5 Common Types of Cyber Attacks

Cybersecurity is a crucial aspect of any organization that relies on digital systems and networks. Cyberattacks can cause significant damage to the reputation, operations, and finances of a business, as well as compromise the privacy and security of its customers and employees. Therefore, it is important to understand the different types of cybersecurity attacks, how they are used, and how they can be prevented.

In this blog post, we will discuss 5 common types of cybersecurity attacks that every organization should be aware of and prepared to remediate.

Types of Attacks

1. Malware
Malware is a term that encompasses various types of malicious software, such as viruses, worms, trojans, ransomware, spyware, adware, and more. Malware can infect a computer or device through phishing emails, malicious links, downloads, or removable media. Malware can perform various harmful actions, such as deleting or encrypting data, stealing information, spying on user activity, displaying unwanted ads, or hijacking system resources.

To prevent malware attacks, organizations should use antivirus software and firewalls, update their systems and applications regularly, avoid opening suspicious attachments or links, and educate their employees on how to recognize and avoid phishing emails.

Continue reading “5 Common Types of Cyber Attacks”

Understanding the NIST Cybersecurity Framework

Summary

The NIST Cybersecurity Framework is a voluntary standard created by the National Institute of Standards and Technology, part of the United States Department of Commerce. This set of guidelines for private sector companies is intended to help them be better prepared to identify, detect, and respond to cyberattacks. It also includes guidance on how to prevent and recover from a cyberattack.

The NIST Cybersecurity Framework is intended to address the lack of standards when it comes to cybersecurity. As with almost everything else that deals with technology, there are currently major differences in the way companies are using technology to detect and remediate attacks from hackers, malicious users, and ransomware.

With the complexity and frequency of cyberattacks growing each day, the task of detecting and preventing cyberattacks has gotten too difficult and complex to be left to chance, and a lack of a strategy among most organizations only makes this effort more difficult.

Continue reading “Understanding the NIST Cybersecurity Framework”

10 Steps to Stopping Lateral Movement Attacks

It is estimated that over 75% of cyber attacks come from outside your network. While every attack is unique and tactics may vary, the basic stages of an outsider attack are similar. During the attack, an attacker uses four basic steps to gain a foothold in your environment.

  1. Attack the perimeter – Gain access through any perimeter protections to gain access to the internal resources of the network, like a user’s computer or a server-based resource on the internal network. This can be accomplished using a known vulnerability, or by convincing the user to run a program from an email link or attached file.
  2. Malware Drop – Once they have access to an internal resource, they drop malware onto the endpoint and begin communications to the compromised device, usually through a command and control system. Using the permissions of the current user, they gather intelligence about the network and attempt to elevate their permissions on that endpoint.
  3. Lateral Movement – They now start looking for resources on other systems on the same internal network. As new systems are discovered, they are also compromised and start communicating with the attacker’s command and control system. They gather more intelligence and try to elevate their permissions on all compromised systems.
  4. Trigger Payload – Once your network and systems are owned by the attacker, they start exfiltrating and/or encrypting the files on the compromised internal resources. Game Over.

There are some common mitigation strategies your organization can implement to help prevent lateral movement (step 3 shown above) during an attack. You won’t always detect the initial compromise of an internal resource, but you can limit the damage that can be inflicted by implementing some basic security steps.

Here are 10 steps to reducing the impact of a lateral movement attack:

Continue reading “10 Steps to Stopping Lateral Movement Attacks”

Cybersecurity Tips for Your Family

You often see cybersecurity tips and techniques for corporate environments, but what about tips for your friends and family? What are the basic ways your family can stay safe while online? Share these tips with your friends and family, including your older family members.

The important thing to remember is the internet is a collection of people from all over the world, including criminals. They will prey on the weak and uninformed to steal everything from them, and a little awareness can prevent someone you care about from being a victim of crime.

  • Think Before Clicking – While using the internet on your personal computer, tablet, or cellphone, always think before you click that link in an email or text message. Do you know where that link will take you, and does it lead to potential malware? Links in emails and text messages that claim to be password recovery solutions or links to online bank statements are among the most popular methods used by hackers to trick you and gain your personal information. When in doubt, don’t click suspicious links.
  • Use Strong Passwords – People have a tendency to underestimate the importance of passwords and will often select weak passwords. Your password is much like the deadbolt used to secure your home. That security feature is something you need to use in order to keep criminals out of your house. Your password is the deadbolt to your online accounts. You should select a long and complex password for your online accounts, and each account should have a unique password. Don’t use weak passwords or the same password on two or more accounts. A strong password is one that is really hard for someone to guess and is at least 10 characters long, with lots of numbers, letters, and symbols.
  • Use a Password Manager – A password manager is a program that saves all your passwords in one place, and those passwords are secured with encryption. You can access them with one long password. This makes it easy to create very long, complex passwords for every online account, and you don’t have to worry about remembering them or writing them down. For people who are technology averse, a password book from the local bookstore where they jot down their passwords is an option. While not as easy as a manager on your device, it may be a suitable alternative for some people.
  • Set up Multi-factor Authentication (MFA) – If someone can guess your password, nothing keeps them from logging into your account as you, but simply setting up MFA makes that type of attack really hard. When possible, enable MFA on all your online accounts. It is a simple way to prevent unauthorized access to your accounts. MFA is usually a message or code copied from your cellphone that serves as a second method of authenticating you to a website. It sounds much harder to use than it really is, and it can save your private data from being stolen.
  • Apply Updates – When a vendor is notified that there is a security issue with their software, they will usually issue a patch within a few weeks to block those types of future attacks. You should frequently check for patches for your devices and apply them as soon as you can because this will help keep the bad guys out of your laptop, tablet, or cellphone.
  • Use Anti-Virus Software – You can do everything correctly and you still might get malware onto your laptop. A good anti-virus program can be your last line of defense to block the execution of the malware and save your data. While not 100% effective, it is a layer of defense that can save you at the very last second when you really need help.
  • Avoid Debit Cards for Online Payments – When paying online, avoid using a debit card. If the debit card number is stolen, a fraudulent charge can empty your checking account, causing other payments to fail. Yes, you can work with your bank to have the fraudulent charges reversed, but this can take several days. During this time, you may not have access to other sources of cash, leading to major headaches.
  • Social Media is Dangerous – Reading and posting on social media sites can be educational and informative. It can also be very dangerous. People often aren’t who they say they are, and they will attempt to commit fraud. They will lie to you to steal your money, identity, or personal data. Limit what you say on social media. Avoid sharing personal details, like your home or work address, birthdays, information about your children, sensitive photographs, or images of identifying documents like airline tickets or driver’s licenses. Even a picture of your house key can invite an unwanted visitor to your home.
  • Backup Your Data – If it is important to you, you should have a copy of the data somewhere safe. All those pictures on your cellphone could be deleted by malware in seconds. Tax documents could be encrypted and you might have to pay thousands to get them back. By making a copy of the data, usually by copying the data to the cloud, you can avoid those concerns and feel safer in the process.

Just having a brief conversation about these topics with someone you care about can help them avoid a major issue down the road. Wouldn’t you rather answer a few questions about how to avoid phishing emails than a few questions about how to get their deleted files back?

How to disable macros in Microsoft Office

Not everyone has the level of technical expertise to understand why macros are dangerous, or how to disable them. Macros are a really powerful feature in Microsoft Office, allowing you to do many difficult things with the click of a button. These complicated tasks might be formatting a spreadsheet, inserting a standard block of text in Word documents, etc. The problem is malicious code, like a macro virus, can automatically be executed as a standard macro when the user opens a document from an untrusted source.

The creators of these malicious code segments attempt to prevent users from catching on by disguising their malicious document (usually sent as an email attachment) as something seemingly routine. Malware campaigns such as PowerSniff are actively infecting user computers right now, and similar examples have been around in one form or another for many years.

There are three things that will prevent about 90% of all infection attempts:

  • Disable macros in Microsoft Office. This is fairly easy for even non-technical users to accomplish.
  • Never open an attachment from an untrusted source.
  • Run anti-virus and anti-malware software on your computer.

These three simple things will prevent almost 90% of infection attempts, and they are easy and inexpensive solutions to a growing problem.

Disabling Macros in Microsoft Office

  1. Click File > Options.
  2. Click Trust Center, and then click Trust Center Settings.
  3. In the Trust Center, click Macro Settings, where you can now make the change you want, and save them by clicking OK.

Enterprise Efforts

As a technical person, there are several things you can do at your company to help prevent a successful malware attack. These steps will get you closer to stopping about 100% of attack efforts.

  • Security Training – Make sure you create a policy that outlines user responsibilities for cybersecurity. This includes being aware of potential cyber threats, not opening attachments from untrusted sources, selecting strong passwords, etc. It should also cover the potential risks of opening macro-enabled Office documents.
  • Anti-Malware and Anti-Virus – While software will never be 100% effective in detecting and blocking infections, it can be more effective than nothing.
  • Anti-Spam – Build rules in your spam tool to automatically restrict email attachments with a .zip or other file extensions used for compressing files.
  • Default Microsoft Office Security – Use the default setting of “High” for Macro security on all Microsoft Office applications.
  • PowerShell – Publish a Group Policy Object that restricts the use of PowerShell for most users. Allow PowerShell for specific power users on a case-by-case basis.
  • Monitor Activity – Look for unexpected pings from internal computers and keep an eye on unusual network activity. Only by understanding normal network activity can you detect and stop unusual activity.
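The macro settings from the Trust Center steps above and the “Default Microsoft Office Security” item can be applied and audited from PowerShell instead of clicking through each application. This is an added example, not code from the original post; it assumes Office 2016/2019/Microsoft 365 (registry version `16.0`) and that it runs under the user profile being configured.

```powershell
# Added example (not from the original post): set and audit Office macro
# security through the registry keys the Trust Center writes.
# Assumption: Office 2016/2019/Microsoft 365 uses the "16.0" registry path;
# Office 2013 uses 15.0 and Office 2010 uses 14.0.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values match the Trust Center "Macro Settings" radio buttons:
#   1 = Enable all macros (dangerous)
#   2 = Disable all macros with notification (default; user can still click "Enable Content")
#   3 = Disable all macros except digitally signed macros
#   4 = Disable all macros without notification (for users who never need macros)
$DesiredVbaWarnings = 4

function Set-OfficeMacroSecurity {
    param([string]$Version, [string[]]$Applications, [int]$VbaWarnings)
    foreach ($app in $Applications) {
        # The Trust Center UI writes the first key; the Policies\ key is what a
        # Group Policy Object sets and it takes precedence when present.
        $userKey   = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"
        $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        foreach ($key in $userKey, $policyKey) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings `
                -PropertyType DWord -Force | Out-Null
            # Block macros in files carrying the Mark-of-the-Web (downloads and
            # e-mail attachments) regardless of the VBAWarnings level.
            New-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-OfficeMacroSecurity {
    param([string]$Version, [string[]]$Applications)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$Version\$app\Security"
        $vba = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
        $mow = (Get-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' `
                    -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = if ($null -eq $vba) { 'not set (defaults to 2)' } else { $vba }
            BlockInternetMacros = ($mow -eq 1)
            # Compliant means unsigned macros cannot run and downloaded macros are blocked.
            Compliant           = ($vba -ge 3 -and $mow -eq 1)
        }
    }
}

Set-OfficeMacroSecurity -Version $OfficeVersion -Applications $Apps -VbaWarnings $DesiredVbaWarnings
Get-OfficeMacroSecurity -Version $OfficeVersion -Applications $Apps | Format-Table -AutoSize
```

Run the `Get-OfficeMacroSecurity` half on its own to audit a machine without changing it.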

Windows 11 Alpha-Themed Malware Attacks

With the newest version of Windows, named Windows 11, just a few months away, criminals have started distributing malware with content targeting a user’s interest in the newest version of Microsoft’s desktop operating system.

Using the same tactics that always work (asking users to perform tasks they should know are dangerous), these criminals are attempting to get users interested in Windows 11 to willingly disable security features on their current computer to view what they assume is Windows 11 themed content.

Security researchers at Anomali, who observed a recent malware campaign from the group that used six different Word documents in an attempt to attack employees at a point-of-sale provider called Clearmind, say the cyber criminals attempted to get users to disable their workstation security so they could view content supposedly related to Windows 11.

The attack was attributed to FIN7, an Eastern European threat group, that primarily targets US-based companies that operate on a global scale. Anomali says the infection chain began with a Microsoft Word document (.doc) containing a decoy image claiming to have been made with Windows 11 Alpha. The image asks the user to Enable Editing and Enable Content to begin the next stage of malicious activity.

It’s interesting how the VBA code is stored to make analysis difficult, but it attempts to drop a JavaScript backdoor that appears to have similar functionality to other backdoors reportedly used by FIN7. Notably, if the script finds Eastern European languages in use (Russian, Ukrainian, etc.) or a virtual machine currently running, it doesn’t drop its payload and immediately stops executing.

While it might be mildly interesting that they used Windows 11 as a hook to grab the user’s attention, it is still the same basic methods that are used every day to convince users to do something (disable security or violate procedures) to allow the attacker into the user’s workstation. Users have to be educated on what not to do, and the basic security controls have to be in place, to help block this type of attack from being successful.


Responding to Ransomware Attacks

In the event that your personal computer or even the computers on your corporate network fall victim to a successful ransomware attack, an effective response plan can determine the difference between disaster and successful recovery. If you are impacted by a company-wide malware infection that takes down multiple endpoints, it could mean a permanent business closure if you are unable to recover critical data.

We will discuss how you might respond in the beginning of an attack to help remediate any issues before you make some wrong decisions.

How to respond to a ransomware attack

If preventative measures have failed, such as hardening your systems against Mimikatz attacks (links here and here), making users more cybersecurity aware with Security Awareness Training tips, and all the Windows 10 hardening tips, then your organization should take the following actions immediately after identifying a successful ransomware infection.

If you have an Incident Recovery Plan, execute the notification process and get all the teams required started communicating and remediating the systems impacted by the attack.

1. Quarantine Infected Systems

The majority of ransomware attacks will include a function to scan the target network, identifying other systems on the same network that can also be targeted, and then encrypting all the files stored on network shares or other computers as the attacker moves laterally across the network. To help contain the infection and prevent the ransomware from spreading to other systems, the infected systems must be removed from the network as soon as possible. This will significantly slow the spread and buy you time for analysis and troubleshooting before everything is rendered useless.

Note: This includes blocking them from wired and wireless network access.

This will also help prevent infected systems from accessing resources like internal email, backup systems, employee record systems, critical databases, etc.

2. Block Internet Access

Every system on the network may already have the malware copied to it; it just might not have started the encryption process yet because it hasn’t been able to reach the command and control server on the internet. Disconnect all systems from the internet. Those that are still working will not start encrypting their drives, and those already encrypting have lost their ability to communicate with the clean systems thanks to the step above.

Note: This includes blocking internet access from wired and wireless networks.

Now you have known bad systems (they are actively encrypting the user files or have already encrypted all the user files) isolated from the network (can’t see other systems on your network) and blocked from the internet (can’t see other systems on the internet). You also have suspected good systems that are blocked from accessing the internet and are disconnected from the bad systems. You can now verify that those clean-looking systems are definitely clean and return them to normal once you are sure they are not infected. More about that in Step 5 below.

3. Identify Ransomware

Identify the “brand” of ransomware that has infected your systems. While this might seem strange, there are many types of ransomware from many different malware groups. Knowing which one has infected your systems could help you better identify the methods used in the attack, how to stop the spread, and how you might be able to get your data back without paying a ransom.

There have been instances of law enforcement agencies shutting down a ransomware author’s “business” and releasing the decryption keys. Also, groups behind older ransomware that are no longer actively infecting new systems have sometimes released their decryption keys.

You can visit a website like this to help identify which malware has infected your systems so you can get help stopping, removing, and decrypting your locked files. To get a better understanding of the volume of internet threats that exist today, a visual threat map can be helpful. This threat map from Fortinet helps visualize the threats in a more “real-time” visual presentation.

4. Disable Scheduled Tasks

You should immediately disable any automated or system-scheduled maintenance tasks such as user or system clean-up routines, log deletion tasks, deletion of old backup files, etc. These automated tasks can remove files you might wish you had later or that your forensic team might need, and they might perform an action that prevents a successful remediation of the ransomware attack.

5. Remove Ransomware from Infected Systems

You can use available antivirus tools to identify and successfully remove the ransomware from your computer. If you are already using anti-virus and it didn’t stop the infection, this is probably a good time to investigate your current configuration issues or get a better solution. Once you have scanned and cleaned the system, it is ready to restore your files.

Once you find the right software to scan for and detect the malware, run the scanner on all your systems, not just the infected systems. You might think you know which systems are infected, but the scanner can help you determine which systems are actually infected. You want to do the clean-up and remediation just one time, so do it right the first time.

6. Don’t Pay the Ransom

Note: Only restore your files to systems that you know are clean.

I realize you may not have an option if your critical business files are encrypted, you don’t have good backups you can recover, and you can’t find a free decryption tool. If backups are unavailable or damaged and there is no free decryption tool available, you will be tempted to pay the ransom and recover your files. Just remember you may pay the ransom and still not get your files back. These people are criminals looking for easy money; they are not in the business of being your friend.

While paying the ransom may seem like an easy answer, only consider paying the ransom if all other options have been exhausted and the loss of data will likely result in your company going out of business. Paying the ransom might also get you into trouble with the law, so be very careful and consult an attorney.

7. Restore Your Backups

Note: Only restore your files to systems that you know are clean.

Hopefully you were able to jump right past Step 6 (Don’t Pay the Ransom) because you know not to pay a ransom to a criminal because it only encourages them and finances their next attack. You don’t need to pay the ransom because you either don’t need the files that were encrypted, you were able to find a free decryption tool, or you had good backups ready for you to use.

Restoring backups can take a long time, be difficult to perform, and you still might lose some data. If you have been verifying your backups, practicing the restore process at least once a year, and have a well-documented process, the effort will be less likely to fail.

If your user files are also backed up to the cloud using a tool like OneDrive, this might also be useful and a quick way to restore a user’s personal files including documents, music, and pictures.

8. Restore Network

Now that you know which systems are clean, the cleaned machines can have access to the internet and other network resources. The infected machines can be cleaned one at a time, files can be restored, and then the systems can be returned to the proper network.

Don’t forget to restore internet access for the clean systems. Once you have verified your backup files won’t be overwritten, the log files are intact, and the files required by the audit and forensics teams are saved, you can re-enable scheduled tasks that you have reviewed and know are safe to enable.

9. Change Passwords

Now that you know someone has had access to your systems, you can’t be sure they did not steal your user and system passwords. Have all users reset their passwords. Reset the passwords for all service accounts, accounts used to run scheduled tasks, the KRBTGT account (used by Active Directory), and any enabled accounts used by your systems. Make sure all administrator-level users also change their passwords. Do a full inventory of accounts, looking at the last time the password was changed, and either change the password or disable the account.
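The account inventory this step calls for can be produced from Active Directory with the RSAT `ActiveDirectory` module. This is an added example, not code from the original post; it assumes the module is installed, the caller can read user objects, and a 90-day password age is the review threshold (adjust to your policy).

```powershell
# Added example (not from the original post): inventory Active Directory
# accounts by password age to support the "Change Passwords" step.
# Assumptions: RSAT ActiveDirectory module present; run from a machine you
# have already verified as clean; 90 days is the chosen review cutoff.
Import-Module ActiveDirectory

function Get-PasswordAgeInventory {
    param(
        # Enabled accounts whose password was last set before this date are flagged.
        [datetime]$Cutoff = (Get-Date).AddDays(-90)
    )
    $props = 'PasswordLastSet', 'Enabled', 'LastLogonDate', 'ServicePrincipalName', 'AdminCount'
    Get-ADUser -Filter * -Properties $props | ForEach-Object {
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            Enabled          = $_.Enabled
            PasswordLastSet  = $_.PasswordLastSet
            LastLogonDate    = $_.LastLogonDate
            # An SPN usually means a service account: rotate its password wherever
            # the service is configured (scheduled tasks, service control manager), not only in AD.
            IsServiceAccount = ($_.ServicePrincipalName.Count -gt 0)
            # AdminCount = 1 marks accounts that are (or once were) in protected admin groups.
            IsPrivileged     = ($_.AdminCount -eq 1)
            # Never-set passwords show as $null and are flagged too.
            NeedsAction      = ($_.Enabled -and ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff))
        }
    }
}

$inventory = Get-PasswordAgeInventory

# Stale, enabled accounts first; privileged and service accounts called out so
# they are rotated deliberately rather than by a blanket "reset at next logon".
$inventory | Where-Object NeedsAction |
    Sort-Object IsPrivileged, IsServiceAccount -Descending |
    Format-Table SamAccountName, IsPrivileged, IsServiceAccount, PasswordLastSet, LastLogonDate -AutoSize

# Keep the full list for the incident record before any passwords are changed.
$inventory | Export-Csv -Path "$env:USERPROFILE\password-inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# The KRBTGT account is reset by an administrator, not the user. Reset it twice,
# letting replication complete between the two resets: the previous key stays
# valid until the second reset, so a single reset leaves old Kerberos tickets usable.
Get-ADUser krbtgt -Properties PasswordLastSet | Select-Object SamAccountName, PasswordLastSet
```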

10. Investigate Intrusion

Things are now back to normal. Users are back onto their computers, the files are all back where they should be, and users are back to work and not on the telephone with you. That doesn’t mean you are done.

You have to look at what happened so you can make sure it doesn’t happen again.

  • How was the ransomware able to get past your computer controls and be easily installed onto a user’s computer without being detected? Was it a user bypassing a control (authorized or unauthorized), or did the ransomware just not get stopped by any existing security control?
  • Are there changes required to your anti-virus software to make it a stronger defense against ransomware? Is it time to remove the existing solution and replace it with something more powerful or can you just change the configuration of the solution you already own to make it work better?
  • Do you need to make changes to the hardening of your Windows 10 devices to make it harder to bypass your security controls and encrypt the users’ files?
  • Do you need to alter or improve your corporate firewall controls? What about the security of your remote users and the way they connect to the Virtual Private Network (VPN)?
  • Do you need to make changes to your network to make it harder for software running on the user’s computer to get access to systems like Domain Controllers, Database Servers, File Servers, Web Servers, etc.?
  • Do you need to change the way you perform (or don’t perform) backups of user and system files? How about changes to the way you restore files? Do you have adequate documentation of the procedures used for backing up and restoring files?
  • Do user accounts have the correct level of authorization? Maybe now is a good time to remove elevated permissions from normal users, limit who has elevated permissions, and lock down the use of all admin-level accounts?

Summary

If you need help, now is the time to really get some help figuring out the changes that can help prevent a repeat of the security event. A ransomware incident can stop a company from normal business for days, weeks, or forever. It can chase away customers, compromise business critical data, and cost you a lot of money to remediate.

Looking at the steps required now can help you practice and plan for a future incident. Careful planning, remediation of security gaps, and technical training can help prevent a successful ransomware attack, shorten the remediation timeline, and help promote confidence in your Information Technology team.

Cybersecurity Awareness Training

Every organization should have an employee cybersecurity awareness training program to help educate all employees about their responsibilities in keeping corporate assets secure, how to secure their computer systems, and help them develop a basic understanding of how to secure their internet accounts from compromise.

Most cyberattacks are coming from hackers, organized crime, and state sponsored attackers in the form of phishing emails, compromised attachments, and malicious links. Users have to be trained on their role in securing the environment. Users must be given the training and awareness to identify threats and avoid making a poor decision or a simple mistake that could cost the business millions of dollars in lost revenue or ransomware payments.

The basis of user cybersecurity awareness training is specific coursework, usually video-based, that helps all employees understand the general threats in today’s internet-based workforce, how they fit into that threat landscape, how they become a target for hackers, and what they can do to keep their corporate assets secure from attack. This type of information is usually easily transferable to the employee’s personal life. Your personal Twitter or Facebook account isn’t a corporate asset, but the techniques and methods in the training can usually be applied to those online accounts to make them more secure as well.

Continue reading “Cybersecurity Awareness Training”

How to Avoid Ransomware

Ransomware is malware installed on your machine intended to deny access to your critical files. Once you can’t access your documents, pictures, and music, the attacker offers to release the files back to you for a fee. Sometimes the fee might be several hundred dollars, but for businesses the fee might be in the millions.

The attacker uses fairly standard attack methods to install software on your computer that scans your system for specific file types, then encrypts the files using a method that is usually not recoverable. Then the malware presents you with a key value to redeem for a decryption key. If you present your key and the appropriate fee, the cyber criminals provide you with a decryption key that makes your files available again. Usually. Sometimes you pay and they don’t respond, or the key that is provided doesn’t work correctly.

There are some specific things you can do to make a successful attack on your computer much less likely, as well as ways to reduce the impact so you might not have to pay the ransom. Some of these are easy for a non-technical user to tackle, but others are better suited for technical personnel at a business or government agency.

Inexpensive Ways to Reduce Ransomware Attack Success

  • Backup Your Important Data – If you have a backup of your data that hasn’t been encrypted, you probably won’t have to pay the attacker a fee. Depending on how often your data changes, you might be able to perform a weekly backup (there is a utility built into Windows 10, or you can buy a program that backs up either to an external hard drive or the cloud). Keep backups separate from your computer so that a successful attack won’t have access to the backup files. If your files get encrypted, you can safely reload Windows 10 onto your computer and copy your files from the backup to the clean laptop.
  • Enable Microsoft Defender – Microsoft Defender is included with Windows 10. It has some powerful features to protect your computer from malicious attacks, but only if they are enabled and properly configured. Enable controlled folder access to prevent unauthorized applications from modifying protected files, turn on cloud-delivered protection and automatic sample submission for better protection, and enable tamper protection to prevent the protection from being disabled when you need it the most. You should also enable the attack surface reduction rules in Defender, including rules that block ransomware activity and other activities associated with an attack.
  • Protect Systems – Don’t have anything directly on the internet that isn’t correctly hardened and patched to prevent an easy attack surface. If you don’t know how to properly configure a server or other infrastructure item, don’t guess because the hackers know what they are looking for when they stage an attack.
  • Use MFA – Enable Multi-Factor Authentication (MFA) when possible. Many online sites now allow you to enable this extra protection that requires you to know your standard account password as well as have possession of a specific device to successfully log into their systems. This can be really handy to prevent someone guessing your password and accessing your Facebook, Twitter, or O365 account from anywhere in the world.
  • Education – Educate yourself on how to detect and avoid phishing emails and potentially malicious websites.
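As an added example (not code from the original post), the following PowerShell script audits and then applies the Defender settings listed above using the Defender cmdlets built into Windows 10. It assumes Microsoft Defender Antivirus is the active antivirus and that it is run from an elevated prompt. The attack surface reduction rule GUID is the one Microsoft publishes for “Use advanced protection against ransomware”; verify it against current Microsoft documentation before relying on it. Tamper protection cannot be turned on with Set-MpPreference, so that one setting still has to be enabled in the Windows Security app under Virus & threat protection settings.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Audits and hardens Microsoft Defender
# on Windows 10 using the built-in Defender cmdlets (Get-/Set-/Add-MpPreference).

# ASR rule "Use advanced protection against ransomware" (GUID as published by
# Microsoft; verify against current documentation before relying on it).
$RansomwareAsrRule = 'c1db55ab-c21a-4637-bb3f-a12568109d35'

function Get-DefenderHardeningState {
    # Returns the current values of the settings discussed above, using the
    # numeric codes that Get-MpPreference reports.
    $p = Get-MpPreference
    [pscustomobject]@{
        ControlledFolderAccess = $p.EnableControlledFolderAccess   # 0 Disabled, 1 Enabled, 2 AuditMode
        CloudProtection        = $p.MAPSReporting                  # 0 Disabled, 1 Basic, 2 Advanced
        SampleSubmission       = $p.SubmitSamplesConsent           # 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples
        RansomwareAsrEnabled   = [bool]($p.AttackSurfaceReductionRules_Ids -contains $RansomwareAsrRule)
    }
}

function Enable-DefenderHardening {
    param(
        # Start in audit mode to see which applications would be blocked from
        # writing to protected folders before enforcing the setting.
        [switch]$AuditOnly
    )
    $mode = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }

    Set-MpPreference -EnableControlledFolderAccess $mode
    Set-MpPreference -MAPSReporting Advanced              # cloud-delivered protection
    Set-MpPreference -SubmitSamplesConsent SendAllSamples # automatic sample submission

    # Add-MpPreference appends to the existing ASR rule list instead of replacing it.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RansomwareAsrRule `
                     -AttackSurfaceReductionRules_Actions $mode
}

'Before:'; Get-DefenderHardeningState | Format-List
Enable-DefenderHardening -AuditOnly
'After (audit mode):'; Get-DefenderHardeningState | Format-List
```

Run it once with -AuditOnly, review the Defender events that controlled folder access and the ASR rule generate over a few days, then run Enable-DefenderHardening without the switch to enforce. Tamper protection, once enabled in the Windows Security app, will block later attempts to weaken these same settings, including attempts made through Set-MpPreference.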

Continue reading “How to Avoid Ransomware”

What is Cybersecurity?

Cybersecurity is the process of protecting networks, systems, data, and programs from digital attacks. Cyberattacks are usually organized and planned attacks intended to gain unauthorized access to business or personal computer systems in order to change, steal, or destroy sensitive information. This activity can lead to unplanned business interruptions or subject the victims to extortion in order to get continued access to their data or to prevent the release of sensitive data to the internet.

Understanding Cybersecurity

Cyberattacks are often launched by people employed by organized crime or malicious state actors, who constantly move from one technique to the next as older techniques become less effective and newly discovered vulnerabilities are weaponized.

You don’t have to be a cybersecurity expert to understand the risk and learn how to provide some basic protection for your systems and critical data. This article is intended to provide some basic guidance and to send you in the correct direction to become more effective in protecting your personal or business data.

Continue reading “What is Cybersecurity?”

Securing Windows 10

A Windows 10 laptop right out of the box is not a truly secure laptop. Building a secure laptop using Windows 10 will take a little work. Microsoft has done a good job balancing usability and security, making sure the device is mostly compatible with what an average person wants to do without security getting in the way.

If you want a secure laptop there are some tweaks you need to make to get your laptop to the next level of security. Some are done by default, but you should make sure you have the settings correct, and some are off by default so you’ll need to configure the settings and turn them on.

I’ll go through some of the settings to show you how you can go from default settings to secure, but you have to understand there are always more things you can do to make your Windows 10 device even more secure. Continue reading “Securing Windows 10”

Understanding the NIST Cybersecurity Framework

Summary

The Cybersecurity Framework Set was an optional standard created by the National Institute of Standards and Technology under the United States Commerce Department. This set of guidelines for private sector companies is intended to help them be better prepared in identifying, detecting, and responding to cyber-attacks. It also includes some guidelines on how to prevent and recover from a cyberattack.

The NIST Cybersecurity Framework is intended to address the lack of standards when it comes to cybersecurity. As with almost everything else that deals with technology, there are currently major differences in the way companies are using technology to detect and remediate attacks from hackers, malicious users, and ransomware.

With the complexity and frequency of cyberattacks growing each day, the task of detecting and preventing cyberattacks has gotten too difficult and complex to be left to chance, and the lack of a strategy among most organizations only makes this effort more difficult.

Continue reading “Understanding the NIST Cybersecurity Framework”

10 Steps to Stopping Lateral Movement Attacks

It is estimated that over 75% of cyber attacks come from outside your network. While every attack is unique and tactics may vary, the basic stages of an outsider attack are similar. During the attack, an attacker uses four basic steps to gain a foothold in your environment.

  1. Attack the perimeter – Gain access through any perimeter protections to gain access to the internal resources of the network, like a user’s computer or a server-based resource on the internal network. This can be accomplished using a known vulnerability, or by convincing the user to run a program from an email link or attached file.
  2. Malware Drop – Once they have access to an internal resource, they drop malware onto the endpoint and begin communications with the compromised device, usually through a command and control system. Using the permissions of the current user, they gather intelligence about the network and attempt to elevate their permissions on that endpoint.
  3. Lateral Movement – They now start looking for resources on other systems on the same internal network. As new systems are discovered, they are also compromised and start communicating with the attacker’s command and control system. They gather more intelligence and try to elevate their permissions on all compromised systems.
  4. Trigger Payload – Once your network and systems are owned by the attacker, they start exfiltrating and/or encrypting the files on the compromised internal resources. Game Over.

There are some common mitigation strategies your organization can implement to help prevent lateral movement (step 3 shown above) during an attack. You won’t always detect the initial compromise of an internal resource, but you can limit the damage that can be inflicted by implementing some basic security steps.

Here are 10 steps to reducing the impact of a lateral movement attack:

  1. Malware and Virus Detection – Install and properly configure an anti-malware and anti-virus solution on every endpoint. This offers, as a minimum, basic protection from known malware signatures, and probably offers advanced heuristic protection algorithms that detect behavior indicating malicious activity, even on zero-day attack attempts. The Microsoft Defender endpoint protection features in Windows 10 are a good example of this type of software that is highly rated and very effective.
  2. Standard User Accounts – Since users are usually the ones that allow the initial compromise through drive-by downloads or clicking on a phishing email, you must limit the power of the malware by limiting the power of the user. Require all users to log in with a standard user account and don’t make them a local administrator on any computer. Even administrators should log into their computer with a standard account as a normal practice. They should only log into systems with administrative rights when they need to actually perform administrative tasks.
  3. Enforce Least Privilege – Only allow users access to systems if they have a business need for that resource. Only allow the minimum privileges that let the user do exactly what they need to do, nothing more. This helps prevent malware from using the user’s permissions to gain unauthorized access to sensitive data.
  4. Multifactor Authentication – Implement multi-factor authentication for access to internal and external systems, all applications, and even social media. This basically requires the user to approve access through a mobile application or SMS message before their computer password is accepted. This means that even if a user’s password is stolen or guessed by an attacker, they can’t access the resource without the user’s cellphone.
  5. Conditional Access Controls – Restricting access based on static elements like location, operating system, or even time of day is a basic control that limits account login, even with approved credentials, to enforce compliance dynamically. Microsoft O365 and Azure offer a wide range of conditional access features based on location, operating system, user risk, etc. to add security options for greater account protection.
  6. Strong Password Management – Require strong passwords that are different for every account. Never allow users to reuse passwords, and encourage users to use password managers so they have strong password hygiene. Block common unsafe passwords (i.e. password1, qwerty123, etc.) and configure systems to log password failure attempts. Configure systems and devices to change or eliminate default passwords, and require every system to have unique passwords across all privileged accounts. Never store passwords inside a script. Implement SSH key management tools.
  7. Patch Management – Configure systems and devices to automatically download and install vendor patches as soon as they become available. If the system needs to be tested before any patch is applied, do the testing as soon as possible, with a target of installing all vendor patches within 30 days. Fewer vulnerabilities mean it is harder for an attacker to get into a system through a software security weakness.
  8. Network Segmentation – Group assets (users, application servers, etc.) into logical units that do not trust each other. Segmenting your network reduces the “line of sight” access attackers must have into your internal systems. For access that needs to cross trust zones, require a secured jump server with multi-factor authentication, adaptive access authorization, and session monitoring. If malware can’t access systems, it severely limits an attacker’s ability to jump from one system to the next. Where possible, go beyond standard network segmentation to segment based on the context of the user, role, application and data being requested.
  9. Implement Threat Behavior Monitoring – Implement basic security event monitoring and log events that will help you later understand what systems were compromised. Using advanced threat detection (including user behavior monitoring) you can quickly detect compromised account activity as well as symptoms of insider privilege misuse.
  10. Application Whitelisting – If possible, implement policies that only allow known good applications to execute while you block and log all other application launch attempts. Windows 10 allows you to implement this functionality using AppLocker. As a minimum you can pre-install the software required by a user and block them from installing any new software.
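As an added example (not code from the original post), the following PowerShell script checks two of the steps above on a single Windows 10 host: step 2, by listing who actually holds local administrator rights, and step 6, by summarising the failed logon attempts that the Security log records once failure auditing is enabled. It assumes an elevated prompt (reading the Security log requires one) and the Microsoft.PowerShell.LocalAccounts module that ships with Windows 10; the threshold of five failures is an arbitrary starting point.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Audits local administrator
# membership (step 2) and repeated logon failures (step 6) on a Windows 10 host.
# Logon failure auditing must be on for event 4625 to be written; if it is not,
# enable it first with:  auditpol /set /subcategory:"Logon" /failure:enable

function Get-LocalAdminMembers {
    # Anything here other than the built-in Administrator and your designated
    # admin accounts (or groups) is a finding to investigate.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Threshold = 5)
    # Event 4625 = "An account failed to log on". The event XML is parsed by field
    # name rather than by positional Properties index, which differs between IDs.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Account   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Source    = ($data | Where-Object Name -eq 'IpAddress').'#text'
            LogonType = ($data | Where-Object Name -eq 'LogonType').'#text'   # 3 = network, 10 = RDP
        }
    } |
        Group-Object Account, Source |
        Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

'Local Administrators group members:'
Get-LocalAdminMembers | Format-Table -AutoSize

'Account/source pairs with 5 or more failed logons in the last 24 hours:'
Get-FailedLogonSummary -Hours 24 -Threshold 5 | Format-Table -AutoSize
```

A burst of 4625 events for many different accounts from one source address is the classic password spraying pattern, while many failures for one account from one workstation usually turns out to be a stale saved credential; both are worth a look, and the second one is exactly the “outdated credentials” problem raised further down this page.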

While backups will not help prevent a successful lateral movement attack, if your files are compromised by an attack your only remediation may be to restore/replace the missing or encrypted files from a recent backup. Don’t forget to include offline backups in your security efforts as a safety net when all preventative measures fail.

While none of these steps will prevent a successful attack on their own, a combination of tactics can truly limit the ability of a successful attack to do severe damage to your business. By limiting the scope of an attack you can reduce the cost of recovery, limit the scope/quantity of lost or damaged files, prevent a compromise of critical business intelligence, and build confidence in your ability to protect critical business assets.

Understanding Internet Threat Maps

You usually see threat attack maps as background images on wall mounted televisions behind a talking head giving an interview to explain the internet is a dangerous place. Some people don’t take these types of displays seriously, usually because people don’t understand their limitations or because people put too much stock in what the simple display is attempting to visualize.

While threat maps can be entertaining, as with all information generated for non-technical people, the data is often too complex to be complete on one display. While a threat map is mostly eye candy with limited context and almost no usable intelligence, there are some very creative ways they can be used to great effect.

One interesting way to use an animated threat map is in your SOC (Security Operations Center) to provide some context to the global image of constant attacks and how the SOC is tasked with preventing a successful attack in your business. Many non-technical people don’t understand the volume and intensity of attacks, and this will help them understand the size of the cyber-security problem facing your business today.

Continue reading “Understanding Internet Threat Maps”

5 Steps to Prevent Ransomware

In recent years a new term has entered the vocabulary of cybersecurity experts: Ransomware. Wikipedia says: “Ransomware is computer malware that installs covertly on a victim’s computer, executes a cryptovirology attack that adversely affects it, and demands a ransom payment to restore it.” This basically means a computer system is attacked, the user files are encrypted, and the user must pay a fee to regain access to their critical files. While there is a long history of minor attempts by hackers to create this type of malware, the most well known version of this type of malware is known as “Cryptolocker”, which was released in late 2013.

Most ransomware attacks were opportunistic and targeted at individual computers, but recently there has been a change in the threat landscape to target entire organizations. The ransom demands have also transitioned from the equivalent of a few hundred dollars for an individual to millions of dollars for an entire organization.

The impact of a successful ransomware attack is more extensive than just the cost of the ransom. Your organization can suffer the impact of lost productivity, inconvenience to your customers, decreased sales, and even the permanent loss of essential data.

Tips on preventing this type of infection in your organization:

Continue reading “5 Steps to Prevent Ransomware”

May PowerShell: Remove PowerShell V.2

Note: For the month of May 2019, I’m focusing on PowerShell information that could help you better utilize this powerful scripting tool in your environment.

Microsoft recommends you no longer use PowerShell V.2 for security reasons, but it is probably installed on your computers.

Microsoft has recently added powerful new security features to PowerShell. Those features do not apply to the older versions of PowerShell, which makes a PowerShell v.2 engine that is still installed an attractive target for malicious attackers and a risk to your computers. The older version of PowerShell does not have native logging capabilities, so its use goes undetected and offers stealth for malicious operations; for that reason it is often used for lateral movement and persistence techniques.

For these reasons Microsoft decided that PowerShell v.2 is deprecated in the more recent versions of Windows, so it is also highly recommended to check for and remove PowerShell v.2 from your environment.

You can check whether Windows PowerShell 2.0 is installed by running the following (as an administrator). Continue reading “May PowerShell: Remove PowerShell V.2”
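As an added example (not the command from the original post, which is behind the link above), the following PowerShell script performs the check and the removal using the optional-feature cmdlets built into Windows 10, and also looks back through the Windows PowerShell event log for any engine starts that used version 2.0. It assumes an elevated prompt; the feature names are the ones Windows 10 uses for the optional feature, and the 30-day look-back is an arbitrary choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Checks whether the Windows
# PowerShell 2.0 engine is still installed, removes it, and looks for evidence
# that anything has been starting the old engine.

function Get-PowerShellV2State {
    # Both the root feature and the engine feature should show State = Disabled.
    Get-WindowsOptionalFeature -Online |
        Where-Object FeatureName -like 'MicrosoftWindowsPowerShellV2*' |
        Select-Object FeatureName, State
}

function Remove-PowerShellV2 {
    # Disabling the root feature removes the v2 engine; a reboot is not normally required.
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart
}

function Get-PowerShellV2Starts {
    param([int]$Days = 30)
    # Event 400 in the "Windows PowerShell" log is written each time an engine
    # starts and its message records EngineVersion and HostName. Entries showing
    # EngineVersion=2.0 mean something launched the old engine (for example with
    # "powershell -Version 2"), which bypasses script block logging and AMSI and
    # therefore deserves investigation.
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        Select-Object TimeCreated,
                      @{ n = 'HostName'; e = { if ($_.Message -match 'HostName=([^\r\n]+)') { $Matches[1] } } }
}

'Optional feature state:'
Get-PowerShellV2State | Format-Table -AutoSize

'Engine 2.0 starts in the last 30 days:'
Get-PowerShellV2Starts -Days 30 | Format-Table -AutoSize

# Remove-PowerShellV2   # uncomment once you have confirmed nothing legitimate still depends on v2
```

Check the engine-start events before removing the feature: if a legacy script or scheduled task is still running under v2, it will stop working after removal, and it is better to find and fix that dependency deliberately than to discover it later. Note that v2 also needs .NET Framework 3.5 to run, so a host without that feature cannot actually execute v2 even if the optional feature is still present.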

What Is Cybersecurity?

Cybersecurity is the professional practice of actively protecting computer systems, networks, and programs from digital attacks. These remote cyberattacks are usually intended to allow unauthorized people or systems to access, change, or destroy sensitive information; allow for the extortion of money from users; or briefly interrupt normal business operations.

Protecting computer systems by implementing effective cybersecurity measures is particularly difficult in today’s environment because of the sheer number of endpoints that must be protected. Techniques and tools used by modern attackers are becoming more difficult to detect and prevent, which means attacks have a greater chance of success.

With the connected nature of systems in the world today, everyone benefits from an advanced cybersecurity environment. For a person using a computer from home, a cybersecurity attack can result in a range of events including identity theft, extortion, bank fraud, and loss of important data. Attacks on critical infrastructure like power systems, police, hospitals, and banking services can compromise systems essential to keeping people alive.

Continue reading “What Is Cybersecurity?”

Ransomware Lessons

Ransomware is malicious software that attacks a computer or your entire network to force you to pay a fee (ransom) to regain access to your systems. If the fee is not paid within a set timeframe, the criminals who now have access to your systems will wipe the data. Since those systems are unavailable to your organization, most businesses are faced with a decision: pay the ransom and get back to business, or refuse to pay the ransom and risk losing customer data forever.

Like any other virus or malware the ransomware is usually downloaded from the internet, most often by clicking a suspicious link in an email or on a website.

Continue reading “Ransomware Lessons”

Ransomware: WannaCry Malware Review

The WannaCry ransomware was first noticed on May 12, 2017 and it spread very quickly through many large organizations, infecting systems worldwide. Unlike other ransomware, this sample used the SMBv1 “ETERNALBLUE” exploit to spread. “ETERNALBLUE” became public about a month prior when it was published as part of the Shadow Brokers archive of NSA hacking tools.

Prior to the release of the hacking tool, Microsoft had patched the vulnerability as part of the March 2017 Patch Tuesday release. The patch was released only for supported versions of Windows. In response to the rapid spread of WannaCry, Microsoft eventually released the MS17-010 patch for older, out-of-support versions of Windows as well, going back to include the still popular Windows XP and Windows Server 2003.

One way to detect the spread of the malware was the significant increase in activity on TCP port 445. The increase in traffic was caused by infected systems scanning for more victims. It is still not clear how the infection started. There are some reports of e-mails that included the malware as an attachment, but at this point no actual samples have been made public. It is also possible that the worm entered a corporate network via vulnerable hosts that had TCP port 445 exposed to the internet. The WannaCry malware itself doesn’t have an e-mail component.
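As an added example (not code from the original post), here is a small detection for the port 445 scanning behavior described above, written as a PowerShell function and run over constructed sample lines in the Windows Firewall log format (the pfirewall.log file that Windows writes under System32\LogFiles\Firewall when firewall logging is enabled). The sample lines, hosts and the threshold of five distinct targets are all made up for the example; the same logic applies to any flow log that records source, destination and destination port.

```powershell
# Added example, not from the original post. Flags internal hosts that open TCP
# connections to port 445 on many distinct destinations, the traffic pattern that
# an SMB worm such as WannaCry produces while hunting for new victims.

# Constructed sample in Windows Firewall (pfirewall.log) format. 10.0.0.5 touches
# six different hosts on 445 within seconds; 10.0.0.9 only talks to its file server.
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-12 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.17 49152 445 0 S 0 0 0 - - - SEND
2017-05-12 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.18 49153 445 0 S 0 0 0 - - - SEND
2017-05-12 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.19 49154 445 0 S 0 0 0 - - - SEND
2017-05-12 10:00:02 ALLOW TCP 10.0.0.5 10.0.0.20 49155 445 0 S 0 0 0 - - - SEND
2017-05-12 10:00:02 ALLOW TCP 10.0.0.5 10.0.0.21 49156 445 0 S 0 0 0 - - - SEND
2017-05-12 10:00:02 ALLOW TCP 10.0.0.5 10.0.0.22 49157 445 0 S 0 0 0 - - - SEND
2017-05-12 10:00:03 ALLOW TCP 10.0.0.9 10.0.0.50 51000 445 0 S 0 0 0 - - - SEND
2017-05-12 10:00:09 ALLOW TCP 10.0.0.9 10.0.0.50 51001 445 0 S 0 0 0 - - - SEND
2017-05-12 10:00:09 ALLOW TCP 10.0.0.9 10.0.0.60 51002 443 0 S 0 0 0 - - - SEND
'@

function Find-Port445Scanners {
    param(
        [string[]]$Lines,
        [int]$Port = 445,
        [int]$MinDistinctTargets = 10   # tune for your environment; a file server client touches very few hosts on 445
    )
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |          # skip blank and header lines
        ForEach-Object {
            $f = $_ -split '\s+'
            [pscustomobject]@{ Src = $f[4]; Dst = $f[5]; Proto = $f[3]; DstPort = [int]$f[7]; Flags = $f[9] }
        } |
        # Only count new outbound connection attempts (SYN) to the SMB port.
        Where-Object { $_.Proto -eq 'TCP' -and $_.DstPort -eq $Port -and $_.Flags -eq 'S' } |
        Group-Object Src |
        ForEach-Object {
            [pscustomobject]@{
                Source          = $_.Name
                DistinctTargets = @($_.Group.Dst | Sort-Object -Unique).Count
            }
        } |
        Where-Object DistinctTargets -ge $MinDistinctTargets
}

# Expected result for the sample: only 10.0.0.5 is reported, with 6 distinct targets.
Find-Port445Scanners -Lines ($SampleLog -split "`r?`n") -MinDistinctTargets 5 | Format-Table -AutoSize
```

To run this against a real log, replace the sample with Get-Content on pfirewall.log, and consider adding a time window so that a host that legitimately maps many shares over a working day is not confused with one that touches dozens of hosts in a few seconds.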

At startup, the malware was first checking if it can reach a specific website at http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, but it can no longer be assumed that newer versions will still demonstrate this behavior. This was a simple “kill-switch”, since if it found the site it would stop operations.

Eventually, the malware would create an encryption key and encrypt all the user files on the infected PC to prevent normal user access to those files. The idea is to force the user to pay a fee to recover the files they no longer could access.

Encrypted files use the extension .wncry. To decrypt the files, the user was asked to pay $300, which increased to $600 after a few days. The ransomware threatened to delete all user files after a one-week waiting period.

In addition to encrypting files, the malware also installed a “DOUBLEPULSAR” back door. The backdoor could be used to compromise the system further. The malware also installed Tor to facilitate communication with the ransomware author.

New variants have already been reported with slight changes to the kill switch domain and other settings. There is also a decryption key that can be used on many systems, but prevention is always better than searching for recovery options.

If your version of Windows was supported and you installed all available patches from Microsoft, your system would not have been infected. Microsoft also announced that the new “Windows 10 S” would help prevent ransomware infection as it will only run software purchased from the Microsoft Store.

What Security Threat Are You Overlooking?

A recent European IDC survey of more than 400 organizations discovered that many companies fail to address one of the main causes of data exposure, which is insider threats. The report shows that most security attacks are caused by users unintentionally using outdated credentials to access secure systems. The problem is that only 12 percent of companies surveyed considered insider threats “highly concerning”, with common threats like viruses, phishing, ransomware, etc. listed as bigger threats requiring more attention.

This gap in security thinking can lead organizations to misunderstand users and miss opportunities to detect intentional user breaches.

Businesses need to shift their security focus away from the actions that must happen after a breach, like dealing with the aftermath of ransomware or removing a new virus, and focus on the true source of the problem which is mostly user behavior. Education can go a long way to reduce activity that leads to dangerous behavior, as well as reducing the events that lead to unintentional misuse of user credentials. This should reduce the threats from multiple sources and allow your security team to focus on those users that need additional attention, as well as those users that have attempted the intentional misuse of user credentials.

It is really an effort to stop reacting to attacks caused by uneducated users doing silly things and be proactive on those threats that you can control.


How to disable macros in Microsoft Office

Not everyone has the level of technical expertise to understand why macros are dangerous, or how to disable them. Macros are a really powerful feature in Microsoft Office, allowing you to do many difficult things with the click of a button. These complicated tasks might be formatting a spreadsheet, inserting a standard block of text in Word documents, etc. The problem is malicious code, like a macro virus, can automatically be executed as a standard macro when the user opens a document from an untrusted source.

The creators of these malicious code segments attempt to prevent users from catching on by disguising their malicious document, usually sent as an email attachment, as something seemingly routine. There are active malware efforts that are actively infecting user computers right now, with examples like PowerSniff! or other examples that have been around in one form or another for many years.

There are three things that will prevent almost 100% of all infections:

  • Disable macros in Microsoft Office. This is fairly easy for even non-technical users to accomplish.
  • Another great way to prevent infections is to never open an attachment from an untrusted source.
  • You should also be running anti-virus and anti-malware software on your computer.

These three things will prevent almost 100% of infections.

Disabling Macros in Microsoft Office

  1. Click File > Options.
  2. Click Trust Center, and then click Trust Center Settings.
  3. In the Trust Center, click Macro Settings, where you can make any changes you want and approve them by clicking OK.
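As an added example (not code from the original post), the following PowerShell script applies the same Trust Center macro setting through the registry, which is how you would script it across many machines rather than clicking through the dialog on each one. It assumes Office 2016, 2019 or Microsoft 365, which all use registry version 16.0 (adjust $OfficeVersion for other releases), and it is my own choice to also set the separate policy value that blocks macros in files downloaded from the internet.

```powershell
# Added example, not from the original post. Reads and sets the Office macro
# security level for the current user for Word, Excel and PowerPoint.

$OfficeVersion = '16.0'              # assumption: Office 2016/2019/Microsoft 365
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values as shown on the Trust Center "Macro Settings" page:
#   1 = Enable all macros (dangerous)
#   2 = Disable all macros with notification (Office default)
#   3 = Disable all macros except digitally signed macros
#   4 = Disable all macros without notification
function Get-MacroSetting {
    foreach ($app in $Apps) {
        $key   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        $value = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $shown = if ($null -eq $value) { 'not set (default 2)' } else { $value }
        [pscustomobject]@{ App = $app; VBAWarnings = $shown }
    }
}

function Set-MacroSetting {
    param([ValidateSet(2, 3, 4)][int]$Level = 4)   # 1 is deliberately not allowed here
    foreach ($app in $Apps) {
        # Same value the Trust Center dialog writes; the user can still change it.
        $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value $Level -Type DWord

        # Policy value: block macros in files that carry the Mark of the Web
        # (downloaded or received as attachments) regardless of the level above.
        $policy = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
        Set-ItemProperty -Path $policy -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
    }
}

'Before:'; Get-MacroSetting | Format-Table -AutoSize
Set-MacroSetting -Level 4
'After:';  Get-MacroSetting | Format-Table -AutoSize
```

Writing VBAWarnings under the Software\Policies path instead of the Software\Microsoft path would lock the setting so the Trust Center shows it greyed out; in a domain the cleanest way to do that is the Office Group Policy administrative templates, which write the same policy values.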

Enterprise Efforts

As a technical person, there are several things you can do at your company to help prevent a successful malware attack.

  • Security Training – Make sure you create a policy that outlines user responsibilities for cybersecurity. This includes being aware of potential cyber threats, not opening attachments from untrusted sources, selecting strong passwords, etc. It should also cover the potential risks of opening macro-enabled Office documents.
  • Anti-Malware and Anti-Virus – While software will never be 100% effective in detecting and blocking infections, it can be more effective than nothing.
  • Anti-Spam – Build rules in your spam tool to automatically restrict email attachments with a .zip extension.
  • Default Microsoft Office Security – Use the default setting of “High” for Macro security on all Microsoft Office applications.
  • PowerShell – Publish a Group Policy Object that restricts the use of PowerShell for most users. Allow PowerShell for specific power users on a case-by-case basis.
  • Monitor Activity – Look for unexpected pings from internal computers and keep an eye on unusual network activity.


5 Steps to Prevent Ransomware

In recent years a new term has entered the vocabulary of cybersecurity experts: Ransomware. Wikipedia says: “Ransomware is computer malware that installs covertly on a victim’s computer, executes a cryptovirology attack that adversely affects it, and demands a ransom payment to restore it.” This basically means a computer system is attacked, the user files are encrypted, and the user must pay a fee to regain access to their critical files. While there is a long history of minor attempts by hackers to create this type of malware, the most well known version of this type of malware is known as “Cryptolocker”, which was released in late 2013.

Most ransomware attacks were opportunistic and targeted at individual computers, but recently there has been a change in the threat landscape to target entire organizations. The ransom demands have also transitioned from the equivalent of a few hundred dollars for an individual to millions of dollars for an entire organization.

The impact of a successful ransomware attack is more extensive than just the cost of the ransom. Your organization can suffer the impact of lost productivity, inconvenience to your customers, decreased sales, and even the permanent loss of essential data.

Tips on preventing this type of infection in your organization:

  1. Planning – Aggressively patch all systems to prevent known vulnerabilities. All endpoints should also be protected with anti-malware and anti-virus software to automatically detect and respond to any infection attempts. This should also include user training to help users understand how infections are executed, what they can do to minimize the risk of attack, and who they should contact if they have concerns or questions. All user files should be backed up to another location that can’t be accessed by the malware. You want to minimize data loss in the event of a successful attack.
  2. Active Detection – You can minimize the damage from an attack if you are monitoring your enterprise systems and are alerted to the attack as quickly as possible. Threat intelligence software should be used to block suspicious software and alert you to a possible attack. This includes screening email attachments and embedded links, blocking access to known internet malware sites, and security rules to block common malware folders on endpoints to help spot infections before the files are encrypted.
  3. Isolation – Even if malware slips through your defenses and an infection occurs on one device, you need to have procedures in place to isolate the infected system and limit the exposure of the remaining endpoints. To help prevent additional files on the network from being encrypted the infected device must be isolated from the network.
  4. Counterattack – During a ransomware incident, once it has been contained you must eradicate it by using effective counterattack procedures. First replace infected devices and format the compromised hard drives. If you have been effective at the previous steps, you can recover user files from your backups and nothing was lost on the device. By formatting the hard drives you make sure the infection is removed from the device, without the need to worry about residual or hidden files. If you have a network infection, the infection can be much more difficult to contain and cleanup will be much more time consuming. A good relationship with your anti-malware vendor is essential to make sure they help you with any possible infection, even one they haven’t seen before.
  5. Resolution – The best way to recover from an attack is having backups of all your important files. Once user systems have been cleaned and files have been restored, the last step is reviewing what went well and what still needs some more work. Was the infection caused by a user bypassing a security control? Was your anti-malware software ineffective? Are there required changes to your procedures or training that would have made your response faster or more effective?

Never be satisfied with “good enough” security, and look for ways to improve your response times, better educate your users, and provide a safer overall environment for your business. Your level of success against a ransomware attack is largely dependent on you and how seriously you prepare for the possibility of a malware attack.


New Malware Copied To Your Network Daily

Security researchers at Check Point analyzed information on over 30,000 security incidents discovered by that company’s ThreatCloud prevention software, which is installed at more than 1,000 companies worldwide. Check Point found that employees in most business sectors are downloading potentially harmful files to their company’s networks at an alarming rate.

Check Point says in their new study that new malicious file downloads have increased 900% per hour:

  • Unknown malware continues its exponential and evolutionary growth. Researchers found a 9x increase in the amount of unknown malware plaguing businesses. This was fueled by the employees, who downloaded a new unknown malware every four seconds. In total, there were nearly 12 million new malware variants discovered every month, with more new malware discovered in the past two years than the previous decade.
  • Security is lagging behind the speedy, on-the-go mobile device. With smartphones and tablets accounting for 60 percent of digital media time spent, businesses’ mobile devices present both an access curse and a business productivity blessing. While employees do not want to be the cause of a company network breach, 1-in-5 will cause one through either mobile malware or malicious Wi-Fi.
  • Endpoints represent the starting points for most threats. Among the businesses surveyed, endpoints were the most common cause of breaches and the most critical component in cyber defenses, with attackers leveraging email in 75 percent of cases. Also, 39 percent of endpoint attacks bypassed the network gateway firewalls, and routine operations uncovered 85 percent of threats after they had already gotten inside the enterprise.

A full copy of the report is available here.
