
Why is Ransomware Successful?

Ransomware is the attack method you’ve seen over and over again in the headlines and, unfortunately, it’s not going away. Global outbreaks like WannaCrypt, Petya/NotPetya, and BadRabbit have made ransomware a household name. The FBI reports that over 4,000 ransomware attacks occur daily. Given the sophistication and frequency of these attacks, two questions follow: why is ransomware successful, and how can it be stopped? Let’s discuss how company culture, the workforce, malicious outsiders, and proper security configurations contribute to the success of ransomware.

Culture of Apathy

I believe there is a growing apathy in our culture towards confidential data. Honestly, do people even believe data is confidential anymore? According to Pew Research Center, half of Americans feel that their personal information is less secure than it was five years ago. 64% of American adults have experienced data theft via credit card, account number, email account, social media accounts, Social Security number, loan, or tax return compromises. It has become habitual to worry about data breaches, identity theft, and other privacy concerns.

It’s not just about hackers or human error; the apathy in our culture has led to a rise in malicious insiders. Verizon’s 2018 Data Breach Investigations Report states that 28% of cyberattacks in 2018 involved malicious insiders. When Accenture surveyed 912 healthcare and payer employees in the US and Canada, they found that one in five (18%) would be willing to sell confidential data to unauthorized parties for as little as $500 to $1,000. Moreover, about a quarter of these healthcare and payer employees know someone in their organization who has sold their credentials or access to an unauthorized outsider. In other words, one out of five of the healthcare employees responsible for protecting your data would give it, or access to it, away.

What is your organization’s culture as it relates to information security? Are you building a control environment that will embrace, monitor, and enforce ethical practices?

Workforce Challenges

If your organization, thankfully, hasn’t faced the challenges of malicious insiders and an apathetic culture, you will probably face an ill-prepared workforce. Some things just stay the same, and human error is one of those things.

Phishing is the primary method of attack when it comes to ransomware. In 2017, the Microsoft Office 365 security research team detected approximately 180-200M phishing emails every month. Although more and more organizations are incorporating strong security measures into their strategies, it’s still easy to phish. The Microsoft Security Intelligence Report explains, “An attacker sending a phishing email in bulk to 1,000 individuals just needs to successfully trick one person to obtain access to that person’s credentials…Phishing and other social engineering tactics can be more simple and effective than other methods, and they work most of the time for more human beings. If successful, phishing is an easier way to obtain credentials as compared to exploiting a vulnerability, which is increasingly costly and difficult.” The most successful phishing attempts impersonate popular brands, users, and domains.

You may think that because millennials are becoming a larger portion of our workforce, your organization is better protected. Millennials won’t fall for phishing emails, right? They’ll be wary and spot a social engineering attempt, won’t they? Unfortunately, the data shows that adults aged 20 to 29 fall victim to more fraud than adults aged over 70.

Are you providing the necessary training to the newest members of your workforce? Is your workforce your weakest link or your first line of defense?

Malicious Outsiders

Organized criminal groups aren’t stopping; they’re only getting more sophisticated. There’s obviously financial motivation, but malicious outsiders could also be motivated by a political agenda, a social cause, convenience, or just fun. We predict that US cities and the public sector will continue to be a target for malicious attacks, especially from nation-states, whose goal is to disrupt public services. Hospitals, airports, police departments, educational systems, court records, water services, payment portals, technology infrastructure – these cornerstones of the public sector are under attack every day from complex cyber threats and malicious outsiders.

What should the public sector invest in? Cybersecurity awareness to citizens and elected officials, use of forensic services after incidents or breaches, cybersecurity exercises, vulnerability scanning and penetration testing, and competitive compensation for IT personnel.

Proper Security Configurations

Remote Desktop Protocol (RDP) has been called ransomware’s favorite access point: an entry point that is commonly left insecure and is easily hacked. Even the FBI has warned organizations that the use of RDP as an attack vector is on the rise. CrySiS, CryptON, Zenis, and SamSam ransomware have all used RDP to their advantage.
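The practical check behind this paragraph is whether any firewall or cloud security-group rule lets the whole internet reach TCP/3389. The script below is an added example written for this page, not a KirkpatrickPrice tool: the five-column rule format and the sample rule set are constructed, so adapt `parse_rules` to whatever export your firewall or cloud console produces. It flags every permissive rule regardless of ordering, because a later deny rule does not help under first-match evaluation if an earlier allow rule already opened the port.

```python
"""Audit a firewall / security-group rule set for internet-exposed RDP.

Added example with a constructed rule format; the sample rules below are
made up for illustration and do not describe any real environment.
"""
from dataclasses import dataclass
from ipaddress import ip_network

RDP_PORT = 3389
# Source prefixes that mean "anyone on the internet" in most rule exports.
WORLD = {ip_network("0.0.0.0/0"), ip_network("::/0")}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # CIDR source prefix
    port_from: int
    port_to: int


def parse_rules(text: str) -> list[Rule]:
    """Parse lines of 'name action proto src port[-port]'; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, action, proto, src, ports = line.split()
        lo, _, hi = ports.partition("-")
        rules.append(Rule(name, action.lower(), proto.lower(), src,
                          int(lo), int(hi or lo)))
    return rules


def exposes_rdp(rule: Rule) -> bool:
    """True when the rule lets any internet source reach TCP/3389."""
    if rule.action != "allow" or rule.proto not in ("tcp", "any"):
        return False
    if not (rule.port_from <= RDP_PORT <= rule.port_to):
        return False
    return ip_network(rule.src, strict=False) in WORLD


def audit_rules(rules: list[Rule]) -> list[str]:
    """Names of rules that expose RDP to the internet, in rule order.

    Ordering is deliberately ignored: one permissive allow rule is a finding
    even if a deny rule follows it, since first-match firewalls never reach it.
    """
    return [r.name for r in rules if exposes_rdp(r)]


# Constructed sample: a VPN-only RDP rule, a "temporary" world-open RDP rule
# that was never reverted, a web rule, an allow-everything rule, and a deny.
SAMPLE_RULES = """
# name          action proto src            ports
rdp-from-vpn    allow  tcp   10.8.0.0/16    3389
rdp-temp-open   allow  tcp   0.0.0.0/0      3389      # left open "for a day"
web-public      allow  tcp   0.0.0.0/0      80-443
all-any         allow  any   0.0.0.0/0      1-65535
rdp-block       deny   tcp   0.0.0.0/0      3389
"""

if __name__ == "__main__":
    for name in audit_rules(parse_rules(SAMPLE_RULES)):
        print(f"FINDING: rule '{name}' exposes RDP (TCP/{RDP_PORT}) to the internet")
```

Run against the sample, the audit reports `rdp-temp-open` and `all-any`; the VPN-scoped rule and the web rule pass. Scheduling a check like this against a nightly rule export is one way to catch the kind of accidental change described later on this page, where a port was left open for about a day.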

No type of malware completely fades away. Every threat that has ever been classified remains at large. The very first worms and malware ever written still exist and are capable of system infection. Some remain actively developed, maintained, and deployed by proficient black hat hackers. Other older viruses just persist, allowed to continue by poorly maintained systems, old distribution networks, and user complacency. Even when not actively used for data destruction, malware can remain a threat to system stability and continuity.

Do those charged with governance maintain proper security configurations according to best practices? How are your security configurations being tested and validated?

Ransomware continues to be successful because organizations don’t create a culture of defense or a sense of responsibility for data, their workforce isn’t equipped to stand up against cyber threats, the threats from malicious outsiders persist, and proper security configurations are not implemented. How is your organization preparing itself for a ransomware attack? How will you assure your clients that their sensitive data is protected? Contact us today to implement a plan for training your workforce, changing your company culture, and strengthening your cybersecurity practices.

More Ransomware and Cybersecurity Resources

What is Cybersecurity?

When Will it Happen to You? Top Cybersecurity Attacks You Could Face

Horror Stories – 5 Cities Victimized by Cyber Threats

Ransomware Alert: Lessons Learned from the City of Atlanta

Horror Stories – 5 Cities Victimized By Cyber Threats

Hospitals, airports, police departments, educational systems, court records, water services, payment portals, technology infrastructure – these cornerstones of the public sector are under attack every day from complex cyber threats. ICMA and Microsoft’s cybersecurity report claims that 44% of local governments are under attack daily. The FBI reports that over 4,000 ransomware attacks occur daily. This year, when the City of Atlanta was compromised by a ransomware attack, the nation realized the maturity of today’s cyber threats. Hackers from around the world are able to hold our cities hostage through cybersecurity attacks. Why are cities so vulnerable to cyber threats, and how do these cybersecurity attacks even work?

Why Are Cities So Vulnerable to Cyber Threats?

  1. Atlanta – In March 2018, the City of Atlanta suffered from a devastating ransomware attack by SamSam, costing the city more than $2 million in recovery. Multiple types of applications, both internal and customer-facing, were compromised. Thousands of city employees could not access their computers, court dates were rescheduled, water bill payments had to be made in person by check, traffic tickets could not be processed—this ransomware attack completely obstructed the day-to-day operations of the City of Atlanta. The City of Atlanta’s ISO/IEC 27001 ISMS Precertification Audit Report from January 2018, just two months prior to this ransomware attack, reveals that critical cybersecurity best practices were not being met from gaps in policies and procedures, definitions of scope, formal risk assessment processes, vendor management processes, data classification policies, and measurement, reporting, and communication related to risk.
  2. Los Angeles – In December 2016, L.A. County announced that 108 employees fell for a phishing email on May 13. Through this type of cybersecurity attack, the malicious individual was able to gain usernames and passwords for employees who had access to confidential information. Through a forensic investigation, the county found that the names, dates of birth, Social Security numbers, driver’s license numbers, banking information, payment card information, and medical treatment information of 756,000 individuals were potentially impacted by this phishing email.
  3. Baltimore – In March 2018, Baltimore’s 911 dispatch system was attacked, forcing staff to manually relay the details given by incoming callers. Obviously, this put a critical hold on the city’s ability to respond to emergencies. Fortunately, although this cybersecurity attack caused inefficient processes, the city didn’t see a slowdown in responders’ response times. Within a week of this hack, the city determined it was caused by ransomware. Frank Johnson, CIO in the Baltimore Mayor’s Office of Information Technology, called the attack a self-inflicted wound. Their IT team had inadvertently changed a firewall and left a port open for about 24 hours, likely letting the hackers into their network.
  4. San Francisco – When ransomware hit San Francisco’s light rail transit system in November 2016, the San Francisco Municipal Transportation Agency (SFMTA) had two choices: shut down the light rail or let users ride for free. On one of the busiest shopping weeks of the year, the agency let users ride for free. Fortunately, this cybersecurity attack did not impact the functionality of San Francisco’s buses, light rail, street cars, or cable cars. The attacker demanded a $73,000 ransom, but the agency informed the public, “The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.”
  5. Charlotte – In December 2017, a hacker was able to access one Mecklenburg County employee’s log-in credentials through a phishing email. From there, the ransomware attack was launched. About 200 systems were impacted, causing the county to shut down many parts of its network. Fortunately, backup data was available, so the county did not have to consider paying the $23,000 ransom. IT chief Keith Gregg said, “We could not be in the recovery process if we did not have backups.” To prevent a second attack wave, the county disabled employees’ ability to open certain types of emails. It took almost six weeks and thousands of dollars to rebuild servers, get employee email up and running, and secure the rest of their systems.

Lessons Learned from Cybersecurity in the Public Sector

The number and maturity of cyber threats targeting cities is growing every day. Oftentimes, local governments don’t see it coming or, even after the attack, can’t identify what type of cybersecurity attack hit them. This poses a major issue in mitigating cyber threats. Organizations within the public sector must cover all their bases, casting their preparation net far and wide.

In the five cities we discussed, data was not breached, and ransoms were not paid, but many cities aren’t that lucky. IBM Security and the Ponemon Institute report that in 2018, the average total cost of a data breach in the United States is $7.91 million, with the average stolen record costing $233. There are headlines of new data breaches every day – and the cyber threats are becoming more complex. As the cyber threats mature and the cost of a data breach becomes higher, cities must protect their technology infrastructures.

What are the obstacles? Lack of funds, lack of support from elected officials or management, lack of availability to train personnel, lack of cybersecurity awareness within the organization, and too many IT networks/systems within local government.

What should public sector organizations invest in? Cybersecurity awareness to citizens and elected officials, use of forensic services after incidents or breaches, cybersecurity exercises, vulnerability scanning and penetration testing, and competitive compensation for IT personnel.

These five cities don’t even come close to the number of reported breaches by municipalities. Have you been victimized by the cyber threats targeting the public sector?

More Cybersecurity Resources

National Cyber Strategy of the United States of America

Ransomware Alert: Lessons Learned from the City of Atlanta

When Will It Happen to You? Top Cybersecurity Attacks You Could Face

When Will It Happen to You? Top Cybersecurity Attacks You Could Face

In the 2017 Internet Crime Report, an estimated $1.4 billion was lost due to different types of cybersecurity attacks. So, what does that mean for your industry? Simply put: no organization is safe these days. Data breaches have been occurring much more frequently, and malicious hackers are looking for any weak link in your organization to compromise your security posture. You must learn how to protect yourself, your clients, and your data from malicious hackers by ensuring that your security posture is up-to-date, in place, and functioning properly. Let’s take a look at the common types of cybersecurity attacks, how organizations have been affected by them, and what you could be paying in the event that an attack happens to you.

Types of Social Engineering

Social engineering attacks occur every day and can put your organization, your employees, and your clients at risk. Social engineering is a type of cybersecurity attack that leverages and manipulates human interactions in order to gain unauthorized access to your organization. Social engineering targets your employees, from entry-level to C-level, in hopes that they will unintentionally compromise your organization. Types of social engineering attacks include:

  • Phishing: Involves some type of deceptive, false communication, usually intended to compromise credentials or inject malware. I’m guessing that in the last year, you’ve gotten at least one phishing email. These emails attempt to look legitimate, but when you click the embedded link or download the PDF, you compromise your systems.
  • Spear-Phishing: A more targeted, customized attack than phishing. In a spear-phishing attack, the target will see their name, position, office number, or some other piece of personalized information in an email, which tricks them into thinking the email is legitimate.
  • Whaling: When a spear-phisher makes a conscious decision to target C-level employees, this is considered whaling. The logic behind whaling is to attack the most senior-level employees because of their authority and amount of access. It’s not uncommon for whaling attacks to work, because so many executives do not participate in the same security training as other employees.
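The phishing, spear-phishing, and whaling messages described above share one observable trait: the sender is made to look like someone the recipient trusts, through a lookalike domain, a brand name in the display name, or both (the first post on this page notes that the most successful attempts impersonate popular brands, users, and domains). The script below is an added example, not KirkpatrickPrice tooling: it runs a few impersonation checks over `From:` headers. The protected-brand list, the confusable-character table, the two-label approximation of a registrable domain, and the sample headers are all assumptions for illustration.

```python
"""Flag sender impersonation in From: headers (added example, constructed data).

Checks, in order: a domain that equals a protected domain once digit/letter
look-alikes are normalised, a domain within two edits of a protected domain,
a protected brand embedded in a longer domain, and a protected brand name in
the display name while the address is not that brand's domain.
"""
from email.utils import parseaddr

# Assumed: your own domains and partners, each with the display name users expect.
PROTECTED = {"example.com": "Example Corp", "examplebank.com": "Example Bank"}

# Assumed confusables list; real deployments use a much larger table.
_DIGIT_MAP = str.maketrans("01357", "olest")
_PAIRS = (("rn", "m"), ("vv", "w"))


def normalize(domain: str) -> str:
    """Collapse common look-alike substitutions so 'examp1e.com' -> 'example.com'."""
    d = domain.lower()
    for pair, repl in _PAIRS:
        d = d.replace(pair, repl)
    return d.translate(_DIGIT_MAP)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(addr: str) -> str:
    """Last two labels of the address domain (approximation; use the Public Suffix List in production)."""
    domain = addr.rpartition("@")[2].strip().lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def assess_sender(from_header: str) -> list[str]:
    """Return the distinct impersonation findings for one From: header."""
    display, addr = parseaddr(from_header)
    domain = registrable_domain(addr)
    if domain in PROTECTED:          # genuine domain; authenticity is DMARC's job, not this check's
        return []
    findings: list[str] = []

    def add(reason: str) -> None:
        if reason not in findings:
            findings.append(reason)

    for brand_domain, brand_name in PROTECTED.items():
        if normalize(domain) == normalize(brand_domain):
            add("lookalike-domain")
        elif edit_distance(domain, brand_domain) <= 2:
            add("typosquat-domain")
        elif brand_domain.split(".")[0] in domain.split(".")[0]:
            add("brand-embedded-domain")
        if brand_name.lower() in display.lower():
            add("display-name-impersonation")
    return findings


def scan(headers: list[str]) -> dict[str, list[str]]:
    return {h: assess_sender(h) for h in headers}


# Constructed sample headers covering each failure mode plus two clean senders.
SAMPLE_HEADERS = [
    "Example Corp IT <helpdesk@example.com>",          # genuine
    "Example Corp IT <helpdesk@examp1e.com>",          # digit '1' for letter 'l'
    "Payroll <hr@exarnple.com>",                       # 'rn' rendered like 'm'
    "Example Corp <it@exampel.com>",                   # transposed letters
    "Example Bank <alerts@examplebank-secure.com>",    # brand embedded in a longer domain
    "Jane Doe <jane@partner.org>",                     # unrelated, clean
]

if __name__ == "__main__":
    for header, reasons in scan(SAMPLE_HEADERS).items():
        print(f"{header:50} {', '.join(reasons) or 'clean'}")
```

The checks are intentionally layered: a message can trip more than one, and a sender that trips none is still not proven legitimate, which is why the genuine-domain branch defers to SPF/DKIM/DMARC rather than declaring the message safe.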

In 2017 alone, the Internet Crime Report attributes $29.7 million lost due to social engineering attacks. Organizations such as LifeLock, SnapChat, and Seagate have been notable victims of social engineering attacks. Each of these organizations lost critical data such as employees’ social security numbers, W-2 tax information, email addresses, phone numbers, and dates of birth.

Can every single employee at your organization quickly identify a social engineering attack? Social engineering specifically counts on employees’ lack of awareness, inadequate security training, and informal usage policies. With the amount of phishing, spear-phishing, and whaling that occurs every day, employee awareness is crucial to the security of your organization.

Cybersecurity and Malware

Malware is a type of cybersecurity attack that compromises systems through external software that has been written specifically to cause harm. Ransomware, a type of sophisticated malware, is the attack method you’ve seen over and over again in the headlines. Ransomware essentially holds data hostage using encryption keys until the target pays the ransom. This type of malware attack exploits both human and technical weaknesses, and the result is usually a lose-lose scenario. Your organization could pay the ransom and recover the data, but then your ransom is funding other cybersecurity attacks. You could pay the ransom but never recover your data, and still have to pay the costs of repair. Or you could choose not to pay and not recover, but then you’ve lost your data and still have to pay the costs of repair. Think about the City of Atlanta: the ransomware attack by SamSam cost the city over $2.6 million in recovery efforts and took down major departments. The financial, reputational, and operational implications are exactly the reason why malware prevention is so important.

Ransomware attacks that have made headlines recently include:

  • WannaCry: Resulted in more than 200,000 infections across 100 countries within days, using leaked vulnerabilities found by the NSA. Britain’s National Health Service and Germany’s Deutsche Bahn were among the hardest hit. Ironically, the critical patch needed to prevent WannaCry was available before the attack began.
  • Petya: Global attack using the EternalBlue vulnerability in Microsoft Windows.
  • NotPetya: Suspected as a state-sponsored attack that represents a weaponization of ransomware; traditional recovery vectors outside of backups and business continuity planning were largely ineffective.

It’s worth noting that no type of malware completely fades away. Every threat that has ever been classified remains at large. The very first worms and malware ever written still exist and are capable of system infection. BlackEnergy, Storm, Conficker, and Duqu remain actively developed, maintained, and deployed by proficient black hat hackers. Other older viruses just persist, allowed to continue by poorly maintained systems, old distribution networks, and user complacency. Even when not actively used for data destruction, malware can remain a threat to system stability and continuity.

Denial of Service Attacks

A Denial of Service (DoS) attack is a type of external intrusion used by malicious hackers to shut down the web servers of organizations – banking, commerce, government, and trade companies – by flooding or crashing them and exploiting vulnerabilities in their systems. Similarly, a Distributed Denial of Service (DDoS) attack is a more extreme, complex form of DoS because hackers flood a system from more than one location, increasing the volume of machines hitting the target and making the attack more difficult to track and shut down.

These types of cybersecurity attacks prevent employees and other network users from using an organization’s systems, causing organizations to lose both time and money while trying to get their systems back up and running. Although DoS/DDoS attacks don’t often result in the loss of sensitive information, hackers frequently request a ransom. Cryptocurrencies have recently become large targets of DoS/DDoS attacks, with an attack against the cryptocurrency Verge resulting in around $1.7 million being stolen.

What do each of these types of cybersecurity attacks have in common? They each pose major financial, organizational, and reputational risks to all industries, regardless of the size or type of a business. Are you prepared for when, not if, one of these attacks happens to you? Contact us today for information on how we can support you and ensure that you have a strong security posture in place.

More Resources

5 Best Practices for Preventing Ransomware

Defend Yourself Against WannaCrypt

PCI Requirement 5: Protect All Systems Against Malware

Using the NIST Cybersecurity Framework to Protect PHI

SOC for Cybersecurity FAQs

Ransomware Alert: Lessons Learned from the City of Atlanta

What Happened in Atlanta?

On March 22, the City of Atlanta suffered an incredibly damaging ransomware attack from SamSam. Multiple types of applications, including internal and customer-facing applications that allow bill payment and access to court-related documents, were compromised. For over a week, a cross-functional incident response team made up of the FBI, the Department of Homeland Security, Microsoft, Cisco Security, and Dell SecureWorks has been working to find a resolution. In the meantime, the city’s operations have been completely disrupted. Thousands of city employees could not access their computers, court dates were rescheduled, water bill payments had to be made in person by check, traffic tickets could not be processed—this ransomware attack has obstructed the day-to-day operations of the City of Atlanta.

Fortunately, some key departments were left unharmed by this attack, including public safety, the water department, and Hartsfield-Jackson Atlanta International Airport. The city reported that there’s been no evidence so far that customer or employee data has been compromised.

Why Did This Ransomware Attack Happen?

The city hasn’t given an official statement on why, but speculation is that critical cybersecurity best practices were not being met. The City of Atlanta’s ISO/IEC 27001 ISMS Precertification Audit Report from January 2018, just two months prior to this ransomware attack, reveals that the city’s current Information Security Management System (ISMS) may not pass a certification audit based on gaps in policies and procedures, definitions of scope, formal risk assessment processes, vendor management processes, data classification policies, and measurement, reporting, and communication related to risk. This gap analysis speaks to the city’s current cybersecurity posture; in the past, we’ve seen that the city hasn’t always followed cybersecurity best practices.

In 2017, the City of Atlanta had five systems compromised because critical patches had not been applied. Rendition Infosec’s scan indicates that the city was not patching its vulnerable Internet-facing hosts from April 13, 2017 to May 1, 2017—more than a month after critical patches were released by Microsoft on March 14, 2017. This specific lapse in patching hasn’t been proven to be linked to Atlanta’s recent ransomware attack, but it at least shows that the city’s cybersecurity best practices are not sufficient.

How to Prepare for a Ransomware Attack

The City of Atlanta isn’t the only municipality to fall victim to ransomware, but this attack does represent a major escalation from the ransomware attacks we’ve seen so far. This year, Connecticut state agencies, the Colorado Department of Transportation, and the City of Allentown have all been hit by ransomware attacks. We see a trend of attackers targeting victims with limited IT budgets, hoping they will trade off paying a ransom against the risk of systems staying down. This trend is the state of affairs for many sectors, not just government.

Cybersecurity best practices offer protection from ransomware attacks. Because public safety services like 911, waste management and water control, and the airport were left unharmed by this attack, this tells us the City of Atlanta had implemented a critical cybersecurity best practice: segmentation. These essential departments were segmented from the rest of the city’s government services. But the City of Atlanta has been compromised for over a week—this length of time tells us they were not fully prepared for a cybersecurity attack.

From the recent cases, we’ve found that vulnerability management, backup systems, incident response, disaster recovery, and business continuity seem to be the most vulnerable areas among victims. To proactively prepare for a ransomware attack, we recommend implementing cybersecurity best practices in these areas:

  1. Vulnerability Management: We urge you to patch your systems in a timely manner, especially critical updates. The number one target of cyber criminals is known flaws left unpatched. Don’t leave a known vulnerability open to attack.
  2. Backup Systems: Victims of ransomware attacks are often pressured to pay a ransom from the threat of not being able to get back all of their data. Performing regular backups on entire machines can ensure that the data that is critical to your business will still be available after an attack, and can also help make the recovery and restoration process quicker and easier. You should also maintain and test offline backups since some online services are compromised during these types of attacks.
  3. Practicing Incident Response: Your organization’s response to a ransomware attack can’t be made up on the spot. It has to be documented, tested, and implemented. Failure to have an implemented incident response will leave your organization struggling to pick up the pieces following a breach.
  4. Practicing Disaster Recovery and Business Continuity Plans: Day-to-day operations will most certainly be impacted by a ransomware attack. Have you practiced the manual processes that you’ll need to implement if your systems go down?

Over a week later, the City of Atlanta is still working to fully recover from this ransomware attack. The city is updating the public whenever new services have been restored.

Does your organization update patches in a timely manner? Are your systems regularly backed up? Is your incident response plan in place? Don’t let your organization be the next headline. For more information on employee training, incident response, risk assessment, penetration testing, patch management, and other cybersecurity best practices, contact us today.

More Ransomware Preparation Resources

Compliance is Never Enough: Hardening and System Patching

PCI Demystified: Ensure All Systems and Software are Protected from Known Vulnerabilities

The Rise of Ransomware: Best Practices for Preventing Ransomware

Ransomware Alert: Defend Yourself Against WannaCrypt

Ransomware Alert: Defend Yourself Against WannaCrypt

On Friday, May 12th, 2017, a large ransomware attack was launched, known as WannaCrypt (a.k.a. WannaCry), which infected more than 230,000 computers across 150 countries, and counting. This unprecedented cyberattack has left organizations struggling in the aftermath as they try to recover. WannaCrypt demands payment of a ransom in bitcoin and has spread in several ways: through phishing emails and as a worm on unpatched computers.

The attackers responsible for WannaCrypt used the EternalBlue exploit which attacks computers running Microsoft Windows operating systems. Unfortunately, this could have been avoided by many had they installed the updated patch that was released as “critical” by Microsoft to mitigate this vulnerability on March 14th, 2017.

KirkpatrickPrice is urging organizations to update this patch immediately, and to always update patches in a timely manner – particularly critical updates. Organizations must be proactive with their security in order to defend against potential ransomware attacks. Here are four things your organization should do today to protect against a ransomware attack.

4 Things your Organization Should do Today to Prevent WannaCrypt Ransomware Attack:

  1. Update – Updating security patches and keeping operating systems up to date is a critical activity for preventing a malicious cyber-attack, such as WannaCrypt. As organizations have learned from this devastating ransomware, weaknesses in applications and operating systems are the target of malicious hackers. Don’t leave a known vulnerability open to attack.
  2. Backup – When organizations are victims of ransomware attacks, they are pressured to pay a ransom to get back all of their data and files that have been stolen and encrypted by the attackers. Performing regular backups on entire machines can ensure that the data that is critical to your business will still be available. Regularly performing backups for critical data, files, and systems can help make the recovery and restoration process quicker and easier.
  3. Train – Your weakest link will always be your employees. Ransomware targets the human element. Regularly training your employees to recognize and avoid phishing attempts and other strategically crafted social engineering attacks can lessen your chances of being the next WannaCrypt target. KirkpatrickPrice offers phishing assessments and security awareness training that can help spread awareness and educate the workforce.
  4. Test – Performing an advanced external penetration test is a strategic approach to identify weaknesses in network and application security, as would a hacker. Penetration tests allow you to identify and prioritize your risks in order to prevent hackers from infiltrating your critical systems. It can also help you avoid a costly breach and loss of business operability that ransomware attacks will cause.
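The Backup step above, like the Backup Systems recommendation in the Atlanta post earlier on this page, only pays off if a restore is actually tested and the restored files are the ones that were backed up, not copies that were encrypted or deleted before the backup job ran. The script below is an added example written for this page, not a KirkpatrickPrice tool: it records a SHA-256 manifest at backup time (to be kept offline alongside the backup) and later compares a test restore against it, reporting files that changed, files that never came back, and files that were not in the backup at all. The directory layout and sample files are constructed in a temporary directory so the script runs offline.

```python
"""Build a hash manifest of a backup set and verify a test restore against it.

Added example with constructed sample data; the paths and file contents are
made up so the script runs stand-alone in a temporary directory.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's POSIX-style path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree to the manifest recorded at backup time."""
    report: dict[str, list[str]] = {"ok": [], "changed": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if not p.is_file():
            report["missing"].append(rel)          # never restored
        elif sha256_file(p) != digest:
            report["changed"].append(rel)          # restored, but not the bytes we backed up
        else:
            report["ok"].append(rel)
    present = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    report["unexpected"] = sorted(present - manifest.keys())   # e.g. ransom notes, stray artifacts
    return report


def restore_is_good(report: dict[str, list[str]]) -> bool:
    """A restore test passes only when every manifest entry came back unchanged."""
    return not report["changed"] and not report["missing"]


def demo(tamper: bool = True) -> dict[str, list[str]]:
    """Construct a backup set and a restore; with tamper=True, inject the failures a test should catch."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("2018-03,payroll,12000\n")
        (source / "readme.txt").write_text("constructed sample data\n")
        manifest = build_manifest(source)          # record at backup time, store offline

        restored = Path(tmp) / "restored"
        shutil.copytree(source, restored)
        if tamper:
            # Simulated failure modes: a file overwritten with ciphertext, a file that
            # was never restored, and a ransom note that was captured in the backup.
            (restored / "finance" / "ledger.csv").write_bytes(b"\x8a\x1f\x07\x3c\xd9\x41")
            (restored / "readme.txt").unlink()
            (restored / "README.txt.locked").write_text("your files are encrypted\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for label, ok in (("clean restore", demo(tamper=False)), ("tampered restore", demo())):
        print(f"{label}: {'PASS' if restore_is_good(ok) else 'FAIL'} {ok}")
```

The manifest matters as much as the backup: if it is stored on the same network share as the backup, an attacker who encrypts one can encrypt both. Keep it with the offline copy, and treat any `changed` or `missing` entry as a failed restore test rather than something to explain away.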

Don’t wait until it’s too late and you’ve become the next victim of a devastating ransomware attack like WannaCrypt. Do these things to prevent a ransomware attack today and don’t forget to perform regular risk assessments to ensure that you’re properly protecting your organization against any and all malicious threats. For more information about ransomware prevention or risk assessments, contact us today.