Archives for November 2016
Security experts warn of new types of malware that threaten to publish instead of encrypt valuable, confidential information.
Right when internet users have learned to be wary of malware that encrypts files and holds them for ransom, security experts are warning that digital extortionists are taking more aggressive steps to get paid.
“You’re seeing different techniques with the goal of improving the conversion rates of people actually paying,” says Jerome Segura, lead malware intelligence analyst at the security firm Malwarebytes.
Instead of simply encoding files so that users can’t access them, some blackmailers armed with a new kind of malware called doxware are threatening to leak potentially sensitive files to the public if a ransom isn’t paid, says Chris Ensey, COO of Dunbar Security Solutions.
“This is a very recent change in the tactics they’re using,” he says, noting that they’ve appeared only within the past few months.
Dunbar has yet to see malware make good on threats to leak data, and Ensey says that at least some variants appear to display fake progress bars purporting to show data transfers to attackers’ servers without actually uploading any files. Storing and leaking files is logistically more difficult than just encrypting them on victims’ own computers, experts say.
But Ensey predicts that by next year there will be actual data leaks attributed to ransomware, if only to motivate more attack victims to pay the ransom.
“I would not guess that we’re far off from public examples of that,” he says.
Previously, security experts advised companies and individual users to make regular backups of important files so they’d be ready to restore them if they were encrypted or damaged by malware. But that’s of less help if malware creators instead threaten to distribute information, potentially exposing companies to liability, or individual users to embarrassment or risk of identity fraud, he says.
“My thinking now is that organizations really have to focus on: How do we isolate sensitive or private information from places where ransomware tends to find itself?” he says. “You have to make it so it’s incredibly hard for that ransomware to touch or gain access to any kind of sensitive data through a standard channel.”
Preventing leaks by computers infected with malware is ultimately similar to protecting data against insider threats. That means that organizations shouldn’t simply have an unencrypted network drive with confidential materials like sensitive business plans or medical records, Ensey says.
Earlier versions of ransomware have already struck institutions with large troves of mission-critical, confidential information, such as hospitals, which could be motivation enough for entities to pay to keep patient records from falling into the wrong hands. But individual consumers represent the bulk of ransomware victims, according to a report released in April by the security firm Symantec. People could feel forced to pay to safeguard anything from financial and medical documents to explicit pictures, particularly if ransomware attacks on smartphones become more common.
“The variants that are out today are mostly Windows-based, so it’s desktop computing,” Ensey says. “If they can adapt it to mobile, I think then you might have an audience for this that would in fact pay the ransom.”
Ransomware creators have recently gotten more aggressive in other ways, too, according to Segura, sometimes permanently deleting files rather than leaving them encrypted if victims don’t quickly pay up. Some malware varieties have also focused their energies on particular classes of files likely to be of interest, such as spreadsheets, and future attackers may well use more sophisticated pricing to determine how much ransom to charge.
“It’s a business decision. Like marketers, how do you [set] the price?” Segura says. “Finding the sweet spots where people are willing to pay is really important to the economics of the ransomware business.” That might mean charging more when it comes to victims with more apparent business documents or photos, or adjusting ransom amounts for targets in certain geographical regions.
Users looking to stay safe should maintain multiple backups to minimize the risks from disk-encrypting malware and keep sensitive information encrypted or off networked machines altogether. Once files are leaked, it can be difficult or impossible to remove them from the internet.
“If the information is published in some server that’s out of U.S. jurisdiction, for example, then having that information taken down is going to be very, very difficult,” Segura says. That applies equally to business data and sensitive personal files like texts and photos.
“If you think you don’t want your mother or grandmother to see that picture, think about putting it somewhere secure, because you don’t want it leaked,” he says.
Researchers offer a step-by-step approach for covering the basics of cybersecurity.
NIST has been working closely with the Small Business Administration on cybersecurity issues for small business since 2003.
Now, as a follow-up to years of collaboration, NIST recently released a streamlined version of its Cybersecurity Framework geared to small business owners.
Released earlier this month, Small Business Information Security: The Fundamentals, runs 54 pages and offers small businesses a snapshot of the core concepts of the framework, which include the following: identify, protect, detect, respond and recover.
Patricia Toth, a supervisory computer scientist and co-author of the report with Celia Paulsen, says the guide came out of numerous workshops NIST held in tandem with the SBA over the past several years.
“We wanted to get some of the main points of the Cybersecurity Framework to the small business audience, but realized that the average small business owner wouldn’t want to pore through the entire framework,” Toth points out.
Frank Dickson, an analyst with IDC who covers security, says the streamlined document NIST put together for small businesspeople does a good job covering the basics of security.
“The only point I would add is that the document stresses strong passwords and while that’s good cyber hygiene, I’d like to see people look more toward stronger authentication,” Dickson says.
Toth adds while stronger authentication makes sense for more mature organizations, the average small business is generally just starting to think about stronger security, so they decided to get people focused on stronger passwords.
Even though it’s streamlined at 54 pages, small business owners may still not know where or how to get started with security. Here’s a thumbnail that outlines six steps:
- Manage risk. Small business owners should start by asking what information is most important to the business and what’s essential for them to protect. For example, if a marketing booklet gets leaked it’s probably not as sensitive as if a customer list was exposed. Consider security measures such as data access control and monitoring through the use of platforms like Cyral (https://cyral.com/platform/). This can be one extra step to ensure that confidential data stays secure.
- Train the staff. Run a lunchtime seminar on how to identify phishing attacks, how to recognize suspicious email and how to report it to the owner. It’s also important for the staff to be aware of the company’s policies on using Facebook, YouTube videos or general Internet browsing time. If there are no policies, then make your wishes known to the staff.
- Stay up to date. Keep in mind there are small businesses with close to 100 employees and those with under 10. Companies with under 10 employees may have a tech person who comes in to set up the network, but they don’t always have that person handle software updates and patches. We understand there’s a lot going on at your company and you are focused on sales, but don’t let updates and patches slip through the cracks. Automate as much as possible, and apply updates when they come out.
- Run backups routinely. So many small businesses don’t do this, and with ransomware as much of a threat as it is today, running offsite backups has become more important than ever. Decide whether backups need to run once a day or once a week, but once a month won’t keep your company safe.
- Investigate cyber insurance. Cyber insurance may or may not be worth it to your company. However, it makes sense to talk to some insurance brokers and see where you stand. Whatever you do, don’t call about cyber insurance without having your security program in place. The rates you pay and how much cyber insurance your company qualifies for will be based on your overall security posture. A ratings system has been evolving and has not been standardized yet, so be prepared to do some homework before asking a broker about cyber insurance.
- Seek out a professional IT company. Even the larger small businesses tend to have an IT person or outsourced contractor who comes in and sets up and manages the network. Use business contacts or your trade association to find technology companies with experience running network security, preferably in your industry. For instance, if you own a law firm, look for managed IT services that cater to law firms. Such companies can set up individual password accounts, secure the routers, install firewalls and web filters and explain how the system runs to the owner or the owner’s designated in-house tech person.
Too many companies try to go it alone and then complain about spending money on a professional IT company. Don’t be that company. One breach of a prized customer list or sales results that get into the wrong hands and it could cost you your business. Working with professional IT people is well worth the expense, especially in this threat landscape.
Improved data processing speed and automation are usually the key capabilities being added to any security product these days, and LogRhythm is the latest to follow the trend.
The company, known for its security information and event management (SIEM) suite, said Thursday these are the key ingredients of the new version 7.2 upgrade to the security intelligence and analytics platform that underlies all of its products.
“One of the big challenges is organizations just don’t have enough security people to throw at the [security] problem, so a goal of ours is how do we automate and make the analysis process as efficient as possible so the people you do have are highly effective,” company CTO and co-founder Chris Petersen said in an interview.
The platform enables visibility, data collection and analytics. Improvements include
–Better performance: up to a 200 per cent increase in data-ingestion performance, which the company says is critically important to large enterprises, such as those exceeding 100,000 messages a second. It could mean reducing the number of rack units supporting LogRhythm applications while handling the same workloads, Petersen said.
Onboarding data from a variety of enterprise sources is also easier. “You can simply point devices to use” (for example, a firewall) “and we will intelligently recognize the device, automatically pre-configure it and begin to process that data.” Until now administrators had to do those configurations manually;
–Support for more data sources: twenty more metadata fields have been added to the platform’s data structure. Support has also been extended to a total of 785 data sources, including operating systems and applications. In addition, there’s more visibility into cloud infrastructure workloads such as Amazon Web Services, Salesforce and others;
–Improvements to the User and Entity Behavioral Analytics (UEBA) module, which analyzes log data on user activity to identify compromised accounts, privilege misuse and data theft. The new module adds improved threat detection algorithms, stronger kill chain corroboration and improved real-time dashboards that help admins with threat hunting;
–Improved security automation and orchestration capabilities allowing security teams to move an alarm into a case and add information for investigation. There are 20 new automated actions giving teams automated playbooks for incident response.
LogRhythm competes against other SIEM products including IBM QRadar, Hewlett Packard Enterprise’s ArcSight, Splunk, McAfee Enterprise Security Manager and others.
Contact us for more information or to request a demonstration of the product.
Sophos has been recognized as a finalist for Best UTM Security Solution in the SC Awards
Best UTM Security Solution
Given the continuous convergence of the market, we’ve decided to retire some categories this year and integrate a number of individual categories from previous years into this unified threat management (UTM) category. The former categories – Best Enterprise Firewall, Best Intrusion Detection System/Intrusion Prevention System Product, Best IPsec/SSL VPN, Best Anti-Malware Gateway and Best Web Content Management – are now integrated here. As before, contenders in the UTM security category should take a defense-in-depth approach. Entrants should have an integrated, multifunction endpoint/UTM offering, not a single-function product. These products typically aggregate a wide variety of threat data into a single unified tool. Many organizations define those threat categories as anti-malware, content management, IDS/IPS and spam filtering, along with firewall/VPN. Entrants should meet this minimum functionality and can include anti-malware gateway, anti-spam gateway and anti-phishing gateway, as well as provide web content filtering for laptops, desktops and, optionally, servers that blocks or filters objectionable websites and content.
LogRhythm was honoured to be a finalist in two categories in the SC Awards 2017
Best Enterprise Security Solution
This includes tools and services from all product sectors specifically designed to meet the requirements of large enterprises. The winning solution will have been a leading solution during the last two years, having helped to strengthen the IT security industry’s continued evolution. (LogRhythm is a finalist for its Security Intelligence and Analytics Platform.)
Best Computer Forensic Solution
Products in this category fall into two sub-categories: network and media. The network tools must be exclusively intended for forensic analysis of network events/data. If the product is a SIEM with forensic capabilities, it should be placed in the SIEM category. Media tools cover just about all other non-network forensic tools, including those tools that collect data from media over the network and live forensic tools. This also includes specialized forensic tools that are not intended to analyze network data. (LogRhythm is a finalist for its Network Monitoring Tool.)
Best SIEM Solution
Security information and event management (SIEM) tools are used to collect, aggregate and correlate log data for unified analysis and reporting. Typically, these tools can take logs from a large number of sources, normalize them and build a database that allows detailed reporting and analysis. While forensic analysis of network events may be a feature of a SIEM, it is not the only feature, nor is it the primary focus of the tool.