For official information on the COVID-19 outbreak in South Africa, go to www.sacoronavirus.co.za

Ransomware Part 2 - Address your Risk

By Carel Krogh on 07 March 2017

So is prevention practical or achievable? Well, not really, it is open for interpretation, almost like art. Is insurance a preventative control? That will depend on the type of data. It all becomes a bit fuzzy and grey the more you delve into it.

How to address your risk

Let’s take a step back. What are the basics to ensure there is at least a basic level of protection to address the risk. Basic security principles will set you up to defend at least against non-specific attacks against your infrastructure. This list is by no means exhaustive as the attacks evolve on a continuous basis.

1. User education, awareness and training

This is your best line of defence, and probably where the control failure will originate from as users are normally the ones responsible for circumvention of technical security controls. Make your users aware of the threat, and empower them to take action when they encounter suspicious emails in the form of tools like checklist on what not to do and what to do when they encounter suspicious emails. Encourage them to adopt best practices.

 

2 Backup regularly & keep a recent copy off-site

This practice will cover a variety of risks as there are other events than can cause files to disappear, such as theft, fire, hardware failures, floods or even an accidental deletions. Regular back-ups as part of your business continuity plan is absolutely key and there are various sources available online to guide you in setting up a proper backup and recovery plan.

 

3 Don’t enable macros in email attachments 

Microsoft turned off auto-execution of macros by default as a security measure. Many variants of ransomware will try and persuade you to turn macros back on, so don’t get fooled into doing it!

 

4 Be cautious about unsolicited attachments

Criminals rely on the fact that you can’t tell if the file or attachment is the one you want until you open it. If unsure, ignore and do not open the attachment.

 

5 Limit administrator privileges on devices

There is a security term you need to familiarize yourself with called least privilege. The ideal would be to give a user just enough privileges to perform his job, and nothing more. Never stay logged in as an administrator any longer than necessary and avoid browsing, opening documents, or other regular work activities while you have administrator rights. Understand what your users are doing in order to lock down and secure the environment.

 

6 Perform software patching early and often

Malware, specifically those that don’t come in via a document, often relies on exploitation of security vulnerabilities in popular applications, such as Microsoft Office, your Internet browser, Flash, and more. The sooner you patch, the fewer vulnerabilities there are to be exploited. According to Flexera Software, the number of vulnerabilities detected in 2016 were 16,081, discovered in 2,484 applications from 263 vendors, which makes the threat a very real one.

 

7 Use security features in your business applications

For instance, Office 2016 includes a “Block macros from running in Office files from the internet” control feature, which helps protect against external malicious content without stopping you using macros internally. It makes sense to look at the application you use to determine how they can contribute to a better security posture. Analyse the environment to ensure you are running the latest registered official versions of software as they will most probably have the latest and greatest bug fixes and controls included.

 

But should you pay them?


Damned if you do, damned if you don`t. If you subscribe to the FBI approach, they suggest you pay. Again, one should consider the data and the recovery strategy you have in place. Only pay if the data is that critical and there is absolutely no way to recover it. The problem is that once you start paying, you are flagged as a payer. Criminals will often pitch the initial ransom at a very small value to test whether the target will pay. If successful, the monetary value might increase incrementally, with different encryption keys every time making the re-use of a once off payment key void. There are documented cases where desperate people looked for tools on the Internet to decrypt, only to find secondary ransomware which encrypted the data again, resulting in 2 payments to get the data back. So you can see the choice is not so simple and it remains a huge gamble to pay the ransom.

 

In summary

Ransomware has quickly emerged as one of the most dangerous cyber threats with global losses now likely running to hundreds of millions of dollars. Historical statistics peg the average number of ransomware infections throughout the majority of 2015 between 23,000 and 35,000 per month, according to Symantec. This spiked to 56,000 in March 2016 when a new variant called Locky was released into the wild. Statistics also show that approximately $209 million was paid to criminals in the first quarter of 2016, and the FBI estimates are even higher. They have expected $1 billion ransom as the mediocre annual income of cyber criminals. Ransom demand for every attack has seen a jump from $294 to $679 in 2016 as criminals are now demanding more than double the ransom they demanded in 2015. It will be a mistake to think that South African business will not be affected as it is a global problem at the moment.

Be proactive, be prepared and be aware.

 

Glossary of Technical Terms

 

Decryption key
In cryptography, a key is a piece of information (a parameter) that determines the functional output of a cryptographic algorithm. For encryption algorithms, a key specifies the transformation of plaintext into ciphertext, and vice versa for decryption algorithms.

 

Least privileged
The principle of least privilege (POLP) is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs.

 

Macro
A macro in computer science is a rule or pattern that specifies how a certain input sequence (often a sequence of characters) should be mapped to a replacement input sequence (also often a sequence of characters) according to a defined procedure. In some software, a sequence of instructions can be associated to a keyboard or mouse action. Macros can be very useful to software users. They simplify regularly used actions so that the productivity of the user is increased.

 

Malware
Malware, short for malicious software, is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.

Spear Phishing
Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication

 

Vulnerability
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw

 

REFERENCES

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf
https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-dec-2016.pdf
https://www2.fireeye.com/WEB-RPT-2017-Cyber-Security-Predictions.html
http://resources.flexerasoftware.com/web/pdf/Research-SVM-Vulnerability-Review-2016.pdf

 

 


Related Articles

Ransomware: Rate your Risk - Part 1

By 0 on 15 February 2017

You unlock the factory office, sit down in front of your computer, ready for the month end financial administration and payroll cycle. But it is not your book keeping software that greets you, but a message banner requiring a ransom payment of $200......

IT Building Blocks: Crisis Management Plan Part 2

By 0 on 24 October 2016

Having a crisis management plan assures your company protects its consumers, your company’s reputation, and brand, and avoids or minimizes financial implications in event a crisis were to occur. Every minute counts and how you respond to a crisis is critical to the outcome. ...

IT Building Blocks: Crisis Management Plan Part 1

By 0 on 24 October 2016

Having a crisis management plan assures your company protects its consumers, your company’s reputation, and brand, and avoids or minimizes financial implications in event a crisis were to occur. Every minute counts and how you respond to a crisis is critical to the outcome....