EternalBlue, but since that is one of the ways Emotet does spread, are you ready to prevent it from spreading across your network?

Why perform a patch audit? Patches are often pushed in an automated fashion, but for whatever reason some never make it onto a system, and those systems need a more hands-on approach.




Malware Outbreak – Bad Rabbit

A piece of malware called "Bad Rabbit" is reportedly making its rounds in Eastern Europe and Russia. However, the United States Computer Emergency Readiness Team (US-CERT) reports that it has "received multiple reports of Bad Rabbit ransomware infections in many countries around the world."

The ransomware is distributed via a pop-up in the user's browser claiming that the installed version of Adobe Flash Player is out of date. Once the fake update is downloaded and run, it moves from computer to computer, encrypting files and stealing information from memory.

This malware preys on a weakness in Windows using exploit code developed by the National Security Agency, stolen, and then leaked to the world in 2017. Early reports named the "EternalBlue" exploit; later analysis found that Bad Rabbit's lateral movement uses the related "EternalRomance" exploit from the same leak. Both abuse the same SMBv1 flaws, and both are closed by the same Microsoft update.

The vulnerability lies in Server Message Block version 1 (SMBv1), the oldest version of the file-sharing protocol Windows computers use to talk to each other. Because SMBv1 was still enabled almost everywhere, a significant number of computers were easily attacked in 2017: WannaCry took control of over 230,000 computers in 150 countries in May, and Petya/NotPetya followed a month later. Had an alert cyber security researcher not found a kill switch for WannaCry, that number would have been much higher. Organizations affected include FedEx, the British hospital system (NHS), and French auto manufacturer Renault, to name a few.

Microsoft released a fix for the vulnerability (MS17-010) in March 2017. Computers that did not apply the fix were left vulnerable, and as of this writing there are still computers that have not received it.

What can you do? Ensure your computers are up to date on patches, either through Windows Update on each computer or through a patch management system. Where SMBv1 is not needed, disable it as well, so that a missed patch on one machine does not become a network-wide problem.
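Both this post and "Ready or not?" above say to verify patching rather than trust that it happened. The script below is an added example, not code from the original posts or from any product: it checks from the network whether a host still answers an SMBv1 NEGOTIATE request, which is the protocol EternalBlue and EternalRomance ride on. A host with SMBv1 disabled simply resets or closes the connection. A host that still accepts SMBv1 is not necessarily unpatched, so treat the result as a list of machines to inspect (on the host itself, Get-HotFix and Get-SmbServerConfiguration in PowerShell confirm the update and the SMBv1 setting). The host list in the main block is a placeholder assumption from a documentation address range.

```python
"""Network-side SMBv1 exposure check for a patch audit (added example)."""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)) -> bytes:
    """Build a NetBIOS-framed SMB1 NEGOTIATE request offering only SMB1 dialects."""
    header = SMB1_MAGIC
    # Command, NT status, Flags (0x18 = canonical paths + case-insensitive), Flags2 (long names)
    header += struct.pack("<BIBH", SMB_COM_NEGOTIATE, 0, 0x18, 0x0001)
    # PIDHigh, SecurityFeatures (8 bytes), Reserved, TID, PIDLow, UID, MID
    header += struct.pack("<H8sHHHHH", 0, b"\x00" * 8, 0, 0, 0x1234, 0, 1)
    assert len(header) == 32  # fixed SMB1 header size
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # dialect list
    body = struct.pack("<BH", 0, len(data)) + data  # WordCount=0, ByteCount
    msg = header + body
    return b"\x00" + len(msg).to_bytes(3, "big") + msg  # NetBIOS session header


def classify_response(data: bytes) -> str:
    """Classify the server's first bytes after the 4-byte NetBIOS header."""
    if len(data) < 9:
        return "no-smb1"  # empty read: server closed without an SMB1 answer
    payload = data[4:]
    if payload.startswith(SMB1_MAGIC) and payload[4] == SMB_COM_NEGOTIATE:
        return "smb1-accepted"
    if payload.startswith(SMB2_MAGIC):
        return "smb2"  # only seen if an SMB2 dialect is offered; not the case here
    return "unknown"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect to host:port, send one SMB1 NEGOTIATE, and report what came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(1024)
    except ConnectionRefusedError:
        return "port-closed"
    except socket.timeout:
        return "timeout"  # filtered by a firewall, or host is silent
    except OSError:
        return "no-smb1"  # connection reset: typical for SMBv1-disabled Windows
    return classify_response(data)


if __name__ == "__main__":
    # Placeholder hosts (assumption, TEST-NET-1); pass real addresses on the command line.
    hosts = sys.argv[1:] or ["192.0.2.10", "192.0.2.11"]
    for host in hosts:
        print(f"{host}: {probe_smb1(host)}")
```

Run it against your own address ranges only; it completes a TCP handshake and sends a single protocol request per host, but it is still a scan and should be scheduled and approved like any other.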

If there are any questions, please do not hesitate to reach out to me.

Be Proactive – Not Reactive

Cybersecurity is not ONLY about responding to ransomware or a hacker, but about being prepared to prevent it from happening. When you are prepared to prevent an attacker from entering your computers or network, you make it difficult for them to succeed, which means they have to spend more time to get what they want. If the goal is simply to hold your computer and information for ransom, they will likely move on. If it is your information specifically that they want, they will expend the extra time to get it. But who said you had to make it easy?

So, what can you do? A lot. But don't despair; it need not cost much to implement. Let's follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Two of its functions are easily addressed: Identify and Protect.


Asset Management (Identify) – Get a list of EVERYTHING that processes information electronically: a security camera connected to your network, your computers and servers, a printer, all your network devices, etc. Record what it is, what operating system it runs (Windows, Linux, macOS, etc.), and what software is installed on it (Office 2016, Adobe Reader, Adobe Flash, and the other programs you use). If it is a device like a printer or a security camera, record the brand and model and determine the firmware version. You cannot patch what you do not know you have.


Maintenance (Protect) – Update your software and firmware when new versions are available, as they may address security flaws. Microsoft provides Windows updates monthly; other vendors release less regularly. Check with each developer to see whether they have an email list or security advisory feed you can join to be notified when updates are released.

The longer a security flaw remains in your software or firmware, the easier you make it for an attacker to take or ransom your information. By doing these two things you have done a lot to protect your information and taken a proactive stance toward preventing an attack from succeeding.

If you need assistance, let us know.  We’ll be glad to help you become proactive!

Delaware’s Updated Privacy Law

BLUF: We highly recommend that you contact an information security professional regarding this legislation. If not us, find someone who can help you determine whether you are doing what needs to be done to stay within the requirements of this legislation.

On 17 August 2017, Governor Carney signed legislation that improves cybersecurity protections for the citizens of Delaware; it goes into effect in April. It updates the original data breach legislation written nearly a decade ago. House Substitute 1 for House Bill 180 (http://legis.delaware.gov/BillDetail?legislationId=26009) adds protection requirements where personal information may be compromised as the result of a breach. In the event of a breach of personal information, the legislation requires notification of affected residents and free credit monitoring services for those whose Social Security numbers were potentially disclosed.

The updated legislation now defines what it means to determine that a breach of security has occurred: "a person who owns, licenses, or maintains computerized data has sufficient evidence to conclude that a breach of security of such computerized data has taken place." Reporting of a breach is left to the holder of the data, who must have the integrity to come forward and announce it. The key word in the legislation is determination: it has to be determined that a breach occurred before any reporting is required. Who determines? Who makes the call? At any rate, the organization has 60 days from the date of determination to make notifications (unless doing so would interfere with a police investigation).

The legislation also introduces encryption to the lexicon. It states that encryption is required, but it does not set a minimum standard. The only statement is that the data be "rendered unusable, unreadable, indecipherable through a security technology or methodology generally accepted in the field of information security." This is a problem: depending on the source an organization consults, it could end up with a scheme that an attacker can easily reverse, and some developers roll their own crypto algorithms that later turn out to contain faults. Stick to well-reviewed, standard algorithms and keep the keys separate from the data they protect.

The legislation states that organizations must protect personal information by encryption. Personal information is defined as a Delaware resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to that individual:

  • Social Security number
  • Driver's license, state, or federal identification card number
  • Account number, credit card number, or debit card number in combination with any security code, access code, or password that would permit access to a resident's financial account
  • Passport number ***added***
  • Username or email address in combination with a password or security question and answer that would permit access to an online account ***added***
  • Medical history, medical treatment by a healthcare professional, diagnosis of mental or physical condition by a healthcare professional, or deoxyribonucleic acid (DNA) profile ***added***
  • Health insurance policy number, subscriber information number, or any other unique identifier used by a health insurer to identify the person ***added***
  • Unique biometric data generated from measurements or analysis of human body characteristics for authentication purposes ***added***
  • An individual taxpayer identification number ***added***

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.


Risk – How do you know?

It is a simple question, asked whenever someone needs proof that a piece of knowledge is valid, and it typically leads to follow-on questions.

So, when it comes to information risk let me ask you… “How do you know?”

How do you know what the risk is to your technology infrastructure or to the information you use? Have you identified the risks to your business? Identifying risk helps an organization of any size (micro, small, medium, or mega) begin to prepare for the risks that can present themselves. In some industries there are mandatory requirements to address risk via a risk assessment (HIPAA, PCI DSS, etc.).

The process of assessing risk is straightforward. To begin, identify what you have that could be at risk (databases, intellectual property, web site, servers, computers, users, network, etc.). For each of those items, if something were to happen to it, what would be the impact? The loss of a laptop might not seem significant, but what if that laptop held confidential or health care related information? Then the impact would be high.

For risk to be realized against those assets there needs to be a vulnerability: a weakness that would allow a threat to succeed in disrupting the organization. Vulnerabilities come in different forms. They could be in the computer's operating system or software. They could be physical, for example a customer service window that allows access to information or devices nearby.

Once you have identified what could be at risk and the associated vulnerabilities, think about what might disrupt your business operation or affect the business's brand if those vulnerabilities are subject to various types of threats. Identifying the threats can be the fun part: an attack by Godzilla or aliens from Mars, for example. Yes, those are unrealistic, and the risk from those particular threats is extremely low if not zero, so they are discounted. Realistic threats to your business, however, may come in the forms listed below. Don't forget that a threat can be accidental or intentional; include both types when identifying risk. There can be many more than these; it is up to you how far to go in identifying the threats.

  • Environmental
    • Fire
    • Flood
    • Tornado
  • External
    • Hackers
    • Vendors
    • Customers
    • Criminals
  • Internal
    • Employees
    • Equipment failure.

This is just the first part of dealing with risk. Identifying the what, how, and why of risk to your business-critical information is followed by addressing the risk, and then by making a deliberate decision about the items that can't be addressed.

Proud Sponsor of Delaware Cyber Security Workshop for Second Year

For the second year in a row, we are proud to sponsor Delaware's Cyber Security Workshop.

The workshop will be held at the Dover Downs Casino in Dover, Delaware on 7 September.

The event is free; however, it does require advance registration.

For more information on the event and to register please see…



Why be surprised?

Recently I was hired to perform network security monitoring of a large municipality in Delaware.

The town manager and IT director knew they were in for an eye opening. But not as wide as when I showed them the persistent attack their network was under.

The municipality initially felt they would be less of a target because they are in Delaware. Really, who would attack a municipality in one of the smallest states in the United States? The feeling of security through obscurity, and denial, was enough to consider the risk negligible. There is nothing in the municipality that would benefit an attacker; there is nothing that could be a financial target. Really, attack us in Delaware? Yeah, right.
But alas, after finally getting them to agree to give network security monitoring a try, a sensor was installed to watch what was really going on. Within a matter of hours a pattern was starting to appear. But to be sure, and to have a good understanding of what was really going on in and to their network, three days were allowed to pass as a period of acclimation.
After several questions were answered to help identify friend from foe, it was clear that an unknown, probably foreign entity (based on the originating IP) was trying to brute force its way into the town's networks. It was not the standard port scan, which may be a potential sign of things to come. It was a full-on brute forcing of user names and passwords in a slow, meticulous manner of just over 200 attempts an hour.


Sure, nothing happened. And maybe, given enough time, the attackers would have found something that worked. But why leave it to being surprised when something does happen? This municipality took the right step. An ounce of prevention and planning goes a long way in maintaining the security of your network and information.
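The attack described above is the kind a per-minute alert threshold never fires on: 200 attempts an hour is barely three a minute. The script below is an added example, not the sensor or rules used in the engagement; it counts failed logins per source address over a sliding one-hour window and reports sources that reach a threshold, along with how many different user names they tried. The log lines are constructed for illustration in OpenSSH "Failed password" format, with addresses from documentation ranges and an assumed hostname of townhall.

```python
"""Slow brute-force detection over authentication log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches constructed OpenSSH-style lines such as:
# 2018-02-05T22:00:00 townhall sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 40000 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for every failed-login line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"]


def detect(lines, window_seconds=3600, threshold=100):
    """Return {ip: (peak_failures_in_any_window, distinct_users)} for sources
    whose failures inside any sliding window of window_seconds reach threshold."""
    window = timedelta(seconds=window_seconds)
    stamps_by_ip = defaultdict(list)
    users_by_ip = defaultdict(set)
    for ts, ip, user in parse_failures(lines):
        stamps_by_ip[ip].append(ts)
        users_by_ip[ip].add(user)

    hits = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = (peak, len(users_by_ip[ip]))
    return hits


def constructed_sample():
    """Constructed log: one attacker at 200 attempts/hour for three hours,
    cycling through five account names, plus a real user who mistypes
    a password three times in one minute."""
    base = datetime(2018, 2, 5, 22, 0, 0)
    names = ["administrator", "admin", "root", "backup", "scanner"]
    lines = []
    for i in range(600):  # one attempt every 18 seconds = 200 per hour
        ts = base + timedelta(seconds=18 * i)
        lines.append(f"{ts.isoformat()} townhall sshd[4021]: Failed password for "
                     f"invalid user {names[i % 5]} from 203.0.113.45 port {40000 + i} ssh2")
    for i in range(3):
        ts = base + timedelta(minutes=30, seconds=20 * i)
        lines.append(f"{ts.isoformat()} townhall sshd[4077]: Failed password for "
                     f"jsmith from 198.51.100.7 port 5110{i} ssh2")
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    print("burst rule (10 per minute):", detect(sample, window_seconds=60, threshold=10))
    print("slow rule (100 per hour):  ", detect(sample))
```

Run as written, the burst rule reports nothing while the hourly rule reports the 203.0.113.45 source with 201 failures in its busiest hour across five user names; the legitimate user never crosses either threshold. The same sliding-window count works on Windows 4625 events or VPN logs once the regular expression is adjusted to that format.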

BYOD Pt 2. The threat vector

As I mentioned in my last post, bring your own device (BYOD) provides a benefit to businesses that need work done but don't have the money to purchase the equipment. But there was a caveat: that benefit must be weighed against the risk the business assumes by allowing BYOD.

Second to the business's employees, the most valuable asset a company has is its information and the information it processes. This information is what is at risk if a vulnerability is exploited (intentionally or unintentionally) by an employee or by another person who gets their hands on the device.

Some of the threats that pose dangers to your data are:

1. Malware/viruses/spyware. Introduction of malware, viruses, and spyware into the company IT infrastructure could have a crippling effect on your business. The latest malware, known as ransomware, encrypts the data on the user's device and thereby prevents the user from accessing the files they need. If a BYOD user gets hit with ransomware while connected to the business's file shares, those shared files can be encrypted too, and the business may be out of luck.

2. Lost/stolen device. Perhaps the largest threat. The Veterans Administration is no stranger to lost portable electronic devices: in 2006 it lost a single laptop that contained a significant amount of information about U.S. veterans. It has happened not only to the Veterans Administration but also to car manufacturers, HR recruiting companies, etc. Once the device is lost, the data on it is potentially gone for good and possibly compromised, unless the device was encrypted.

3. Rooted devices. Device manufacturers go to great lengths to ensure some level of security on the devices they sell. But there are people who want more access to the inner workings of the device. These super power users inadvertently open their device to being an easier target for malware and misbehaving applications, because rooting removes the permission boundaries the operating system relies on.

4. Outdated software. Numerous times each week, updates and patches to software applications are released to fix flaws that affect not only how the application works but also the security of the device and its data.

5. Open WiFi. In this day and age, most people want the ability to connect anywhere at any time. Look at all the places that offer free or paid WiFi: airports, coffee shops, stores, restaurants, just about anywhere you go. The connections to these WiFi sources are typically unencrypted. Another person at the same coffee shop could snoop on the mobile device's traffic and get all sorts of information, and maybe even get into the computer.

6. Unlocked devices. Locking the device with a PIN or passcode provides a minimal measure of security. It prevents people from picking up the device and scrolling through documents, emails, or other files related to your business. It is a simple mechanism, but it is often not implemented.

This is just a summary of some of the larger threats associated with BYOD. In my next blog entry we will look at what can be done to protect a business while still implementing BYOD.

Until then… Think twice and perform a cyber 360.

Security Flaw in Internet Explorer versions 6-11

Microsoft has announced a new zero-day flaw in Internet Explorer versions 6 through 11. It can be exploited to run programs on the computers of unsuspecting users who visit a web page crafted to trigger it. Those programs are likely to be hidden malware that can take over your machine or steal your personal data.

Microsoft is working to resolve this flaw; however, no timeline has been given for when a fix will ship.

So what do you do? Do yourself a favor and protect your data. Until the fix ships and is installed, don't use Internet Explorer. Use an alternative like Google Chrome, Mozilla Firefox, or even Apple Safari.


Hackers go phishing not fishing

Each holiday, no matter what it is, brings greetings from friends and family celebrating the holiday. A lot of the time the greetings come in the form of a simple email; other times it is a link to an electronic card.

Hackers take the holidays as a chance to do some phishing. No, not fishing, but phishing. Phishing is the quest to find things out about you. Last night I watched "Now You See Me." In one of the scenes, the character Arthur Tressler, played by Michael Caine, challenges J. Daniel Atlas, played by Jesse Eisenberg, saying that he cannot be read. J. Daniel starts making statements about Arthur's dog, to which Arthur sets him straight, saying, "I didn't have a dog. I had a cat and its name was…" The scenario went one more round, with J. Daniel attempting to read the type of childhood Arthur had. Again, Arthur said he was wrong and gave up some information about his family. Later in the movie, the information provided was used against him to crack a bank account that Arthur owned.

What J. Daniel did was phishing. Hackers do the same thing by sending you emails that look legitimate and real. However, the motive behind them is to gain access to your information, your account, or your computer. You may not be the ultimate target, but merely a stepping stone to the final destination.

The U.S. Computer Emergency Readiness Team (US-CERT) issues a reminder each holiday to be careful about the emails and e-cards you open. Their Easter alert (follow the link) provides some tips on what to avoid when it comes to these types of communication:

  • Don't follow links in, or open, emails from people you don't know.
  • If it is from someone you do know but seems like an email they would not normally send, don't open it.

Think twice and take a cyber 360.