Archives for January 2017
New Year’s Cyber Security Resolution
Welcome to 2017.
The comment we have heard most often is "thank God 2016 is over"; for those involved in cyber security it was also a banner year for threats: a rapid increase in ransomware, a DDoS attack facilitated by IoT devices, and the discovery of one of the largest cyber security breaches in history. With an election that the world watched surrounded by an aura of suspicion about nefarious activities that could have decided the outcome, 2017 is shaping up to be a very interesting year.
In 2016 security professionals had their work cut out for them. They attempted to stop threats at the perimeter, purchasing and implementing the latest "next generation" technologies to address one particular threat, such as ransomware, rather than looking at the network as a whole. This piecemeal approach, while often described as defense in depth, can itself introduce vulnerabilities into your network.
Knowledge is power: you cannot protect what you, as an organization, do not know you have.
The best way to stay ahead of the game is to be prepared for the threats of today, tomorrow and five years from now. To plan your strategy you need to know what you are protecting and from whom you are protecting it. Think of it like a football strategy: if you put the strategy in place without knowing your players or who you are playing against, you will ultimately lose.

An internal cyber security threat assessment provides an organization with valuable information about its network. The first step in the assessment is to generate a blueprint of all of your organization's assets, with key information such as each device's IP address, host name, MAC address and operating system.
Once the list is complete, an internal vulnerability assessment provides the list of assets that require urgent patches to harden them against attack.
Using the innovative Malware Detection system, the threat assessment also reports traffic communicating with known command and control (C&C) servers and with websites that fall outside corporate policy (such as those located in high-risk countries); during the assessment it will also block potential ransomware attacks such as CryptoLocker for Windows and Linux.Encoder.1 for Linux. If compliance is a requirement, the assessment can be completed for PCI, HIPAA, SOX or ISO 92001.
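The three assessment steps above (asset blueprint, urgent-patch prioritisation, and review of traffic to known C&C servers or policy-blocked countries) as one added worked example in Python. This is illustration code written for this post, not Symtrex's or SnoopWall NetShield's code; the discovery records, scan findings, C&C list, IP-to-country lookup and traffic log lines are all constructed sample data, and the `XX` country code, the CVSS 7.0 threshold and the log line format are assumptions.

```python
"""Added illustration of the assessment workflow; not SnoopWall/Symtrex code.
All inputs below are constructed sample data."""
import re

# Constructed discovery records (IP, host name, MAC, OS). The second
# ws-finance-07 entry is the same device after a DHCP address change.
DISCOVERY = [
    {"ip": "10.0.1.10", "host": "fileserver01", "mac": "00:1A:2B:3C:4D:01", "os": "Windows Server 2008 R2"},
    {"ip": "10.0.1.11", "host": "ws-finance-07", "mac": "00:1a:2b:3c:4d:02", "os": "Windows 7"},
    {"ip": "10.0.1.12", "host": "ws-finance-07", "mac": "00:1a:2b:3c:4d:02", "os": "Windows 7"},
    {"ip": "10.0.1.20", "host": "web01", "mac": "00:1a:2b:3c:4d:03", "os": "Ubuntu 16.04"},
]

# Constructed vulnerability-scan findings, keyed by MAC so they survive IP churn.
FINDINGS = [
    {"mac": "00:1a:2b:3c:4d:01", "title": "SMBv1 remote code execution", "cvss": 9.3},
    {"mac": "00:1a:2b:3c:4d:02", "title": "Unsupported operating system", "cvss": 10.0},
    {"mac": "00:1a:2b:3c:4d:03", "title": "Outdated OpenSSL", "cvss": 5.3},
]

# Constructed threat-intel inputs. "XX" is a placeholder code standing in for
# whatever countries corporate policy classes as high risk.
KNOWN_C2 = {"198.51.100.23", "c2.example"}
BLOCKED_COUNTRIES = {"XX"}
GEO = {"203.0.113.9": "XX", "192.0.2.44": "US"}  # constructed IP -> country lookup

# Constructed outbound-traffic log, one "<time> <src_ip> -> <dst>:<port>" per line.
TRAFFIC_LOG = """\
2017-01-10T09:12:01 10.0.1.11 -> 198.51.100.23:443
2017-01-10T09:12:05 10.0.1.11 -> 192.0.2.44:443
2017-01-10T09:13:40 10.0.1.20 -> c2.example:8080
2017-01-10T09:15:02 10.0.1.10 -> 203.0.113.9:80
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+)$")


def build_blueprint(records):
    """Step 1: one entry per device keyed by MAC, collecting every IP seen for it."""
    assets = {}
    for rec in records:
        mac = rec["mac"].lower()
        entry = assets.setdefault(mac, {"host": rec["host"], "os": rec["os"], "ips": set()})
        entry["ips"].add(rec["ip"])
    return assets


def urgent_patches(assets, findings, threshold=7.0):
    """Step 2: (host, title, cvss) for findings at or above the threshold, worst first."""
    urgent = []
    for f in findings:
        asset = assets.get(f["mac"].lower())
        if asset is None:
            continue  # a finding for a device missing from the blueprint is itself a gap
        if f["cvss"] >= threshold:
            urgent.append((asset["host"], f["title"], f["cvss"]))
    return sorted(urgent, key=lambda item: -item[2])


def flag_traffic(log_text, assets):
    """Step 3: outbound flows to known C&C endpoints or policy-blocked countries."""
    ip_index = {ip: mac for mac, asset in assets.items() for ip in asset["ips"]}
    flagged = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        dst = match.group("dst")
        if dst in KNOWN_C2:
            reason = "known C&C endpoint"
        elif GEO.get(dst) in BLOCKED_COUNTRIES:
            reason = f"destination in blocked country {GEO[dst]}"
        else:
            continue
        mac = ip_index.get(match.group("src"))
        host = assets[mac]["host"] if mac else "unknown device (not in blueprint)"
        flagged.append({"time": match.group("ts"), "host": host, "dst": dst, "reason": reason})
    return flagged


if __name__ == "__main__":
    blueprint = build_blueprint(DISCOVERY)
    for mac, asset in blueprint.items():
        print(f"{asset['host']:14} {mac} {asset['os']:24} {sorted(asset['ips'])}")
    for host, title, cvss in urgent_patches(blueprint, FINDINGS):
        print(f"URGENT {host}: {title} (CVSS {cvss})")
    for hit in flag_traffic(TRAFFIC_LOG, blueprint):
        print(f"FLAG   {hit['time']} {hit['host']} -> {hit['dst']}: {hit['reason']}")
```

Keying the blueprint on MAC rather than IP is the design choice that matters here: the same workstation appears under two addresses in the discovery data, and a scan finding or a flagged flow is only useful if it lands on the right device after the address changes.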

The Cyber Threat Assessment is offered by Symtrex using the SnoopWall NetShield Network Access Control. SnoopWall NetShield is an intranet security product; installed for 45 days, it runs a comprehensive internal network evaluation that includes asset detection, identification of critical vulnerabilities, assistance with hardening and managing your trusted assets, detection and blocking of rogue/malicious devices, and auditing and enforcement of compliance and regulatory requirements.
Contact us to find out more or to coordinate your Cyber Threat Assessment.
Security Training 101: Stop Blaming The User
From Dark Reading – Andrew Howard
To err is human, so it makes sense to quit pointing fingers and start protecting the organization from users — and vice versa.
We’ve all seen them: the “don’t take the bait” anti-phishing posters plastered throughout most enterprises. As companies struggle with the various forms of malicious email, from spearphishing to whaling, I’ve noticed security leaders have begun to emphasize monitoring and deterring human, email-related mistakes. In that vein, companies are inserting language into employee agreements regarding cybersecurity hygiene and creating policies that punish lax security habits.
I believe it’s time that we, as cybersecurity professionals, take a step back and reconsider our approach to user error. After all, to err is human, and our energies would be better served not on assessing blame but on protecting the organization from users — and users from themselves.
A user-education program is of preeminent importance. Every modern control framework, from ISO to the NIST Cybersecurity Framework, requires user education. The problem I see in today’s standard corporate information security program is that user education is the first and only line of defense against many threats. For example, many companies don’t allow personally identifiable information to be transferred unencrypted, but have no data-loss prevention technology to prevent it. Frankly, this is irresponsible. When a Social Security number is accidentally put in an email, the user gets blamed — not the information security group. This training-only strategy also creates an environment in which every user has to do the right thing, every time, without failure.
Users Make Mistakes: Be Prepared for It
Several months ago, I witnessed a Fortune 250 CISO dress down his director of governance, risk, and compliance because a recent audit found sensitive information on a shared resource not designed for that purpose. Immediately, the CISO and the director discussed implementing new information-classification training requirements for users and a scanning program to find any mistakes by other users, who would also need more training. This line of thinking appears to be common in less-sophisticated enterprises. No discussion of preventive techniques, only detection and blame.
A common methodology for user interface experience testing is to pretend the user is drunk. The thought is, if a drunk user can navigate your application, a sober one can easily do the same. The same methodology should apply to cybersecurity. In the security professional community, we have failed by counting on users to constantly do the right thing. Our focus must not be on eliminating human errors but on preventing them in the first place.
As a consultant, I have reviewed hundreds of presentations for boards of directors throughout my career. Many CISOs struggle with establishing board-appropriate metrics: they wonder about the right level of reporting detail to include and how much board members will understand. But I can always count on the phishing test PowerPoint slide to appear during a presentation. “How many clicks this quarter versus last quarter? How many repeat offenders, even after training? After we introduced training, the click rate dropped from 44% to 32%.” It’s amazing how similar these slides are across different companies, regardless of the industry.
Typically, I see companies with pre-training click rates in the 20% to 30% range improve significantly after several quarters of effort. The absolute best training programs I’ve seen, at security-conscious companies, produce results in the 2% to 3% range. Although remarkable, even this level is too high when it takes just one administrator to fall for a scam. After all, 2% of 50,000 users is still 1,000 users.
In my opinion, the phishing test click-rate is a terrible metric for reporting. It assumes the user is responsible for phishing-related issues and takes the focus off of developing reliable, technical controls.
I would much rather see companies move the focus to detection, and instead track their phishing report rate, or how many users reported a test phishing email to the security group. Improving the number of users who report phishing emails creates a large “human sensor” network to support the information security operations center. Recently, I worked with a company that has seen great results, with fewer incidents, using this model. The approach also has the added benefit of enabling the information security market to work with carrots — rewarding users who report — versus “using a stick” to punish those who click through.
Ultimately, user errors should be classified into two categories: (1) mistakes anyone can make, and (2) mistakes no one should make. Training programs and detection techniques should be focused on the second category. As a community, we should focus on preventing the first, and to accomplish that, we must move beyond blaming users and accept accountability as security’s gatekeepers.
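The two metrics contrasted in the column above (click rate versus report rate) computed side by side from one simulated campaign, as an added example that is not part of Andrew Howard's column. The event log is constructed; the three event kinds (delivered, clicked, reported) and the CSV layout are assumptions made for the illustration.

```python
"""Added example, not from the column above: campaign metrics for one
simulated phishing email, computed from a constructed event log."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed events, "<ISO timestamp>,<user>,<event>"; event is one of
# delivered, clicked, reported. Each user gets exactly one 'delivered'.
EVENTS = """\
2017-01-09T08:00:00,alice,delivered
2017-01-09T08:00:00,bob,delivered
2017-01-09T08:00:00,carol,delivered
2017-01-09T08:00:00,dave,delivered
2017-01-09T08:00:00,erin,delivered
2017-01-09T08:03:10,alice,reported
2017-01-09T08:05:30,bob,clicked
2017-01-09T08:06:02,bob,reported
2017-01-09T08:20:45,carol,clicked
2017-01-09T09:10:00,dave,reported
"""


def parse_events(text):
    """Per user, the first timestamp of each event kind (repeat clicks don't count twice)."""
    per_user = defaultdict(dict)
    for line in text.splitlines():
        ts, user, event = line.strip().split(",")
        per_user[user].setdefault(event, datetime.fromisoformat(ts))
    return per_user


def classify(per_user):
    """Bucket users by outcome. 'clicked_then_reported' is the case a click-rate
    slide hides: the user fell for it but still acted as a sensor."""
    buckets = defaultdict(list)
    for user, ev in sorted(per_user.items()):
        if "clicked" in ev and "reported" in ev:
            buckets["clicked_then_reported"].append(user)
        elif "clicked" in ev:
            buckets["clicked"].append(user)
        elif "reported" in ev:
            buckets["reported"].append(user)
        else:
            buckets["no_action"].append(user)
    return dict(buckets)


def campaign_metrics(per_user):
    """Click rate (the usual slide), report rate (the recommended one) and how
    fast the security group would have heard about a real campaign."""
    n = len(per_user)
    clicked = sum(1 for ev in per_user.values() if "clicked" in ev)
    delays = sorted(
        (ev["reported"] - ev["delivered"]).total_seconds()
        for ev in per_user.values() if "reported" in ev
    )
    return {
        "recipients": n,
        "click_rate": clicked / n,
        "report_rate": len(delays) / n,
        "seconds_to_first_report": delays[0] if delays else None,
        "median_report_delay_s": median(delays) if delays else None,
    }


if __name__ == "__main__":
    users = parse_events(EVENTS)
    print(classify(users))
    for key, value in campaign_metrics(users).items():
        print(f"{key:24} {value}")
```

Time to first report is the figure worth adding to the report-rate slide: it is the delay before the security group learns a real campaign is under way, which is what the "human sensor" network actually buys you.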
4 Reasons Why You Should Take Ransomware Seriously
From Dark Reading – Dan Larson
The threats keep getting more sophisticated and the stakes keep getting higher. Is your organization ready to meet the challenge?
According to a recent ransomware report from the Institute for Critical Infrastructure Technology (ICIT), 2016 saw a wave of ransomware attacks that were increasingly sophisticated and stealthy. The FBI forecast that the haul from ransomware would reach a billion dollars last year, and it seems as if no industry is safe from being targeted. As ICIT reports, even critical infrastructure entities such as healthcare organizations have become prime targets, with hospitals in the US and Germany paying ransoms rather than risk their patients’ lives.
Why is this alarming increase occurring? ICIT argues that it’s due to the highly profitable nature of ransomware attacks coupled with inadequate enterprise defenses. Combined, these two factors are attracting a more advanced breed of cybercriminal who is motivated by the potential of a bigger payout, faster and more anonymous – and thus less risky – than the advanced persistent threat exploits often used to steal credit card numbers and other sensitive data.
Compounding these challenges is the fact that law enforcement agencies have not provided a unified response to the ransomware threat, in some cases advising victim organizations to pay the ransom to retrieve their data. At the same time, criminal hackers have developed ways to circumvent standard security measures such as sandboxing and intrusion prevention systems.
If that’s not enough to convince you, here are four more reasons to take ransomware seriously:
- Ransomware continues to evolve. Whether your organization is the victim of a ransomware exploit that encrypts files or a type that encrypts the master boot record and blocks access to an entire system, the standard solutions you have in place may not be enough to protect you. New variants of ransomware are continually being developed. They employ an array of techniques aimed at circumventing your security, including deleting Volume Shadow Copies, making it impossible to restore from backup files or avoiding detection by hiding in Microsoft macros or JavaScript files. The criminals who develop ransomware have become so sophisticated that many are offering ransomware as a service, widening the pool of potential victims.
- Standard security solutions may not protect you. Ransomware’s ability to quickly change and mutate utilizing polymorphic or fileless malware has exponentially increased opportunities for ransomware to find its way into your organization. Conventional endpoint protection that relies on signature-based detection isn’t up to the task of finding ransomware before it strikes. Adding solutions such as whitelisting, the ability to detect indicators of compromise, or machine learning can increase your protection, but in some cases will be unable to prevent an attack. And unlike malware infections that slowly exfiltrate your data so that post-infection detection may minimize loss, in the case of ransomware, prevention is often your only recourse. Once ransomware enters undetected, your data is immediately encrypted and inaccessible, or your systems are locked down.
- Compliance may be at stake. Most organizations retain sensitive data that is subject to regulatory legislation mandating its protection. When a breach happens and data is exposed, the victim organization must inform its customers and partners, and can incur substantial fines if regulations are affected. Ransomware attacks may not result in protected data being stolen, but organizations are still responsible for alerting all their constituents if an attack occurs. This can cause significant damage to an organization’s brand. As Dark Reading reports, the Federal Trade Commission (FTC) has come down hard on companies that fail to protect their customers’ data. FTC Chairperson Edith Ramirez recently suggested that a company’s failure to take action to prevent a ransomware attack could result in enforcement action – even if the company hasn’t been the victim of an attack.
- Data recovery can be complex and costly. The cost and complexity of recovering files after a ransomware attack are why many companies, particularly smaller organizations, choose to pay the ransom. Granted, most disaster recovery services ensure that there’s a robust backup and recovery plan in place, to tackle these kinds of cases. But, even with a comprehensive backup system, in today’s widely distributed organizations, files can be located across hundreds of devices. Though the attack may begin on one laptop, the ransomware could have access to other systems connected to the laptop, resulting in a costly drain on IT resources as they struggle to map and contain the damage. Even worse, if you’re the victim of a new ransomware variant that’s able to delete your backup files, recovery won’t be an option.
The Best Defense Against Ransomware
To combat the escalating level of ransomware sophistication, organizations need a multifaceted approach with complementary prevention and detection methods. One important method is to focus on indicators of attack (IoAs), a form of behavior-based detection that looks at the underlying actions taken by the threat rather than trying to pattern-match a new file to a signature. An IoA can prevent multiple variants and versions of ransomware families, including new ones not detectable by known signatures or features. Coupled with endpoint detection and response, machine learning, and proactive threat hunting by security experts, organizations can ensure that they have the prevention capabilities in place to alert teams of ransomware attempts before encryption can be initiated.
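The behaviour-based detection described above, as an added Python example written for this page (it is not code from the column or from any vendor): a toy indicator-of-attack evaluator with three rules that look at what a process does rather than what its file hashes to, covering the shadow-copy deletion and macro-launched script behaviours the list above names, plus a bulk-rename burst. The JSON-lines event schema, the process-name sets, the thresholds and every event are constructed assumptions; `invoice.docm`, `update.js` and the file paths are placeholders.

```python
"""Added example, not from the column above: a toy indicator-of-attack (IoA)
evaluator that scores behaviour rather than matching file signatures. The
event schema, thresholds and all events are constructed for this illustration."""
import json
from collections import defaultdict
from datetime import datetime

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
RENAME_BURST_THRESHOLD = 5   # this many renames by one process ...
RENAME_BURST_WINDOW_S = 60   # ... within this many seconds, all to one new extension

# Constructed endpoint telemetry, one JSON object per line (raw string so the
# Windows path backslashes survive as JSON escapes).
EVENTS = r"""
{"ts":"2017-01-12T10:00:00","type":"process","pid":4100,"image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","parent_image":"C:\\Windows\\explorer.exe","cmdline":"WINWORD.EXE invoice.docm"}
{"ts":"2017-01-12T10:00:07","type":"process","pid":4188,"image":"C:\\Windows\\System32\\wscript.exe","parent_image":"C:\\Program Files\\Microsoft Office\\WINWORD.EXE","cmdline":"wscript.exe update.js"}
{"ts":"2017-01-12T10:00:20","type":"process","pid":4200,"image":"C:\\Windows\\System32\\vssadmin.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"vssadmin delete shadows /all /quiet"}
{"ts":"2017-01-12T10:00:31","type":"file_rename","pid":4188,"new_path":"C:\\Users\\pat\\Documents\\q1.xlsx.locked"}
{"ts":"2017-01-12T10:00:33","type":"file_rename","pid":4188,"new_path":"C:\\Users\\pat\\Documents\\q2.xlsx.locked"}
{"ts":"2017-01-12T10:00:35","type":"file_rename","pid":4188,"new_path":"C:\\Users\\pat\\Documents\\notes.docx.locked"}
{"ts":"2017-01-12T10:00:37","type":"file_rename","pid":4188,"new_path":"C:\\Users\\pat\\Pictures\\img1.jpg.locked"}
{"ts":"2017-01-12T10:00:39","type":"file_rename","pid":4188,"new_path":"C:\\Users\\pat\\Pictures\\img2.jpg.locked"}
{"ts":"2017-01-12T10:02:00","type":"file_rename","pid":900,"new_path":"C:\\Users\\pat\\report-final.docx"}
{"ts":"2017-01-12T10:02:10","type":"process","pid":950,"image":"C:\\Windows\\System32\\wmic.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","cmdline":"wmic os get version"}
"""


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def ioa_shadow_copy_deletion(e):
    """Deleting Volume Shadow Copies removes the local restore points ransomware
    wants gone; it is a rare action in an ordinary user session."""
    if e["type"] != "process":
        return None
    base, cmd = _basename(e["image"]), e.get("cmdline", "").lower()
    if (base == "vssadmin.exe" and "delete shadows" in cmd) or \
       (base == "wmic.exe" and "shadowcopy delete" in cmd):
        return "shadow copy deletion"
    return None


def ioa_office_spawns_script_host(e):
    """An Office document starting a script host is the classic macro launch chain."""
    if e["type"] != "process":
        return None
    parent, child = _basename(e.get("parent_image", "")), _basename(e["image"])
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return f"{parent} spawned {child}"
    return None


def ioa_rename_bursts(events):
    """Stateful rule: one process renaming many files to a single new extension
    within a short window, the file-system footprint of bulk encryption."""
    by_pid = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename":
            by_pid[e["pid"]].append(e)
    hits = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda x: x["ts"])
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["ts"])
            window = [x for x in evs[i:]
                      if (datetime.fromisoformat(x["ts"]) - t0).total_seconds() <= RENAME_BURST_WINDOW_S]
            exts = {x["new_path"].rsplit(".", 1)[-1].lower() for x in window}
            if len(window) >= RENAME_BURST_THRESHOLD and len(exts) == 1:
                hits.append((pid, first["ts"],
                             f"{len(window)} renames to .{exts.pop()} within {RENAME_BURST_WINDOW_S}s"))
                break
    return hits


def evaluate(jsonl):
    """Run the per-event rules in event order, then the stateful burst rule."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    alerts = []
    for e in events:
        for rule in (ioa_shadow_copy_deletion, ioa_office_spawns_script_host):
            why = rule(e)
            if why:
                alerts.append({"ts": e["ts"], "pid": e["pid"], "ioa": why})
    for pid, ts, why in ioa_rename_bursts(events):
        alerts.append({"ts": ts, "pid": pid, "ioa": why})
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"{a['ts']} pid={a['pid']:<5} {a['ioa']}")
```

Note which events do not fire: the benign `wmic os get version` and the single rename by another process both pass, and none of the rules care what the script or executable was named, which is the point of looking at actions instead of signatures. The first two rules fire on the launch chain and the backup-destruction step, before the rename burst that marks encryption already in progress.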