PC PORTAL

Experienced. Trusted. Solutions.

Uncategorized

By

Ransomware remains a risk, but here’s how you can avoid infection

It’s been a case of good news/bad news when it comes to ransomware recently. New figures from Microsoft suggest that Ireland had one of the lowest rates of infection in the world in 2018. But in early May, a sophisticated strain of ransomware called MegaCortex began spiking across Ireland, the US, Canada, Argentina, France, Indonesia and elsewhere.

Data from Microsoft’s products found that malware and ransomware attacks declined by 60 per cent in Ireland between March and December 2018. Just 1.26 per cent reported so-called ‘encounter rates’, giving Ireland the lowest score in the world.

Hoorays on hold

Don’t break out the bunting just yet, though. As BH Consulting’s CEO Brian Honan told the Daily Swig, the risk for businesses hasn’t disappeared the way it seems. One explanation for the reduced infection rates could be that 2017 happened to be a banner year for ransomware. In that context, that year’s global WannaCry and NotPetya outbreaks skewed the figures and by that reasoning, the ‘fall’ in 2018 is more likely just a regression to the mean.

Security company Sophos analysed MegaCortex and found it uses a formula “designed to spread the infection to more victims, more quickly.” The ransomware has manual components similar to Ryuk and BitPaymer but the adversaries behind MegaCortex use more automated tools to carry out the ransomware attack, which is “unique”, said Sophos.

History lesson

The risk of ransomware is still very much alive for many organisations, so we’ve combed through our blog archives to uncover some key developments. The content also includes tips and advice to help you stay secure.

In truth, ransomware isn’t a new threat, as a look back through our blog shows. New strains keep appearing, but it’s clear from earlier posts that some broad trends have stayed the same. As Brian recalled in 2014, many victims chose to pay because they couldn’t afford to lose their data. He pointed out that not everyone who parts with their cash gets their data back, which is still true today. “In some cases they not only lose their data but also the ransom money too as the criminals have not given them the code to decrypt it,” he said.

The same dynamic held true in subsequent years. In 2015, Lee Munson wrote that 31 per cent of security professionals would pay if it meant getting data back. It was a similar story one year later. A survey found that 44 per cent of British ransomware victims would pay to access their files again. Lee said this tendency to pay explains ransomware’s popularity among criminals. It’s literally easy money. For victims, however, it’s a hard lesson in how to secure their computer.

Here’s a quick recap of those lessons for individuals and businesses:

  • Keep software patched and up to date
  • Employ reputable antivirus software and keep it up to date
  • Backup your data regularly and most importantly verify that the backups have worked and you can retrieve your data
  • Make staff and those who use your computers aware of the risks and how to work securely online

Preventative measures

By taking those preventative steps, victims of a ransomware infection are in a better position to not pay the ransom. As Brian said in the post: “It doesn’t guarantee that they will get their data back in 100 per cent of cases, and payment only encourages criminals. We have also seen that once victims pay to have their data decrypted, they’re often targeted repeatedly because criminals see them as a soft touch.”

Fortunately, as 2016 wore on, there was some encouraging news. Law enforcement and industry collaborated on the No More Ransom initiative, combining the resources of the Dutch National Police, Europol, Intel Security and Kaspersky Lab. Later that year, BH Consulting was one of 20 organisations accepted on to the programme which expanded to combat the rising tide of infections.

The main No More Ransom website, which remains active today, has information about how the malware works and advice on ransomware protection. It also has free ransomware decryptor tools to help victims unlock their infected devices. Keys are available for some of the most common ransomware variants.

Steps to keeping out ransomware

By 2017, ransomware was showing no signs of stopping. Some variants like WannaCry caused havoc across the healthcare sector and beyond. In May of that year, as a wave of incidents showed no signs of letting up, BH Consulting published a free vendor-neutral guide to preventing ransomware. This nine-page document was aimed at a technical audience and included a series of detailed recommendations such as:

  • Implement geo-blocking for suspicious domains and regions
  • Review backup processes
  • Conduct regular testing of restore process from backup tapes
  • Review your incident response process
  • Implement a robust cybersecurity training programme
  • Implement network segmentation
  • Monitor DNS logs for unusual activity.

The guide goes into more detail on each bullet point, and is available to download from this link.

Infection investigation

Later that year, we also blogged about a digital forensics investigation into a ransomware infection. It was a fascinating in-depth look at the methodical detective work needed to trace the source, identify the specific malware type and figure out what had triggered the infection. (Spoiler: it was a malicious advert.)

Although ransomware is indiscriminate by nature, looking back over three years’ worth of blogs shows some clear patterns. As we noted in a blog published in October 2017, local government agencies and public bodies seem to be especially at risk. Inadequate security practices make it hard to recover from an incident – and increase the chances of needing to pay the criminals.

Obviously, that’s an outcome no-one wants. That’s why all of these blogs share our aim of giving practical advice to avoid becoming another victim. Much of the steps involve simple security hygiene such as keeping anti malware tools updated, and performing regular virus scans and backups. In other words, basic good practice will usually be enough to keep out avoidable infections. Otherwise, as Brian is fond of quoting, “those who cannot remember the past are condemned to repeat it”.

The post Ransomware remains a risk, but here’s how you can avoid infection appeared first on BH Consulting.

By

We are hiring – Senior Cybersecurity Consultant

Due to the continued expansion of our DPO as a Service, and CSO as a Service offerings, BH Consulting is now seeking to recruit a Senior Cybersecurity Consultant to join its growing team.

BH Consulting is a dynamic and fast-paced cybersecurity and data protection consulting firm. We provide a market leading range of information security services focused on GDPR, cybersecurity, cyber risk, digital forensics, ISO 27001, and awareness training.

We have a vast range of clients from private and public sector organisations, to large global multinational organisations. We operate both domestically in Ireland and Internationally with our head office located in Dublin.

The trust relationship with our customers underpins the fibre of our organisation. We nurture this trust relationship by investing time and resource to understand our customer’s business needs and we provide advise that aligns with those needs.

Our team is passionate about successfully addressing the cybersecurity and data protection issues our customers have. We continue our journey to grow and expand and have established a new senior role within our organisation to support this growth.

Who are we looking for?

A senior cyber-security consultant who will work closely with the Chief Operations Office, and the CEO, Brian Honan. You  will help BH maintain its customer relationships by delivering to existing clients and you will also help to win new business. You will be an ambassador for BH’s trusted brand and your calibre will reflect this.

Who are you?

You are a Senior Cyber-security Consultant, with a wealth of experience at both a technical level and at senior management level. You have a reputation as both a thought leader in cyber-security and data protection, and a strong technical background combined with senior leadership skills.. You a dynamic individual who likes to be challenged and you have an in-depth knowledge of cyber risk management, cybersecurity, cyber strategy, data protection and business strategy. You will be able to understand the needs of both the C suite and on-the-ground teams and you will be able to talk to both audiences. You are target driven, and passionate about helping customers solve their cybersecurity and data protection risks. 

Details of the role

  • Develop stakeholder relationships with executive management in our clients, and proactively develop ongoing service and product recommendations for these clients based on their business needs
  • Define and provide pragmatic security guidance and architectures that balance business benefit and risk
  • Assess and advise on cyber-governance models, data governance models, risk management programs, and data protection compliance frameworks
  • Deliver cybersecurity risk assessments, running assessment workshops with clients
  • Audit and review client cyber projects
  • Examine clients cyber-security controls and make appropriate and practical recommendations that achieve robust security or compliance outcomes
  • Consult on security considerations based on system delivery models including internally, hosted, cloud hosted, cloud managed, mobile, etc.
  • Provide pre-sales advice and support, working alongside account managers
  • Research emerging threats, vulnerabilities and security practices/standards to maintain professional relevance
  • Provide complex technical advice, recommendations and consultancy regarding networks, infrastructure, products and services
  • Provide guidance around IaaS, SaaS, and PaaS security best practices
  • Enable clients to achieve certification to the ISO 27001:2013 Information Security Standard.

Your responsibilities

  • Ensure that all BH Consulting clients receive a professional service in line with our company ethos and values
  • Ensuring a first-class service to clients is delivered on time and within budget
  • Planning and leading projects while effectively managing resources.
  • Leading and mentoring junior team members ensuring a high standard is maintained in line with KPIs
  • Demonstrating confidence of a strong technical skillset to clients in relation to cyber-defence and incident response
  • Delivering independent trusted advisory services to our clients to enable them to manage their risk profile
  • Enable clients achieve certification to the ISO 27001:2013 Information Security Standard
  • Work with clients to ensure adherence to regulatory, legal, and relevant governance frameworks
  • Manage client relationships and accounts
  • Meet and exceed all KPIs and revenue targets
  • Plan and attend relevant events and conferences to promote the BH Consulting brand.

Core competencies

  • Excellent technical knowledge of cyber-security, information technology, and business risk
  • Strong business understanding and acumen
  • Excellent written and verbal communications skills, able to use a variety of communications styles, language, and media, to effectively build relationships with key stakeholders
  • Have strong attention to detail and ability to present that detail in a dynamic manner based on its audience
  • Excellent planning skills together with project management and prioritisation skills
  • Delivery focused – ensuring projects are delivered on time and within budget
  • Strong analytical problem-solving capabilities
  • Ability to work on own initiative, yet also strong team player
  • Comprehensive understanding of risk management principles and effective risk response strategies
  • Passion and drive – willingness to go that extra mile to achieve a target/objective
  • Be willing to travel both within Ireland and internationally to our widely diverse client base
  • Resilience – ability to meet challenges and pressures head-on and to manage and address set-backs as encountered
  • Collaborative – ability to cooperate and to communicate well, and to resolve differences of opinion quickly and mutually
  • Flexible and adaptable – ability to improvise and adapt to a dynamic business environment.

If this role interests you and you want to join an exciting and growing company, please send your CV to [email protected]

The post We are hiring – Senior Cybersecurity Consultant appeared first on BH Consulting.

By

AWS Cloud: Proactive Security and Forensic Readiness – part 5

Part 5: Incident Response in AWS

In the event your organisation suffers a data breach or a security incident, it’s crucial to be prepared and conduct timely investigations. Preparation involves having a plan or playbook at hand, along with pre-provisioned tools to effectively respond to and mitigate the potential impact of security incidents. These response measures are more effective when regularly tested, such as by running incident response simulation exercises.

This post relates to incident response in the AWS Cloud. It’s the last in a five-part series that provides a checklist for proactive security and forensic readiness in the AWS Cloud environment.

Incident Response

NIST defines a security incident as “an occurrence that actually or potentially jeopardises the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies”. The figure below outlines the typical phases of an incident response lifecycle.

Figure 1: Incident response life cycle. [Source: Computer Security Incident Handling Guide]

Incident Response in AWS Cloud

Incident response in the cloud is not very different from in the traditional on-premise environment. In fact, there are several tools in the AWS cloud environment you can use to help the incident response process, such as AWS CloudTrail, Amazon CloudWatch, AWS Config, AWS CloudFormation, AWS Step Functions, etc. These tools enable you to track, monitor, analyse, and audit events.

Audit logs are treasure troves and are indispensable during investigations. AWS provides detailed audit logs that record important events such as file access and modification. Events can be automatically processed and trigger tools that automate responses through the use of AWS APIs. You can pre-provision tooling and a “clean room” which allows you to carry out forensics in a safe, isolated environment.

Figure 2: EC2 Auto Clean Room Forensics using Lambda, Step Functions, Cloud Formation and SNS Topic.  [Source: Automating Incident Response and Forensics in AWS – AWS Summit Sydney 2018]

The following list provides guidance on having an appropriate incident response strategy in place, estimating the impact of incidents in the AWS environment, AWS tools to prepare in advance for incident handling, responding to AWS abuse warnings, containing compromised EC2 instance and wiping information post investigation.

The checklist provides best practice for the following:

  1. How will you ensure that you have an appropriate incident response strategy in place?
  2. What AWS tools should you use to prepare in advance for incident handling?
  3. How will you respond to AWS abuse warnings?
  4. How will you isolate and restrict user access to a compromised Amazon EC2 instance?
  5. How will you ensure sensitive information is wiped post investigation?

Best-practice checklist

Question

Best-practice checklist

1. How will you ensure you have an appropriate incident response strategy in place?

  • Make sure the security team has the right tools pre-deployed into AWS so that the incident can be responded to in a timely manner.

  • Pre-provision a ‘clean room’ for automated incident handling.

  • Have a list of relevant contacts that may need to be notified. Decide on the medium of communication. If the compromised account contains personal data, you may be required to contact the Data Protection Commission (DPC) within 72 hours to comply with GDPR.

  • Conduct incident response simulations regularly in the non-production and the production environments as well. Incorporate lessons learned into the architecture and operations

    •  

    Go back to questions list >>

    2. What AWS tools should you use to prepare in advance for incident handling?

  • Tags in AWS allow you to proactively label resources with a data classification or a criticality attribute so you can quickly estimate the impact when the incident occurs.

  • AWS Organisations allows you to create separate accounts along business lines or mission areas which also limits the “blast radius” should a breach occur; for governance, you can apply policies to each of those sub accounts from the AWS master account

  • IAM grants appropriate authorisation to incident response teams in advance

  • Security Groups enables isolation of Amazon EC2 instances

  • AWS CloudFormation automates the creation of trusted environments for conducting deeper investigations

  • AWS CloudTrail provides a history of AWS API calls that can assist in response and trigger automated detection and response systems

  • VPC Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your VPC

  • AWS Key Management Service (KMS) encrypts sensitive data at rest including logs aggregated and stored centrally

  • Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorised behaviour

  • Amazon CloudWatch Events triggers different automated actions from changes in AWS resources including CloudTrail

  • Amazon S3 stores snapshots and related incident artefacts

  • AWS Step Functions coordinates a sequence of steps to automate an incident response process

  • APIs automate many of the routine tasks that need to be performed during incident handling.

    •  

    Go back to questions list >>

    3. How will you respond to AWS abuse warnings?

  • Set up a dedicated security communication email address

  • Do not ignore abuse warnings. Take action to stop the malicious activities, and prevent future re-occurrence

  • Open a case number with AWS Support for cross-validation.

    •  

    Go back to questions list >>

    4. How will you isolate and restrict user access to a compromised Amazon EC2 instance?

  • When containing the instance manually, use IAM to restrict access permissions to compromised Amazon EC2 instance

  • Isolate the instance using restrictive ingress and egress security group rules or remove it from a load balancer

  • Tag the instance as appropriate to indicate isolation

  • Create snapshots of EBS volumes.

  • Notify relevant contacts

  • Use CloudFormation to quickly create a new, trusted environment in which to conduct deeper investigation

  • You can automate the above steps using Lambda, Step Functions, Cloud Formation and SNS Topic to prepare an EC2 auto clean room for containing the instance

  • You could also use aws-security-automation code on GitHub, which is a collection of scripts and resources for DevSecOps, Security Automation and Automated Incident Response Remediation.

    •  

    Go back to questions list >>

    5. How will you ensure sensitive information is wiped post investigation?

  • Secure wipe-files and delete any KMS data keys, if used.

    •  

    Go back to questions list >>

    For more details, refer to the following AWS resources:

    Go back to the introduction AWS Cloud: Proactive Security & Forensic Readiness five-part best practice
    Read Part 1 – Identity and Access management in AWS: best-practice checklist
    Read Part 2 – Infrastructure level protection in AWS: best-practice checklist
    Read Part 3 – Data protection in AWS: best-practice checklist
    Read Part 4 – Detective Controls in AWS: best-practice checklist

    Let us know in the comments below if we have missed anything in our checklist!

    DISCLAIMER: Please be mindful that this is not an exhaustive list. Given the pace of innovation and development within AWS, there may be features being rolled out as these blogs were being written. Also, please note that this checklist is for guidance purposes only. For more information, or to request an in-depth security review of your cloud environment, please contact us.

    Neha Thethi is a senior information security analyst at BH Consulting. She is an AWS Certified Solutions Architect – Associate and holder of the SANS GIAC Certified Incident Handler (GCIH). Neha has published papers, spoken at conferences, written blogs and delivered webinars about challenges of conducting forensics in the cloud environment. She has helped clients develop incident response plans and conducted several digital forensic investigations for cloud environments including AWS and Microsoft Azure.

    Editor: Gordon Smith

    The post AWS Cloud: Proactive Security and Forensic Readiness – part 5 appeared first on BH Consulting.

    By

    Security for startups: why early-stage businesses can’t neglect this risk

    In the early days of a startup, it’s easy to get caught up in the buzz of building a new business. Keeping so many plates spinning – from
    fundraising and hiring to shipping product – can mean security sometimes falls off the priority list. But in the face of ever-rising volumes of data breaches and security incidents, it’s a subject that early-stage companies can’t afford to ignore.

    That was one of the key themes from a wide-ranging discussion at Dogpatch Labs, the tech incubator in Dublin’s docklands. The speaker was Todd Fitzgerald, an information security expert and Dogpatch member. His ‘fireside chat’, as the event organisers dubbed it, looked at why no company is too small to develop a cybersecurity strategy.

    Pragmatic approach

    Todd shared insights into a pragmatic approach to cybersecurity strategy and the implications of recent security and privacy breaches. “Any company that doesn’t have cybersecurity as one of their top five risks is really not addressing cybersecurity,” he said.

    Recent ransomware outbreaks have shown cybercrime’s huge impact, no matter the size of the victim. FedEx and Maersk each suffered $300 million in damages from the NotPetya ransomware. Data breaches are a growing risk. In 2005, there were an estimated 55 million reported breaches in the US. Now, that figure is somewhere close to 1.4 billion. As Todd pointed out, those are only the ones we know about because victims have reported them.

    Startups, in tech especially, often rely heavily on data but that brings added responsibility. “If you don’t know where your data is and you don’t know the privacy laws around it, how can you give any kind of assurance [to customers] that you’re protecting that?” asked Todd.

    Strategy vs execution

    The moderator asked the obvious question: why should startups care about cybersecurity when they’re concerned about getting product out the door? Financial loss due to ransomware is one reason, and there are many other common security issues a startup needs to think about. Protecting valuable intellectual property is critical. If a startup’s bright idea falls into the wrong hands, a competitor could reverse engineer the code and bring out a copycat product in another market. “It’s the same issues, just the scale is different,” Todd said.

    Startup teams can change quickly while the business is still evolving, so another risk to watch is staff turnover. Without proper authentication, ex-employees could still have access to confidential files after they leave the company. Simple carelessness is another potential threat: someone might accidentally delete important code from a server. Startups need to put incident response processes in place in case the worst happens. “There is business benefit to having good security,” Todd said.

    For founders with no infosecurity experience, Todd also offered advice on protecting an early-stage company on a shoestring budget. He recommended speaking to an independent consultant who can advise on a cybersecurity strategic plan that reflects the business priorities.

    Starting on security

    Startup founders can start to familiarise themselves with the subject by reading cybersecurity frameworks like ISO 27001. The information security standard costs around €150 to buy, is easy to read and is suitable for companies of any size. “Walk through it and ask yourself: ‘would I be protected against these cybersecurity threats?’ That will probably prompt you to do a vulnerability assessment against your environment,” he said.

    Todd Fitzgerald has more than 20 years’ experience in building, leading and advising information security programmes for several Fortune 500 companies. He has contributed to security standards and regularly presents at major industry conferences. A published author, he wrote parts of his fourth and most recent book, CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers, in Dublin.

    The post Security for startups: why early-stage businesses can’t neglect this risk appeared first on BH Consulting.

    By

    Health research and the thorny issue of consent

    By 30 April of this year, any organisation conducting health research in Ireland must either get consent to GDPR standard or else obtain a consent waiver. But in order to do the former, they need to know what explicit informed consent is (also known as GDPR-level consent). The problem is, a lot of people don’t know what’s involved. In this blog post, I’m going to try to clear up some of the misconceptions and outline the process involved in arriving at a conclusion.

    This is a follow-up to the post I published in December about the changes that GDPR has brought to data protection impact assessments. The Health Research Consent Declaration Committee was established as part of the Health Research Regulations made under GDPR. In December, it launched its website at www.hrcdc.ie.

    As yet, the committee itself has not been appointed but there is now a clear application process available to researchers who wish to apply for a consent waiver. So researchers need to ask themselves three questions:

    1. When did my research start (this date should be the date the research was approved by the medical ethics board)?
    2. Is my existing consent to the standard required by GDPR?
    3. Is my research in the public interest?

    As the first question is relatively easy, let’s look at how you determine if your consent is good enough or if you will be required to reconsent your participants. The General Data Protection Regulation Article 4(11) defines consent as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

    Guidelines for GDPR consent

    All existing health research projects must have this level of consent in place by April 30th or else have applied to the HRCDC for a waiver. For your consent to be considered explicit informed consent, you must be able to answer yes to all of the following 11 statements:

    • The request for consent is prominent and separate from any other terms and conditions
    • Individual are asked to positively opt in by ticking a box for each processing activity and signing the consent form
    • There are no pre-ticked boxes on the consent form
    • The language used in the consent form is clear, plain and easy to read
    • The form specifies why the data is being collected, what you will do with it and who it will be shared with
    • The form has had separate distinct (‘granular’) options to consent to each purpose and type of processing? Including a consent to anonymise if required
    • Individuals are informed they can withdraw their consent; this process is easy and they are not penalised in any way for such withdrawal
    • Where and when consent was given is recorded as well as the data and time associated with consent withdrawal
    • Consents will be reviewed regularly to ensure the purpose and processing has not changed
    • When we rely on parental consent for minors, we have a process in place to update that consent when the individual turns 18
    • We have a process in place to refresh consents when necessary.

    Alternatives to consent

    In the event you can’t answer affirmatively to all these questions and you are not in a position to reconsent your research participants, you will need to apply using one of the three available forms from the HRCDC website before the April 30 deadline. 

    1. An application form in relation to new research (that is research that commenced on or after 8 August 2018).

    2. An application form in relation to re-consenting of current research (that is research that began before 8 August 2018). A consent declaration in this case applies, if made, only to personal data that the data controller currently holds. 

    3. An application form in relation to current research (that is research that began before 8 August 2018) and for which no consent was obtained. A consent declaration in this case applies, if made, only to personal data that the data controller currently holds.

    Each application requires you to carry out a Data Privacy Impact Assessment and provide a summary of the finding of that process.

    Most organisations carrying out health research have a data protection officer (DPO). If they were already getting consent for their research projects by following the old data protection guidelines, they should be able to clear this new bar relatively easily. But there may be some cases where organisations were doing research using historical data without consent. In these cases, it’s worth going through the process rigorously of checking whether they can apply for a consent declaration.

    Tracy Elliott is a senior data protection consultant with BH Consulting.

    The post Health research and the thorny issue of consent appeared first on BH Consulting.