PC PORTAL

Experienced. Trusted. Solutions.

Digital forensics

By

Nine lessons for strong incident response and recovery in a data breach

Data breaches are rarely out of the headlines, but the recent proposed fines against BA and Marriott will have pushed this risk back to the forefront for many businesses. Like many security threats, breaches are nothing new; we’ve covered this subject on our blog many times in the past.

A data breach can take many forms; it can involve an employee losing a laptop or mobile device that contains data about an organisation’s employees or customers. It might involve a criminal infiltrating IT systems to steal payment card numbers or bank account details. When the data involved is personally identifiable information, the General Data Protection Regulation comes into play. Under GDPR, organisations must report a breach to the data protection supervisory authority within 72 hours. A look through our archives netted us a valuable haul of nine lessons from past breaches that can help to guide you in forming an incident response plan.

Lesson 1: pay attention to security alerts

Let’s start back in March 2014. News of the now-infamous breach at the US retailer Target was still fresh, having happened the previous November. The security breach resulted in the loss of 40 million payment card details, as well as 70 million other personal records. The kicker? Not long before, Target had installed a network monitoring tool costing a cool $1.6 million. However, operators dismissed its early alerts that could have averted or at least mitigated the subsequent breach. Side note: back in those heady days, data breaches were still things that happened to other people. Our blog quoted the security expert Neira Jones, who confidently predicted that a retailer in the UK or Europe would suffer a data breach before long.

Lesson 2: scammers read the news, too

Fast forward to summer 2015 and the high-profile breach at Ashley Madison. The website’s interesting business model – encouraging extra-marital affairs – meant the loss of more than 30 million personal records had an extra sting. Apart from launching a thousand double entendres (we may have been guilty of a few ourselves), Ashley Madison catapulted the issue of data breaches firmly into the public consciousness. As it turned out, that proved to be a double-edged sword. As our blog writer Lee Munson noted, scammers often take advantage of the publicity surrounding a large breach. He warned companies to watch out for “spam email, identity theft, carefully crafted phishing emails and even potential blackmail attempts”.

Lesson 3: check password re-use

Later that year, four security breaches came to light in one single week. The victims were Experian, Patreon, and Australian retailers Kmart and David Jones. In our blog, we advised being aware of how information can be used against victims. For example, if someone’s password was compromised in one of those breaches, it’s worth checking whether they use the same passwords on other websites.

Lesson 4: check for vulnerability to SQL injection attacks

Soon after, the Chinese toy company Vtech revealed that an unauthorised party had accessed more than six million accounts. That was enough to make it the fourth largest ever breach to that point – however minor by today’s standards. Possibly the least surprising detail in the story was that the attacker used SQL injection to access the data. Lee Munson noted that even in 2015, this was an ancient and well known attack vector.

Lesson 5: employee negligence can lead to breaches too

Not all breaches are the work of external miscreants. ESET estimated that 138,000 smartphones and laptops are left behind in UK bars every year. Let’s leave aside some questionable maths in arriving at such an arresting stat. There’s no denying the risk from leaving devices just lying around when they could well hold personal information. That could include passwords, location history, personal photos and financial information. The survey found that two thirds of lost devices had no security protection. As anyone familiar with data protection and privacy issues will know, encrypting sensitive data is now a must.

Lesson 6: a data security breach can seriously harm your ability to do business

Whatever the source, the steady drip of breaches was starting to have an effect. By early 2016, data breaches ranked second on a listing of the biggest threats to business continuity. TalkTalk, victim of a serious breach the previous year, was a case in point. In the wake of the incident, and the company’s ham-fisted attempts at handling the fallout, a quarter of a million customers took their business elsewhere. Not long after, we covered a separate report that found the cost of online crime had tripled over the previous five years. Lee Munson wrote: “a data breach is not a one-time cost but rather an event that can cause extreme reputational damage (think TalkTalk) or additional loss of revenue when the damage is widespread”.

Lesson 7: mind your language

All too often, companies that have suffered a data breach are quick to throw about phrases like “sophisticated cyberattack”. But it’s often premature and just downright wrong, when any investigation is still ongoing, and the facts are unclear. “It’s hard to escape the suspicion that victim organisations reach for these terms as a shield to deflect blame. By definition, they imply the incident was beyond their means to prevent,” we wrote. Our post carried the headline “Time to remove ‘cyberattack’ from the infosecurity incident response manual?” Our inspiration was the Associated Press Stylebook’s decision to stop using the word cyberattack unless it specifically referred to widespread destruction. As AP lead editor Paula Froke said: “the word is greatly overused for things like hacking”.

That said, positive communication is a key part of any incident response plan. After detailing what word not to use, our post included advice for companies preparing post-incident statements.

  • Deal only in verified facts
  • Avoid speculation
  • Explain the incident in business terms
  • Include details of users or services affected by the breach.

Lesson 8: prepare a security incident response team

By mid-2017, the prospect of GDPR started coming into view, and the need to handle breaches appropriately started becoming clear. Senior management must lead the response efforts. “This is a business issue, not an IT problem,” said Brian Honan, who was speaking at an awareness-raising event. Brian recommended that organisations should assemble an incident response team from across all business functions. Ideally, the team should include people from:

  • IT operations (because they know how data storage systems work)
  • HR (because a data breach could involve staff data, or because a member of staff may have caused the breach inadvertently or deliberately)
  • Legal (because GDPR obliges organisations to notify the regulator)
  • PR or communications (because the company will need to deliver accurate messages to external stakeholders, the media, or internal staff as appropriate)
  • Facilities management (because the organisation may need to recover breach evidence from CCTV or swipe card systems).

Lesson 9: test the security incident response plan

The most critical lesson is to develop and test their incident response processes in advance. Speaking at the same GDPR event, Brian stressed that companies shouldn’t wait for a breach to happen before testing how its policies work. “Find out in advance how well your team works when an incident occurs. Carry out table-top exercises and scenario planning. It is important to have processes and infrastructure in place to respond to a security breach. Developing your incident response plan while responding to a security breach is not the best time to do it,” he said.

Our trawling expedition proves it’s worth planning for something even when you don’t intend for it to happen. The steps we’ve outlined here should help you to recover from a data breach or security incident faster.

If you would like to evaluate your breach response, see our risk assessment services page for more information. Or, if you need guidance in developing a structured incident response plan, contact us.

The post Nine lessons for strong incident response and recovery in a data breach appeared first on BH Consulting.

By

Ransomware remains a risk, but here’s how you can avoid infection

It’s been a case of good news/bad news when it comes to ransomware recently. New figures from Microsoft suggest that Ireland had one of the lowest rates of infection in the world in 2018. But in early May, a sophisticated strain of ransomware called MegaCortex began spiking across Ireland, the US, Canada, Argentina, France, Indonesia and elsewhere.

Data from Microsoft’s products found that malware and ransomware attacks declined by 60 per cent in Ireland between March and December 2018. Just 1.26 per cent reported so-called ‘encounter rates’, giving Ireland the lowest score in the world.

Hoorays on hold

Don’t break out the bunting just yet, though. As BH Consulting’s CEO Brian Honan told the Daily Swig, the risk for businesses hasn’t disappeared the way it seems. One explanation for the reduced infection rates could be that 2017 happened to be a banner year for ransomware. In that context, that year’s global WannaCry and NotPetya outbreaks skewed the figures and by that reasoning, the ‘fall’ in 2018 is more likely just a regression to the mean.

Security company Sophos analysed MegaCortex and found it uses a formula “designed to spread the infection to more victims, more quickly.” The ransomware has manual components similar to Ryuk and BitPaymer but the adversaries behind MegaCortex use more automated tools to carry out the ransomware attack, which is “unique”, said Sophos.

History lesson

The risk of ransomware is still very much alive for many organisations, so we’ve combed through our blog archives to uncover some key developments. The content also includes tips and advice to help you stay secure.

In truth, ransomware isn’t a new threat, as a look back through our blog shows. New strains keep appearing, but it’s clear from earlier posts that some broad trends have stayed the same. As Brian recalled in 2014, many victims chose to pay because they couldn’t afford to lose their data. He pointed out that not everyone who parts with their cash gets their data back, which is still true today. “In some cases they not only lose their data but also the ransom money too as the criminals have not given them the code to decrypt it,” he said.

The same dynamic held true in subsequent years. In 2015, Lee Munson wrote that 31 per cent of security professionals would pay if it meant getting data back. It was a similar story one year later. A survey found that 44 per cent of British ransomware victims would pay to access their files again. Lee said this tendency to pay explains ransomware’s popularity among criminals. It’s literally easy money. For victims, however, it’s a hard lesson in how to secure their computer.

Here’s a quick recap of those lessons for individuals and businesses:

  • Keep software patched and up to date
  • Employ reputable antivirus software and keep it up to date
  • Backup your data regularly and most importantly verify that the backups have worked and you can retrieve your data
  • Make staff and those who use your computers aware of the risks and how to work securely online

Preventative measures

By taking those preventative steps, victims of a ransomware infection are in a better position to not pay the ransom. As Brian said in the post: “It doesn’t guarantee that they will get their data back in 100 per cent of cases, and payment only encourages criminals. We have also seen that once victims pay to have their data decrypted, they’re often targeted repeatedly because criminals see them as a soft touch.”

Fortunately, as 2016 wore on, there was some encouraging news. Law enforcement and industry collaborated on the No More Ransom initiative, combining the resources of the Dutch National Police, Europol, Intel Security and Kaspersky Lab. Later that year, BH Consulting was one of 20 organisations accepted on to the programme which expanded to combat the rising tide of infections.

The main No More Ransom website, which remains active today, has information about how the malware works and advice on ransomware protection. It also has free ransomware decryptor tools to help victims unlock their infected devices. Keys are available for some of the most common ransomware variants.

Steps to keeping out ransomware

By 2017, ransomware was showing no signs of stopping. Some variants like WannaCry caused havoc across the healthcare sector and beyond. In May of that year, as a wave of incidents showed no signs of letting up, BH Consulting published a free vendor-neutral guide to preventing ransomware. This nine-page document was aimed at a technical audience and included a series of detailed recommendations such as:

  • Implement geo-blocking for suspicious domains and regions
  • Review backup processes
  • Conduct regular testing of restore process from backup tapes
  • Review your incident response process
  • Implement a robust cybersecurity training programme
  • Implement network segmentation
  • Monitor DNS logs for unusual activity.

The guide goes into more detail on each bullet point, and is available to download from this link.

Infection investigation

Later that year, we also blogged about a digital forensics investigation into a ransomware infection. It was a fascinating in-depth look at the methodical detective work needed to trace the source, identify the specific malware type and figure out what had triggered the infection. (Spoiler: it was a malicious advert.)

Although ransomware is indiscriminate by nature, looking back over three years’ worth of blogs shows some clear patterns. As we noted in a blog published in October 2017, local government agencies and public bodies seem to be especially at risk. Inadequate security practices make it hard to recover from an incident – and increase the chances of needing to pay the criminals.

Obviously, that’s an outcome no-one wants. That’s why all of these blogs share our aim of giving practical advice to avoid becoming another victim. Much of the steps involve simple security hygiene such as keeping anti malware tools updated, and performing regular virus scans and backups. In other words, basic good practice will usually be enough to keep out avoidable infections. Otherwise, as Brian is fond of quoting, “those who cannot remember the past are condemned to repeat it”.

The post Ransomware remains a risk, but here’s how you can avoid infection appeared first on BH Consulting.

By

Security roundup: March 2019

We round up interesting research and reporting about security and privacy from around the web. This month: ransomware repercussions, reporting cybercrime, vulnerability volume, everyone’s noticing privacy, and feeling GDPR’s impact.

Ransom vs ruin

Hypothetical question: how long would your business hold out before paying to make a ransomware infection go away? For Apex Human Capital Management, a US payroll software company with hundreds of customers, it was less than three days. Apex confirmed the incident, but didn’t say how much it paid or reveal which strain of ransomware was involved.

Interestingly, the story suggests that the decision to pay was a consensus between the company and two external security firms. This could be because the ransomware also encrypted data at Apex’s newly minted external disaster recovery site. Most security experts strongly advise against paying extortionists to remove ransomware. With that in mind, here’s our guide to preventing ransomware. We also recommend visiting NoMoreRansom.org, which has information about infections and free decryption tools.

Bonus extra salutary security lesson: while we’re on the subject of backup failure, a “catastrophic” attack wiped the primary and backup systems of the secure email provider VFE Systems. Effectively, the lack of backup put the company out of business. As Brian Honan noted in the SANS newsletter, this case shows the impact of badly designed disaster recovery procedures.

Ready to report

If you’ve had a genuine security incident – neat segue alert! – you’ll probably need to report it to someone. That entity might be your local CERT (computer emergency response team), to a regulator, or even law enforcement. (It’s called cybercrime for a reason, after all). Security researcher Bart Blaze has developed a template for reporting a cybercrime incident which you might find useful. It’s free to download at Peerlyst (sign-in required).

By definition, a security incident will involve someone deliberately or accidentally taking advantage of a gap in an organisation’s defences. Help Net Security recently carried an op-ed arguing that it’s worth accepting that your network will be infiltrated or compromised. The key to recovering faster involves a shift in mindset and strategy from focusing on prevention to resilience. You can read the piece here. At BH Consulting, we’re big believers in the concept of resilience in security. We’ve blogged about it several times over the past year, including posts like this.

In incident response and in many aspects of security, communication will play a key role. So another helpful resource is this primer on communicating security subjects with non-experts, courtesy of SANS’ Lenny Zeltser. It takes a “plain English” approach to the subject and includes other links to help security professionals improve their messaging. Similarly, this post from Raconteur looks at language as the key to improving collaboration between a CISO and the board.

Old flaws in not-so-new bottles

More than 80 per cent of enterprise IT systems have at least one flaw listed on the Common Vulnerabilities and Exposures (CVE) list. One in five systems have more than ten such unpatched vulnerabilities. Those are some of the headline findings in the 2019 Vulnerability Statistics Report from Irish security company Edgescan.

Edgescan concluded that the average window of exposure for critical web application vulnerabilities is 69 days. Per the report, an average enterprise takes around 69 days to patch a critical vulnerability in its applications and 65 days to patch the same in its infrastructure layers. High-risk and medium-risk vulnerabilities in enterprise applications take up to 83 days and 74 days respectively to patch.

SC Magazine’s take was that many of the problems in the report come from companies lacking full visibility of all their IT assets. The full Edgescan report has even more data and conclusions and is free to download here.

From a shrug to a shun

Privacy practitioners take note: consumer attitudes to security breaches appear to be shifting at last. PCI Pal, a payment security company, found that 62 per cent of Americans and 44 per cent of Britons claim they will stop spending with a brand for several months following a hack or breach. The reputational hit from a security incident could be greater than the cost of repair. In a related story, security journalist Zack Whittaker has taken issue with the hollow promise of websites everywhere. You know the one: “We take your privacy seriously.”

If you notice this notice…

Notifications of data breaches have increased since GDPR came into force. The European Commission has revealed that companies made more than 41,000 data breach notifications in the six-month period since May 25. Individuals or organisations made more than 95,000 complaints, mostly relating to telemarketing, promotional emails and video surveillance. Help Net Security has a good writeup of the findings here.

It was a similar story in Ireland, where the Data Protection Commission saw a 70 per cent increase in reported valid data security breaches, and a 56 per cent increase in public complaints compared to 2017. The summary data is here and the full 104-page report is free to download.

Meanwhile, Brave, the privacy-focused browser developer, argues that GDPR doesn’t make doing business harder for a small company. “In fact, if purpose limitation is enforced, GDPR levels the playing field versus large digital players,” said chief policy officer Johnny Ryan.

Interesting footnote: a US insurance company, Coalition, has begun offering GDPR-specific coverage. Dark Reading’s quotes a lawyer who said insurance might be effective for risk transference but it’s untested. Much will depend on the policy’s wording, the lawyer said.

Things we liked

Lisa Forte’s excellent post draws parallels between online radicalisation and cybercrime. MORE

Want to do some malware analysis? Here’s how to set up a Windows VM for it. MORE

You give apps personal information. Then they tell Facebook (PAYWALL). MORE

Ever wondered how cybercriminals turn their digital gains into cold, hard cash? MORE

This 190-second video explains cybercrime to a layperson without using computers. MORE

Blaming the user for security failings is a dereliction of responsibility, argues Ira Winkler. MORE

Tips for improving cyber risk management. MORE

Here’s what happens when you set up an IoT camera as a honeypot. MORE

The post Security roundup: March 2019 appeared first on BH Consulting.

By

It’s oh so quiet: get ready for stealthy malware in 2019

It’s unlikely we’ll ever look back fondly to a time when ransomware would announce itself noisily. But at least victims knew they were under attack. Now, the signs are that malware’s adopting sneaky tactics to avoid detection.

Fileless malware looks set to be a significant security threat in 2019, and that could be bad news for anyone using traditional antivirus tools. In the past, most infections involved installing malicious software on a target’s hard disk. But in doing so, it left a signature that alerted security software to its presence. Fileless malware, on the other hand, exists only in memory. It leaves none of the traces that traditional infections do, making it much harder to identify, stop, and remove.

That’s leading to a potential gap in security defences that attackers seem to be exploiting in growing numbers. SentinelOne tracked a 94 per cent rise in fileless attacks during the first half of last year. Research from the Ponemon Institute and Barkly found fileless attacks accounted for 35 per cent of all attacks during 2018.

Under the radar

Now, most leading security software companies like Symantec, Trend Micro and McAfee Labs recognise this type of undetected malware. It was also the subject of a recent webinar by Malwarebytes. Its senior product marketing manager Helge Husemann namechecked SamSam, Sorebrect, Emotet and TrickBot as some of the biggest fileless malware types from 2018.

Emotet is the biggest example of this type of “under the radar” malware. It’s been around since 2014 and it acts as a downloader for other malware. It uses leaked NSA exploits and it comes with a built-in spam module that allows it to spread to other systems. The attack often starts as an email that pretends to come from a government service, like the tax office.

Husemann said Emotet’s primary focus has been English-speaking, Western countries. Many of its targets were in the US, while the UK had more Emotet infections than any other European country in 2018. Last October, Emotet was used to spread ransomware to the North Carolina Water Authority.

Malwarebytes categorises the SamSam ransomware as semi-fileless. Husemann said attackers usually install it manually through patch scripts once they have already broken into a victim’s network. The city of Atlanta, which suffered a major outbreak of SamSam in March 2018, has spent around $2.6 million on recovery.

A common attack vector for fileless malware is via PowerShell, which is a legitimate Windows scripting tool but is also popular with cybercriminals. “It provides an opportunity for the attacker to hide the malware and make system modifications if they need to. We will definitely see the usage of PowerShell happening much more,” Husemann said.  

Watching for weak points

Another way to get an infection is by visiting a compromised website. The site’s code then exploits a vulnerability like an unpatched browser or an unsecured Flash plugin on the user’s computer.

Rebooting a system will usually get rid of a fileless infection – but you would need to know you’re infected in the first place. What’s more, rebooting creates challenges for digital forensics investigations because of how fileless malware operates in-memory. Once the infected system is turned off, it leaves no evidence behind.

With thousands of new malware variants coming out every day, it won’t be enough to rely only on signature-based security tools to spot threats. “Malware may be hiding in the one place you’re not checking, which is process memory. After years of loud and obvious ransomware we are entering the stage of quiet information stealers,” Husemann said.  

An effective endpoint solution should consist of three components, Husemann said. First is the ability to prevent a cyberattack through multiple protection layers including web protection, application hardening and behaviour, exploit mitigation, and payload analysis. The second component is the ability to detect threats, using advanced techniques. The third element concerns response: being able to remediate an incident in the fastest possible time, to minimise disruption to business and reduce the impact on end users.

BH Consulting is independent so we don’t have ties to any one product vendor. No matter which security tool you use, it’s clear that the software we used to call “antivirus” still has an important role in protecting organisations’ valuable data.

The post It’s oh so quiet: get ready for stealthy malware in 2019 appeared first on BH Consulting.

By

Security newsround: January 2019

We round up interesting research and reporting about security and privacy from around the web. This month: the security year in review, resilience on rails, incidents in depth, phishing hooks millennials, Internet of Threats, and CISOs climbing the corporate ladder.

A look back at cybercrime in 2018

It wouldn’t be a new year’s email without a retrospective on major security incidents over the previous 12 months. Credit to CSO Online for assembling a useful overview of some of last year’s most common risks and threats. To beef up this resource, it sourced external research and stats, while adding plenty of links for further reading. Some of the highlights include the massive rise in cryptocurrency mining. “Coin miners not only slow down devices but can overheat batteries and sometimes render a device useless,” it warned.

The article also advises against posting mobile numbers on the internet, because criminals are finding ways to harvest them for various scams. CSO also advises organisations about knowing the value of their data in order to protect it accordingly. Threatpost has a handy at-a-glance guide to some of the big security incidents from the past year. Meanwhile, kudos to Vice Motherboard for its excellent ‘jealousy list’ which rounds up great hacking and security stories from 2018 that first appeared in other media outlets.

Luas security derails tram website

The new year got off to a bad start for Dublin’s tram operator Luas, after an unknown attacker defaced its website in a security incident. On January 2nd, the Luas site had this message: “You are hacked… some time ago i wrote that you have serious security holes… you didn’t reply… the next time someone talks to you, press the reply button… you must pay 1 bitcoin in 5 days… otherwise I will publish all data and send emails to your users.”

The incident exposed 3,226 user records, and Luas said they belonged to customers who had subscribed to its newsletter. News of the incident spread widely, possibly due to Luas’ high profile as a victim, or because of the cryptocurrency angle.

The tram service itself was not affected, nor was the company’s online payments system. While the website was down, Luas used its Twitter feed to communicate travel updates to the public, and warned people not to visit the site. Interviewed by the Irish Times, Brian Honan said the incident showed that many organisations tend to forget website security after launch. As we’ve previously blogged, it’s worth carrying out periodic vulnerability assessments to spot gaps that an attacker could exploit. With the Luas site not fully back six days later, Brian noted on Twitter that it’s important to integrate incident response with business continuity management.

One hacked laptop and two hundred solemn faces

When an employee of a global apparel company clicked on a link in a phishing email while connected to a coffee shop wifi, they unwittingly let a cybercrime gang onto their corporate network. Once in, the attackers installed Framework POS malware on the company’s retail server to steal credit card details. It’s one real-life example from CrowdStrike’s Cyber Intrusion Casebook. The report details various incident response cases from 2018. It also gives recommendations for organisations on steps to take to protect their critical data better. In addition to coverage in online news reports, the document is available as a free PDF on CrowdStrike’s site.

Examples like these show the need for resilience, which we’ve blogged about before. No security is 100 per cent perfect. But it shouldn’t follow that one gap in the defences brings the entire wall crumbling down.

Digitally savvy, yes. Security savvy, not so much

Speaking of phishing, a new survey has found that digital natives are twice as likely to have fallen victim to a phishing scam than their older – sorry, we mean more experienced –  colleagues. Some 17 per cent in the 23-41 age group clicked on a phishing link, compared to 42-53 years old (6 per cent) or 54+ (7 per cent). The findings suggest a gap between perception and reality.

Out of all the age groups, digital natives were the most confident in their ability to spot a scam compared to their senior peers. Yet the 14 per cent of digital natives who weren’t as sure of their ability to spot a phish was strikingly close to the percentage in the same age bracket who had fallen for a phishing email. The survey by Censuswide for Datapac found that 14 per cent of Irish office workers – around 185,000 people – have been successfully phished at some stage.

OWASP’s IoT hit list

Is your organisation planning an Internet of Things project in 2019? Then you might want to send them in OWASP’s direction first. The group’s IoT project aims to improve understanding of the security issues around embedding sensors in, well, anything. To that end, the group has updated its top 10 list for IoT. The risks include old reliables like weak, guessable passwords, outdated components, insecure data transfer or storage, and lack of physical hardening. The full list is here.

The number’s up for CISO promotions

Why do relatively few security professionals ascend to the highest levels of business? That’s the provocative question from Raj Samani, chief scientist with McAfee. In an op-ed for Infosecurity Magazine, Samani argues that security hasn’t yet communicated its value to the business in an identifiable way. Proof of this is the fatigue or indifference over ever-mounting numbers of data breaches. Unlike a physical incident like a car accident where the impact is instantly visible, security incidents don’t have the same obvious cause and effect.

“The inability to determine quantifiable loss means that identifying measures to reduce risk are merely estimated at best. Moreover, if the loss is rarely felt, then the value of taking active steps to protect an asset can simply be overlooked,” Samani writes. “We can either bemoan the status quo or identify an approach that allows us to articulate our business value in a quantifiable way.”

The post Security newsround: January 2019 appeared first on BH Consulting.