Wednesday, 25 May 2016

The Online Extortion Trend

Over the last 12 months, ransomware has rapidly become one of the most prevalent information security threats to a vast number of organisations of any size, as well as the individual consumer. It is a highly lucrative opportunity for criminals and is claiming a growing list of victims. Indeed, at Cyberis, we have experienced a significant upward trend in incident response services and requests for our advice due to ransomware events.

Any organisation with a reasonable threat and vulnerability management programme should have predicted that the ransomware threat was likely to increase significantly, right? Well, take a look back at the ‘Cyber Security Predictions for 2015’ that so many information security professionals passionately compose, and compare them to the 2016 predictions. Many focussed on new technologies on the threat horizon while overlooking the new opportunities open to threat sources and actors. Assessment of criminals’ motivation for using cryptocurrencies, which provide anonymity and ease the process of money laundering, has been overshadowed by popular interest in the Internet of Things, with much attention drawn to hacking of the latest consumer products.

Many security vendors and professionals failed to predict criminals’ advances in social engineering techniques for delivery of ransomware, particularly in the credibility of spear-phishing, and the rapid and continuous advancement of increasingly sophisticated payloads.

Organisations have been ill-prepared in managing the risks associated with ransomware, especially in corrective controls and business continuity. As a threat which primarily affects the availability of data, many have been caught off-guard due to poor data management practices and inadequately scoped backups. As a result, some organisations have had little alternative but to pay the ransom demands.

Ultimately, a robust backup strategy with clear recovery objectives, albeit a corrective control, is the single most important step any organisation can take when managing the ransomware risk. Knowing which data assets need to be backed up and at what frequency, clearly identifying known-good backups, and protecting the backup data itself are essential.
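One concrete way to make "known-good" backups identifiable is to seal a hash manifest of the backup set with a key that is held away from the backup host, and to verify against it before relying on a restore point. The following is an added illustration written for this page, not Cyberis code; the file names, contents and the demonstration key are constructed, and a real key would live in a vault rather than in the script.

```python
"""Added illustration (not Cyberis code): identify known-good backups and
detect tampering with a keyed (HMAC) manifest of SHA-256 file hashes."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def list_hashes(backup_dir: Path) -> dict:
    return {str(p.relative_to(backup_dir)): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Record every file's SHA-256, then seal the listing with an HMAC so the
    manifest cannot be silently rewritten by whoever alters the files."""
    files = list_hashes(backup_dir)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, "sha256").hexdigest()}


def verify_backup(backup_dir: Path, manifest: dict, key: bytes) -> dict:
    """Report whether the manifest seal holds and how the files differ from it."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    sealed = hmac.compare_digest(manifest["hmac"],
                                 hmac.new(key, body, "sha256").hexdigest())
    current = list_hashes(backup_dir)
    expected = manifest["files"]
    modified = sorted(n for n in expected if n in current and current[n] != expected[n])
    missing = sorted(n for n in expected if n not in current)
    unexpected = sorted(n for n in current if n not in expected)
    return {"sealed": sealed, "modified": modified, "missing": missing,
            "unexpected": unexpected,
            "known_good": sealed and not (modified or missing or unexpected)}


def demo() -> tuple:
    """Constructed scenario: seal a small backup set, then corrupt and rename a
    file, then try to cover the change by editing the manifest listing."""
    key = b"constructed-demo-key-real-keys-belong-in-a-vault"
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "ledger.csv").write_text("id,amount\n1,100\n")
        (backup / "notes.txt").write_text("quarterly notes\n")
        manifest = build_manifest(backup, key)
        before = verify_backup(backup, manifest, key)

        # Damage: content replaced with random bytes and the original name gone.
        (backup / "ledger.csv").write_bytes(os.urandom(32))
        (backup / "ledger.csv").rename(backup / "ledger.csv.locked")
        after = verify_backup(backup, manifest, key)

        # Cover-up attempt: rewrite the listing to match the damaged files but
        # without the key the old seal no longer matches.
        forged = {"files": list_hashes(backup), "hmac": manifest["hmac"]}
        forged_check = verify_backup(backup, forged, key)
    return before, after, forged_check


if __name__ == "__main__":
    for label, report in zip(("sealed set", "after damage", "forged manifest"), demo()):
        print(label, report)
```

The seal is what turns a hash list into a "known-good" marker: a plain list of hashes stored next to the backups can be regenerated by anything that can write to the backup location, whereas the HMAC can only be reproduced with the key.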

Preventive controls for SMEs

It is disappointing to observe the commercialisation of controls aimed at the SME market, branded as ‘anti-ransomware’ solutions and marketed with fear, uncertainty and doubt tactics which present ransomware as an entirely different threat from malware, which of course it is not. There are numerous vendor and independent views on the web conveying their message regarding the most effective ransomware controls; however, there is no panacea or 100% effective defence strategy. Like any malware developed by well-resourced, capable and motivated threat sources, it is not a straightforward threat to manage.

The preventive controls that an organisation selects should be assessed using its normal risk management methodology, weighing, amongst other things, the business impacts against the cost of controls. Organisations should also avoid addressing ransomware in isolation, treating it instead as part of their overall cybersecurity programme.

The principal controls associated with the government-backed Cyber Essentials scheme provide a good baseline set of technical controls. All five technical controls provide basic cyber protection and are all relevant to ransomware prevention:

  • Boundary firewalls and internet gateways
  • Secure configuration
  • User access controls
  • Malware protection
  • Patch management

According to a number of trusted sources, phishing is currently the number one delivery mechanism for malware, including ransomware, in the UK. For that reason, technical controls must be supported by education and awareness of the threat. The wider advice in the government’s '10 Steps to Cyber Security' initiative should therefore be considered as a more comprehensive framework for the prevention of ransomware.

Alongside a robust backup strategy, Cyberis recommends that focus is given to the following preventive controls (EEE) which should not be cost prohibitive for any organisation:

Education – ensure all staff are adequately and regularly trained on all cyber risks to the organisation; this includes awareness of how phishing and spear-phishing attacks exploit human weaknesses.

End-Point Protection – this requires consideration of several controls:

  • Antivirus software, which is kept up-to-date, remains an important control; despite the hype that antivirus software is obsolete because malware signatures change rapidly, protection against known ransomware signatures in the wild still makes sense, as long as it is not relied upon as an exclusive control. In addition to end-point protection, antivirus controls should be implemented in layers across the infrastructure; organisations should consider using different vendors on servers and email gateways.
  • Security patching. Many forms of malware exploit known software vulnerabilities and therefore timely patching of systems, including operating systems and software, is important. Any operating systems and software not supported by the vendor should be decommissioned.
  • Access rights and permissions. In the first instance, review the administrative rights of users – don’t give users administrative or privileged access if they don’t need it; also ensure that permission to execute files is restricted. Then, restrict wider access and permissions to data in the organisation – preventing write-access to data will restrict the encryption scope of ransomware.
  • Software Restriction Policy (SRP) is a feature of Windows that provides greater control over which software is permitted to execute, blocking unauthorised software. When SRP is carefully implemented, in combination with limited user access rights and permissions, it can act as a significant malware control. Read the Cyberis blog posted in 2011 for further information: http://blog.cyberis.co.uk/2011/02/how-prevent-virus-infections-in-three.html

Examination – regularly test the effectiveness of the full extent of technical and educational security controls; assess the perimeter controls, end-point protection and staff awareness; consider annual Cyber Essentials Plus certification in this process.

These controls are equally of value to larger organisations in their overall risk treatment strategy. Lastly, detective controls can also play an important role in thwarting a ransomware attack. Caught early enough, an organisation may be able to stop the attack and restore the affected files.

Friday, 6 May 2016

PCI DSS 3.2 Arrival

Another version of PCI DSS was released by the PCI Security Standards Council on 28 April 2016 - PCI DSS v3.2. The SSC comments that the industry should expect more incremental revisions in the future, to address the changing threat and payment landscape.

What are the technical headlines?

Extended migration deadlines from SSL/early TLS. This update mandates the extended migration deadlines for removal of SSL/early TLS (1.0). The new deadline is 30 June 2018 (with specific deadlines for service providers), with some caveats in POS POI environments. Prior to the deadline, existing implementations of SSL/early TLS must have a formal Risk Mitigation and Migration Plan (RMMP) in place.

The bulletin published in December 2015 (refer to link below) is still technically current; only the deadlines have been superseded. TLS 1.2 is currently the preferred protocol, and early migration is strongly encouraged by the SSC.
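A migration plan needs an inventory of which endpoints still negotiate the old protocols, and that is something an organisation can measure for itself rather than take on trust. The following probe is an added example written for this page, not PCI SSC or Cyberis tooling; it pins a client context to a single protocol version per handshake and judges the outcome against the rule stated above (SSL/TLS 1.0 must go, TLS 1.2 preferred). The host name in the usage block is a placeholder, and it should only be pointed at systems you are responsible for.

```python
"""Added example (not from the PCI SSC or Cyberis): probe which TLS versions an
endpoint accepts and assess the result against the PCI DSS 3.2 rule on
SSL/early TLS (1.0) removal and TLS 1.2 as the preferred protocol."""
import socket
import ssl

# Versions to try, oldest first. Modern Python cannot request SSLv2/SSLv3 at
# all, so those are reported only through the assessment, never offered.
PROBE_ORDER = ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")


def probe_context(version_name: str):
    """Client context pinned to exactly one protocol version. Returns None when
    the local OpenSSL build refuses to even offer that version, which is itself a
    useful signal (the probing host has already been hardened)."""
    version = ssl.TLSVersion[version_name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # we are measuring version support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Relax the local cipher policy so an old version is not blocked locally
        # before the server has a chance to answer.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """One handshake attempt per version. True = negotiated, False = refused by
    the server, None = the local library could not offer it."""
    results = {}
    for name in PROBE_ORDER:
        ctx = probe_context(name)
        if ctx is None:
            results[name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            results[name] = False
    return results


def assess(results: dict) -> dict:
    """Apply the page's rule to a probe result (or to a constructed one)."""
    findings = []
    if results.get("TLSv1"):
        findings.append("accepts TLS 1.0 (early TLS): must be removed and needs an RMMP until then")
    if not results.get("TLSv1_2"):
        findings.append("does not accept TLS 1.2, the preferred protocol")
    return {"compliant": not findings, "findings": findings}


if __name__ == "__main__":
    target = "example.invalid"   # placeholder: replace with a host you own
    observed = probe(target)
    print(observed)
    print(assess(observed))
```

Because TLS 1.0 is pinned as both minimum and maximum, a successful handshake on that row is unambiguous evidence the server still speaks early TLS; a `None` on that row means the scanning workstation itself can no longer offer it and a different vantage point is needed for that test.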

Penetration tests every six months for service providers. Effective from 1 Feb 2018, service providers must perform penetration testing on segmentation controls to ensure the segmented environment is truly isolated, at least every six months, rather than annually.

Multi-factor authentication (MFA) scope expansion. The standard now mandates MFA for all individual non-console administrative access to systems handling card data; this is in addition to the existing requirement for MFA for all remote access to the CDE. This is also effective from 1 Feb 2018.

Full details

Details of the changes in full and guidance, including the new DESV requirements for service providers and minor changes to PAN masking, can be found in the full standard and summary of changes: