Town dusts off typewriters after cyber-attack

This story appeared on the BBC website the other day. Basically the town’s borough council was hit with ransomware and their systems were brought to their knees.

It’s not unusual for one or two devices in an organisation to be infected with Ransomware. Typically those devices are isolated from the network and all other machines checked to ensure that patching and antivirus signatures are up to date. In this case, it would appear that the entire network, including servers, has been infected and devices are having to be built from scratch, with alternative technology (typewriters – some younger readers may need to look these up) being used in the meantime.

This incident immediately raises a number of questions:

  • How did the organisation allow all machines to get infected?
  • Did they have an incident response plan and did it include this scenario?
  • Were there patching and antivirus regimes appropriate, and was there any kind of reporting in place to identify gaps?
  • Does the organisation have a standard build, and were the build states of all 500 devices known?
  • If the ransomware has been dormant since May, does that mean that backups are also infected? How does the organisation know that restoring from backup won’t reinfect their network?
  • What scanning of incoming attachments was carried out?
  • What training have staff had in respect of phishing emails and incident response procedures?

From those questions, it is relatively easy to identify what good practice would be e.g. document and test your incident response plans, make sure patching is kept up to date, and train your staff.

M is for …

MacOS

This is the Operating System used by Apple Macintosh desktop computers, not to be confused with that used by their smartphone and tablet devices which is iOS.

Man in the middle (MITM)

As the name suggests, this is a form of hacking where network traffic or messages are intercepted by someone sitting between the sender and intended recipient.

Typically, the attacker will either take a copy of the traffic so they can see what was being sent, or they will actually change the content of the traffic.

For example, they may change an email which says “I do not want to buy this product” to “I want to buy this product”. It’s therefore quite a dangerous means of attack, particularly as the recipient may not know the messages have been intercepted.

Malware

This is the catch-all term for all types of software which is “bad”, including viruses, worms, trojans and ransomware. Antivirus software is now often labelled Antimalware because it does much more than simply protect against viruses.

Do you have privacy fatigue?

It’s a fact of life these days that we constantly seem to have people giving out dire warnings about being careful what information you share online, who can overhear you giving out your credit card numbers etc. It seems like we’re being warned that there are ears everywhere.

Do you know what? There are.

But these constant messages of your impending doom could also have a negative effect, a sort of “it doesn’t matter what I do, the bad guys will get my data anyway” attitude. This sort of apathy and resignation could be a form of privacy fatigue, and is discussed in this excellent article which my better half kindly shared with me.

It describes how you can tell if you’re suffering from privacy fatigue, and explains what the term means and is based on academic research, which I liked.

There are a couple of points to note about the article though: the sample was quite small – less than 400 people, and the demographic was quite narrow – only people in their 40s and early 50s.

Perhaps the biggest shortcoming in the article as far as I could see was that it didn’t talk about the “so what” aspect of what it had to say (but then it’s in a psychology publication, not a security one so that makes sense). What are the risks of sharing, and why is it important not to become fatigued?

I can still remember the days when mobile phones, smartphones, email, social media and computers didn’t exist. Back then, you wouldn’t dream of standing in the middle of the street and handing out your bank details including statements, or shouting out details of when you were going on holiday. You almost certainly wouldn’t go up to everyone you met and told them where you kept your cheque book and cheque guarantee card (told you I remember a long way back!). Would you have stood on one side of a wall and shouted over it, to whoever might have been listening, who you’re thinking of employing and how much you’re thinking of paying them, or details of a business proposal you’re writing?

I’m guessing that you would agree all of those would be pretty foolish things to do. But effectively, that’s what you’re doing when you drop your guard in respect of privacy.

If you don’t lock down your privacy settings on your social media applications, you’re making every aspect of your life visible to anyone else on the internet.

If you use the same password on multiple websites, you’re making it easier for the bad guys to get access to more of your life.

If you’re talking about confidential things, knowing who else is listening is really important.

Please don’t be complacent. Please be careful. Please don’t get privacy fatigue.

10 Steps to Cyber Security – Part 1 of 2

Through discussions with various clients and perspective clients, at conferences, events and forums, it is very apparent that a lot of companies know that they need to do “something about cyber” but many, particularly in the Small and Medium Enterprise (SME) arena, are unsure of what that something should be.

My response to them is generally along the same lines, and I thought I’d share it with you now. My apologies for those of you who are seasoned cyber professionals, as you will no doubt know this subject inside out, but for those of you who are wondering just how to get started and are looking for a jargon free, pragmatic explanation, read on…

As far back as 2012 the UK government produced the 10 Steps to Cyber Security which companies should follow to help make them more secure, as part of the drive to make the UK a safe place to do business. Those were followed in 2014 by the Cyber Essentials scheme. Both the 10 Steps and Cyber Essentials have had updates over the years, but those updates relate more to guidance and clarification rather than changes to content.

This article sets out the first 5 requirements of the 10 Steps to Cyber Security: I’ll provide the remaining 5 in my next post which will be in a week or so. You will see that a number of these topics overlap, and that’s absolutely fine. There are some very blurred lines, but so long as the topics are covered then that has to be a good thing, right?

1. The first step is to set up a Risk Management regime. This sounds scary, but could be as simple as having an Excel spreadsheet or a Word document where you list all the risks to your business, determine how severe those risks are, and document how you will mitigate those risks. It doesn’t have to be onerous – it could just be your top 5 or 10 risks to start with.

  • For example, if your business relies exclusively on internet orders eg as a retail outlet, then lack of access to the internet would be a serious risk and mitigation measures could involve something like hosting your website with a specialist hosting provider which can provide protection against physical issues like flooding or power cuts and some technical measures such as denial of service attacks.
  • You should bear in mind that this is a regular, repeated process, where you review your risk register regularly and agree with the board appropriate measures based on a cost benefit analysis and your company’s risk tolerance.

2. The second step is to look at Secure Configuration of your systems. All this really means is that you need to make sure that your systems are patched appropriately, that anti-virus / anti-malware software is installed, updated and running, that you have an inventory of the equipment you have and what software is installed on it, and that where possible you’ve documented a standard build for all your devices. Let’s look at those in turn, as it all sounds very complicated:

  • Patches are software updates provided by vendors to address vulnerabilities which are found in all software. These are typically graded in terms of severity from low to critical, the idea being that you apply all critical patches as fast as possible, while low severity are less important. One of the reasons the Wannacry ransomware outbreak hit people so hard in May was because a Critical patch released by Microsoft in March hadn’t been applied to the systems affected: that’s a good example of what can go wrong if you don’t keep patches up to date. Many systems allow patches to be downloaded and installed automatically and, if you don’t have an IT department, it’s a good idea to use that option.
  • Antivirus software is similar to patches, in that vendors release regular updates to tackle new viruses. With the volume of viruses increasing massively on a daily basis, it’s a good idea to install these updates as they come out – at least daily. Many of the larger virus companies such as McAfee and Symantec have products which update automatically, and are well worth considering.
  • As an aside, there are rumours that Mac devices aren’t susceptible to or targeted by viruses: this is not the case anymore so make sure those devices are protected too.
  • Keeping an inventory is sensible: if you don’t know what you’ve got, how can you protect it? And if you don’t know what software is running, how do you know you have all the licenses you need, and how do you know how to rebuild the machine if it is damaged or unavailable for some reason? It just stops you starting from the very beginning, and allows you to be more proactive. Knowing what should be on each machine also helps you to develop a strategy for removing or disabling unnecessary functionality on it. Again, going back to Wannacry in May, one of the methods used by the ransomware from machine to machine was through a network protocol which wasn’t really necessary on most machines. Maintaining an up-to-date inventory could help you identify vulnerabilities like that and close them down quickly.
  • The benefits of having a documented standard build have pretty much been covered in above. It also means that when a new machine is bought, your IT team / support company knows exactly what to install and how to configure it to meet your business needs. This saves time and effort.

3. The third step concerns Network Security. Again there are some jargon words around what this means and what has to be done, but I’ve broken it down as follows:

  • One of the reasons for network security is to protect your networks from attack. A simple way of checking to see how well the network is protected is by engaging a company such as the one I work for to run a penetration test against all your public facing connections. All that this means is that a trusted person, with your permission, tries to see how far they can get into your network: they then report back to you with details of the vulnerabilities they found and how these can be fixed / remediated. They are actually using the same tools and techniques as hackers, but because they have your permission this is known as ethical hacking.
  • Another area to look at in network security is defending your network perimeter. This means that you should have firewalls installed and configured correctly: the penetration test mentioned just now is one way of ensure that they are. Firewalls are typically installed at the place where your internal network meets the internet, often in a specially segregated area called a DMZ or “De-militarised zone”. It’s a way of stopping traffic from the internet getting directly on to your network.
  • As part of firewall configuration, you should ensure that unauthorised access and malicious content is filtered out. There are a range of companies which provide solutions for this sort of thing, but in simple terms your penetration test will help identify the biggest areas of concern. Network protocols are the ways in which computers talk to each other, and run across a range of different ports. You can think of the firewall as a giant colander, where you block up most of the holes (ports) other than those which are needed for passing a specific strand of spaghetti through a specific hole (port).
  • Last and not least in this section is the requirement to monitor and test security controls. We’ve already talked about testing – penetration testing – and monitoring is a way of measuring the effectiveness of your controls. There are a lot of monitoring toolsets available, ranging from reasonably cheap to quite expensive. It’s worth working out what you want to monitor / measure before starting to look for tools to help. This is one area where engaging a consultant may be beneficial.

4. We’ve already talked a little about Malware Prevention, the fourth step, when we talked about Secure Configuration above. What we didn’t mention is that it’s important to develop a policy around how you will use anti-malware software. For example, what happens when a virus is detected. Should it be deleted automatically or perhaps quarantined for analysis? Is there a process for testing removable media such as USB sticks for malware before connecting them to corporate systems (this is often called a sheepdip process). It’s also important that anti-malware software is running on all devices connected to your business environment: monitoring and measurement will help confirm this.

5. Overlapping malware prevention is the fifth step, Removable Media Control. This again requires specific policy statements about the use of removable media: do you allow it or not, are only specific users in specific roles allowed to use it etc, and also sets out the requirements for scanning media for malware, perhaps using the sheepdip process outlines in 4 above.

Hopefully this all makes sense. Please look out for the next installment when I’ll cover the remaining 5 steps, which are:

6. User education and awareness

7. Managing User Privileges

8. Incident Management

9. Monitoring

10. Home and Mobile Working

How does your security measure up?

I published this article on LinkedIn on Monday 3rd July 2017, and I’ve copied it here for you.

If you don’t know what you have, how can you measure it?

We read a lot these days about equipment and training to help combat cyber attacks and reduce risks, but I don’t see much about today’s topic. It’s really good that you have controls in place, with defence in depth etc, but how do you know they’re working?

It seems to me that we often forget to take into account the requirement to measure key components on our systems, so that we know when things are working well and when they’re not. This isn’t about audit, which gives you a snapshot, a point in time view. This is about consistent, regular (possibly even real-time) monitoring and reporting on systems.
The first step in this process is to identify what matters to you most – in many, if not all, cases this will be the data your systems hold. 
Then, look at the controls you have in place, and think about what information would give you assurance that your controls are effective. 
For example, if you have highly sensitive data on all your laptops, knowing which devices are not encrypted might be a really key measurement for you. In this instance, you may decide it is unacceptable for any laptops to be unencrypted, or you may decide you’re happy with a tolerance of 5% or 10%.
One of the fundamental features of reporting is knowing what you have, where it is, and what software is loaded on it. If we look at the recent ransomware outbreaks of Wannacry and Petya, we know that these malware packages make use of specific vulnerabilities which were addressed by specific patches. If your inventory is up to date, you can check for the devices missing those specific patches, and target them immediately, rather than checking every single machine. The same held true with Heartbleed and other outbreaks of a similar nature. 
Some would say that regular reporting on critical patches which have not been installed is a waste of time: personally, I think it’s a good metric and invaluable in deploying resources effectively. You should already have a patch schedule, but does it take into account Critical patches? If not, time to start thinking about being proactive with them and pushing them out outside the patch schedule.  
Similarly, you will probably want to know what devices have aged (out of date) antivirus signatures: if they’re not within a couple of days release then in this day and age you’re running a risk. Report / alert on devices where this is the case, or where AV isn’t running at all. (While you’re at it, you might want to investigate ways of determining whether AV is running but not scanning anything – I have seen this on several occasions.)
You will also probably want to baseline the traffic profile coming into and out of your network so that you know what looks normal, making it easier to spot unusual activity. Pay attention to the days and times that traffic is present: if you get a lot of traffic at 3 in the morning, why is that? 
Finally, when presenting this information to your senior management, don’t leave it as raw figures. Present it in terms of risk and impact, from a financial and reputational viewpoint. That makes it easier to understand why something needs to be done and should help with getting additional resources to address those risks. 

If you don’t measure what you have, how can you improve it?

Lesson to be learned from Wannacry Friday

This article was published on LinkedIn on 16th May 2017. I’ve copied it in its entirety for you here. 

If you don’t know what you have, how can you protect it effectively?

Last Friday, the world received a massive wake up call, in regards to the vulnerability of it’s computer systems, their interconnectedness and the impact of failure or disruption on a large scale. In some respects it was reminiscent of the “fire sale” in Die Hard 4.0, though in the movie the attacks were specifically targeted and the motives were purely financial. 

In the real life event, infected systems were not deliberately targeted – as far as we can tell at the moment. What better way to hide your true motives or targets than to hide them in plain site along with multiple other victims who in effect become collateral damage. That has shades of the first Jack Reacher movie, but is a viable tactic which is used often. (I’ll do my best not to make this article all about movies, please bear with me.) Misdirection is a common ploy: think of it as a bit like while you’re looking at a fire in a field, someone is stealing your belongings from your house behind you. 

As more detail comes to light, with suggestions that the North Koreans were involved as source of the Lazarus Group (who famously were behind the Sony Pictures attack several of years ago, and the Bangladeshi bank theft last year), it’s been interesting to watch vendors and consultants vying for a piece of the “action”. A contact of mine noted on LinkedIn that all the GDPR experts had “disappeared” or had suddenly become Ransomware experts overnight. Opportunism or good business sense? I think the jury is still out and I’ve seen both praise and condemnation levelled at a whole range of people and businesses. 

I recently wrote a piece cautioning users to beware of vendors selling the latest and greatest in terms of shiny equipment or jazzy software. Friday’s attack brought this home in spectacular fashion I think. I’ve long been an advocate of doing the simple things well, and addressing your threats through a risk based approach. And what did we find the main reasons for infection were? 

  1. Poor patching. A Critical patch had been released by Microsoft on 14th March, and would have protected systems from being infected if it had been deployed. This is a simple thing to fix. Examine your patching schedules / processes, and ensure that Critical patches are deployed as soon as possible. They’re Critical for a reason. Don’t forget that after patches have been applied you should reboot the machine, check that the patches are in place and only if they are, move on. 
  2. Unnecessary protocols not shut down or disabled. The SMB protocol appeared to be the main method used by the ransomware to spread once inside an organisation. It should not be omnipresent in most networks, but gets installed by default by some new systems. Disable it if you don’t need it, and check after every upgrade or new implementation that it is still disabled. Run internal network penetration tests and / or vulnerability scans on a regular basis – at least annually – and remediate any Critical, High or Medium risks highlighted in a timely manner. Then test again, to make sure you’ve not introduced any further vulnerabilities. 
  3. Use of unsupported software. I know that in some cases software cannot be upgraded because legacy systems depend on it, and that goes for Operating systems too. Lack of support means no security patches or (in most cases) antivirus patches. Lack of support means your environment is becoming more at risk every day. I you have to use unsupported software, make sure it is fully patched up to and including the latest patches, then look for options which help reduce the risk. For example, can it be run in a virtual environment? Can it be run with a whitelist of permitted applications and software versions? If so, do both of those things. 
  4. Poor user awareness. It appears that a good proportion of infections came when documents which had been emailed in were opened by unsuspecting users. Training your staff in how to spot suspicious emails, documents and links has to be more than just a tick box exercise carried out once a year. It has to be something which people are actively involved in, something they talk about on a regular basis. They can then ask colleagues for their views or opinions on suspect mail or attachments without fear of being thought silly or being too cautious. Talking about this sort of thing needs to be a normal and common part of everyday business life. 

It can be seen that these are simple to do fix, and don’t necessarily cost the earth. The first three are really good candidates to include on a risk register and / or monthly (perhaps weekly?) security report. In all things cyber, it’s important to be able to know what “normal” looks like for your environment so that you can then measure improvements (or otherwise) of implementing new solutions. The last aspect, user awareness, appears to be changing slowly and I think we can do more to help speed it up. 

One thing that hasn’t come up too often in the analysis after the fact is something which isn’t particularly easy to do but which would help in cases like Friday’s. I’m talking about good asset management: knowing what you have and what’s on it. Having a corporate view of what software is currently – or at least was in place yesterday – could go a long way to knowing which devices you need to concentrate on. It sounds complicated, so let me explain.

My perception is that many systems were shut down as a precautionary measure, because people didn’t know where the infection was coming from or how it was spreading. Once those facts were known, restarting everything took quite a while because each individual machine would have to be manually checked to ensure it wasn’t infected and that it was patched appropriately. A good and up-to-date software inventory / asset list would have shown which devices were patched and could therefore be discounted from needing so much manual time. 

There’s a tried and tested mantra which I still like: if you don’t know what you have, how can you protect it effectively? 

In summary – you don’t need shiny hardware or high cost software. Do the simple things really well, keep measuring how well you’re doing them, and you’re in a great starting place. 

What next after Friday’s Ransomware attacks?

Perhaps predictably, vendors of all sorts are appearing on LinkedIn and elsewhere selling their solutions to the mass attack of Friday. I presume they are hoping to cash in when work resumes for many tomorrow and we find that there may be additional victims from Friday. 

There’s been a lot written by a lot of people on what happened and how you can protect yourself (I’ve done it too), and there still seems to be a lot of scaremongering, with prophecies of doom for what will unfold tomorrow (Monday).

I think that now is a time for calm. Now is a time for taking simple, careful steps to enhance existing security practices and to show that global attacks like this can be tackled effectively. There’s some good, sensible advice in this latest update from the NCSC here in the UK, and I’d urge you all to read it and act accordingly.

NCSC Latest Statement on International Ransomware Attack

Global Cyber Attack 

Yesterday, May 12th 2017 saw a mass global cyber attack launched with impeccable timing just before the weekend. Over 75000 machines were affected in around 100 countries – so far. 

It is believed that a hacking group called Shadow Crew is behind the attack. This is the same group that hacked the CIA in the USA and a couple of months ago released hacking tools developed by that agency and the NSA.

The effect was for many businesses and government departments to be hit with Ransomware (which I’ll cover on here soon). This encrypted files and could only be removed by paying a ransom in a virtual currency called Bitcoin. 

Once the ransom is paid the bad guys may or may not decrypt the files – there are no guarantees. 

I said it was good timing because the Ransomware gives users 3 days to pay the fine. Many users will have started their weekend already (and in much of the Middle East the weekend is Friday and Saturday) so there’s a good chance that some users will not get to their devices in time and will have to pay – or trash their machines and rebuild them.

Many businesses and government agencies such as the NHS simply shut all systems down in order to prevent them being infected. This is one reason why the impact has been so huge.

No doubt the plan is that once the fix is known (for devices which are infected) then it will be applied to machines individually as they are restarted. 

It’s also worth mentioning that at present this doesn’t look like any kind of data breach. Files have been encrypted so the data is inaccessible, but the data hasn’t been accessed or copied – as far as we can tell at the moment. 

That’s what happened, so how do you protect yourself and your business? The answer is surprising straightforward. 

  1. Install the MS-17-010 patch on all Microsoft Windows devices. This Critical patch was released by Microsoft on 14 March this year, and the Ransomware takes advantage of a vulnerability which the patch fixes. If your machine has been set to apply updates automatically, then assuming you’ve rebooted your machine since the update was applied you should be safe. If you don’t have Auto Update enabled – manually search for updates and install them now. 
  2. If you’re on a network, make sure that your network administrators have disabled the SMB protocol on all devices that don’t need it. This is how the Ransomware spreads on an internal network.  
  3. Make sure your antivirus software is up to date and running 
  4. Be extra careful when clicking on links you don’t recognise and on unsolicited documents.
  5. Make sure any devices you use for backing up your data are not physically connected to your computer – if they are, then chances are your backups could get infected too. 

That’s all you need to do. It’s clear from this outbreak that the things I’ve been talking about – patching, antivirus, backups, phishing awareness etc – which are all simple things to do but often neglected, are all really good protection against even global attacks. 

I’ll be releasing a podcast about this later today, so keep your eyes peeled for that!