PC PORTAL

Experienced. Trusted. Solutions.

Cyber Crime

By

Security roundup: June 2019

Every month, we dig through cybersecurity trends and advice for our readers. This edition: GDPR+1, the cost of cybercrime revealed, and a ransomware racket.

If you notice this notice…

If year one of GDPR has taught us anything, it’s that we can expect more data breach reports, which means more notifications. Most national supervisory authorities saw an increase in queries and complaints compared to 2017, the European Data Protection Board found.

But are companies following through with breach notifications that are effective, and easy to understand? Possibly not. Researchers from the University of Michigan analysed 161 sample notifications using readability guidelines, and found confusing language that doesn’t clarify whether consumers’ private data is at risk.

The researchers had previously found that people often don’t take action after being informed of a data breach. Their new findings suggest a possible connection with poorly worded notifications. That’s why the report recommends three steps for creating more usable and informative breach notifications.

  • Pay more attention to visual attractiveness (headings, lists and text formatting) and visually highlight key information.
  • Make the notice readable and understandable to everyone by using short sentences, common words (and very little jargon), and by not including unnecessary information.
  • Avoid hedge terms and wording claims like “there is no evidence of misuse”, because consumers could misinterpret this as as evidence of absence of risk).

AT&T inadvertently gave an insight into its own communications process after mistakenly publishing a data breach notice recently. Vice Motherboard picked up the story, and pointed out that its actions would have alarmed some users. But it also reckoned AT&T deserves praise for having a placeholder page ready in case of a real breach. Hear, hear. At BH Consulting, we’re big advocates of advance planning for potential incidents.

The cost of cybercrime, updated

Around half of all property crime is now online, when measured by volume and value. That’s the key takeaway from a new academic paper on the cost of cybercrime. A team of nine researchers from Europe and the USA originally published work on this field in 2012 and wanted to evaluate what’s changed. Since then, consumers have moved en masse to smartphones over PCs, but the pattern of cybercrime is much the same.

The body of the report looks at what’s known about the various types of crime and what’s changed since 2012. It covers online card frauds, ransomware and cryptocrime, fake antivirus and tech support scams, business email compromise, telecoms fraud along with other related crimes. Some of these crimes have become more prominent, and there’s also been fallout from cyberweapons like the NotPetya worm. It’s not all bad news: crimes that infringe intellectual property are down since 2012.

Ross Anderson, professor of security engineering at Cambridge University and a contributor to the research, has written a short summary. The full 32-page study is free to download as a PDF here.

Meanwhile, one expert has estimated fraud and cybercrime costs Irish businesses and the State a staggering €3.5bn per year. Dermot Shea, chief of detectives with the NYPD, said the law is often behind criminals. His sentiments match those of the researchers above. They concluded: “The core problem is that many cybercriminals operate with near-complete impunity… we should certainly spend an awful lot more on catching and punishing the perpetrators.” Speaking of which, Europol released an infographic showing how the GozNym criminal network operated, following the arrest of 10 people connected with the gang.

Ransom-go-round

Any ransomware victim will know that their options are limited: restore inaccessible data from backups (assuming they exist), or grudgingly pay the criminals because they need that data badly. The perpetrators often impose time limits to amp up the psychological squeeze, making marks feel like they have no other choice.

Enter third-party companies that claim to recover data on victims’ behalf. Could be a pricey but risk-free option? It turns out, maybe not. If it sounds too good to be true, it probably is. And that’s just what some top-quality sleuthing by ProPublica unearthed. It found two companies that just paid the ransom and pocketed the profit, without telling law enforcement or their customers.

This is important because ransomware is showing no signs of stopping. Fortinet’s latest Q1 2019 global threat report said these types of attacks are becoming targeted. Criminals are customising some variants to go after high-value targets and to gain privileged access to the network. Figures from Microsoft suggest ransomware infection levels in Ireland dropped by 60 per cent. Our own Brian Honan cautioned that last year’s figures might look good just because 2017 was a blockbuster year that featured WannaCry and NotPetya.

Links we liked

Finally, here are some cybersecurity stories, articles, think pieces and research we enjoyed reading over the past month.

If you confuse them, you lose them: a post about clear security communication. MORE

This detailed Wired report suggests Bluetooth’s complexity is making it hard to secure. MORE

Got an idea for a cybersecurity company? ENISA has published expert help for startups. MORE

A cybersecurity apprenticeship aims to provide a talent pipeline for employers. MORE

Remember the Mirai botnet malware for DDoS attacks? There’s a new variant in town. MORE

The hacker and pentester Tinker shares his experience in a revealing interview. MORE

So it turns out most hackers for hire are just scammers. MORE

The cybersecurity landscape and the role of the military. MORE

What are you doing this afternoon? Just deleting my private information from the web. MORE

The post Security roundup: June 2019 appeared first on BH Consulting.

By

Ransomware remains a risk, but here’s how you can avoid infection

It’s been a case of good news/bad news when it comes to ransomware recently. New figures from Microsoft suggest that Ireland had one of the lowest rates of infection in the world in 2018. But in early May, a sophisticated strain of ransomware called MegaCortex began spiking across Ireland, the US, Canada, Argentina, France, Indonesia and elsewhere.

Data from Microsoft’s products found that malware and ransomware attacks declined by 60 per cent in Ireland between March and December 2018. Just 1.26 per cent reported so-called ‘encounter rates’, giving Ireland the lowest score in the world.

Hoorays on hold

Don’t break out the bunting just yet, though. As BH Consulting’s CEO Brian Honan told the Daily Swig, the risk for businesses hasn’t disappeared the way it seems. One explanation for the reduced infection rates could be that 2017 happened to be a banner year for ransomware. In that context, that year’s global WannaCry and NotPetya outbreaks skewed the figures and by that reasoning, the ‘fall’ in 2018 is more likely just a regression to the mean.

Security company Sophos analysed MegaCortex and found it uses a formula “designed to spread the infection to more victims, more quickly.” The ransomware has manual components similar to Ryuk and BitPaymer but the adversaries behind MegaCortex use more automated tools to carry out the ransomware attack, which is “unique”, said Sophos.

History lesson

The risk of ransomware is still very much alive for many organisations, so we’ve combed through our blog archives to uncover some key developments. The content also includes tips and advice to help you stay secure.

In truth, ransomware isn’t a new threat, as a look back through our blog shows. New strains keep appearing, but it’s clear from earlier posts that some broad trends have stayed the same. As Brian recalled in 2014, many victims chose to pay because they couldn’t afford to lose their data. He pointed out that not everyone who parts with their cash gets their data back, which is still true today. “In some cases they not only lose their data but also the ransom money too as the criminals have not given them the code to decrypt it,” he said.

The same dynamic held true in subsequent years. In 2015, Lee Munson wrote that 31 per cent of security professionals would pay if it meant getting data back. It was a similar story one year later. A survey found that 44 per cent of British ransomware victims would pay to access their files again. Lee said this tendency to pay explains ransomware’s popularity among criminals. It’s literally easy money. For victims, however, it’s a hard lesson in how to secure their computer.

Here’s a quick recap of those lessons for individuals and businesses:

  • Keep software patched and up to date
  • Employ reputable antivirus software and keep it up to date
  • Backup your data regularly and most importantly verify that the backups have worked and you can retrieve your data
  • Make staff and those who use your computers aware of the risks and how to work securely online

Preventative measures

By taking those preventative steps, victims of a ransomware infection are in a better position to not pay the ransom. As Brian said in the post: “It doesn’t guarantee that they will get their data back in 100 per cent of cases, and payment only encourages criminals. We have also seen that once victims pay to have their data decrypted, they’re often targeted repeatedly because criminals see them as a soft touch.”

Fortunately, as 2016 wore on, there was some encouraging news. Law enforcement and industry collaborated on the No More Ransom initiative, combining the resources of the Dutch National Police, Europol, Intel Security and Kaspersky Lab. Later that year, BH Consulting was one of 20 organisations accepted on to the programme which expanded to combat the rising tide of infections.

The main No More Ransom website, which remains active today, has information about how the malware works and advice on ransomware protection. It also has free ransomware decryptor tools to help victims unlock their infected devices. Keys are available for some of the most common ransomware variants.

Steps to keeping out ransomware

By 2017, ransomware was showing no signs of stopping. Some variants like WannaCry caused havoc across the healthcare sector and beyond. In May of that year, as a wave of incidents showed no signs of letting up, BH Consulting published a free vendor-neutral guide to preventing ransomware. This nine-page document was aimed at a technical audience and included a series of detailed recommendations such as:

  • Implement geo-blocking for suspicious domains and regions
  • Review backup processes
  • Conduct regular testing of restore process from backup tapes
  • Review your incident response process
  • Implement a robust cybersecurity training programme
  • Implement network segmentation
  • Monitor DNS logs for unusual activity.

The guide goes into more detail on each bullet point, and is available to download from this link.

Infection investigation

Later that year, we also blogged about a digital forensics investigation into a ransomware infection. It was a fascinating in-depth look at the methodical detective work needed to trace the source, identify the specific malware type and figure out what had triggered the infection. (Spoiler: it was a malicious advert.)

Although ransomware is indiscriminate by nature, looking back over three years’ worth of blogs shows some clear patterns. As we noted in a blog published in October 2017, local government agencies and public bodies seem to be especially at risk. Inadequate security practices make it hard to recover from an incident – and increase the chances of needing to pay the criminals.

Obviously, that’s an outcome no-one wants. That’s why all of these blogs share our aim of giving practical advice to avoid becoming another victim. Much of the steps involve simple security hygiene such as keeping anti malware tools updated, and performing regular virus scans and backups. In other words, basic good practice will usually be enough to keep out avoidable infections. Otherwise, as Brian is fond of quoting, “those who cannot remember the past are condemned to repeat it”.

The post Ransomware remains a risk, but here’s how you can avoid infection appeared first on BH Consulting.

By

Games people play: testing cybersecurity plans with table-top exercises

If a picture is worth a thousand words, and video is worth many multiples more, what value is an interactive experience that plants you firmly in the hot seat during a major security incident? Reading about cyberattacks or data breaches is useful, but it can’t replicate the visceral feeling of a table-top exercise. Variously called war-gaming scenarios or simulated attacks, they can be a valuable way of helping boards and senior managers understand the full implications of cyber threats. More importantly, they can shed light on gaps where the business can improve its incident response procedure.

These exercises are designed to be immersive. They might start with a scenario like a board meeting, or a company orientation day. All participants will get a role to play; for the purpose of the session, they might be designated as a head of HR, finance, legal, or IT. As the scenario starts to unfold, a message arrives. The press has been enquiring about a major data breach or a ransomware attack on the company.

Muscles tighten, a wave of nausea passes over the stomach. The fight-or-flight instinct starts to take hold. Your role might say manager, but you don’t feel like you’re in control.

What happens next?

That will depend on how much preparation your business has done for a possible cybersecurity threat. Some companies won’t have anything approaching a plan, so the reaction looks and feels like panic stations. At various points during this exercise, the facilitator might introduce new alerts or information for the group to react to. For example, that could be negative commentary on social media, or a fall in the company stock price.

The exercise should prompt plenty of questions for the participants. What exactly is going on? How do we find out what’s happened? How is this affecting operations? Who’s taking charge? What do we tell staff, or the public, or the media?

A growing sense of helplessness can be a powerful spur to make rapid changes to the current cybersecurity incident response plan (assuming there is one).

Other organisations may already have a series of steps for what to do in the event of an incident or breach. In these cases, the table-top exercise is about testing the viability of those plans. You can be prepared, but do the steps on paper work in practice? Or as Mike Tyson memorably put it, “everybody has a plan until they get punched in the mouth”.

The exercise can show the value of having a playbook that documents all procedures to carry out: “if X happens, then do Y”. This will also shed light on missing steps, such as contact numbers for key company executives, an external security consultant, regulators, law enforcement, or media.

Fail to prepare, prepare to fail

When it comes to developing or refining an incident response plan, the devil is in the detail, says David Prendergast, senior cybersecurity consultant at BH Consulting. Here are some useful questions to ask:

  • If your policy says: ‘contact the regulator’, ask which one(s)
  • Who is the specific point of contact at the regulators office?
  • Does the organisation have the email address or phone numbers for that person?
  • Who in your company or agency is authorised to talk to the regulator?
  • What information are they likely to need to have that conversation?
  • Do you have pre-prepared scripts or statements for when things might go wrong (for customers, stakeholders, staff, and media (including social media channels)?

It might also force the company into making certain decisions about resources. Are there enough internal staff to carry out an investigation? Is that the most appropriate use for those employees, or is it better to focus their efforts on recovering IT systems?

That’s the value in table-top exercises: they afford the time to practice when it’s calm and you can absorb the lessons. There are plenty of examples of companies that handled similar situations spectacularly badly in full public view. (We won’t name names, but the list includes anyone who uttered the words “sophisticated attack” before an investigation even started.)

By the (play)book

It’s more helpful to learn from positive examples of companies that showed leadership in the face of a serious incident. That can be as simple as a statement of business priorities while an organisation copes with the fallout. In 2017, as Maersk reeled from a ransomware infection, CEO Soren Skou gave frontline staff in 130 countries clear instructions. As the Financial Times reported, the message was unequivocal even as the company was forced into shutting down IT systems. “Do what you think is right to serve the customer – don’t wait for the HQ, we’ll accept the cost.”

Some larger companies will run an exercise just for themselves, but some organisations run joint war-gaming scenarios with industry peers. Earlier this month, financial institutions and trade associations from around Europe carried out a simulated ransomware attack.

According to FinExtra, the scenario took the form of an on-site technical and hands-on-keyboard experience. There were 14 participants at CISO and CIO level, along with many more observers from other companies in the financial sector. The aim of the event was to encourage collaboration and information sharing with other teams and organisations to improve collective defences against cyber threats.

Whether it’s a war-gaming exercise or a table-top event, the goal is the same: to be ready for the worst ahead of time, and knowing what steps are available to you when bad things happen for real.

The post Games people play: testing cybersecurity plans with table-top exercises appeared first on BH Consulting.

By

Security for startups: why early-stage businesses can’t neglect this risk

In the early days of a startup, it’s easy to get caught up in the buzz of building a new business. Keeping so many plates spinning – from
fundraising and hiring to shipping product – can mean security sometimes falls off the priority list. But in the face of ever-rising volumes of data breaches and security incidents, it’s a subject that early-stage companies can’t afford to ignore.

That was one of the key themes from a wide-ranging discussion at Dogpatch Labs, the tech incubator in Dublin’s docklands. The speaker was Todd Fitzgerald, an information security expert and Dogpatch member. His ‘fireside chat’, as the event organisers dubbed it, looked at why no company is too small to develop a cybersecurity strategy.

Pragmatic approach

Todd shared insights into a pragmatic approach to cybersecurity strategy and the implications of recent security and privacy breaches. “Any company that doesn’t have cybersecurity as one of their top five risks is really not addressing cybersecurity,” he said.

Recent ransomware outbreaks have shown cybercrime’s huge impact, no matter the size of the victim. FedEx and Maersk each suffered $300 million in damages from the NotPetya ransomware. Data breaches are a growing risk. In 2005, there were an estimated 55 million reported breaches in the US. Now, that figure is somewhere close to 1.4 billion. As Todd pointed out, those are only the ones we know about because victims have reported them.

Startups, in tech especially, often rely heavily on data but that brings added responsibility. “If you don’t know where your data is and you don’t know the privacy laws around it, how can you give any kind of assurance [to customers] that you’re protecting that?” asked Todd.

Strategy vs execution

The moderator asked the obvious question: why should startups care about cybersecurity when they’re concerned about getting product out the door? Financial loss due to ransomware is one reason, and there are many other common security issues a startup needs to think about. Protecting valuable intellectual property is critical. If a startup’s bright idea falls into the wrong hands, a competitor could reverse engineer the code and bring out a copycat product in another market. “It’s the same issues, just the scale is different,” Todd said.

Startup teams can change quickly while the business is still evolving, so another risk to watch is staff turnover. Without proper authentication, ex-employees could still have access to confidential files after they leave the company. Simple carelessness is another potential threat: someone might accidentally delete important code from a server. Startups need to put incident response processes in place in case the worst happens. “There is business benefit to having good security,” Todd said.

For founders with no infosecurity experience, Todd also offered advice on protecting an early-stage company on a shoestring budget. He recommended speaking to an independent consultant who can advise on a cybersecurity strategic plan that reflects the business priorities.

Starting on security

Startup founders can start to familiarise themselves with the subject by reading cybersecurity frameworks like ISO 27001. The information security standard costs around €150 to buy, is easy to read and is suitable for companies of any size. “Walk through it and ask yourself: ‘would I be protected against these cybersecurity threats?’ That will probably prompt you to do a vulnerability assessment against your environment,” he said.

Todd Fitzgerald has more than 20 years’ experience in building, leading and advising information security programmes for several Fortune 500 companies. He has contributed to security standards and regularly presents at major industry conferences. A published author, he wrote parts of his fourth and most recent book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, in Dublin.

The post Security for startups: why early-stage businesses can’t neglect this risk appeared first on BH Consulting.

By

It’s oh so quiet: get ready for stealthy malware in 2019

It’s unlikely we’ll ever look back fondly to a time when ransomware would announce itself noisily. But at least victims knew they were under attack. Now, the signs are that malware’s adopting sneaky tactics to avoid detection.

Fileless malware looks set to be a significant security threat in 2019, and that could be bad news for anyone using traditional antivirus tools. In the past, most infections involved installing malicious software on a target’s hard disk. But in doing so, it left a signature that alerted security software to its presence. Fileless malware, on the other hand, exists only in memory. It leaves none of the traces that traditional infections do, making it much harder to identify, stop, and remove.

That’s leading to a potential gap in security defences that attackers seem to be exploiting in growing numbers. SentinelOne tracked a 94 per cent rise in fileless attacks during the first half of last year. Research from the Ponemon Institute and Barkly found fileless attacks accounted for 35 per cent of all attacks during 2018.

Under the radar

Now, most leading security software companies like Symantec, Trend Micro and McAfee Labs recognise this type of undetected malware. It was also the subject of a recent webinar by Malwarebytes. Its senior product marketing manager Helge Husemann namechecked SamSam, Sorebrect, Emotet and TrickBot as some of the biggest fileless malware types from 2018.

Emotet is the biggest example of this type of “under the radar” malware. It’s been around since 2014 and it acts as a downloader for other malware. It uses leaked NSA exploits and it comes with a built-in spam module that allows it to spread to other systems. The attack often starts as an email that pretends to come from a government service, like the tax office.

Husemann said Emotet’s primary focus has been English-speaking, Western countries. Many of its targets were in the US, while the UK had more Emotet infections than any other European country in 2018. Last October, Emotet was used to spread ransomware to the North Carolina Water Authority.

Malwarebytes categorises the SamSam ransomware as semi-fileless. Husemann said attackers usually install it manually through patch scripts once they have already broken into a victim’s network. The city of Atlanta, which suffered a major outbreak of SamSam in March 2018, has spent around $2.6 million on recovery.

A common attack vector for fileless malware is via PowerShell, which is a legitimate Windows scripting tool but is also popular with cybercriminals. “It provides an opportunity for the attacker to hide the malware and make system modifications if they need to. We will definitely see the usage of PowerShell happening much more,” Husemann said.  

Watching for weak points

Another way to get an infection is by visiting a compromised website. The site’s code then exploits a vulnerability like an unpatched browser or an unsecured Flash plugin on the user’s computer.

Rebooting a system will usually get rid of a fileless infection – but you would need to know you’re infected in the first place. What’s more, rebooting creates challenges for digital forensics investigations because of how fileless malware operates in-memory. Once the infected system is turned off, it leaves no evidence behind.

With thousands of new malware variants coming out every day, it won’t be enough to rely only on signature-based security tools to spot threats. “Malware may be hiding in the one place you’re not checking, which is process memory. After years of loud and obvious ransomware we are entering the stage of quiet information stealers,” Husemann said.  

An effective endpoint solution should consist of three components, Husemann said. First is the ability to prevent a cyberattack through multiple protection layers including web protection, application hardening and behaviour, exploit mitigation, and payload analysis. The second component is the ability to detect threats, using advanced techniques. The third element concerns response: being able to remediate an incident in the fastest possible time, to minimise disruption to business and reduce the impact on end users.

BH Consulting is independent so we don’t have ties to any one product vendor. No matter which security tool you use, it’s clear that the software we used to call “antivirus” still has an important role in protecting organisations’ valuable data.

The post It’s oh so quiet: get ready for stealthy malware in 2019 appeared first on BH Consulting.