Tuesday, March 29, 2016

NIST Cybersecurity Framework Adoption Linked to Higher Security Confidence

More organizations plan to adopt the NIST Cybersecurity Framework in the next 12 months than any other IT security framework, yet many struggle to implement the full range of best practices.

COLUMBIA, Md.--(BUSINESS WIRE)--Tenable Network Security revealed today that overall security confidence was higher for organizations leveraging the U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), according to findings from the Trends in Security Framework Adoption Survey (PDF).

We recently published the definitive guide to the NIST Cybersecurity Framework.

A Guide to the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (2.0) by Dan Shoemaker, Anne Kohnke, and Ken Sigler

• Explains the Department of Homeland Security (DHS) National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (2.0)

• Gives an overview explication of the framework, its concepts, the underlying relationships between the areas, and the general content of those areas

• Provides a road map that allows you to understand the application and uses of the NICE content, as well as applications of this book in training situations

• Aligns with and explains the requirements of a national level initiative to standardize the study of information security (first book to do so)

The Evolution of Ransomware

A recent study titled "Battling the Big Hack," by IT professional network Spiceworks, found that 80% of organizations experienced an IT security incident in 2015, with 53% of respondents concerned about ransomware in 2016. But how did we get here? And how can we avoid these growing attacks in the coming year and beyond? In general, all ransomware works the same way in that it tries to extort money from a user, but each variant does something slightly different.

This article discusses the history of ransomware from the first known ransomware to GPCode (RSA encryption schemes), CryptoLocker (Bitcoin transactions), CryptoWall (targeting Windows), and Locky, with many others in between. It closes out the discussion with 2016 ransomware predictions, as well as how to mitigate future malware attacks.

Wednesday, March 23, 2016

Why Most Companies Are Easy Prey for Cyber Attackers

Alarming Data Reveals Why Most Companies Are Easy Prey for Cyber Attackers

LONDON, UK, March 22, 2016 – Varonis Systems, Inc. today revealed the results of a year of anonymous data collected during risk assessments conducted for potential customers on a limited subset of their file systems. The 2015 results show a staggering level of exposure in corporate file systems, including an average of 9.9 million files per assessment that were accessible by every employee in the company.

Of the insights gleaned from dozens of customer risk assessments conducted in mid-to-large enterprises prior to remediation, in a subset of each company’s file systems, Varonis found the average company had:
  • 35.3 million files, stored in 4 million folders, meaning the average folder has 8.8 files
  • 1.1 million folders, or an average of 28% of all folders, with “everyone” group permission enabled – open to all network users
  • 9.9 million files that were accessible by every employee in the company regardless of their roles
  • 2.8 million folders, or 70% of all folders, contained stale data – untouched for the past six months
  • 25,000 user accounts, with 7,700 of them or 31% “stale” – having not logged in for the past 60 days, suggesting former employees, employees who changed roles, or consultants and contractors whose engagements have ended
The ‘everyone’ group is a common convenience for permissions when they are originally set up. That mass access also makes it astonishingly easy for attackers to steal company data.

Some individual companies’ lowlights that were gleaned from the Varonis risk assessments:
  • In one company, every employee had access to 82% of the 6.1 million total folders.
  • Another company had more than 2 million files containing sensitive data (credit card, social security or account numbers) that everyone in the company could access.
  • 50% of another company’s folders had “everyone” group permission and more than 14,000 files in those folders were found to contain sensitive data.
  • A single company had more than 146,000 stale users – accounts whose users had not logged in for the past 60 days. That’s nearly three times more users than the average FORTUNE 500 company has total employees.
David Gibson, Vice President of Strategy and Market Development at Varonis, said, “Although this data presents a bleak look at the average enterprise’s corporate file system environment, the organizations running these risk assessments are taking these challenges seriously. Most of them have since implemented Varonis, embracing a more holistic view of the data on their file and email systems and closing these gaping, often unseen security holes before the next major breach causes heavy damage. Our software is able to provide a granular look at where sensitive data lives, where it is over-exposed within an organization, who is accessing that data, and how to lock it down. While that remediation process is running, our ability to start detecting and stopping many types of insider threats has been a major revelation for our customers.”
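The two exposures the Varonis numbers above measure, folders open to the “everyone” group and accounts with no logon in 60 days, can be checked in your own environment without a product. The PowerShell below is an added example, not Varonis code; it assumes a domain-joined host with the ActiveDirectory module, and `$ShareRoot` is a placeholder path to replace.

```powershell
# Added example (not Varonis code): report folders under a share root whose ACL
# grants Everyone (SID S-1-1-0) access, and enabled AD accounts with no logon in
# the last $StaleDays days (the survey's 60-day "stale" threshold).
# Assumptions: ActiveDirectory module installed; $ShareRoot is a placeholder.
param(
    [string]$ShareRoot = '\\fileserver\share',   # placeholder, replace
    [int]$StaleDays = 60
)

Import-Module ActiveDirectory

# 1. Folders with an Allow ACE for the built-in Everyone group.
$everyoneSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$everyone = $everyoneSid.Translate([System.Security.Principal.NTAccount]).Value

$folders = @(Get-ChildItem -Path $ShareRoot -Directory -Recurse -ErrorAction SilentlyContinue)
$open = @(foreach ($f in $folders) {
    $acl = Get-Acl -Path $f.FullName -ErrorAction SilentlyContinue
    if ($null -eq $acl) { continue }
    $hit = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $everyone -and $_.AccessControlType -eq 'Allow'
    })
    if ($hit.Count -gt 0) {
        [pscustomobject]@{
            Folder    = $f.FullName
            Rights    = (($hit | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; ')
            Inherited = ($hit.IsInherited -contains $true)   # inherited ACEs mean the parent is the fix
        }
    }
})

# 2. Enabled accounts whose last logon is older than the cutoff.
# Note: accounts that have never logged in have no LastLogonDate and are not matched here.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale = @(Get-ADUser -Filter { Enabled -eq $true -and LastLogonDate -lt $cutoff } `
    -Properties LastLogonDate | Select-Object SamAccountName, LastLogonDate)

# 3. Headline numbers in the same form the survey quotes, plus CSVs for remediation.
$pctOpen = if ($folders.Count -gt 0) { [math]::Round(100 * $open.Count / $folders.Count, 1) } else { 0 }
"{0} of {1} folders ({2}%) grant Everyone access" -f $open.Count, $folders.Count, $pctOpen
"{0} enabled accounts have not logged in for {1}+ days" -f $stale.Count, $StaleDays
$open  | Export-Csv -Path .\everyone-folders.csv -NoTypeInformation
$stale | Export-Csv -Path .\stale-users.csv -NoTypeInformation
```

Run it against one share at a time; on large trees the recursive ACL walk is the slow part, so sample a subset first as the survey did.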

New Hybrid Ransomware Targets Backups

Guard against Targeted Hybrid Ransomware

New FBI and Microsoft alerts drive home the exponential growth and innovation of ransomware attacks

(Clearwater, FL) March 22, 2016 -- KnowBe4 cautioned companies to heed new FBI and Microsoft alerts warning of hybrid targeted ransomware attacks that attempt to encrypt an organization’s entire network. Criminal hackers have upped the ante and changed their approach: they penetrate a network, wipe out all backups, infect all key machines with ransomware and then demand payment. The latest method uses a little-known strain of ransomware called "Samas," first discovered in 2014. According to research reports by Microsoft, the majority of infections thus far have been detected in North America, with a few instances in Europe.

KnowBe4’s CEO Stu Sjouwerman said, “It is not clear yet if the current attack starts with phishing emails which infect a single workstation with ransomware and then installs a Trojan that allows the hackers into the network, or if the network gets penetrated first and subsequently gets infected with ransomware. It could very well be that both attack vectors are used.”

Microsoft posted their technical analysis of Samas on TechNet with a detailed overview, noting that first an attack scan is launched looking for vulnerabilities, and then the malware is deployed using the PsExec tool.

The FBI issued the first alert (PDF) on Feb 18, 2016, and Microsoft published their analysis on March 17, 2016. Intel Security also published a PDF with more details about this hybrid attack. The FBI calls it an "aggressive campaign" which initially targeted vulnerable JBoss applications, allowing the hackers in and then infecting the network.

Intel said: "During the past few weeks, we have received information about a new campaign of targeted ransomware attacks. Instead of the normal modus operandi (phishing attacks or drive-by downloads that lead to automatic execution of ransomware), the attackers gained persistent access to the victim’s network through vulnerability exploitation and spread their access to any connected systems that they could. On each system several tools were used to find, encrypt, and delete the original files as well as any backups.

These tools included utilities from Microsoft Sysinternals and parts of open-source projects. After the encryption of the files, a ransom note appears, demanding a payment in Bitcoins to retrieve the files. By separating particular functions from the ransomware binary, executing certain actions using free available tools and scripts, the adversaries tried to avoid detection as much as possible. This is unlike most ransomware cases that spread wherever possible."

Sjouwerman commented, “It looks like targeted ransomware attacks have indeed arrived and will be around awhile."

KnowBe4 offered tips on prevention and mitigation:

1. Keep all software applications up to date and patched

2. Use strong passwords

3. Disable the loading of macros in Office programs through the Group Policy settings described in an earlier KnowBe4 post

4. Implement a strong backup and recovery policy, such as the 3-2-1 rule (3 copies, 2 different media, 1 offsite).

Thursday, March 17, 2016

PCI Audit Checklist

Do PCI audits feel like dental work for your organization? You put the time in to prepare only to find you need to do (or redo) even more to pass audits.

Don’t dread your next audit. Read Tripwire's PCI checklist to learn how to get a clean checkup - every time.

Tuesday, March 15, 2016

Deadly Dridex Gang Muscles Into Ransomware Racket

March 15, 2016 -- Ransomware is moving rapidly into the malware mainstream. One of the driving factors is the high dollar numbers being racked up by the notorious Dridex banking Trojan gang, which is muscling into ransomware with their new Locky strain. Locky was linked to the Dridex gang by IT security companies Palo Alto Networks and Proofpoint. The Russian Dridex group is the most prominent banking-malware operation and has taken the lead from CryptoWall.

According to KnowBe4 CEO Stu Sjouwerman, “Ransomware is seeing unprecedented growth with cyber-gangs competing for criminal market share. This competition has spurred furious innovation in strategy and tactics and we see ransomware taking the lead in criminal business models. It isn’t going to get easier. The only way around these tactics is to recognize the Red Flags and inoculate your employees with effective security awareness training and simulated phishing tests.”

The Dridex Locky ransomware strain isn't more sophisticated than other latest-generation crypto-ransom malware, but it is spreading rapidly to victim systems. Forbes claims Locky is infecting approximately 90,000 systems per day (that’s over 1 per second) and it typically asks users for 0.5-1 Bitcoin (~420 dollars) to unlock their systems. Locky is disseminated through phishing emails containing Microsoft Word attachments. Each binary of Locky is reportedly uniquely hashed; consequently, signature-based detection by a traditional antivirus product is nearly impossible.

The Dridex gang is the 800-pound gorilla of banking Trojans. Apparently they have seen the profit potential of ransomware and leveraged their extensive criminal infrastructure to get their Locky strain infecting as many machines as possible. Consequently, financial institutions are likely the next major sector to be actively targeted. The FBI just stated that the threat from ransomware is expected to grow, according to an interview in the WSJ.

In the past few days, the Dridex botnet has sent at least 4 million phishing emails with a zip file as the attachment. The zip file contains a JavaScript file which downloads and installs Locky.

What to do about it
1. Block any and all emails with .zip attachments or macros at your email gateway level.
2. Disable Adobe Flash Player, Java and Silverlight if possible. These are used as attack vectors.
3. Step all employees through effective security awareness training, so they can recognize the red flags related to ransomware attacks.
4. Print out this free job aid, laminate it, and hand it out to employees so they can pin it on their wall.
5. Do a phishing security test on your users and find out if they are going to click on something they shouldn't.

SOURCE: Michael Becce, MRB Public Relations, Inc.

Monday, March 14, 2016

Free IoT Security e-book

IoT Security has been identified by Gartner as one of the Top 10 technology areas that should be on every organization's radar in 2017 and 2018. Billions of devices are expected to generate more than 40 zettabytes of data annually by the year 2020. While the Internet of Things promises many benefits to individuals and enterprises, the unprecedented growth in devices, data and connections leads to bigger security threats. Gemalto's IoT Security e-book discusses the impact of security breaches in a connected world. Learn about the key pillars that form the foundation of a secure IoT infrastructure: securing the device, securing the cloud, and security lifecycle management.

When you're ready to learn more or to do something about it, see "Security and Privacy in Internet of Things (IoTs): Models, Algorithms, and Implementations."